What is an appropriate security strategy to install automatic backups with restic on other people's computers in Windows?

In my case I plan to install restic on the computers of some clients.

So far I’m using --files-from, --exclude-file, and --password-file and leaving the text files in the same folder as restic.

But if someone accidentally or on purpose changes or deletes those files, the backup is compromised.

A basic option would be to hide the text files in some other folder.

Does it make sense to take other security measures assuming another user has access to that computer?

If an attacker has access to those files, they already have access to the files you are backing up in the first place, so it doesn’t matter much.

To prevent against an attacker, having access to the password files you mentioned, deleting the backups from the repository, use some kind of storage/backend where there’s versioning or retention of files so that you can always get your repository back if need be.

Another way is to use rest-server with the --append-only mode, which would prevent the attacker from deleting the backups in the repository. However, be sure to read Security considerations in append-only mode as well.

1 Like

Understood!
I also meant that if the -files-from text file includes:
C:\Data 1
C:\Another data
and someone, whether willing or not, deletes one of the entries, the backup continues working but backing up less information and I would not receive any alert

Great info thanks.

I’m going to study about rest-server
Very kind as always, your answer helps me a lot.

1 Like

This is indeed true, an attacker could effectively make the backups contain nothing. With access to the system they could also do things like disabling the backups entirely (which you could however detect when there’s no new snapshots being created). I think the only way to deal with that is to back up the data using another user or system service, but then that would have to be protected as well.

In the end it boils down to physical access to the system and other things, it’s kind of a matter of how deep you want to go. At the end of the day one has to establish what one wants to protect against.

Restic’s threat model assumes the system where restic is running to be trusted, in other words restic does not try to protect against a local system (client) compromise, that’s outside of the scope.

1 Like

Totally agree. I will investigate a way that works for me and if I see that it is worth it I will document it here

It is understood yes. Restic does his job and does it very well. Thank you very much again. :smiley: