Hi, when specifying a retention policy for snapshots/backups, are the snapshots/backups made immutable on the datastore during their lifetime until they have to be deleted so they won't be altered by a ransomware that could find its way to the proxmox backup server ?
Additional layer of security
- Thread starter Fathi
- Start date
over the API/CLI/GUI, snapshots are always immutable (in the sense that you can't modify the chunk indices that are making up a snapshot), but can be deleted given appropriate privileges.
but of course, if your backup server itself is taken over an attacker can rewrite any files, there's no way to stop that
if you enable encryption, you also get signed backups which would at least make an attack like that detectable.
but of course, if your backup server itself is taken over an attacker can rewrite any files, there's no way to stop that
if you enable encryption, you also get signed backups which would at least make an attack like that detectable."but of course, if your backup server itself is taken over an attacker can rewrite any files, there's no way to stop that if you enable encryption, you also get signed backups which would at least make an attack like that detectable." Of course you are right and I am doing my best to protect the server but a bug in the UI/API could be exploited by malwares (pve and pbs are not accessible from outside the company).
Now, in the 3-2-1-1-0 backup strategy it is said "1 : Store at least 1 of the copies offline" "Examples : rotating external USB-disks, tapes, object storage with immutability".
What i am thinking about is a flag like the "protection" one in proxmox pve that prevents the deletion of a vm/container either by accidental deletion or restoration.
It would be nice to have an automatic/manual flag for the protection of the backup on pbs that, in the underlying file system, would set the immutable attribute (chattr +i) on the backup file(s) automatically on creation and automatically on deletion by the scheduled prune job.
It could also be used, when "manually forced", to prevent the normal purge of a particular backup/snapshot (for any particular reason) like the protection flag on pve.
if you enable encryption, you also get signed backups which would at least make an attack like that detectable." Of course you are right and I am doing my best to protect the server but a bug in the UI/API could be exploited by malwares (pve and pbs are not accessible from outside the company).Now, in the 3-2-1-1-0 backup strategy it is said "1 : Store at least 1 of the copies offline" "Examples : rotating external USB-disks, tapes, object storage with immutability".
What i am thinking about is a flag like the "protection" one in proxmox pve that prevents the deletion of a vm/container either by accidental deletion or restoration.
It would be nice to have an automatic/manual flag for the protection of the backup on pbs that, in the underlying file system, would set the immutable attribute (chattr +i) on the backup file(s) automatically on creation and automatically on deletion by the scheduled prune job.
It could also be used, when "manually forced", to prevent the normal purge of a particular backup/snapshot (for any particular reason) like the protection flag on pve.
That's what I am looking for and a good starting point for immutability. Thank you Fabian.
Last edited:
As read on https://www.storagereview.com/news/proxmox-ve-7-1-now-available
"Backup jobs in the newest version of Proxmox VE feature a new, more flexible scheduler daemon named “pvescheduler.” They can also be labeled as protected, which means they cannot be pruned or deleted without manually removing their protective status first."
Great Team, great products, great job. Thank you very much.