#Presentation
An Immutable Storage is a system that enables the secure storage of files: they can be stored and read but never erased or modified. This is the ultimate weapon against ransomwares.
The application presented here offers this type of functionality:
- save, list and load file, never erase or modifyncoding, random sequence generation
- access via http(s), scp and sftp
- authentication by ssh key, ssl certificate or password
The application can run on any type of platform:
- on a computer or mobile device with an OS: Windows, Unix-like, MacOS, iOS, Android
- bare-metal on the Raspberry Pi 4 board
- bare-metal on the MM-2350 board
Obviously, if not on bare-metal, your system relies on the security of the OS: any root/admin user may erase your data. That's when bare-metal is a real must-have. In bare-metal MINIMACY there is no such thing as a root/admin, there is no way to login and prompt commands.
#Setup
- clone the application repository:
>git clone https://github.com/ambermind/immutable-storage.git
## Running on a computer
You can already run the application on your computer
- install Minimacy, as described in the [Setup section](page://2000.100.100). Build Minimacy or use the Release distribution.
- run the program ./immutable.storage.mcy
## Running on the MM-2350 board
You can use the application on the MM-2350 board:
- it is assumed you are already familiar with the board; if not, see the tutorial here: [Tutorial >>](https://minimacy.net/book/#/tag/mm-2350)
- copy the contents of the repository to the root of an SD card formatted as FAT32
- insert the SD card into the MM-2350 board
- it is recommended to connect the console (usb/uart cable) and run the program ./programs/romdisk/romdisk.server.mcy to monitor the hsm startup
- power on the MM-2350 board
[
](html)
## Running on the Raspberry Pi 4 board
For the Raspberry Pi 4 board:
- it is assumed you are already familiar with the board; if not, see the tutorial here: [Tutorial >>](https://minimacy.net/book/#/tag/rpi4)
- prepare an SD card formatted as FAT32 with the official files and the two Minimacy-specific files, as explained in the 'Blink' chapter of the Raspberry Pi 4 page
[
](html)
- then copy the contents of the immutable-storage repository to the root of the SD card
- it is recommended to connect the console (usb/uart cable) and run the program ./programs/romdisk/romdisk.server.mcy to monitor the hsm startup
- power on the Raspberry Pi 4 board
#Configuration
Configuration is done in the file immutable.storage.config.mcy. Configuration files in Minimacy are preferably written in the Minimacy language:
- a single language for everything
- it is compiled when you launch the application, so its syntax is checked
- you have access to the language's computation functions
// SPDX-License-Identifier: GPL-3.0-only
// Copyright (c) 2026, Sylvain Huet, Ambermind
// Minimacy (r) Demonstration
//------------------- config
const ROOT_PATH="immutable/";; // root path on the physical storage
const MAX_UPLOAD_SIZE = 1024*256;; // maximum upload size in bytes
const HOST_USER="foobar";; // on linux-like system, the server will switch to this user account as soon as http and ssh server are started.
const HTTP_ENABLED=true;;
const HTTP_MAX_CONNECTIONS=16;;
const HTTP_IDLE_TIMEOUT=30;;
const HTTP_EVICTION_TIMEOUT=10;;
// HTTPS server:
//const HTTP_ADDR="127.0.0.1";;
//const HTTP_PORT=8443;;
//const TLS_SERVER_KEY="foobar.com.key.pem";;
//const TLS_SERVER_KEY_PWD= "";;
//const TLS_SERVER_CER="foobar.com.cer.pem";;
//const TLS_LOGIN_CER="loginAuthority.cer.pem";;
//const TLS_LOGIN_LIST:(list Str)="foobar"::nil;;
// HTTP server:
const HTTP_ADDR="0.0.0.0";;
const HTTP_PORT=8080;;
const TLS_SERVER_KEY="";;
const TLS_SERVER_KEY_PWD= "";;
const TLS_SERVER_CER="";;
const TLS_LOGIN_CER="";;
const TLS_LOGIN_LIST:(list Str)=nil;;
// SFTP/SCP server
const SSH_ENABLED=true;;
const SSH_ADDR="0.0.0.0";;
const SSH_PORT=1234;;
const SSH_SERVER_KEY="ed25519_private.pem";; // generation: openssl genpkey -algorithm ed25519 -out ed25519_private.pem
const SSH_SERVER_KEY_PWD="";;
const SSH_PASSWORDS:(hashmap Str->Str)= nil;; // hashmapInit(8, ["foobar", "8ef9601a03170c3452e337c72522afd7|2f696c3ddd840c98814b7c3ee34c31fbc5e5d501eb800f3e48d9dd6d13a1ee34"]::nil);;
const SSH_PUBLICKEYS:(hashmap Str->Str)= nil;; // hashmapInit(8, ["foobar", "AAAAC3NzaC1lZDI1NTE5AAAAIBkRUQrg+i+STX6A6XTMRthZ2OoRWmNDczBECr7j+hlt"]::nil);;
const SSH_MAX_CONNECTIONS=16;;
const SSH_IDLE_TIMEOUT=60*10;;
const SSH_EVICTION_TIMEOUT=10;;
// WHITE LIST of authorized IPs (nil means anyone)
const IP_LIST:(list Str)=nil;; //"192.168.0.100"::nil;;
//------------------ MM2350
const IP_LEFT:Str=nil;; // "192.168.0.10";;
const IP_LEFT_MASK="255.255.255.0";;
const IP_RIGHT:Str="169.254.1.1";;
const IP_RIGHT_MASK="255.255.0.0";;
const MM2350_VOLUME_NAME="sd0";;
const MM2350_GAUGE_REFRESH= 60*5;; // refresh gauge every 5 minutes
//------------------ Raspberry Pi 4
const IP_ETH0:Str="169.254.1.1";;
const IP_ETH0_MASK="255.255.0.0";;
const RPI4_VOLUME_NAME="sd0";; // set "usb0" when you want to use a usb storage key
const RPI4_GAUGE_REFRESH= 60*5;; // refresh gauge every 5 minutes
If you set HTTP_ENABLED=true, you immediately have access via http on port 8080. For https access, you will need to provide:
- the certificate foobar.com.cer.pem obtained from a certificate authority
- the private key foobar.com.key.pem linked to your certificate, along with the password if the pem file is encrypted
- for client authentication by SSL certificate, you must also provide the certificate of the certification authority
To enable SSH, you must set SSH_ENABLED=true, but you must also create an SSH key for the server and give it a name such as 'ed25519_private.pem'
You can use openssl to generate such a file:
>openssl genpkey -algorithm ed25519 -out ed25519_private.pem
Once the configuration has been modified, you must restart the application for the changes to take effect.