BorgBackup 2 has no server-side append-only anymore
67 comments
·June 7, 2025homebrewer
rsync
You can achieve append-only without exposing a rest server provided that 'rclone' can be called on the remote end:
rclone serve restic --stdio
restrict,command="rclone serve restic --stdio --append-only backups/my-restic-repo" ssh-rsa ...
ssh user@rsync.net rclone serve restic --stdio ...
champtar
If you want to use some object storage instead of local disk, rclone can be a restic server: https://rclone.org/commands/rclone_serve_restic/
snickerdoodle12
I use restic+rclone+b2 with an api key that can't hard delete files. This gives me dirt-cheap effectively append-only object storage with automatic deletion of soft deleted backups after X days.
antoniomika
This has been replaced with a permissions feature that still provides both delete and overwrite protections. The difference is the underlying store needs to implement it rather than running a server that understands the permission differences. You can read more about this change here: https://github.com/borgbackup/borg/issues/8823#issuecomment-...
bayindirh
This comment needs to be pinned, alongside what the developers say [0] since the change is very misunderstood.
> The "no-delete" permission disallows deleting objects as well as overwriting existing objects.
[0]: https://github.com/borgbackup/borg/pull/8798#issuecomment-29...
zargon
Isn't this "no-delete permission" just a made-up mode for testing the borg storage layer while simulating a lack of permissions for deleting and overwriting? In actual deployment, whatever backing store is used must have the access control primitives to implement such a restriction. I don't know how to do this on a posix filesystem, for example. Gemini gave me a convoluted solution that requires the client to change permissions after creating the files.
ThomasWaldmann
at first it was implemented to easily test permission restricted storages (can't easily test on all sorts of cloud storages).
it was implemented for "file:" (which is also used for "ssh://" repos) and there are automated tests for how borg behaves on such restricted permissions repos.
after the last beta I also added cli flags to "borg serve", so it now also can be used via .ssh/authorized_keys more easily.
so it can now also be used for practical applications, not just for testing.
not for production yet though, borg2 is still in beta.
help with testing is very welcome though!
antoniomika
Currently, you can either provide the `BORG_REPO_PERMISSIONS` env var to borg [0] or `--permissions` flag to `borg serve` [1]. You can then enforce this as part of your `authorized_keys` command, for example.
[0] https://github.com/borgbackup/borg/blob/3cf8d7cf2f36246ded75...
[1] https://github.com/borgbackup/borg/blob/3cf8d7cf2f36246ded75...
jaegerma
Thanks for that link. That issue somehow didn't come up when I researched the removal of append-only. The only hint I had was the vague "remove remainders of append-only and quota support" in the change log without any further information.
dblitt
It seems the suggested solution is to use server credentials that lack delete permissions (and use credentials that have delete for compacting the repo), but does that protect against a compromised client simply overriding files without deleting them?
ThomasWaldmann
no-delete disallows any kind of deleting information, that includes object deletion and object overwriting.
null
throwaway984393
No. Delete and overwrite are different. You need overwrite protection in addition to delete protection. The solution will vary depending on the storage system and the use case. (The comment in the PR is not an exhaustive description of potential solutions)
qeternity
Append-only would imply yes. There is no overwriting in append-only. There is only truncate and append.
mosselman
You have misread I think.
There used to be append-only, they've removed it and suggest using a credential that has no 'delete' permission. The question asked here is whether this would protect against data being overwritten instead of deleted.
gausswho
My current approach is restic, but I'd prefer to have asymmetric passwords, essentially the backup machine only having write access (while maintaining deduplication). This way if the backup machine were compromised, and therefore the password it needs to write, the backup repo itself would still be secure since it would use a different password for reading.
Is this what append-only achieved for Borg?
nathants
Do something simpler. Backups shouldn’t be complex.
This should be simpler still:
orsorna
Is this a joke?
I don't see what value this provides that rsync, tar and `aws s3 cp` (or AWS SDK equivalent) provides.
nathants
How do you version your rsync backups?
somat
I use rsyncs --link-dest
abridged example:
rsync --archive --link-dest 2025-06-06 backup_role@backup_host:backup_path/ 2025-06-07/
rsync_cmd = [
'/usr/bin/rsync',
'--archive',
'--numeric-ids',
'--owner',
'--delete',
'--delete-excluded',
'--no-specials',
'--no-devices',
'--filter=merge backup/{backup_host}/filter.composed'.format(**rsync_param),
'--link-dest={cwd}/backup/{backup_host}/current/{backup_path}'.format(**rsync_param),
'--rsh=ssh -i {ssh_ident}'.format(**rsync_param),
'--rsync-path={rsync_path}'.format(**rsync_params),
'--log-file={cwd}/log/{backup_id}'.format(**rsync_params),
'{remote_role}@{backup_host}:/{backup_path}'.format(**rsync_params),
'backup/{backup_host}/work/{backup_path}'.format(**rsync_params) ]iforgotpassword
Dirvish
yread
Uh, who has the money to store backups in AWS?!
seized
Glacier Deep Archive is the cheapest cloud backup option at $1USD/month/TB.
Google Cloud Store Archive Tier is a tiny bit more.
mananaysiempre
Both would be pretty expensive to actually restore from, though, IIRC.
ikiris
To quote the old mongodb video: If you don't care about restores, /dev/null is even cheaper, and its webscale.
nathants
Depends how big they are. My high value backups go into S3, R2, and a local x3 disk mirror[1].
My low value backups go into a cheap usb hdd from Best Buy.
PunchyHamster
Support for S3 means you can just have minio server somewhere acting as backup storage (and minio is pretty easy to replicate). I have local S3 on my NAS replicated to cheapo OVH serwer for backup
aborsy
Borg2 has been in beta testing for a very long time.
Anyone knows when will it come out of beta?
ThomasWaldmann
The usual answer: "when it is ready".
For low-latency storage (like file: and maybe ssh:) it already works quite nicely, but there might be a lot to do still for high-latency storage (like cloud stuff).
puffybuf
I've been using device mapper+encryption to backup my files to encrypted filesystem on regular files. (cryptsetup on linux, vnconfig+bioctl on openbsd). Is there a reason for me to use borgbackup? Maybe to save space?
I even wrote python scripts to automatically cleanup and unmount if something goes wrong (not enough space etc). On openbsd I can even Double encrypt with blowfish(vnconfig -K) and then a diff alg for bioctl.
anyfoo
Does your solution do incremental backups at all? I have backups going back years, because through incremental backups each delta is not very large.
Every once in a while things gets sparsed out, so that for example I have daily backups for the recent past, but only monthly and then even yearly for further back.
TheFreim
I've been using Borg for a while, I've been thinking about looking at the backup utility space again to see what is out there. What backup utilities do you all use and recommend?
singhrac
I spent too long looking into this and settled on restic. I'm satisfied with the performance for our large repo and datasets, though we'll probably supplement it with filesystem-based backups at some point.
Borg has the issue that it is in limbo, i.e. all the new features (including object storage support) are in Borg2, but there's no clear date when that will be stable. I also did not like that it was written in Python, because backups are not always IO blocked (we have some very large directories, etc.).
I really liked borgmatic on Borg, but we found resticprofile which is pretty much the same thing (it is underdiscussed). After some testing I think it is important to set GOGC and read-concurrency parameters, as a tip. All the GUIs are very ugly, but we're fine a CLI.
If rustic matures enough and is worth a switch we might consider it.
muppetman
restic
Single binary, well supported, dedup, compression, excellent snapshots, can mount a backup to restore a single file easily etc etc.
It's made my backups go from being a chore to being a joy.
rsync
... also you can point restic at any old SFTP server ...
Saris
Restic is nice. Backrest if you like a webUI.
TiredOfLife
Kopia
conception
Kopia is surprisingly good. I use it with a b2 backend, had percentage based restore verification for regulatory items and is super fast. Only downside is lack of enterprise features/centralized management.
neilv
I used to have a BorgBackup server at home that used append-only and restricted-SSH.
It wasn't perfect, but it did protect against some scenarios in which a device could be majorly messed up, yet the server was more resistant to losing the data.
For work, the backup schemes include separate additional protection of the data server or media, so append-only added to that would be nice, as redundant protection, but not as necessary.
mrtesthah
FYI for those using restic, you can use rest-server to achieve a server-side-enforced append-only setup. The purpose is to protect against ransomware and other malicious client-side operations.
jbverschoor
Moved to duplicacy. Works great for me
seymon
Borg vs Restic vs Kopia ?
They are so similar in features. How do they compare? Which to choose?
noAnswer
I use Borg since eight years and it has never let me down. Including a full 8TB disaster restore. It's super resilient to crashes.
When I tested Restic (eight years ago) it was super slow.
No opinion about Kopia, never heard of it.
aborsy
Restic is the winner. It talks directly to many backends, is a static binary (so you can drop the executable in operating systems which don’t allow package installation like a NAS OS) and has a clean CLI. Kopia is a bit newer and less tested.
All three have a lot of commands to work with repositories. Each one of them is much better than closed source proprietary backup software that I have dealt with, like Synology hyperbackup nonsense.
If you want a better solution, the next level is ZFS.
PunchyHamster
Kopia is VERY similar to Restic, main differences is Kopia getting half decent UI vs Restic being a bit more friendly for scripting
> If you want a better solution, the next level is ZFS.
Not a backup. Not a bad choice for storage for backup server tho
the_angry_angel
Kopia is awesome. With exception to it’s retention policies, but work like no other backup software that I’ve experienced to date. I don’t know if it’s just my stupidity, being stuck in 20 year thinking or just the fact it’s different. But for me, it feels like a footgun.
The fact that Kopia has a UI is awesome for non-technical users.
I migrated off restic due to memory usage, to Kopia. I am currently debating switching back to restic purely because of how retention works.
zargon
I’m confused. Is Kopia awesome or is it a footgun? (Or are words missing?)
spiffytech
I picked Kopia when I needed something that worked on Windows and came with a GUI.
I was setting up PCs for unsophisticated users who needed to be able to do their own restores. Most OSS choices are only appropriate for technical users, and some like Borg are *nix-only.
For anyone looking to migrate off borg because of this, append-only is available in restic, but only with the rest-server backend:
https://github.com/restic/restic
https://github.com/restic/rest-server
which has to be started with --append-only. I use this systemd unit:
I also use nginx with HTTPS + HTTP authentication in front of it, with a separate username/password combination for each server. This makes rest-server completely inaccessible to the rest of the internet and you don't have to trust it to be properly protected against being hammered by malicious traffic.Been using this for about five years, it saved my bacon a few times, no problems so far.