Releases: symmetree-labs/zerostash
v0.7.0-pre1
This is a CI test, full release notes coming in the final release.
0.6.1: Pipe fixes
0.6.0: ZFS & more
The new release brings an upgraded dependency tree, stability fixes, and a feature I'm very excited about.
ZFS
You can now use Zerostash to store zfs snapshots wherever you want, with a centralized encryption & sealing interface.
This is how you do it:
snap=cloud-$(date +%FT%T)
zfs snap -r zroot@$snap
0s -c config.toml zfs commit -n zroot@$snap my_favourite_stash
When you run into trouble, and need to restore things, you can extract the same stash. 0s will even forward your command line arguments to zfs recv:
0s -c config.toml zfs extract -n zroot@$snap my_favourite_stash -- -suMd -x encryption storage
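The snapshot, commit and extract steps above as one script. This is an added example, not code from the Zerostash project: `DRY_RUN`, `POOL`, `STASH`, `CONFIG` and the function names are assumptions of the example, while the `zfs` and `0s` command lines are the ones shown above. It goes slightly beyond the page by validating the snapshot name and by never attempting the commit if the snapshot step fails.

```shell
#!/bin/sh
# Added example: the page's snapshot -> commit -> extract steps as functions.
# DRY_RUN, POOL, STASH and CONFIG are variables of this script (assumptions),
# not 0s options; the zfs/0s command lines are the ones from the release notes.
set -eu

POOL="${POOL:-zroot}"
STASH="${STASH:-my_favourite_stash}"
CONFIG="${CONFIG:-config.toml}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = execute them

# Same naming scheme as the page: cloud-<date>T<time>.
snapshot_name() {
    printf 'cloud-%s' "$(date +%FT%T)"
}

# Accept only a conservative character set, so a name taken from the
# environment or a cron wrapper cannot carry spaces or shell metacharacters.
valid_snapshot() {
    case "$1" in
        ''|*[!A-Za-z0-9_.:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Snapshot recursively, then commit that exact snapshot to the stash.
# If the snapshot fails, the commit is never attempted.
backup() {
    valid_snapshot "$1" || { echo "invalid snapshot name: $1" >&2; return 2; }
    run zfs snap -r "${POOL}@$1" || return 1
    run 0s -c "$CONFIG" zfs commit -n "${POOL}@$1" "$STASH"
}

# Extract the named snapshot; everything after "--" is forwarded to zfs recv.
# $2 is the receive target ("storage" in the page's command).
restore() {
    valid_snapshot "$1" || { echo "invalid snapshot name: $1" >&2; return 2; }
    run 0s -c "$CONFIG" zfs extract -n "${POOL}@$1" "$STASH" -- -suMd -x encryption "$2"
}

backup "$(snapshot_name)"
```

Run it as-is to review the commands it would issue, then set `DRY_RUN=0` to execute them.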
Dig into the archives
0s from 0.6 allows you to specify a --commit-id option whenever you interact with a stash. Instead of using the latest version of the stash, this will base it off of the specified commit.
0.5.0: Root of trust
0.5 is a huge milestone for Zerostash, paving the way for some long-term plans, including truly write-only backups. With 0.5, we're half-way there to truly ransomware-resistant backups. In this process, Zerostash 0.5 will also transparently upgrade your existing archives to a more robust encryption scheme that mitigates nonce-reuse and potential partitioning oracle attacks.
Write-only archives
With Zerostash 0.5 you can create a write-only archive on ordinary storage. While this mode is not useful against an attacker destroying your backups, it will help you make sure they can't read the archive contents without the correct keys. Note that the index is still accessible using your symmetric password, so they'll see all the file names, but not the contents.
This is how you back up your entire /:
0s keys gen /path/to/stash split_key --user [email protected] \
--read-keyfile ~/read_key.toml \
--write-keyfile ~/write_key.toml
0s commit --keyfile ~/write_key.toml /path/to/stash /
Hardware-based encryption with Yubikeys
Road warriors will appreciate that there's now a way to give a bit more of a personal touch to their backups. A Yubikey configured to perform Challenge-Response HMAC-SHA1 operations can require a touch to decrypt then re-seal the archive. Using challenge-response mode also allows you to easily create a backup Yubikey.
Note that if you decide that touch is what you want, you will need to pay attention to when 0s finishes crunching your data and seals the stash. To set up the Yubikey, consult the amazing documentation by Strongbox. If you just wanted to create an archive of your user directory on an external disk, this is how you do it:
0s commit --yubikey /mnt/path/to/stash /home/user
Depending on your preferences, you may want to create a keyfile:
0s keys gen /mnt/path/to/stash yubikey slot2 hmac1 --user [email protected] --keyfile home_backup.toml
Hardware security with macOS Keychain
macOS users will appreciate that they can configure Keychain to store their passwords. On modern Mac laptops, this means your Zerostash credentials are protected by the Secure Enclave. You can use this feature in conjunction with your Yubikey or split_key keys, too. If you're adventurous, synchronizing your Keychain with your iCloud account will enable access to your stashes on other fruity devices.
To generate a keyfile with Yubikey that picks your password from Keychain:
0s keys gen /mnt/path/to/stash yubikey --keychain --keyfile home_backup.toml
To simply run a backup and save the password to Keychain:
0s keys commit --keychain --user [email protected] /mnt/path/to/stash /home/user
Changing password
Up until now, there was no way to change the password of a stash once you created it. This has now changed. Right this way, please:
0s keys change /path/to/stash toml --keyfile home_backup.toml
To explore the full suite of new key operations, you can always consult the helpdesk:
0s keys --help
I want to try this, right now!
That's good to hear. You can access the binaries for Linux, Windows, and macOS straight from this release. You can also use Homebrew and Nix to install a packaged version in your system!
Have fun, and happy hacking!
0.4.1.1: Homebrew goods
This release is equivalent to 0.4.1, but brings support for binaries distributed through Homebrew.
0.4.1: Cache and keys: The pirate edition
This release adds a proper caching mechanism, as well as a few better ways to manage your keys.
For the full variety of configuration options, make sure to check out config.toml.example in the repo!
macOS Keychain support
On macOS, you can use the following config snippet to store your keys in Keychain:
[stash.example_keychain]
key = { source = "macos_keychain", user = "[email protected]"}
backend = { type = "fs", path = "/path/to/stash" }
Keyfile
External keyfiles are supported everywhere! Zerostash adds this, so you can copy/paste your config, and provision keyfiles through whatever you need.
[stash.local_keyfile]
key = { source = "file", path = "keyfile.toml.example" }
backend = { type = "fs", path = "/path/to/stash" }
Local file cache
This is probably the most interesting thing. You can create a local cache for all your files in the cloud, so you can quickly update your backups and run queries on files stored locally. Zerostash will automatically keep in the cache the most recently used files and folders, while making sure all the metadata queries stay fast.
You can use it with any kind of upstream, but your local copy needs a directory path.
[stash.remote_cached]
key = { source = "ask" }
[stash.remote_cached.backend]
type = "fs_cache"
path = "/Users/user/Code/repo"
max_size_mb = 1000
[stash.remote_cached.backend.upstream]
type = "s3"
bucket = "test_bucket"
region = { name = "custom", details = { endpoint = "https://127.0.0.1:8080/", "region" = "" }}
0.4: Native S3 support
The major addition is native synchronization to S3, and some minor tuning of the chunking algorithm.
0.3.1
0.3
Release 0.2
Smarter command line, and separate out the infinitree encrypted database for storage.