I would appreciate more information on the advertised feature: SSH Append-Only Mode

[ovizii]

This is the main reason I would like to start using BBS but upon further digging around this seems limited.

The docs of BBS, at least as far as I have found the right one: https://github.com/marcpope/borgbackupserver/wiki/Remote-Storage only touches upon this topic in a minor sentence under "Best practices":

Enable append-only mode on the remote host if your provider supports it (rsync.net does)

This feels a bit wrong, advertising a feature that then gets dealt with in one sentence. I read up some more and found out that this feature is also available on a Hetzner Storage box: https://docs.hetzner.com/storage/storage-box/access/access-ssh-rsync-borg/

They link to borg's docs, where I found this info, meaning it can even be enabled per repository or per used ssh key?

In addition, borg serve can act as if a repository is in append-only mode with its option --append-only. This can be very useful for fine-tuning access control in .ssh/authorized_keys:

command="borg serve --append-only ..." ssh-rsa
command="borg serve ..." ssh-rsa

BBS's docs for setting up a Hetzner Storage box: https://www.borgbackupserver.com/hetzner/ only shows a drop-down to select the borg version on Hetzner's side but since its a drop-down, it looks like one cannot pass any parameters?

[ovizii]

Just to add more info. I found this page: https://www.borgbackupserver.com/security/ where I found this quote:

Immutable Backups
Append-only mode
stops ransomware

Every agent connects via SSH with forced commands that restrict it to borg serve --append-only. Agents can create new archives but can never delete, modify, or overwrite existing ones.

Does this mean, the append-only feature can be enabled even for remote repositories i.e. Hetzner Storage box?

[marcpope]

Thanks for pushing on this @ovizii — you're right that the docs undersell how this works, and the Hetzner setup screen doesn't (yet) surface the knob you're asking about. Let me lay it all out.

How append-only works in BBS

Borg's append-only mode is a server-side restriction that lets clients write new archives but forbids them from deleting or modifying existing ones. Even a compromised agent — ransomware, hostile admin, stolen SSH key — can add backups, but it cannot erase the ones already on disk. Prune and compact still work; they run from the BBS server itself, which holds a separately-privileged key path.

Direct backups (client → BBS server): enforced automatically.

Every agent SSH key added to a BBS-managed tenant is installed in authorized_keys like this:

command="/usr/local/bin/bbs-ssh-gate /var/bbs/home/<tenant>",restrict ssh-ed25519 AAAA…

Two things are happening there:

1. restrict disables port forwarding, X11, agent forwarding, PTY allocation, and user rc execution. The key can't be used for anything other than the forced command.
2. command="…bbs-ssh-gate…" ignores whatever the agent asks the server to run and hands control to bbs-ssh-gate. The gate inspects SSH_ORIGINAL_COMMAND and for normal borg traffic execs:

   borg serve --append-only --restrict-to-path <tenant home> [--restrict-to-path <extra storage>…]
   

So every borg operation the agent runs against the BBS server is sandboxed to that tenant's paths and forbidden from destructive operations. The agent literally cannot issue a delete or a prune over the wire, regardless of what its borg client tries to send. That is the protection advertised on the security page.

Offsite repos (BBS → rsync.net / Hetzner / BorgBase / etc.)

This is where your reading of the borg docs is exactly right, and it's also where BBS stops being able to help you automatically.

When a backup targets a third-party SSH repo, BBS orchestrates the transfer but does not own the remote's authorized_keys file. borg serve --append-only has to be forced on the remote side, by the remote's key configuration — BBS can't inject it. That's why the Hetzner setup page only shows a borg-version dropdown: there's no BBS-side toggle that can reach into your Storage Box and rewrite your keys for you.

The good news is every major offsite borg provider supports this directly, exactly the way the borg docs you quoted describe it:

• Hetzner Storage Box: edit ~/.ssh/authorized_keys over SSH/SFTP and prefix your BBS-issued key with command="borg serve --append-only --restrict-to-path /home" (plus restrict if you want the same hardening as BBS uses internally).
• rsync.net: same pattern in their authorized_keys.
• BorgBase: they have a UI checkbox called "Append-only key" — just flip it for the key BBS gave you.

Once you've done that, the offsite copy gets the same ransomware protection as the on-box copy. If you skip it, a compromised agent can reach into the offsite repo and delete archives the same way a legitimate prune does — the offsite repo is only as tamper-resistant as whatever restriction the provider's key enforces.

What I'll fix on our side

1. Expand the Remote Storage wiki page from that one-sentence mention into a real section, with copy-pastable authorized_keys snippets for Hetzner, rsync.net, and BorgBase.
2. Add a note directly on the Hetzner setup screen in BBS telling you to flip on append-only on the Storage Box and linking to the instructions.

Tracking those as documentation follow-ups — thanks for flagging that the current docs punt on what is genuinely one of BBS's main selling points.

[ovizii]

Thanks a lot for the detailed reply. I am glad you picked up a few thigns to correct in your docs. Sorry for the delayed reply, I am still catching up on a few discussions.