I have tried to build a secure backup solution with restic and restic-server (--append-only), but apparently some important building blocks are still missing.
Backup solutions always offer a possibility to manage retention, and restic can do that too, but if you use restic-server with the option “--append-only” it is no longer possible to manage retention.
The limited (storage) scalability of restic-server (without S3 support) is also a problem.
For the best protection of the data, restic-server should provide a function to configure/manage retentions, so that the mode “--append-only” can be used in a meaningful way.
Furthermore, restic-server should be able to store the data on S3, taking into account the S3 feature “object-lock”. This would make it possible to protect the backup data even against an attack on the restic-server host.
Is there already development in this direction?
I had some of the same problems when I had to implement a backup solution.
Somewhere here I’ve read that the rest-server only does file management (receives a file from restic and stores it in the backend), so it cannot manage retentions.
I do backups of a server with restic, and since this server is exposed to the web, I don’t want it to have access to delete backups. So I wanted to use the rest-server and b2. In my first try I mounted the b2 bucket with rclone to a dir and then ran rest-server on it. This wasn’t working really well. So I found out that rclone has some sort of rest-server built in. So now I run my “restserver” the following way:
rclone serve restic b2bucket --append-only --fast-list
For the retention policy, I would suggest that you write a small script on the server with the rest-server which basically does the following:
restic forget RETENTIONPOLICY -r rclone:b2bucket
restic prune -r rclone:b2bucket
There’s issue https://github.com/restic/restic/issues/3195 for adding object locking.
https://github.com/restic/restic/pull/3584 also adds some documentation for a commonly used setup for append-only backups, where clients can only add data and a trusted host is allowed to prune the backup.
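The trusted-host side of the setup the two replies above describe (clients push through an append-only rclone/rest-server endpoint, a separate host runs forget and prune), as an added example that is not part of this thread. It assumes restic is installed on that host, the repository is reachable as rclone:b2bucket (the name used above), and the password lives in /etc/restic/password (an assumed path).

```shell
#!/bin/sh
# Added example, not from the thread: retention job for the trusted host.
# Assumptions: restic is installed here, the repository is rclone:b2bucket,
# the password file is /etc/restic/password, and this is the only host with
# a non-append-only path to the repository (clients cannot delete anything).
set -eu

REPO="${RESTIC_REPOSITORY:-rclone:b2bucket}"
PASSWORD_FILE="${RESTIC_PASSWORD_FILE:-/etc/restic/password}"

# Translate a "daily weekly monthly" policy into restic forget flags.
retention_args() {
    daily="$1"; weekly="$2"; monthly="$3"
    printf '%s' "--keep-daily $daily --keep-weekly $weekly --keep-monthly $monthly"
}

# Apply the policy: forget old snapshots, prune unreferenced data, then
# verify the repository. Set DRY_RUN=1 to see what forget would remove
# without touching the repository.
run_retention() {
    args=$(retention_args "$@")
    # shellcheck disable=SC2086  # word splitting of $args is intended
    restic -r "$REPO" --password-file "$PASSWORD_FILE" \
        forget $args --prune ${DRY_RUN:+--dry-run}
    [ -n "${DRY_RUN:-}" ] || \
        restic -r "$REPO" --password-file "$PASSWORD_FILE" check
}

# Example policy: keep 7 daily, 4 weekly and 12 monthly snapshots.
if [ "${1:-}" = "run" ]; then
    run_retention 7 4 12
fi
```

Run it from cron on the trusted host only; the backup clients keep using the append-only endpoint and never need the password file on this host.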