Marco Möller writes:
On 21.09.21 17:53, Tim Woodall wrote:I would like to have some WORM memory for my backups. At the moment they're copied to an archive machine using a chrooted unprivileged user and then moved via a cron job so that that user cannot delete them (other than during a short window). My though was to use a raspberry-pi4 to provide a USB mass storage device that is modified to not permit deleting. If the pi4 is not accessible via the network then other than bugs in the mass storage API it should be impossible to delete things without physical access to the pi.
What about the overall storage size: Assume an adversary might corrupt your local data and then invoke the backup procedure in an endless loop in an attempt to reach the limit of the "isolated" pi's underlying storage. You might need a way to ensure that the influx of data is somehow rate-limited.
Before I start reinventing the wheel, does anyone know of anything similar to this already in existence?
I know of three schemes trying to deal with the situation:
(a) Have a pull-based or append-only scheme implemented in software.
Borg's append-only mode and your current method fall into that category.
I am using a variant of that approach, too: Have a backup server pull
the data off my local machine at irregular intervals.
(b) Use physically write-once media like CD-R/DVD-R/BD-R. I *very rarely*
backup the most important data to DVDs (no BD writer here and a single
one would not provide enought redundancy to rely on it in case of
need...).
(c) Use a media-rotation scheme with enough media to cover the interval you
need to notice the adversary's doings. E.g. you could use seven hard
drives all with redundant copies of your data and each day chose
the next drive to update with the "current data" by a clear schedule,
i.e. "Monday" drive on Mondays, "Tuesday" drive on Tuesdays etc.
If an adversary tampers with your data you would need to notice within
one week as to be able from the last drive to still contain unmodified
data.
Things like chattr don't achieve what I want as root can still override that. I'm looking for something that requires physical access to delete.
My solution is to use a separate, dedicated, not-always-on machine that pulls backups when its turned on and then shuts itself off as to reduce the time frame in which an adversary might try to break into it via SSH. In theory, one could leave out the SSH server on the backup server altogether, but this would complicate the rare occasions where maintenance is needed.
The backup tool borg, or borgbackup (this latter is also the package name in the Debian repository), has an option to create backup archives to which only data can be added but not deleted. If you can get it managed, that only borgbackup has access through the network to the backup system but no other user can access the backup system from the network, then this might be want you want. Borgbackup appears to be quite professionally designed. I have never had bad experience for my usage scenario backing up several home and data directories with it and restoring data from the archives - luckily restoring data just for testing the archives but not for indeed having needed data from a backup. My impression is, that this tool is also in use by the big professionals, those who have to keep up and running a real big business. Well, maybe someone of those borgbackup users with the big business pressure and experience should comment on this and not me. At least for me and my laboratory measurement data distributed on still less than 10 computers and all together comprising still less than 10 TB data volume, it is the perfect tool. Your question sounds like it could also fit your needs.
Its one tool that could be used for the purpose, yes.Borg runs quite slowly if you have a lot of data (say > 1 TiB). If you can accept that/deal with it, it is a tool worth considering. Some modern/faster alternatives exist (e.g. Bupstash) but they are too new to be widely deployed yet.
AFAIK in "business" contexts, tape libraries and rsync-style mirrors are quite widespread.
HTH Linux-Fan öö
Attachment:
pgp6_TtLjT44n.pgp
Description: PGP signature