We all know we should have backups, but ransomware groups frequently target backup storage as well. Luckily, there are some nice ways to make backups over SSH more secure using a neat authorized_keys trick.
In short: you can add options to your authorized_keys file that force any connection authenticated with that key to run a specific command, regardless of what the client asked for.
These tricks should also work on Hetzner storage boxes, and most other providers that allow you to upload an authorized_keys file.
Borg (non-immutable)
At Ferox, we use the following for onsite quick-access borg backups:
command="/usr/bin/borg serve --restrict-to-path /storage/mcsystembackups",restrict ssh-ed25519 AAAAC...
Since borg works over SSH, the client tries to run borg serve on the remote host. The command= option replaces whatever the client requested with a borg serve that is limited to a specific folder, and the restrict option disables port forwarding, agent forwarding, X11 forwarding and PTY allocation for that key, so it cannot be used for anything but the backup.
Borg (Immutable)
Keep in mind that this key will no longer allow pruning or deleting backups, so you will have to schedule that from a trusted location/key.
command="borg serve --append-only ",restrict ssh-ed25519 AAAAC3NzaC1lZ...J borgmatic_offsite
rsync (Immutable)
command="rrsync -wo -no-del -no-overwrite DIR",restrict,from="fdba:000:1c1c:bff6::1" ssh-rsa AAAAB3Nza... root@box-to-backup
This requires rrsync on the remote host, which is unfortunately missing on Hetzner's storage boxes.
Age + SCP (Encrypted)
Age is a nice tool for simple file encryption, useful for things like offsite backups: https://github.com/FiloSottile/age
$ apt install age
$ age-keygen -o backupkey.txt
Public key: agepublickkeythingy
$ age --decrypt -i /opt/backupkey.txt data.tar.gz.age > data.tar.gz
cat /tmp/billingdbbackups/billingbackup-$(date +%d-%m-%Y).sql.gz | age -r agepublickkeythingy > /tmp/billingbackup.sql.gz.age
scp -P23 /tmp/billingbackup.sql.gz.age [email protected]:/home/agebackups/billingbackup-$(date +%d-%m-%Y).sql.gz.age