Security immutability against ransomware

I heard! Does Duplicati have some immutability security system for the destination location where the backup files are stored?

Welcome to the forum @Sergionei_Reichardt

What did you hear? Are you seeking comment on it? If so, please describe it, or preferably post a link.
Does it relate to your question? The short answer is you provide storage, and you secure the storage.
The next question becomes how to have Duplicati live under your security, but let’s get oriented first…

Duplicati acts only on the “backed-up” host and it stores some files on the destination… so if the destination host is compromised, nothing can save the files on it - and also the Duplicati backup files.

Of course versioning can save host files: if a backup accidentally saves some encrypted files, they can be restored from older versions - of course an older, unencrypted version of the file must exist (Duplicati deletes older versions according to the data retention policy).

1 Like

Yeah, there’s no magic that Duplicati can do, but I’m still wondering what it was that the OP had heard.

Immutability is hard to do. Using the search box at top, one can get about 25 topics discussing options potentially unappealing, but it depends mostly on priorities. Immutability Duplicati-style has drawbacks.
Basically, changes upload as backups are done, and stay on destination indefinitely, per immutability…

Ransomware protection extends to trying to keep the backed up system from deleting the backups too, regardless of whether credentials are found somehow, so by this definition Duplicati can’t delete either.

There are a lot of finer points to this, and I’m not sure what level of detail the original poster wants here. Versioned backup can help against ransomware, but only if backup isn’t destroyed by the malware first.

Typically (I think) the “immutability” term refers to some additional limits on the ability of files to be changed, after initial creation. Duplicati tends not to overwrite files, but it can delete unless configured not to…

Probably too simple but I’ll mention it anyway.

Backup to a USB drive then unplug it…

Neither the Internet with stolen credentials nor Ransomware can access a drive that’s unplugged.

Of course, the very key item is that the drive does get unplugged and preferably is then replaced with another creating a “backup rotation”.

From past experiences, any and all connected drives will be (re-)encrypted by the Ransomware, locking you out of the contents of the connected drive(s). If you have multiple drives in the rotation, each containing multiple versions of your files, you should be fairly well protected even if the currently connected drive does get encrypted by Ransomware.

If “unplugging the drive” is an issue, i.e. physical access or simply remembering to do it, you could set a script to run after the backup completes that would eject/dismount the drive.

That doesn’t guarantee that Ransomware can’t somehow figure out a way to remount the drive but from what I can see it would take a lot more coding effort to do so and would probably only represent a fringe amount of users typically in that state.

The other side effect of ejecting is that until the drive is re-mounted, either by physical means or via scripting (doable but getting tricky), the backup won’t be able to see the drive and backups will fail.

1 Like
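The post-backup eject script suggested in the post above, together with the re-mount step it calls tricky, as an added example that is not part of the original thread and not Duplicati's own code. It assumes Linux, an `/etc/fstab` entry with `noauto` for the hypothetical mount point `/mnt/backup-usb`, and that Duplicati calls the script through both `--run-script-before` and `--run-script-after`, which set `DUPLICATI__EVENTNAME` to `BEFORE` or `AFTER`.

```shell
#!/bin/sh
# Added example: one hook for Duplicati's --run-script-before and
# --run-script-after options. Assumed setup (not from the thread): Linux, and
# an /etc/fstab line with "noauto" for the hypothetical mount point below.
MOUNT_POINT="${BACKUP_MOUNT_POINT:-/mnt/backup-usb}"

# Map the Duplicati event name to what should happen to the drive.
drive_action() {
    case "$1" in
        BEFORE) echo mount ;;
        AFTER)  echo unmount ;;  # whatever the result: a failed run must not leave the drive attached
        *)      echo none ;;
    esac
}

# Mount the drive unless it is already mounted.
attach_drive() {
    mountpoint -q "$MOUNT_POINT" && return 0
    mount "$MOUNT_POINT"
}

# Flush pending writes, unmount, then confirm the drive is really gone.
detach_drive() {
    mountpoint -q "$MOUNT_POINT" || return 0
    sync
    umount "$MOUNT_POINT" || return 1
    ! mountpoint -q "$MOUNT_POINT"
}

run_hook() {
    case "$(drive_action "${DUPLICATI__EVENTNAME:-}")" in
        mount)
            attach_drive || { echo "cannot mount $MOUNT_POINT" >&2; return 1; } ;;
        unmount)
            detach_drive || { echo "$MOUNT_POINT is STILL MOUNTED" >&2; return 1; } ;;
    esac
}

# Duplicati sets DUPLICATI__EVENTNAME when it calls the script; do nothing otherwise.
if [ -n "${DUPLICATI__EVENTNAME:-}" ]; then
    run_hook
    exit $?
fi
```

Give the same script path to both options in the backup job, so the drive is attached only while an operation is running.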

I’ve got several of those because I sometimes do image backup before Windows version updates – just in case, and it also gives me a stale copy of lower-value data that I didn’t (by choice or lapse) back up online. Having multiple backups is good anyway, and one should evaluate the actual needs and tradeoffs such as cost, convenience, etc. Making things simple for you and tough for an attacker seems to need balancing.

Some storage types might, instead of immutability (with its drawbacks), allow rollback to a previous version. Microsoft 365 paid versions claim to be able to do that. Store files directly or store Duplicati’s backup files; however, I don’t know whether there’s an easy way for the malware (or you) to defeat this sort of rollback.

Yeah, I do this too but every 6 months or so anymore as that’s good enough for me.

Really, if the application backs up to some other computer or device in a way that requires username and password and only the application has access to it during runtime then it should be safe anyway.

Too often people do something like attach computers with Windows Network Sharing to a drive letter and save the username and password or make it so it doesn’t need one and anything can jump through that with no problem. Those that do it to another computer get multi fun.

At least far better than an open drive. By default, remote credentials are stored in a scrambled fashion, requiring some specialized software (or Duplicati) to get. It all depends on how secure one wants to be.

1 Like