I was helping a friend build some immutable backup storage recently, and we put some interesting FOSS tools to use. The results were great. This is not a plug for anything, just my observations.
MinIO: MinIO is an S3-compatible object storage system, with commercial tiers available for enterprise users. The features that mattered to us were server-side encryption at rest with keys held in MinIO’s KES (Key Encryption Service) rather than on the storage host, bucket versioning with Object Lock (Object Lock requires versioning, and together they are what stop a compromised ingest host or a stolen credential from deleting or overwriting existing backups before their retention period expires), and simplicity of setup and maintenance. By placing the MinIO host on a dedicated network segment behind an OPNsense firewall, we expose only the S3 API, and only to a single data ingest host that performs all the front-end work, like a heavy forwarder for backups. It also pays to give the ingest host its own access key, with a policy scoped to that one bucket and no right to bypass retention or switch versioning off. This keeps the backup data cozy and safe. The data storage and data ingest hosts can still be hardened to STIG or CIS benchmarks, of course!
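One check worth running on whatever policy the ingest host's access key ends up with, as an added example (my own code for this write-up, not MinIO's and not part of the original post): the script below reads an S3/MinIO-style IAM policy document and reports any action that could delete object versions, lift retention, or turn versioning or Object Lock off. The bucket name `backups`, the three sample policies and the denylist of actions are assumptions for the example; trim the denylist to whatever your backup tool genuinely needs for its own maintenance.

```python
"""Audit an S3/MinIO IAM-style policy for rights that defeat bucket immutability.

Example added for this write-up, not MinIO's own code. It applies the usual
Allow/Deny evaluation (explicit Deny wins, wildcards expanded with fnmatch)
and reports which immutability-breaking actions a policy would let the
ingest host's credentials perform on the backup bucket.
"""
import fnmatch
import json

# Actions that delete object versions, shorten or lift retention, or switch
# versioning/locking off. The list is this example's assumption; check it
# against what your backup tool itself needs for repository maintenance.
IMMUTABILITY_BREAKING = (
    "s3:DeleteObject",          # on a versioned bucket only adds a delete marker,
    "s3:DeleteObjectVersion",   # but still hides data from listings
    "s3:BypassGovernanceRetention",
    "s3:PutObjectRetention",
    "s3:PutObjectLegalHold",
    "s3:PutBucketObjectLockConfiguration",
    "s3:PutBucketVersioning",
    "s3:DeleteBucket",
    "s3:ForceDeleteBucket",     # MinIO-specific: delete a non-empty bucket
)


def _matches(patterns, value):
    """IAM-style, case-insensitive wildcard match of value against patterns."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def _touches_bucket(statement, bucket):
    """True if any Resource pattern covers the bucket ARN or its objects."""
    targets = (f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/any-key")
    return any(_matches(statement.get("Resource", []), t) for t in targets)


def audit_policy(policy_json, bucket):
    """Return the immutability-breaking actions `policy_json` allows on `bucket`.

    Only Action/Resource statements are evaluated; NotAction, NotResource and
    Condition blocks are out of scope for this example.
    """
    allowed, denied = set(), set()
    for stmt in json.loads(policy_json).get("Statement", []):
        if not _touches_bucket(stmt, bucket):
            continue
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target.update(a for a in IMMUTABILITY_BREAKING
                      if _matches(stmt.get("Action", []), a))
    return sorted(allowed - denied)   # explicit Deny wins, as in IAM


# Constructed sample policies for an ingest host writing to bucket "backups".
SLOPPY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"}]})

# Allow-everything with Deny carve-outs: the usual "I'll just block deletes".
CARVE_OUT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::backups", "arn:aws:s3:::backups/*"]},
    {"Effect": "Deny",
     "Action": ["s3:Delete*", "s3:BypassGovernanceRetention",
                "s3:PutBucketVersioning", "s3:PutBucketObjectLockConfiguration"],
     "Resource": ["arn:aws:s3:::backups", "arn:aws:s3:::backups/*"]}]})

# Least privilege: name the handful of actions the writer actually needs.
TIGHT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetBucketLocation", "s3:ListBucket",
                "s3:GetObject", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::backups", "arn:aws:s3:::backups/*"]}]})


if __name__ == "__main__":
    for name, pol in (("sloppy", SLOPPY_POLICY), ("carve-out", CARVE_OUT_POLICY),
                      ("tight", TIGHT_POLICY)):
        print(f"{name:10s} -> {audit_policy(pol, 'backups') or 'clean'}")
```

The carve-out policy is the instructive one: `s3:Delete*` does not cover `s3:ForceDeleteBucket`, and nothing denies `s3:PutObjectRetention` or `s3:PutObjectLegalHold`, so the audit still flags three actions. Naming the allowed actions explicitly, as the tight policy does, is what makes the result come back clean.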
Corso Backup: Corso is a Microsoft 365 backup client, with FOSS and premium editions available. Purely CLI-driven, this lightweight and easy-to-use tool backs up Microsoft 365 data such as Exchange and SharePoint to a variety of backup destinations, including self-hosted S3-compatible repositories. It has a small footprint on the data ingest host and brings the usual nice-to-haves such as deduplication.
Slack Nebula: Nebula is a mesh overlay network. It tunnels IP traffic between hosts inside UDP packets, encrypted with the Noise protocol framework rather than TLS, and uses a “lighthouse” node on a reachable network so that peers can discover each other’s public endpoints and hole-punch through NAT; once a session is up, traffic flows directly between the peers. Each host needs its own certificate (issued with nebula-cert from a CA you run, with the host’s overlay IP and group names embedded in it) plus a configuration file, and the open-source release provides no automatic onboarding or enrollment tooling (Slack uses Nebula for its internal network, and one must assume they have sophisticated tooling in-house). The manual process is compensated for by how well and reliably it works, and by the firewall section of the YAML configuration: it is default-deny, and each rule admits traffic by port, protocol and the peer’s certificate name, groups or overlay CIDR, so access is tied to identity rather than to whichever address a host happens to have. With pre- and post-backup scripts to establish and drop the Nebula tunnel, remote hosts can be backed up to the immutable S3 bucket via the intermediary ingest host, without a site-to-site VPN or any permanent connectivity. Well-defined rules ensure that only the minimum necessary surface area is exposed between hosts, for the minimum necessary interval, and never to public or transit networks.
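To show how Nebula's per-host firewall ties access to certificate identity, here is an added example (my own code for this write-up, not Nebula's and not from the original post): a small evaluator for the `firewall: inbound:` rules, run against constructed peers. The ingest port 9000, the group names and the peer identities are assumptions; the rule keys are the ones Nebula's YAML uses, so a real config can be loaded with PyYAML and fed to the same functions.

```python
"""Evaluate Nebula host-firewall rules offline.

Example added for this write-up, not Nebula's own code. Nebula's `firewall:`
section is default-deny and allow-only: an inbound packet is accepted when
some rule matches its port, its protocol and the peer, identified by the
name or groups in the peer's Nebula certificate or by its overlay IP (cidr).
This evaluator reproduces that matching for rules expressed as Python dicts
(the same keys as the YAML); it assumes one peer selector per rule and skips
ca_name, ca_sha, local_cidr and connection tracking.
"""
import ipaddress

# Inbound rules for the hypothetical ingest host (constructed; these would sit
# under `firewall: inbound:` in its Nebula config). Port 9000 is assumed.
INGEST_INBOUND = [
    # the ingest port, only from certificates carrying BOTH groups
    {"port": 9000, "proto": "tcp", "groups": ["backup-source", "site-a"]},
    # ping for a pre-backup reachability check, from any backup source
    {"port": "any", "proto": "icmp", "group": "backup-source"},
]

# The permissive rule from Nebula's example config: fine for outbound on a
# client, an anti-pattern for inbound on the ingest host.
PERMISSIVE_INBOUND = [{"port": "any", "proto": "any", "host": "any"}]


def _port_ok(rule_port, port):
    """Nebula ports: 'any', a single number, or a 'lo-hi' range."""
    if rule_port == "any":
        return True
    if isinstance(rule_port, int):
        return rule_port == port
    parts = str(rule_port).split("-")
    lo, hi = int(parts[0]), int(parts[-1])
    return lo <= port <= hi


def _peer_ok(rule, peer):
    """Match the peer selector: host (cert name), group, groups (all), or cidr."""
    if "host" in rule:
        return rule["host"] in ("any", peer["name"])
    if "group" in rule:
        return rule["group"] == "any" or rule["group"] in peer["groups"]
    if "groups" in rule:
        return all(g in peer["groups"] for g in rule["groups"])
    if "cidr" in rule:
        return ipaddress.ip_address(peer["ip"]) in ipaddress.ip_network(rule["cidr"])
    return False   # no selector: Nebula refuses such a rule at config load


def allowed(rules, peer, proto, port):
    """True if any rule admits `proto`/`port` from `peer` (default deny)."""
    return any(_port_ok(r["port"], port)
               and r["proto"] in ("any", proto)
               and _peer_ok(r, peer)
               for r in rules)


def overly_broad(rules):
    """Indexes of rules that admit any peer on any port: least-privilege lint."""
    return [i for i, r in enumerate(rules)
            if r.get("host") == "any" and r["port"] == "any"]


# Constructed peers; name, groups and ip come from each host's certificate.
FILESERVER = {"name": "site-a-fileserver", "groups": ["backup-source", "site-a"],
              "ip": "10.77.0.20"}
SITE_B = {"name": "site-b-fileserver", "groups": ["backup-source", "site-b"],
          "ip": "10.77.0.30"}
LAPTOP = {"name": "admin-laptop", "groups": ["admin"], "ip": "10.77.0.99"}


if __name__ == "__main__":
    for peer in (FILESERVER, SITE_B, LAPTOP):
        for proto, port in (("tcp", 9000), ("tcp", 22), ("icmp", 0)):
            print(peer["name"], proto, port, allowed(INGEST_INBOUND, peer, proto, port))
    print("overly broad rules:", overly_broad(PERMISSIVE_INBOUND))
```

Note that `site-b-fileserver` carries `backup-source` but not `site-a`, so the `groups` rule (all listed groups must be present) keeps it off port 9000 while the single-`group` ICMP rule still lets it ping; that distinction is the whole reason to put site membership in the certificate rather than in a CIDR.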
While this isn’t architected to suit an organisation the size of HP, it is an excellent implementation for a small or lab environment, and it was fun for my friend and me to build something functional from FOSS tools while keeping to the spirit of least privilege and secure by design.