#Presentation An Immutable Storage is a system that enables the secure storage of files: they can be stored and read but never erased or modified. This is the ultimate weapon against ransomwares. The application presented here offers this type of functionality: - save, list and load file, never erase or modifyncoding, random sequence generation - access via http(s), scp and sftp - authentication by ssh key, ssl certificate or password The application can run on any type of platform: - on a computer or mobile device with an OS: Windows, Unix-like, MacOS, iOS, Android - bare-metal on the Raspberry Pi 4 board - bare-metal on the MM-2350 board Obviously, if not on bare-metal, your system relies on the security of the OS: any root/admin user may erase your data. That's when bare-metal is a real must-have. In bare-metal MINIMACY there is no such thing as a root/admin, there is no way to login and prompt commands. #Setup - clone the application repository: >git clone https://github.com/ambermind/immutable-storage.git ## Running on a computer You can already run the application on your computer - install Minimacy, as described in the [Setup section](page://2000.100.100). Build Minimacy or use the Release distribution. - run the program ./immutable.storage.mcy ## Running on the MM-2350 board You can use the application on the MM-2350 board: - it is assumed you are already familiar with the board; if not, see the tutorial here: [Tutorial >>](https://minimacy.net/book/#/tag/mm-2350) - copy the contents of the repository to the root of an SD card formatted as FAT32 - insert the SD card into the MM-2350 board - it is recommended to connect the console (usb/uart cable) and run the program ./programs/romdisk/romdisk.server.mcy to monitor the hsm startup - power on the MM-2350 board [](html) ## Running on the Raspberry Pi 4 board For the Raspberry Pi 4 board: - it is assumed you are already familiar with the board; if not, see the tutorial here: [Tutorial >>](https://minimacy.net/book/#/tag/rpi4) - prepare an SD card formatted as FAT32 with the official files and the two Minimacy-specific files, as explained in the 'Blink' chapter of the Raspberry Pi 4 page [](html) - then copy the contents of the immutable-storage repository to the root of the SD card - it is recommended to connect the console (usb/uart cable) and run the program ./programs/romdisk/romdisk.server.mcy to monitor the hsm startup - power on the Raspberry Pi 4 board #Configuration Configuration is done in the file immutable.storage.config.mcy. Configuration files in Minimacy are preferably written in the Minimacy language: - a single language for everything - it is compiled when you launch the application, so its syntax is checked - you have access to the language's computation functions // SPDX-License-Identifier: GPL-3.0-only // Copyright (c) 2026, Sylvain Huet, Ambermind // Minimacy (r) Demonstration //------------------- config const ROOT_PATH="immutable/";; // root path on the physical storage const MAX_UPLOAD_SIZE = 1024*256;; // maximum upload size in bytes const HOST_USER="foobar";; // on linux-like system, the server will switch to this user account as soon as http and ssh server are started. const HTTP_ENABLED=true;; const HTTP_MAX_CONNECTIONS=16;; const HTTP_IDLE_TIMEOUT=30;; const HTTP_EVICTION_TIMEOUT=10;; // HTTPS server: //const HTTP_ADDR="127.0.0.1";; //const HTTP_PORT=8443;; //const TLS_SERVER_KEY="foobar.com.key.pem";; //const TLS_SERVER_KEY_PWD= "";; //const TLS_SERVER_CER="foobar.com.cer.pem";; //const TLS_LOGIN_CER="loginAuthority.cer.pem";; //const TLS_LOGIN_LIST:(list Str)="foobar"::nil;; // HTTP server: const HTTP_ADDR="0.0.0.0";; const HTTP_PORT=8080;; const TLS_SERVER_KEY="";; const TLS_SERVER_KEY_PWD= "";; const TLS_SERVER_CER="";; const TLS_LOGIN_CER="";; const TLS_LOGIN_LIST:(list Str)=nil;; // SFTP/SCP server const SSH_ENABLED=true;; const SSH_ADDR="0.0.0.0";; const SSH_PORT=1234;; const SSH_SERVER_KEY="ed25519_private.pem";; // generation: openssl genpkey -algorithm ed25519 -out ed25519_private.pem const SSH_SERVER_KEY_PWD="";; const SSH_PASSWORDS:(hashmap Str->Str)= nil;; // hashmapInit(8, ["foobar", "8ef9601a03170c3452e337c72522afd7|2f696c3ddd840c98814b7c3ee34c31fbc5e5d501eb800f3e48d9dd6d13a1ee34"]::nil);; const SSH_PUBLICKEYS:(hashmap Str->Str)= nil;; // hashmapInit(8, ["foobar", "AAAAC3NzaC1lZDI1NTE5AAAAIBkRUQrg+i+STX6A6XTMRthZ2OoRWmNDczBECr7j+hlt"]::nil);; const SSH_MAX_CONNECTIONS=16;; const SSH_IDLE_TIMEOUT=60*10;; const SSH_EVICTION_TIMEOUT=10;; // WHITE LIST of authorized IPs (nil means anyone) const IP_LIST:(list Str)=nil;; //"192.168.0.100"::nil;; //------------------ MM2350 const IP_LEFT:Str=nil;; // "192.168.0.10";; const IP_LEFT_MASK="255.255.255.0";; const IP_RIGHT:Str="169.254.1.1";; const IP_RIGHT_MASK="255.255.0.0";; const MM2350_VOLUME_NAME="sd0";; const MM2350_GAUGE_REFRESH= 60*5;; // refresh gauge every 5 minutes //------------------ Raspberry Pi 4 const IP_ETH0:Str="169.254.1.1";; const IP_ETH0_MASK="255.255.0.0";; const RPI4_VOLUME_NAME="sd0";; // set "usb0" when you want to use a usb storage key const RPI4_GAUGE_REFRESH= 60*5;; // refresh gauge every 5 minutes If you set HTTP_ENABLED=true, you immediately have access via http on port 8080. For https access, you will need to provide: - the certificate foobar.com.cer.pem obtained from a certificate authority - the private key foobar.com.key.pem linked to your certificate, along with the password if the pem file is encrypted - for client authentication by SSL certificate, you must also provide the certificate of the certification authority To enable SSH, you must set SSH_ENABLED=true, but you must also create an SSH key for the server and give it a name such as 'ed25519_private.pem' You can use openssl to generate such a file: >openssl genpkey -algorithm ed25519 -out ed25519_private.pem Once the configuration has been modified, you must restart the application for the changes to take effect.