How to prevent deletion of backups? #1011
Comments
Borg's encryption deals with the case of an untrusted backup repo server, so the symm. encryption key is stored on the machine running the borg client. You can do different things server-side to avoid deletion: filesystem and LVM snapshots come to mind. Also, recent borg versions can operate in "append-only" mode, making archive or repo deletion impossible. Some people experiment with pull backups (using ssh -R), which is good if the client is compromised, but bad if the server is compromised.

The append-only mode looks nice, sorry I missed it when reading the doc.

Not at this time

Allowing the append-mode to be changed from the client would miss the point of protecting against "owned" clients deleting the repo or archives. borg prune must run on the client as it needs the encryption key.

I can have another client, safer than A, allowed to prune.

I am adding some words about this to docs / FAQ. There is currently no automation to toggle append-only mode.

See PR #1012.

So in order to prevent server A from running
Is that correct?

Well, in the authorized_keys file, adding in front of the ssh key

Typo: it's

I just noticed that. But in the file I wrote it correctly and it's not working.
or
I tried these two and neither works.

How do you determine "not working"? Please note that append-only is not holding the client back from running
I have two servers, A and B. I want to use Borg to make encrypted backups of A on host B (key stored on A, so data is safe if B is compromised).
However, I would like to prevent A from deleting its backups on B, so an attacker with control of A cannot remove backups from before A was compromised.
Is this possible with Borg? If yes, how?
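
One way to check the server-side restriction this thread discusses, as an added example that is not from the Borg project or any participant here: a shell audit of host B's authorized_keys that flags client keys not forced into `borg serve --append-only`. The sample entries, repository path and key strings are constructed, and the parser assumes the options come first on the line with no spaces or escaped quotes before `command=`.

```shell
#!/bin/sh
# Added example: audit the backup server's authorized_keys for client keys
# that are not pinned to a forced `borg serve --append-only` command.

# classify_key_line LINE -> skip | unrestricted | other-command | deletable | append-only
classify_key_line() {
    # Blank lines and comments carry no key.
    case $1 in ''|'#'*) echo skip; return ;; esac
    # Only the options field (before the first whitespace) may set a forced command;
    # a command="..." string in the trailing key comment must not count.
    cmd=$(printf '%s\n' "$1" |
        sed -n 's/^[^[:space:]]*command="\([^"]*\)".*/cmd:\1/p')
    case $cmd in
        '') echo unrestricted ;;              # no forced command at all
        'cmd:borg serve'|'cmd:borg serve '*)
            case " ${cmd#cmd:} " in
                *' --append-only '*) echo append-only ;;
                *) echo deletable ;;          # borg serve, but deletions allowed
            esac ;;
        *) echo other-command ;;              # forced, but not borg serve
    esac
}

# audit_keys: read authorized_keys on stdin, print "LINENO VERDICT" per key,
# return non-zero if any key is not pinned to append-only borg serve.
audit_keys() {
    n=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        verdict=$(classify_key_line "$line")
        [ "$verdict" = skip ] && continue
        echo "$n $verdict"
        [ "$verdict" = append-only ] || bad=1
    done
    return "$bad"
}

# Constructed sample file; the key material is placeholder text, not real keys.
SAMPLE_KEYS='# client A, hardened entry
command="borg serve --append-only --restrict-to-path /srv/borg/hostA",restrict ssh-ed25519 AAAA_PLACEHOLDER_1 hostA
# client A, forced command without append-only
command="borg serve --restrict-to-path /srv/borg/hostA",restrict ssh-ed25519 AAAA_PLACEHOLDER_2 hostA-old
ssh-ed25519 AAAA_PLACEHOLDER_3 command="borg serve --append-only"'

printf '%s\n' "$SAMPLE_KEYS" | audit_keys ||
    echo "at least one key is not restricted to append-only"
```

On the server, feed it the real file with `audit_keys < ~/.ssh/authorized_keys` for the account that owns the repository.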