Server for not trusted clients

[enboig]

I am my family IT. I don't trust their computers, but must backup family computers. My idea (similar to kopia) is:

• Clients can only add snapshots
• Clients have their own password (different from encryption password) and can only access their own snapshots.
• Deduplications works accros clients.
• Snapshot date is written by server (to avoid ransomware creating corrupted snapshots to mess retention policy)
• Maintanience tasks (deleting snapshots, prune, forget, ...) are done by server.

[goebbe]

@enboig What would be the user/ attacker scenario you would like to protect from?

• an attacker that has access to the user account of your family computers?
• would the attacker be able to install/ use a key-logger to sniff password inputs?
• would the attacker have access to the passphrase of the repository (e.g. from the keyring?)

"append_only"-mode on the server should protect the backups from malicious actions on "untrusted computers" of the users.

Of course "append_only" is different from a sever-controlled backup mechanism, where a server is responsible for the backups and takes care of schedules, sources, excludes, rentention, checking, compact,...

[m3nu]

To add a little here: You can run the vykar-server service with appropriate resources and it give you good isolation for one user. They can have their own password, disk quota, etc.

I initially had multiple repos per server, but decided against it since it's harder to secure properly. I'd rather add more granular features for a single repo and you just run multiple instances if you have more repos. This is the main difference to Restic's REST server.

[enboig]

If a "client" is compromised, the attacker should not:

• Get access snapshots of other "clients".
• Get access to encryption key.
• Generate snapshots with malicious dates, (which could derivate in automatic deletion of correct backups).
• Force deletion of existing "uncorrupted" data.

Client is already compromised, so access to current data and old snapshots is inevitable; but in case of ransomware, old data should be preserved.

I will check again vykar-server if this is possible. Right now I am using kopia for family because it has ACL and allow most of these points.

[m3nu]

can be mounted only as "read only" by the client? (via webDAV)

mounting is always read-only.

[enboig]

Are vykar-server and rest server the same?

The server running in "--apend-only" could overwrite new snapshot datetime with now() to ensure old data cannot be converted in obsolete.

About encryptions keys, I haven't read how kopia solve this, I think repo key is only in server, and data between server and client is encrypted only "in-transit" using https.

I want a "pseudo shared" repo because most of huge family videos and photos are shared accross clients, so there is a lot to deduplicate.

[enboig]

https://kopia.io/docs/repository-server/

[goebbe]

Are vykar-server and rest server the same?
Yes, "vykar-server" is a "rest server".

[enboig]

After reading https://vykar.borgbase.com/server-setup:

• Client just need a access_token to acces repository. I don't know if at any point the encryption key is sended; if it isn't it means encrytion key is safe.
• Append-only ensure no data is deleted, but if client can't upload malicious snapshots with altered dates/content, it could lead server compaction to delete old data.

What I am looking is adding to rest-server pairs hostname/token; so a client can only create/read it's own snapshots. For my use-case complex ACL is not needed. Each hostname has its own access; and if supervision is needed I can SSH rest-server to do necessary tasks.