System for encrypted backup + restore for personal use

Scott-Simmons/sifo

Sifo: Securely Push and Pull to and from Backblaze

sifo enables cloud backup and restore functionality using backblaze as the cloud storage provider, and rclone as the synchronisation tool.

sifo also implements archive (*.tar.gz) and AES-256 (CBC) application-level local encryption.

Dependencies

None. Unless you are building from source.

System Requirements

sifo currently targets:

  • amd64 and arm64 architectures.
  • linux, windows, and darwin operating systems.

Note: Only linux/amd64 and darwin/arm64 have been tested through repeated usage. Use the others at your own risk. See Testing.

Installation

Download the appropriate binary for your system here, or use make install to build from source.

Building from source

Requirements

  • go >= version 1.20
  • make

Build and install. The default install location is /usr/local/bin. This can be configured with INSTALL_PREFIX.

make build
sudo env "PATH=$PATH:/usr/local/go/bin" "GOPATH=$HOME/go" make install
sifo --version

Uninstalling

sudo make uninstall

Configuration

To set up the rclone configuration file with a backblaze remote, create a file named ~/.config/rclone/rclone.conf with the following contents:

[backblaze]
type = b2
account = <bucket account name here>
key = <bucket account key here>
hard_delete = true

Get the bucket account value and key by creating a b2 bucket here.

Validate the rclone configuration file.

sifo config-validate --config-path=~/.config/rclone/rclone.conf

Generate an AES-256 encryption key. Keep this secure.

sifo gen-key > ~/.sifo_key
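
Both ~/.sifo_key and rclone.conf (which holds the b2 account key) are plaintext secrets, and a plain `>` redirect creates the key file with whatever permissions the current umask allows. The shell helpers below are an added example, not part of sifo: the function names are hypothetical, and the only assumption is that `sifo gen-key` writes the key to stdout as in the command above.

```sh
#!/bin/sh
# Added example (not part of sifo); function names are hypothetical.

# Succeed only if FILE is a regular file (not a symlink) that grants
# no permission bits to group or other.
secret_file_ok() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    # `ls -ld` prints e.g. "-rw-------"; chars 5-10 are group+other bits.
    mode=$(ls -ld "$f" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Report each path and return the number that failed (0 = all owner-only).
audit_secrets() {
    bad=0
    for p in "$@"; do
        if secret_file_ok "$p"; then
            echo "ok:   $p"
        else
            echo "FAIL: $p (missing, symlink, or group/other accessible)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Run COMMAND with stdout going to a new owner-only file at PATH.
# Refuses to overwrite, and removes the file if COMMAND fails.
# Usage: new_secret_file PATH COMMAND [ARGS...]
new_secret_file() {
    out=$1; shift
    if [ -e "$out" ] || [ -L "$out" ]; then
        echo "refusing to overwrite $out" >&2
        return 1
    fi
    ( umask 077 && "$@" > "$out" ) || { rm -f "$out"; return 1; }
}

# Intended use with the paths from this page:
#   new_secret_file ~/.sifo_key sifo gen-key
#   audit_secrets ~/.sifo_key ~/.config/rclone/rclone.conf
```

A non-zero exit from audit_secrets is the count of files to fix with chmod 600 before running a push or pull.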

Usage:

The examples below use a folder called /home/foo/Documents/Notes, a bucket called FileBackups, and a remote called backblaze.

Push a folder from local machine to backblaze remote:

sifo push \
    --src-dir=/home/foo/Documents/Notes/ \
    --private-key=~/.sifo_key \
    --bucket-name=FileBackups \
    --remote-name=backblaze:

Pull a folder from backblaze remote to local. On the remote, the directory is stored compressed and suffixed with tar.gz.enc. In this example, the files will be restored to /home/foo/restored_notes.

sifo pull \
    --backblaze-remote-file-path=Notes.tar.gz.enc \
    --backblaze-remote-name=backblaze: \
    --backblaze-bucket-name=FileBackups \
    --key-path=~/.sifo_key \
    --dst-dir=/home/foo/restored_notes

Testing

A subset of functionality is unit tested. A report on code coverage can be found via make test.

End-to-end testing is not implemented. There are practical challenges involved in setting up a suitable test environment for end-to-end tests that can interact with a real backblaze cloud environment.

Notes:

Encrypted rclone config

Currently, sifo does not support dependencyless configuration encryption. If you want to encrypt your configuration, you can do so by downloading rclone and setting it up by following the docs.

Once the config is encrypted, sifo can be used to push and pull folders, provided that RCLONE_CONFIG_PASS is exported.

Versioning the backups

Versioning can be configured in backblaze. Read more in the docs.

Rationale for application-layer encryption

backblaze provides server-side encryption. Similarly, rclone supports a crypt remote that provides encryption to the remote.

The rationale for implementing encryption outside of backblaze & rclone is to have complete control + redundancy over the encryption process, independent from the rclone & backblaze encryption implementations.

Rationale for full backups

For simplicity and reliability of restorations, full backups were chosen over differential or incremental backups.

Implementation details

sifo is fully statically linked with no runtime dependencies, with the optional exception of rclone if you want to encrypt your rclone config.

librclone exports shims that wrap over the rclone RPC. Hence sifo's rclone dependencies are included at compile time.
