Borg native S3 storage compatibility without mount #4890

Closed
LucaBernstein opened this issue Dec 19, 2019 · 9 comments

Comments

@LucaBernstein

Have you checked borgbackup docs, FAQ, and open Github issues?

Yes

Is this a BUG / ISSUE report or a QUESTION?

ISSUE

Describe the issue you're having.

I want to establish a fail-safe backup strategy with borg.
For that it would be awesome to be able to back up to an S3 storage without mounting it (#102).
That's because if I mount it I am vulnerable to a ransomware attack and if the borg backup on the storage is encrypted I have no more data left (with the local backup also being encrypted as it is mounted I have no backups left).

What possibility is there that borg supports native S3 storage API in the near future?

I hope I conveyed my issues and if anyone has suggestions to build a nice backup concept please feel free to raise that so maybe we can work around this. ;)

@ThomasWaldmann
Member

There is no "cloud storage" support in borg and at least for the foreseeable future, there won't be.
IIRC, this has already been discussed in other tickets before, please look it up there.
One usual workaround is to have a local borg repo and use rclone to have a copy in the cloud.

If attacker code gets control over your machine, storage does not need to be mounted to be affected; the attacker could also use borg to delete your backups or maybe intercept s3-related credentials and use them to delete all your s3 stuff.

@MPW1412

MPW1412 commented May 8, 2020

There is a logic flaw in @LucaBernstein's request: If borg can write to the S3 storage, the credentials must be held locally, and so the ransomware could erase the data, if it was coded to search for them.

@yuvadm

yuvadm commented Jun 18, 2020

I believe it should be possible to configure AWS IAM keys that can only append data to S3, not modify or delete. You can also use the regular permissions but while enabling S3 versioning, so even if files do get corrupted or deleted you can always retrieve the old ones.
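An added example, not part of the comment above or of the borg project: a small audit of an IAM policy document that lists which destructive S3 actions a backup credential would still hold. The two sample policies and the bucket name `example-backup-bucket` are constructed, and the check is simplified in that `NotAction`, `Resource` and `Condition` are not evaluated.

```python
import fnmatch

# Actions that let a stolen backup key destroy or hide earlier backups.
DESTRUCTIVE = {
    "s3:DeleteObject",               # on a versioned bucket this adds a delete marker
    "s3:DeleteObjectVersion",        # permanently removes a stored version
    "s3:PutBucketVersioning",        # can suspend versioning
    "s3:PutLifecycleConfiguration",  # can expire old versions
    "s3:DeleteBucket",
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _matched(statement):
    # IAM action names are case-insensitive and accept * and ? wildcards.
    patterns = _as_list(statement.get("Action", []))
    return {a for a in DESTRUCTIVE
            if any(fnmatch.fnmatchcase(a.lower(), p.lower()) for p in patterns)}

def destructive_actions(policy):
    """Return the destructive S3 actions the policy allows.

    Simplified: NotAction, Resource and Condition are not evaluated.
    """
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    allowed, denied = set(), set()
    for st in statements:
        (allowed if st["Effect"] == "Allow" else denied).update(_matched(st))
    return allowed - denied  # an explicit Deny always overrides an Allow

# Constructed sample policies; the bucket name is a placeholder.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-backup-bucket/*"}]}
WRITE_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-backup-bucket",
                  "arn:aws:s3:::example-backup-bucket/*"]}]}

if __name__ == "__main__":
    for name, pol in (("broad", BROAD), ("write-only", WRITE_ONLY)):
        print(name, sorted(destructive_actions(pol)))
```

`s3:PutObject` can still overwrite an existing key, so a policy that passes this check protects earlier backups only when bucket versioning keeps the previous version.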

@lapineige

Hello,

> There is no "cloud storage" support in borg and at least for the foreseeable future, there won't be.

Is that still valid?

Thanks

@infectormp
Contributor

> Hello,
>
> > There is no "cloud storage" support in borg and at least for the foreseeable future, there won't be.
>
> Is that still valid?
>
> Thanks

yes

@ThomasWaldmann
Member

I plan to do some rather fundamental, experimental and big change (which also relates to the backends) in master branch ("borg2") soon, but the outcome of that has to be seen.

IF that comes out as successful, a future with other than filesystem backends in borg might be possible.

@lapineige

Thank you for the feedback :)
Good luck implementing it if you end up doing so :)

@toby1984

> I plan to do some rather fundamental, experimental and big change (which also relates to the backends) in master branch ("borg2") soon, but the outcome of that has to be seen.
>
> IF that comes out as successful, a future with other than filesystem backends in borg might be possible.

Just came across this issue as I was looking into using Backblaze (S3 compatible) with Borg ... I take it that the experimental changes did not work out?

@ThomasWaldmann
Member

@toby1984 I am working on this in #8332.

Works, but I may have to do some more work / refinements on it before merging.
