nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

Use Nextcloud for storing backups highly securely - Mark folder as "Glacier" #24442

Closed theodiefenthal closed 3 years ago

theodiefenthal commented 3 years ago

I'd like to introduce a new special folder type to Nextcloud, called something like "Glacier".

I'd think about a workflow like this: In the WebUI, I can mark a folder as "Glacier" and (optionally) specify a grace period in days (otherwise, a default of e.g. 30 days is used).

What happens in a glacier folder? For a glacier folder, when the NextCloud user/client deletes (or modifies) a file, the original file is kept for another 30 days (or whatever is specified as grace period). The difference from the trash bin: Not even the user can delete/modify his own files (directly)! Even if the user changes the grace period or tries to remove the entire glacier folder, it is kept (and counts toward his quota) until the grace period has expired after the delete/modify operation (and is then deleted automatically). Changing the grace period should only have an effect on newly added files, not the existing ones in a glacier folder. Only an admin is allowed to directly delete files from a glacier folder (if the client mistakenly added a very large file or specified a way too large grace period).

What's this feature for? I think about storing my device backups in NextCloud in a kind of highly secured way. On my device, I have backup software running (in my case: Duplicati). Usually, I attach an external disk to my computer and store my backups directly on that disk. As this requires manual interaction, it often happens that I don't create a safe backup every day. And only once a month or so I exchange my backup disks and bring the disk with the recent backups to another location (so my data is almost safe against fire, theft, viruses, whatever...).

Ideally, I'd like to have my backup process automated and the backups stored in a different location, which sounds like a perfect solution with nextcloud. I can configure my backup program with some plan (e.g. run every day, create a full backup every month, and perform incremental backups on all other days). I'd perform the backups to a local disk and the NextCloud client would sync it up to my server (in a different location).

But just using nextcloud here can lead to another issue with my backups: What if a crypto trojan encrypts my disk and my backup folder (syncing the data to the server?) or what if I accidentally delete files from my computer and backups? Here, the "Glacier" folders come into play: I'd still have like 30 days left to recognize the problem and could easily restore my backup. Even a very evil attacker with full access to my system (but not the nextcloud server) would have no way to delete data from my computer, because he couldn't remove files from the glacier.

What do you guys think about it? I'd even have another idea for improvements: Mark files/folders as "keep on server until manually removed". That would be useful for e.g. a full backup of my disk (dd or such) before a major OS upgrade. I'd like to sync that to my server and get rid of it on the client. If I realize a year later that I definitely don't need that anymore, I could delete it via Web-UI and wait for the grace period until it's finally gone.

What do you guys think about it? Does that sound reasonable? Would it be preferable to directly integrate it into the nextcloud server or would an add-on be a better place? (And would it be possible after all to implement this via an add-on?) I think this would be a major improvement for an already very big use case of nextcloud: backing up your data.
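As an added illustration (not Nextcloud code and not part of this issue), here is a toy in-memory model of the folder semantics proposed above: a delete or overwrite only freezes the old copy for the grace period captured when that file was added, frozen copies keep counting toward quota, the user can restore within the grace period, and only the admin path drops data early. All class and method names are invented for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Entry:
    content: bytes
    grace_days: int                  # captured when the file was added; later policy changes don't touch it
    deleted_on: Optional[date] = None

class GlacierFolder:
    # Hypothetical model of the proposed "Glacier" folder; not Nextcloud's storage layer.
    def __init__(self, default_grace_days: int = 30):
        self.grace_days = default_grace_days
        self.live: dict[str, Entry] = {}
        self.frozen: list[tuple[str, Entry]] = []   # old copies waiting out their grace period

    def set_grace_period(self, days: int) -> None:
        self.grace_days = days       # affects only files added from now on

    def put(self, name: str, content: bytes, today: date) -> None:
        if name in self.live:        # overwrite: the previous version is frozen, not lost
            self._freeze(name, today)
        self.live[name] = Entry(content, self.grace_days)

    def delete(self, name: str, today: date) -> None:
        self._freeze(name, today)    # the user's delete is only a request; the data survives
        del self.live[name]

    def _freeze(self, name: str, today: date) -> None:
        self.live[name].deleted_on = today
        self.frozen.append((name, self.live[name]))

    def restore(self, name: str, today: date) -> bool:
        # The user may bring a frozen copy back as long as its own grace period is still running.
        for i, (n, e) in enumerate(self.frozen):
            if n == name and today < e.deleted_on + timedelta(days=e.grace_days):
                self.live[name] = Entry(e.content, self.grace_days)
                del self.frozen[i]
                return True
        return False

    def quota_bytes(self) -> int:    # frozen copies still count toward the user's quota
        return sum(len(e.content) for e in self.live.values()) + sum(len(e.content) for _, e in self.frozen)

    def purge(self, today: date, admin_force: Optional[str] = None) -> int:
        # Drop copies whose grace period has expired; only an admin may name a file to drop early.
        kept = [(n, e) for n, e in self.frozen
                if today < e.deleted_on + timedelta(days=e.grace_days) and n != admin_force]
        removed, self.frozen = len(self.frozen) - len(kept), kept
        return removed
```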

isdnfan commented 3 years ago

The versions app has an option to store previous file versions for a defined number of days. The only problem is that the versions app only keeps files as long as the user has enough quota available; if versions use more than 50% it deletes old versions. Providing enough space and defining a minimum keep period should address your needs.

theodiefenthal commented 3 years ago

Imagine a crypto-malware which has an interest in the user not being able to restore his data from a backup (the user won't pay for decryption if he has backups). As a crypto virus developer, I'd quickly build plugins to detect whether the user has Dropbox, Nextcloud, Owncloud, or something similar running and delete all files from there.

As far as I know: If I delete a file from nextcloud and from trashbin (which the virus could do), the versions are gone as well?

Further: An admin could run /occ versions:cleanup and the backups of all users would be gone. That's not what I like for my long-term stored backups.

isdnfan commented 3 years ago

I completely agree with your arguments. The problem is once you as the user have write access to the system there is no way to protect them from malicious activity if the attacker is smart enough. In the last instance you are lost if the attacker gets admin access to Nextcloud.

I know you want to prevent removing old versions by the user, but what if a legitimate user runs into space issues and needs to remove them? If there is some way to write/remove data there is a chance an attacker could use this way as well, and if you completely block removal you introduce possible issues for legitimate use cases.

I don't think there is a highly reliable option to protect old file versions without introducing too many drawbacks. To address your goal you should bring the data completely out of scope and out of sight of the accessing user. The most common option would be a backup of the Nextcloud instance by some external process. This would protect your data from an attacker accessing your Nextcloud with user AND admin rights.

If you still want to keep all the data within your Nextcloud instance maybe Flow could help you - maybe you can set up 2 users and copy files from your original user to a backup user, and work with versions on the backup user side. This would protect against attacks by the original user - but it is still vulnerable if the attacker gains admin rights on the NC instance.

szaimen commented 3 years ago

Hi 👋

We are currently cleaning up our issue tracker. The feature described in this issue sounds like a good idea for a dedicated app. Feel free to post it in our "App ideas" section in the forum, to find a developer that wants to work on it: https://help.nextcloud.com/c/apps/app-ideas/21

We are closing this issue here now, so the "issue tracker" of the server repository can be used better to track issues instead.

Cheers

MrRinkana commented 7 months ago

Sorry to comment on an old issue, just wanted to argue that this feature is better done on the storage layer under nextcloud - for example by using a snapshotting filesystem (zfs, btrfs..) and/or off-site backups. This provides better data safety and protection against ransomware and such, while avoiding the mentioned complexities with user quotas.