Archive for December, 2010
Get your backups! Red hot backups!
We always hear how important backups are and that we need to back up often. What’s the right tool to use? That varies with your needs and how important your data is to you. I want to recommend a solution rooted in the BSD community called Tarsnap.
Tarsnap is a really easy to use command line utility that resembles the traditional tar(1) utility we all know and love. It compresses the data you want to back up, uploads it to Amazon S3 storage, and keeps it encrypted. The cost is $0.30 per gigabyte. It works on a prepaid basis: you deposit funds into your account and it draws from them as you transfer data. There’s a minimum $5 US deposit to start using it. The project is headed by the FreeBSD Security Officer Colin Percival, and the profits help fund the FreeBSD project.
Unfortunately, there’s no package or port for OpenBSD currently, so you’ll have to compile it from source. Fortunately, this is super easy on a BSD system, since all the necessary pieces are normally already in place, unlike on most Linux distros. Just to compare, I compiled it on CentOS 5.5 and kept getting prompted to install additional packages, as the installation instructions on the Tarsnap installation page mention.
There are a few caveats when building it on OpenBSD as opposed to FreeBSD, mainly the location of the tarsnap.conf file and the man pages. Since the configure script only detects that it’s building on a BSD, it takes a few FreeBSD liberties, such as placing tarsnap.conf.sample in /usr/local/etc instead of /etc. If you move the file to /etc the binaries will not see it. OpenBSD frowns on the use of /usr/local/etc because /usr/local is commonly exported over NFS. The other gotcha is that the man pages are installed to /usr/local/share/man, which does not exist by default on OpenBSD. This means you’ll need to make some adjustments in /etc/man.conf.
If you’re looking for easy and cheap cloud storage, I would strongly suggest that Tarsnap is the way to go. Being security conscious OpenBSD users, we can definitely appreciate the Tarsnap approach to backups.
Update: I found a workaround for the issue I had with the files being put in a FreeBSD-like directory structure. When you run the configure script you just need to pass a couple of extra arguments so that the files are put in the proper OpenBSD-sanctioned directories, like this:
# ./configure --sysconfdir=/etc --mandir=/usr/local/man
I recompiled Tarsnap and it worked like a charm without having to tweak /etc/man.conf or the like.
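To tie the build step and the backup step together, here is an added example script (not part of the original post or of the Tarsnap project) that bakes the OpenBSD-friendly configure arguments into a helper, stamps each archive with the host name and date, and refuses to run a backup unless /etc/tarsnap.conf exists and the key file it names is readable only by its owner. The key file is what decrypts the archives, so a loose mode on it undoes the point of encrypted backups. The helper names (tarsnap_configure_args, build_tarsnap, archive_name, check_conf, backup) are this example's own; `--configfile`, `-c -f` and the `keyfile` directive are standard tarsnap(1) usage.

```shell
#!/bin/sh
# Added example: build Tarsnap with OpenBSD-style paths and run a dated,
# sanity-checked backup. Helper names are this script's own.

TARSNAP_CONF="${TARSNAP_CONF:-/etc/tarsnap.conf}"

# Configure arguments that keep tarsnap.conf in /etc and the man pages
# under /usr/local/man, so no /etc/man.conf tweaking is needed.
tarsnap_configure_args() {
    printf '%s' '--sysconfdir=/etc --mandir=/usr/local/man'
}

# Build and install from an unpacked Tarsnap source tree given as $1.
build_tarsnap() {
    ( cd "$1" && ./configure $(tarsnap_configure_args) && make && make install )
}

# Archive names must be unique per key, so stamp them with host and date.
# $1 = host name, $2 = date as YYYY-MM-DD
archive_name() {
    printf '%s-%s' "$1" "$2"
}

# Refuse to back up unless the config exists, names a key file, and that
# key file is mode 0600 (no group/other bits). $1 = path to tarsnap.conf
check_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "missing $conf" >&2; return 1; }
    keyfile=$(awk '$1 == "keyfile" { print $2 }' "$conf")
    [ -n "$keyfile" ] || { echo "no keyfile directive in $conf" >&2; return 1; }
    [ -f "$keyfile" ] || { echo "keyfile $keyfile not found" >&2; return 1; }
    # Columns 5-10 of ls -l are the group and other permission bits;
    # ls -l is used instead of stat because stat flags differ between BSD and GNU.
    perms=$(ls -l "$keyfile" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "keyfile $keyfile is readable by group or others" >&2; return 1; }
    return 0
}

# Create a dated archive of the paths given as arguments.
backup() {
    check_conf "$TARSNAP_CONF" || return 1
    name=$(archive_name "$(hostname)" "$(date +%Y-%m-%d)")
    tarsnap --configfile "$TARSNAP_CONF" -c -f "$name" "$@"
}

# Typical use from cron, after `build_tarsnap /path/to/tarsnap-source`:
#   backup /etc /home
```

The permission check is deliberately strict: tarsnap-keygen writes the key file for root, and anything that copies it elsewhere (an NFS-exported /usr/local, a careless scp) is exactly what the OpenBSD objection to /usr/local/etc is about.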
Update 2: There’s been some recent chatter on the ports@ mailing list about a tarsnap port.
IPSec Backdoor?
If you haven’t already seen the news on Slashdot, Reddit, Ars Technica, OS News, or other sites: Theo de Raadt, the OpenBSD project leader, made public a letter sent to him by one of the original contributors to the OpenBSD IPSec network stack, originally developed about 10 years ago, stating that the FBI had inserted backdoors into the code while he was working for NETSEC. As Theo mentions in his response, it’s uncertain to what extent this affects OpenBSD or any other project that has borrowed code from it. I think it’s important to take these allegations with a very large grain of salt. Being an open source project, OpenBSD’s code is scrutinized by many eyes and undergoes the rounds of security audits that the operating system is so well known for. Why this is only now being brought forward is anyone’s guess; Gregory Perry, who sent the email to Theo, claims it’s because his NDA has expired. Also interesting to note: Scott Lowe, who is mentioned in the email as having been given some sort of ultimatum over his recent OpenBSD advocacy, has refuted the claims, stating that he has never been affiliated with the FBI. In any event, I am certain that OpenBSD developers will exercise due diligence by auditing the code to see if there is any warrant to the claims made by Perry. I don’t think this is anything to become paranoid about.
Here is an excerpt from Theo’s response:
The mail came in privately from a person I have not talked to for nearly 10 years. I refuse to become part of such a conspiracy, and will not be talking to Gregory Perry about this. Therefore I am making it public so that
(a) those who use the code can audit it for these problems,
(b) those that are angry at the story can take other actions,
(c) if it is not true, those who are being accused can defend themselves.