On Mon, Jan 12, 2026 at 09:31:39PM +0000, [email protected] wrote:
> Hi all,
>
> I am looking to implement an OpenBSD server as a backup server.
>
> Critically, it will provide backup to untrusted clients, so I need the
> setup to be robust against an adversary in possession of the access
> codes.
>
> Does anyone have recommendations for a solid setup?
>
> My current plan is:
>
> - create a restricted user that has ssh access to the machine
> - use rrsync, lock down the shell of the restricted user following the
>   recommendation of rrsync
> - use rsnapshot on top of this
>
> Any feedback welcome, thanks! Jake

Hi Jake,

As others have mentioned, it will be a good idea to implement the backups so that you will be pulling data from the less trusted source to your backup server (the more trusted one). rsync over SSH is probably the most reliable for this purpose, as has been mentioned.

Consequently, I've been working on a set of operational tooling scripts dubbed restic-ops, which aims to help formalize and automate *data recovery* (not just backups) in case of a disaster. This type of thing you might want to use to back up your backup server.

To that end I welcome the community to take a look at this MIT licensed repository.

https://github.com/larihuttunen/restic-ops

I'm running this on OpenBSD, so the current version is fully usable on it. The releases are self-extracting archives, hence quite platform independent. I am pondering on making an OpenBSD package out of it, but let's see.

Br,
Lari Huttunen

--
Inforta Ltd | "Connecting you to expert insights, anytime, anywhere."
https://inform.social/about/

