Tarsnap – Secure online backup

I’ve recently set up Tarsnap on my servers to keep my important things backed up securely. It’s ridiculously simple to get started and who can turn down software with the tagline “Online backups for the truly paranoid”?

I already had a ‘backup’ solution in place that simply rsynced my data from my remote servers to one I have here at home, and visa-versa, so that I always had two copies of most of my irreplaceable data at any one time. Shell scripts would handle this and rotate the data for 7 days before removing it. As I’m lazy, I wanted to use these existing ‘backups’ and throw them up on Tarsnap as an extra layer of security.

Tarsnap encrypts all of your data with a key only you have access to. This means that even if the developer wanted to, he wouldn’t be able to access your information. This also means that government organisations can’t get hold of it either (unless you’re in the UK, in which case they can RIP your keys off you, although IANAL).

Tarsnap will also deduplicate all of your data and compress it, as well as only uploading files that have changed. You will only pay for the storage you use, and the bandwidth you use uploading the changes, which works out to $0.30/GB/month for storage, and $0.30/GB in bandwidth used. It’s actually billed in bytes and ‘picodollars’, so you really are only paying for what you use. This works out very, very cheaply. The initial $5 (~£3.13) payment for setting it up will likely last you for months if you’re not uploading and storing all that much.

So, let’s get started:

  1. Tarsnap doesn’t have any pre-built packages, so firstly ensure you have GCC installed, along with the OpenSSL, zlib and e2fsprogs development libraries. If you’re using a RHEL/Fedora derivative, the following should do the trick:
  2. Download the tarsnap source code, optionally verify it, and extract it ready for building (check you’re getting the latest version!):
  3. Next up we need to do the standard ./configure, make, make install routine. I usually install non-packaged software in its own directory under /usr/local to make removal easier, and all the following instructions are based on that assumption.
  4. As I’ve installed the binaries and manpages to /usr/local/tarsnap/…, you’ll have to adjust the $PATH and $MANPATH variables if you don’t want to type full paths. You’ll still need to use full paths in your scripts, though, and likely when using sudo – bear this in mind. Add the following to the bottom of your ~/.bashrc or ~/.zshrc – no doubt someone will point out these are the incorrect files for these, but it works for me.
  5. Next up, we need to inspect the tarsnap configuration file and make any necessary adjustments. Also, gaining root at this point will simplify things.
  6. Now we need to generate our keyfile to secure the content we’re uploading. You’ll need to enter your tarsnap password at this point as well.
  7. Depending on how you intend to use tarsnap, you may need to adjust those permissions so that users other than root can read the keyfile. I’ll be running my backup scripts as root, so it’s limited as such. You will also want to take a copy of that keyfile and place it somewhere safe, as without it you cannot access your backups.
  8. At this point I ran tarsnap with the --fsck option to force it to create its cache directories. You probably won’t need to do this, however…
  9. You should now be good to go! As an example, let’s say we have a directory called ‘/backups’ and we’d like everything under that to be uploaded to tarsnap. The following command should accomplish this:

    To explain: the -c flag creates a new archive, which you name with the -f flag (in this case a date and time), followed by the directory or directories you wish to back up. That’s it! Once complete you can view your uploaded archive with:

    And extract it with:

  10. The beauty of all of this is that you can easily script it and shove it in a cron job. Every Wednesday and Sunday my server runs the following script to upload parts of my backup directory to tarsnap and email me the results:
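
A cron wrapper along the lines of steps 7, 9 and 10, written as an added example and not the author's own script. The binary path, keyfile path and archive prefix are assumptions; adjust them to your install.

```shell
#!/bin/sh
# Added example: cron wrapper for the tarsnap upload described in steps 9-10.
# Assumptions (not from the original post): the binary location under the
# /usr/local/tarsnap prefix, the keyfile path and the "backups" archive prefix.
TARSNAP="${TARSNAP:-/usr/local/tarsnap/bin/tarsnap}"
KEYFILE="${KEYFILE:-/root/tarsnap.key}"
PREFIX="${PREFIX:-backups}"

# Step 7: the keyfile decrypts every archive, so refuse to run unless it is
# owned by the invoking user and has no group/other permission bits.
# Uses GNU stat (-c), as found on the RHEL/Fedora systems the post targets.
keyfile_ok() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%u' "$1")" = "$(id -u)" ] || return 1
    case "$(stat -c '%a' "$1")" in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# Archive names must be unique, so use the prefix plus a UTC timestamp.
archive_name() {
    printf '%s-%s\n' "$1" "$(date -u +%Y-%m-%d_%H-%M-%S)"
}

# Create one archive from the given directories. Returns 2 without calling
# tarsnap if the keyfile check fails, otherwise tarsnap's own exit status.
run_backup() {
    if ! keyfile_ok "$KEYFILE"; then
        echo "refusing to run: $KEYFILE missing or too permissive" >&2
        return 2
    fi
    name=$(archive_name "$PREFIX")
    echo "creating archive $name"
    "$TARSNAP" --keyfile "$KEYFILE" -c -f "$name" "$@"
}

# Run only when given directories, e.g. from cron: backup.sh /backups
# cron mails the output to MAILTO, which covers emailing the results.
if [ "$#" -gt 0 ]; then
    run_backup "$@"
fi
```

Because the script exits non-zero when the keyfile check fails, a loosened keyfile shows up in the cron mail instead of going unnoticed.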