Borg
Introduction
Borg is a client server system allowing to backup remotely to repositories
Risk analysis
Scenario: Backup server compromised
- Confidentiality of all client data in danger if no encryption is used. Client encryption is a must, could even be at repository level if the client shares different backup users with different kinds of data to backup.
- Integrity compromised at repository level, the structure of the backup data could be partly or completely damaged (mitigate by monitoring and report suspicious changes to the system).
- Availability (not much to do about that then), a second level backup is necessary
Scenario: Backup client compromised
- Confidentiality is compromised for the data on the client system and accessible by the client on the remote backup server. That means clients should be segregated into separate repositories to avoid a compromised client to be able to sneak/peek in another client's data.
- Integrity: compromised the client could add or delete data from the backup server it has access to and
can be mitigated by setting an
append-only
mode. But BEWARE with borg a pruning takes place automatically the first time a client wihoutappend-only
accesses the repository. - Availability: mitigate by preparing a redundant system
Recovery / Access
Using borg mount
to remotely mount snapshots to select data to be restored
Installation
Server
Install software
sudo apt install borgbackup
Create borg
user
sudo useradd -m borg
sudo passwd borg
Make directories for each of the clients
sudo mkdir -p /srv/borg/client1
# ...
sudo mkdir -p /srv/borg/clientN
# set permissions
sudo chown -R borg:borg /srv/borg
Client
sudo apt install borgbackup
Create a key pair (without password)
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_borg
# private key: ~/.ssh/id_borg.
# public key: ~/.ssh/id_borg.pub.
copy the SSH public key to the borg server
ssh-copy-id -i ~/.ssh/id_borg borg@<server>
Configure server SSH access restrictions
Login as user borg
on the server
# edit the authorized_keys file to restrict each client
vi ~/.ssh/authorized_keys
# each of the client should follow this format:
# command="cd /srv/borg/<client>; borg serve --append-only --restrict-to-path /srv/borg/<client>"
# for example, here is the entry for client1
# command="cd /srv/borg/client1; borg serve --append-only --restrict-to-path /srv/borg/client1" ssh-ecdsa root@<server>
Configure client for initial backup
Common variables:
export BORG_RSH="ssh -i ~/.ssh/id_borg"
export BORG_REPO=borg@<server>:<repos>
Initialize repository:
borg init --encryption=keyfile --append-only $BORG_REPOS
borg key export $BORG_REPOS ~/borg-server-backup.key # Store this and passphrase into KeePass
The key can be found here: ~/.config/borg/keys
Backup example daily:
# with heuristic compression, uses lzma if data compresses well (but is roughly 4x as slow)
borg create \
--verbose --filter AME \
--list --stats --show-rc \
--compression auto,lzma --exclude-caches \
$BORG_REPOS::'daily-{utcnow:%Y-%m-%d_%H:%M:%S}' \
/path1 \
/pathN
In order to automate the backup task it can sound good to use some environment variables to avoid the interaction. A better approach would be an ansible script run once and deleted after the backup completed or some secret management server like hashi corp Vault (in that case the use of BORG_PASSCOMMAND is indicated). That would avoid to keep the password at rest visible. But the misuse if the client is compromised can be performed on the data itself and the backup integrity is ensured through the use of append-only.
SERVER=<fqdn>
REPOS=<reposname>
PATH_TO_BACKUP=<absolute path>
export BORG_RSH="ssh -i ~/.ssh/id_borg"
export BORG_REPOS=borg@$SERVER:$REPOS
export BORG_PASSPHRASE='***'
# use lz4 compression and log into file
borg create \
--verbose --filter AME \
--list --stats --show-rc \
--compression lz4 \
$BORG_REPOS::'daily-{utcnow:%Y-%m-%d_%H:%M:%S}' \
$PATH_TO_BACKUP \
2>> "borg_backup_${REPOS}_$(date --iso-8601).log"
Pitfalls
- repositories not created with the
append-only
option are not append only - the
append-only
restriction only applies to the client connecting using that key. - any other client not having the restriction with automatically start pruning (!!BE CAREFUL!!)
- compression can be specified and is applied on the chunks but does not apply to existing chunks, these need to be forcibly retransferred with another compression method applied if absolutely wanted.
Recover data
borg mount
can be used to mount the data provided you have the key and passphrase and ssh access
to the server holding the encrypted data.