prevent client from deleting remote backups and repository

[wohecha]

Dear community
I am testing borg backup and i find it quite a nice piece of software.
Although borg can prevent the loss of files during hardware fails,
There are a few elements that comes to my mind when protecting files from a malicious actor taking control of the client:

When using the remote repository (with borg serve),
Deleting the whole repository can still be done from the client and unfortunately, borg serve --append-only can't prevent this from happening.

I would imagine a configuration where:

• 1. The client pushes the backups (accessing the borg-serve --append-only,restrict ssh-rsa client_pub_key instance)
• 2. a management machine would prune,compact archives (accessing the borg-serve, restrict ssh-rsa mgmt_pub_key instance)
     but i have read that this is not possible due to the fact that server does not know more than lower-level get/put/delete from the client
     see: borg serve option to restrict prune #1545

• Is there any project on having those features supported on upcoming version ?

• What are the capabilities of the V2: borg serve --permissions regarding the deletion of the repository ?

• Would it be possible to manage the retention policy & the files to backup from a configuration file stored on the server ?

Any advice would be greatly appreciated
Many thanks

[ThomasWaldmann]

I would imagine a configuration where: * 1. The client pushes the backups (accessing the |borg-serve -- append-only,restrict ssh-rsa client_pub_key| instance) * 2. a management machine would prune,compact archives (accessing the |borg-serve, restrict ssh-rsa mgmt_pub_key| instance) but i have read that this is not possible due to the fact that server does not know more than lower-level get/put/delete from the client see: #1545 <#1545> * Is there any project on having those features supported on upcoming version ?

If the management machine is a client that has the passphrase, can access the key and the repo on the server, you can do that already with borg 1.x.

What are the capabilities of the V2: |borg serve --permissions| regarding the deletion of the repository ?

Did you check the docs? They are rather fine grained, so one could implement a similar setup.

Would it be possible to manage the retention policy & the files to backup from a configuration file stored on the server ?

Only if the server has the borg key and passphrase, then it could also prune/compact. But then, if an attacker gains access to your server, all your data could be decripted using that key/passphrase.

…

---- GPG Fingerprint: 6D5B EF9A DD20 7580 5747 B70F 9F88 FB52 FAF7 B393

[wohecha]

Thank you for quick and detailed answer.
yes i have checked the V2 documentation.
so i assume that if borg serve --permissions is run with

• no-delete : the client cant prune nor delete the whole repository
• write-only: the client can only make backups, and can't list nor check

Many thanks