Secure Backup Strategy - Requesting Comments

Hi there, I’d like to chime in on this topic.

For my needs, I would like to use Restic on a VPS to push backups to S3 and/or B2. I would also like to run automatic prune jobs from the same VPS on a schedule. I am working on the assumption that any server connected directly to the internet with a public IP could theoretically be compromised by a determined human hacker, whereas my workstation can be assumed to be 100% safe for the purposes of this scenario. I am also assuming that the hacker would do catastrophic noticeable damage to the VPS and its services, such that I would notice and intervene relatively quickly. I understand that there are even more insidious options of slowly corrupting data, but for my usage scenario I can assume that won’t happen. I am also assuming that a single backup server in the cloud attached to the provider’s object storage could be compromised, so I prefer S3 or B3 storage since it will presumably not suffer an attack at an infrastructure level. I am also assuming that my admin account for the storage service will not be compromised.

A human hacker with root access could simply locate the keys and passphrases on the server and with those use the command line tool for S3 or B2 to delete the bucket and or its contents, and would never even need to use Restic. Sometimes I see suggestions to use a key with no delete permissions on the main server, and then use a secondary server with a delete key to run automatic prune operations, but that would simply transfer the attack vector to the the secondary server. And I don’t want to have to deal with manually pruning the archives via my workstation.

My current solution uses Duplicity (which I want to move away from for many reasons) to push backups to S3 using a key with no delete permissions, so no pruning. Then the S3 bucket has a lifecycle policy that deletes the files after a certain amount of time. This is feasible with Duplicity because it uses the traditional full+incremental style of archives.

So I was wondering if it would be feasible to use Restic with a normal S3 or B2 key including file deletion permissions and an automated prune schedule. But then maybe I could enable the bucket’s lifecycle policies to retain files marked for deletion for a certain period of time? Then if necessary I could manually login to the storage service admin account and manually restore the latest good version. But I’m not sure if this would be feasible for effectively pruning the amount of backup data stored given the way Restic shards backups and how blobs get distributed. (Not sure if this helps?)

Thanks a lot for any insight you could offer!