chill is a command-line backup tool for incremental, offline (cold storage) and encrypted archives:

  • offline/cold storage: the archived content is meant to be stored on disks that are only temporarily attached to a computer

  • incremental: the tool keeps a local state of the processed files and skips the ones that are already stored during the previous sessions.

  • encrypted: the tool encypts the content on the disk so unauthorized tools or persons cannot observe its content.

Limitations and disclaimers

  • May not work.
  • May lose data.
  • May not protect data.
  • Data format is not stable.
  • Does not track renames and deleted files. (yet)
  • Does not deduplicates content (within- or cross-sessions).

Warning: This is an opinionated tool for a very special use-case. If you are unsure about it, please use a different backup tool.

The goal of this tool is to create incremental cold storage archives that can be stored on offline hard drives at untrusted offsite locations (or cloud storage). The tool keeps track of the already processed files in a local repository, and the archived files can be shipped out and kept offline (until a restore is needed).

NOTE: The tool is experimental and may have breaking changes in the future.

Example use

dart pub global activate chill 0.1.0

dart pub global run chill init \
  --repository ~/path/to/local/repository \
  --source /path/to/input/one \
  --source /path/to/input/two

# backup session with a 800 GiB limit
dart pub global run chill backup \
  --repository ~/path/to/local/repository \
  --output /mnt/disk1/targetdir \
  --limit 800gib
# restoring
dart pub global run chill restore \
  --repository ~/path/to/local/repository \
  --input /mnt/disk1/targetdir \
  --output /path/to/restore

Respository

chill stores its main chill.yaml config and its tracking data locally. This is considered a trusted location and the repository itself is not encrypted.

Each backup command creates a new session file in the sessions/ subdirectory. The file contains the session's encryption key and the file chunks that are stored in the output blob. (Useful information for both incremental updates and restore)

It is strongly advised to create separate backups of the repository after each session.

Cryptography

The tool uses ChaCha20-Poly1305-AEAD block cypher to encrypt each content chunk that is written in a backup session. The encryption key is stored in the repository's session file, the nonce and the mac is stored alongside the ciphertext. Each chunk is prepended by a random number of random bytes.

Libraries