Restic for backup of a compromised machine
First, I’m fairly new to restic and IT security, so I hope my questions are not too dumb.
I have a machine at home that is exposed to the internet through a DMZ. It hosts a NextCloud instance. I want to back up the data on that machine to OneDrive using rclone/restic.

Solution 1:
Using rclone/restic directly on that machine, with the usual setup and regular backups. My question is: if that machine gets compromised/hacked, are there any risks of me losing the data in my OneDrive backup? In other words, are my fears legitimate? My restic password is saved in /etc/environment, as the cronjob won’t work otherwise.

Solution 2:
I could use rclone to mount Nextcloud on another safe/isolated machine. I could also mount onedrive there, and then regularly backup from one to the other.

Which solution do you believe is safer?

Happy to be told of another alternative as well, I’m here to learn and get help.

If the machine is able to delete data in a backup, so is an attacker. Unless OneDrive offers some way to prevent data deletion that I don’t know about.

If an attacker cannot compromise the isolated machine, then that’s probably the safest option. Another way would be to set up rclone in append-only mode, similar to the description at Append-only backups with restic and rclone, just with OneDrive as the target and not a local repository.

Please don’t. Either store the password in a file that is only readable by the proper user and use --password-file filename as parameter for restic. Or create a wrapper script which sets the proper environment variables.

Yes, obviously the first and most important step is to secure the machine. But plan for the worst, hope for the best.

I will look at this option, this sounds more promising. I could then run pruning and maintenance through another machine to help with space.

I’m new to restic; I didn’t know the file option was possible. I’ll do that. I guess the file should be set with chmod 0600?
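A wrapper script of the kind suggested in the earlier reply, as an added example that is not from the thread: it refuses to run unless the password file is owned by the backup user and has mode 0600 or 0400 (the chmod question above), and then hands it to restic with --password-file instead of putting the password in /etc/environment. The password path, the rclone remote name "onedrive", the repository path and the Nextcloud data directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a cron wrapper for restic that keeps the
# repository password out of /etc/environment. Assumed: the password lives in
# /etc/restic/password (chmod 0600, owned by the backup user), an rclone remote
# named "onedrive" exists, and Nextcloud data sits in SOURCE_DIR below.
set -e

PASSWORD_FILE="${RESTIC_PASSWORD_PATH:-/etc/restic/password}"
REPO="rclone:onedrive:backups/nextcloud"
SOURCE_DIR="/var/www/nextcloud/data"

# Returns 0 only when the password file is a regular file owned by the invoking
# user with no group/other permissions (mode 0400 or 0600); otherwise returns 1.
check_password_file() {
    f="$1"
    [ -f "$f" ] || return 1
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
    owner=$(stat -c '%u' "$f" 2>/dev/null || stat -f '%u' "$f" 2>/dev/null) || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Runs the backup with the password passed via --password-file, so it is never
# exported into every process's environment. This does not stop a compromised
# host from deleting snapshots; that needs append-only access enforced on the
# server side, as discussed in the thread.
run_backup() {
    if ! check_password_file "$PASSWORD_FILE"; then
        echo "refusing to run: $PASSWORD_FILE must exist, be owned by $(id -un) and be mode 0600" >&2
        return 2
    fi
    restic -r "$REPO" --password-file "$PASSWORD_FILE" backup --exclude-caches "$SOURCE_DIR"
}

# Only start a backup when invoked explicitly (e.g. from cron: "backup.sh run");
# sourcing the file just defines the functions.
case "${1:-}" in
    run) run_backup ;;
esac
```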

Actually, the restriction of commands won’t work, I believe.

It restricts the commands a user can run when ssh-ing to a remote server.

I wasn’t planning on letting my DMZ machine ssh to my safe/LAN network. It’s actually the safe LAN/machine that would ssh to the DMZ to back up the data. That way no restic/rclone is on the machine that could be compromised.

has the --append-only option

You can also make a self-hosted S3-backend server and set it to append-only too.