Zerostash

Zerostash is a deduplicated, encrypted file store with versioning.

It was designed for speed and to secure all metadata related to the files, including the exact size of the data that is stored.

On a M1 Macbook Air, Zerostash can achieve speeds of around 1GB/s.

Use cases

• Incremental backups in the cloud, or on external hard drives
• Encrypt and store entire workspaces for fast sync between computer
• Git on crypto

Getting started

Once you install the 0s command using one of the methods below, you can start backing up:

0s commit /path/to/repository $(pwd)

That's it! No configuration necessary.

You will be asked for a username and a password to create a stash, which you'll need to enter on any subsequent invocations.

If you want to get fancy, you can leave a note with your commit, just like you do with Git.

0s commit -m 'My first backup!' /path/to/repository $(pwd)

Commits are only created if there are changes between runs to preserve space, and speed things up.

You can then restore your backups using the checkout subcommand and entering your credentials:

0s checkout /path/to/repository files_to_restore/*

For more details, run

0s --help

Remote backups

You can send your backup objects to an S3-compatible remote destination by using the following syntax:

0s commit s3://accesskey:secretkey@region#server.com/bucket /

For instance, if your files are on AWS, in the us-east-1 region, you can use the bucket like so:

0s commit s3://us-east-1#/backups

Omitting the access and secret key parameters from the URL will read them from the environment:

export AWS_ACCESS_KEY_ID=xxxx
export AWS_SECRET_ACCESS_KEY=xxxx

Configuration

An config file with examples and documentation can be found in this repository.

Place it at ~/.config/zerostash/config.toml, or inside your $XDG_CONFIG_HOME/zerostash directory.

Using a configuration file is optional, but can make managing stashes easier, and some powerful backend configurations are currently not exposed on the CLI.

An example config looks like so:

[mystash]
key = { source = "ask"}
backend = { type = "fs", path = "/archive" }

To use your newly defined mystash stash in your backups, just use it instead of a path to the repository.

0s commit mystash /path/to/movies

Installation

Zerostash works on Linux, macOS, and Windows, and you can download pre-built binaries!

If you're looking for package manager integrations, though, look below.

Installation on macOS

There is a homebrew tap you can use!

brew install symmetree-labs/homebrew-tap/zerostash

Installation on NixOS

This repo is actually a nix flake! You can include the zerostash package in your flake-based configurations, or just run it like this:

nix run github:symmetree-labs/zerostash

Note: nix/macOS currently is not supported due to a known issue. Please help us find a workaround!

Install with cargo

Assuming you have cargo installed on your system, you can use it to install zerostash from crates.io.

cargo install zerostash

Using pre-built binaries

You can download a static Linux binary from the GitHub Releases page.

Place it in your $PATH, and then run:

0s --help

Build from source

The usual Rust incantation will also do to build the binary yourself. Use rustup to get cargo running or use your package manager, then off you go:

cargo build --release

Threat model

Zerostash considers the following things to be part of the threat model:

• Protect data confidentiality, integrity and authenticity
• The exact size of data should not be known
• Individual user data shouldn't be attributable on shared storage
• Once a data is shared, it is no longer secure.
• Deleting data from the storage should be possible
• Access to only the key and raw data should not be sufficient for full data compromise

Design

For more details about the cryptographic design, consult the documentation in the underlying Infinitree library.

Security notice

This is unreviewed security software. Use at your own risk.

License

Distributed under GPLv3.