Using HTTPS for authentication-only in Restic Server

thank you for making restic :slight_smile:

I was wondering if it is secure (and makes sense) to use HTTPS to authenticate but not encrypt the connection with a restic-server. This would mean for example to use a client-side certificate for authentication and then use a Null Cipher to disable encryption.

According to restic-server documentation, it would seem ok:

restic already properly encrypts all data it sends, so using HTTPS is mostly about authentication

However, that mostly is what is prompted me to ask this question.

This could work, however Iโ€™m not sure itโ€™s necessary. Backups are generally going to be either disk- or network-bound and not (usually) CPU-bound. The CPU overhead of HTTPS is probably negligible, though Iโ€™d be interested in benchmarks comparing the performance of HTTP vs HTTPS.