Can Tardigrade please provide full support for append-only backups to protect a server from being able to delete all its own backups in the event that the server is compromised?
I’d really love to switch my org’s backups over to using Tardigrade, but we can’t unless it has full support for append-only backups. This would require:
- The access keys granted to the server would permit the server to be able to add new files to our backups, but not delete existing files on Tardigrade, and
- There would need to be some system in place on Tardigrade’s side to set a retention policy for files matching some regex – since [a] we necessarily won’t let our servers have the rights to delete our backups (to protect us from ransomware), and [b] we also don’t want to have to do this manually.

In the past few years, countless government organizations and private companies have become infected with ransomware, which did three things:
- they (the attackers) encrypted the disks of all the victim organization’s servers,
- they deleted all of those organizations’ backups since their servers had the ability not only to write backups, but also delete previous backups, and
- they demanded hundreds of thousands or millions of dollars’ worth of bitcoin in exchange for the disk encryption keys, which they held for the ransom.

The obvious solution to this is to have good backups that cannot be deleted. For large organizations, this means using a tape library and some physical tape rotation kept offline. But for small non-profit organizations like ours, this is not possible. Instead, one option is to use a cloud storage provider that supports append-only permissions.
Currently we use Backblaze B2, and we’d love to switch to Tardigrade. It does appear possible to set an access key in Tardigrade to have permission to write but not delete files. If that’s the case, then Tardigrade is half-way there.
The next step is to allow users to define a set of retention policies matching a user-defined regex so that, for example, files matching /.*daily.*.tar.gz$/ should be kept for 10 days, files matching /.*monthly.*.tar.gz$/ would be deleted only after 2 years, and files matching /.*yearly.*.tar.gz$/ would never be deleted.
Without full support for append-only backups for ransomware protection, our org cannot switch from Backblaze B2 to Tardigrade. Please consider adding this very important, security-critical feature.
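
The retention rules described in the post above, as an added example that is not part of the original post and not Tardigrade functionality: a pruning decision meant to run on the storage side or on a separate host that holds the delete-capable credential, never on the backed-up server. Assumptions: 2 years is taken as 730 days, and the listing format and the names `POLICY`, `retention_for` and `expired_keys` are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Patterns copied verbatim from the post (the dots before tar/gz are unescaped there).
# None means "never delete". 2 years is taken as 730 days (assumption).
POLICY = [
    (re.compile(r".*daily.*.tar.gz$"), timedelta(days=10)),
    (re.compile(r".*monthly.*.tar.gz$"), timedelta(days=730)),
    (re.compile(r".*yearly.*.tar.gz$"), None),
]

def retention_for(key):
    """Return (matched, keep_for), taking the longest retention of all matching rules."""
    matches = [keep for pattern, keep in POLICY if pattern.match(key)]
    if not matches:
        return False, None
    if None in matches:          # any "never delete" rule wins
        return True, None
    return True, max(matches)

def expired_keys(objects, now):
    """Select keys whose retention has elapsed.

    objects: iterable of (key, upload_time), where upload_time is the time
    recorded by the storage service, not a date parsed from the file name
    (the backed-up server chooses the name). Keys matching no rule are kept.
    """
    doomed = []
    for key, uploaded in objects:
        matched, keep_for = retention_for(key)
        if not matched or keep_for is None:
            continue
        if now - uploaded > keep_for:
            doomed.append(key)
    return doomed

# Constructed sample listing (not real data).
NOW = datetime(2021, 3, 1, tzinfo=timezone.utc)
SAMPLE = [
    ("db/daily-2021-02-27.tar.gz", NOW - timedelta(days=2)),
    ("db/daily-2021-02-10.tar.gz", NOW - timedelta(days=19)),
    ("db/monthly-2019-01.tar.gz", NOW - timedelta(days=790)),
    ("db/monthly-2020-12.tar.gz", NOW - timedelta(days=90)),
    ("db/yearly-2015.tar.gz", NOW - timedelta(days=2200)),
    ("db/notes.txt", NOW - timedelta(days=4000)),
]

if __name__ == "__main__":
    for key in expired_keys(SAMPLE, NOW):
        print("delete", key)
```

A key that matches more than one pattern gets the longest applicable retention, and anything unmatched is left alone, so a naming mistake results in extra storage rather than a lost backup.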