Hacker News new | past | comments | ask | show | jobs | submit login

All the data is encrypted before it ever leaves your machine. Not even cperciva should be able to read it.

You can also create a write-only key. If you run tarsnap from a server which gets pwned, the attackers can't touch the existing backups. Don't be the next Astalavista[1].

[1] http://joncraton.org/blog/49/analyzing-the-astalavista-hack




With Crashplan, all data is encrypted before it leaves your machine if you use a private key. The pricing is MUCH better and it's not a single man operation.

If you're paranoid about it being closed source, you can make a quick script to encrypt sensitive data, copy it to another folder, then sync that encrypted folder online. I do something similar with a small % of my data.

As far as server backups, it's trivial to script a copy to your local machine then let Crashplan sync that.


The thing is that Colin Percival has done genuinely novel computer science, real heavy lifting, to make both strong encryption and smart de-duplication possible in the same service.

So far as I know, nobody else has done that.

In practice tarsnap is cheaper than everything else because of the dedupe.


Why do you say so? Crashplan lets you have your own clientside keys that never leave your computer.

Crashplan does dedupe and compression but has UNLIMITED storage/bandwidth for one price.


Well you have me there. I'll fall back on the fact that Colin's code is available and that he's published papers covering all the maths and computer science that leads up to being able to dedupe without sending stuff to the server or decrypting on the server side.


I would have trusted that more if the tarsnap client had source code available.


The source code is available; it's available under a "shared source" license rather than free software/open source (you can look at it, but not modify it), but it is available for review. https://www.tarsnap.com/download.html

He also has a bug bounty http://www.tarsnap.com/bugbounty.html, and several substantial security bugs have been found and fixed due to the bug bounty (http://www.tarsnap.com/bounty-winners.html). In fact, the first of those, the AES CTR nonce bug, was found before he had offered the bounty program; the bounty program was inspired by that bug, and has since led to the discovery of several other more minor issues.

So, the source is available, and there's a bounty out for discovering bugs ranging from cosmetic issues to major security issues. Feel free to review it and submit any bugs you find!


"At the present time, pre-built binaries are not available for Tarsnap — it must be compiled from the source code." https://www.tarsnap.com/download.html


Er, https://www.tarsnap.com/download.html




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: