Regularly disable append-only mode automatically (optionally) #222

@rugk

Append-only mode has been introduced in #160; doc: https://borgwarehouse.com/docs/user-manual/repositories/#append-only-mode

However, the issue obviously is this can fill up your disk space.

Can you somehow add an option to enable or disable it automatically, say… every 30 days? (And re-enable it after pruning or after some interval again, like maybe 10h or whatever – where the backup client is scheduled to do its backup.) So you have at least 30 days of backups?

Threat model assumes a compromised client, but one, where you would at least in some interval notice this. Like a ransomware will hopefully after… say… 30 days at most show you a notice to pay.
Of course, there is a risk that "real pruning" happens at some time, when the data has been deleted, but AFAIK, there is not a lot you can do here. The risk is always there… because… even if you don't see it, ransomware could have encrypted/deleted everything already. If the malware is sophisticated enough to check for Borgbackup, it would also be silent for a long enough time for your backups to be "too old" and be pruned, potentially, likely…

Alternatives

The alternative is kinda the same thing: You might manually check this, whether backups have been made/the system is okay, and then disable append-only. Here you also cannot be sure whether your client is really not compromised already – how could you? If you would know that already, you would not need the backup for later, you would just restore the current one…
So depending on your threat model and how sophisticated you guess your attacker is, the "automatic append-only disable" mode may be sufficient IMHO and be better than not having append-only mode at all. Because realistically, this is the more relativistic alternative…

More ideas

Thinking about it, you could have a simple "sanity check" (or some would market it and solve it with AI haha…) that just checks before the mode is disabled, whether:

  • much data has been pruned recently
  • any other criteria that could be a tell for a compromise of the client?

In such a case (even when this option is not enabled), there could be some warning (/triangle) or so being displayed like: "In the last 7 [30|60] days, more than 6GB of data has been deleted." This could be generally a nice feature.
AFAIK this is how Nextcloud's ransomware protection app kinda works. (though it may have more data to analyze, like file names etc.)
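
The "sanity check" idea from the issue, sketched as an added example; it is not part of the issue or of BorgWarehouse's code. `RepoSample`, the way the server would collect these figures, and the 36-hour backup-age limit are assumptions; the 7-day / 6 GB threshold is taken from the warning text above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class RepoSample:
    """Hypothetical server-side observation of one repository."""
    taken_at: datetime
    archive_count: int           # archives listed in the repository at that time
    total_bytes: int             # summed original size of those archives
    newest_archive_at: datetime  # timestamp of the most recent archive

def deleted_in_window(samples, now, window):
    """Sum every drop between samples so a later backup cannot mask a purge."""
    ordered = sorted(samples, key=lambda s: s.taken_at)
    start, lost_bytes, lost_archives = now - window, 0, 0
    for prev, cur in zip(ordered, ordered[1:]):
        if start <= cur.taken_at <= now:
            lost_bytes += max(0, prev.total_bytes - cur.total_bytes)
            lost_archives += max(0, prev.archive_count - cur.archive_count)
    return lost_bytes, lost_archives

def may_disable_append_only(samples, now, window=timedelta(days=7),
                            max_deleted_bytes=6 * 10**9, max_backup_age=timedelta(hours=36)):
    """Return (allowed, warnings); any warning keeps append-only enabled."""
    if len(samples) < 2:
        return False, ["Not enough observations to judge; keeping append-only on."]
    warnings = []
    lost_bytes, lost_archives = deleted_in_window(samples, now, window)
    if lost_bytes > max_deleted_bytes:
        warnings.append(
            f"In the last {window.days} days, more than "
            f"{max_deleted_bytes // 10**9} GB of data has been deleted "
            f"({lost_bytes / 1e9:.1f} GB, {lost_archives} archives).")
    newest = max(samples, key=lambda s: s.taken_at)
    if now - newest.newest_archive_at > max_backup_age:
        warnings.append("No recent archive: the client may have stopped backing up.")
    return not warnings, warnings

# Constructed sample data: one observation per day, newest last.
NOW = datetime(2024, 5, 8, tzinfo=timezone.utc)
def series(sizes_gb, counts):
    days = range(len(sizes_gb) - 1, -1, -1)  # days before NOW, oldest first
    return [RepoSample(NOW - timedelta(days=d), c, int(gb * 1e9),
                       NOW - timedelta(days=d, hours=1))
            for d, gb, c in zip(days, sizes_gb, counts)]

HEALTHY = series([100, 101, 102, 101.5], [30, 31, 32, 32])  # normal small prune
PURGED = series([100, 101, 60, 61], [30, 31, 5, 6])         # mass deletion, then a new backup
print(may_disable_append_only(PURGED, NOW))
```

The check fails closed: with too few observations, or with any warning, append-only stays enabled and the warning text can be shown in the UI.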

Labels: under consideration (Something I'm going to study for integration without knowing whether it will be done or not.)
