Skip to content

piorpiedev/BackupUSB

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

44 Commits
archive
archive
 
 
backups
backups
 
 
configuration
configuration
 
 
crypto
crypto
 
 
images
images
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
build.bat
build.bat
 
 
go.mod
go.mod
 
 
main.go
main.go
 
 
stripBinaries.py
stripBinaries.py
 
 

Repository files navigation

BackupUSB

This is a simple project, meant to safely backup to an external drive one or multiple paths, recursively, in order for them to be restored later

This project is MEANT to rely on asyncronous encryption, in order to keep the backups (stored with the program to generate them) and the decryption key separate

Commands

Usage: backup [help | config | decrypt]

  * backup help
     - Shows you this message

  * backup config
     - Lets you edit the program configuration

  * backup decrypt <file> [destination] [--tar]
     - Decrypts a previous backup file
     - You can also set the private key as an enviroment variable (PRIV_KEY) to avoid pausing
     - Please AVOID storing the key as a persistent value and only set it on each execution

No Args

If a config is found (config.bc) this will simply start backing up the paths in the given config

Config (backup config)

This will open an interactive config editor in terminal, since the config itself is stored in a statically encrypted format

config

Decrypt (backup decrypt)

You can run this command to decrypt a given backup

The destination path refers to the path of the decrypted output. It defaults to _[FILENAME] for backups extracted to folders, and to [FILENAME].tar for backups only uncompressed, and still in a tar format

Finally, you can specify the argument --tar either as the first or as the last argument, in order to only decompress the backup, and not extract it (as described above)

How does it work

First run

When the program is first executed, is creates a default config, suggests a randomly generated key pair (the public key is added to config automatically) and the config editor is opened

Encryption

Backups that exceed the amount specified in config (default 5) get deleted (oldest first). Set it to -1 to disable

The file is created, and 64 bytes at the start are skipped for the macsum

The pre-encrypted header is written to file, as well as the data itself, that gets encrypted at the same time as it's archived (in order to avoid any possible file recovery)

The macsum of the rest of the file (both encrypted header AND data) is finally written at the start of the file

Decryption

The MacSum is read, followed by the header

MacSum of the encrypted header and data is calculated and compared to the MacSum found previously

IF, and only if, they match, continue with the decryption and decompression, and if unspecified (--tar is not set) with the extraction, as described above

TODOs

  • Check if the linux binary shipped within the releases actually works, since lukechampine/blake3 requires C support
  • Add test coverage
  • Insert an actual args manager, allowing to specify the command arguments and pass them more clearly
  • Add sftp support for backups (with option to ALSO store locally, as well as to send to multiple sftps)
  • Instead of saving folders/files inside of the tar directly, first check that the names don't repeat themselves
  • Add an option to store the paths with a full path, instead of just the basepath specified
  • Give more flexibily on the compression, allowing to change the compression level, as well as the algorithm itself

Algorithms

  • Blake3: Used for the MacSum of the already encrypted file, in order to verify the file integrity before decrypting
  • Crystals Kyber K2SO: Used to generate and safely encrypt the whole header, key by key
  • AES256 CTR: Used to encrypt the main data block, using a random key generated by Crystals Kyber on every encryption
  • Tar: Used to generate a constant stream of data, archiving the files (uncompressed)
  • Zstandard: Used to compress the already tarred file (compression level 5)

Streams

In order to garantee for everything to be done in memory, whilst working for very large file, the program in based on a series of read/write streams

Encryption

File I/O (Files) -> Tar -> Zstandard -> AES Encrypt -> File I/O (Backup) AND MAC

Decryption

  1. File I/O (Backup) -> MAC

  2. File I/O (Backup) -> AES Decrypt -> Zstandard -> UnTar [Optional] -> File I/O (Tar/Files)

File Structure

[MacSum] | [AesKey] [IV] [MacKey] | [Data]

First Block (MacSum, Plain/Blake3)

  • [MacSum]: 64B - Blake3 of the already encrypted file, in order (both header and data)

Second Block (Header, Crystal)

  • [AesKey]*: 1568B / 32B - Random key generated with Crystals Kyber
  • [IV]*: 1568B / 16B - Random key generated with Crystals Kyber (NOTE: On decryption this returns 32B, we only take the first 16 of those)
  • [MacKey]*: 1568B / 32B - Random key generated with Crystals Kyber

*The keys in this block have a different size when encrypted and decrypted

Third Block

  • [Data]: AnySize / Same Size - AES256 CTR - This is the encrypted version of the compressed archive, containing the backed up files

About

Backup folders to an external drive, securely

Topics

backup post-quantum-cryptography encryption-tool zstandard aes-ctr blake3 kyber-crystal usb-backup

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

2 tags

Contributors 2

  •  
  •  

Languages