Developer Shares A Recoverable Container Format That's File System Agnostic

Long-time Slashdot reader MarcoPon writes: I created a thing: SeqBox. It's an archive/container format (and corresponding suite of tools) with some interesting and unique features. Basically an SBX file is composed of a series of sector-sized blocks with a small header with a recognizable signature, integrity check, info about the file they belong to, and a sequence number. The results of this encoding is the ability to recover an SBX container even if the file system is corrupted, completely lost or just unknown, no matter how much the file is fragmented.

Nifty

[EnigmaticSource]

Thanks, looks interesting. I can see some applications for use in long term storage... it's better to get some data back rather than lose it all.

why?

That's an interesting property, but what's the use case?

How often does your filesystem get corrupt and instead of restoring from backups, you curse the fragmented tar file that can't be reassembled?

How practical is it to keep files in an sbx container rather than extracting them? Can apps read files inside an sbx container?

Re:why?

[MarcoPon]

That's an interesting property, but what's the use case?

I can't say I know them all, or even the best/killer ones, but I listed some on the readme. Probably the most immediate/interesting application would be on a digital camera, for photos/video.

Can apps read files inside an sbx container?

Yes. The blocks are of a fixed size, so the format is seekable and reading from it is far simpler than, say, reading from a ZIP file.

Re:why?

[KiloByte]

So the only failure mode this protects from is corruption of metadata while every data block remains intact. On any sane filesystem, that sounds useless: the only cases this might happen are filesystems that can't handle unclean shutdown (FAT, ext2) or the disk lies about barriers. And those cameras that still use FAT have software you can't update, so you can't install that SBX thingy -- if you could, you'd be better off switching to a better filesystem.

In its present state, I'd suggest you scrap the whole project, it's a waste of time.

On the other hand, it would be an entirely different story if you added some form of erasure code that operates on amounts of data bigger than a single sector (most storage devices already have per-sector erasure codes).

Re:why?

Flash memory wear leveling failure.

Re:why?

How does your utility compare to something more established like MultiPar?

Re:why?

[MarcoPon]

They are two entirely different thing, but they could "help each other" in some ways.
PAR (or a RAR archive + recovery records, etc.) try to address the problem of losing some small parts of a file (due for example to physical errors), using some amount of redundancy. SeqBox try to address the issue of identifying and reassembling all part of a file, when they are all still on the physical media, but without the file systems indexes / structures to locate them (es. after a quick format, zero writes on the first sectors, etc.).
If you combine the two, creating an SBX container of a RAR + recovery records for example, you get both qualities.

Re:why?

[sexconker]

Is much, much, much more likely to nuke some data than it is to nuke the filesystem's metadata.

Re:why?

They are two entirely different thing, but they could "help each other" in some ways.

PAR (or a RAR archive + recovery records, etc.) try to address the problem of losing some small parts of a file (due for example to physical errors), using some amount of redundancy. SeqBox try to address the issue of identifying and reassembling all part of a file...

This could be part of a defense in depth strategy. I can see some similarities with other techniques of splitting things up. You could add parity as well, to give some additional defense, but at any rate this is basically a defense against losing the index to all your files, which should already be redundant, and which you can probably add even more copies with tuning options. (Yes, I'm too lazy to check this, but I'd imagine some file system has the feature.)

A more interesting feature might be a firmware update to a spinning disk that cuts the drive capacity exactly in half. Basically a hard drive is going to have probably double the drive read heads as platters. Just store a copy of the data on a different head/platter surface, ideally, if possible, on a different platter. Add the firmware update to deal with the details. 1/2 the capacity, 1/2 the data rate, but some degree of added redundancy.

How much protection that would give, I'm not prepared to guess. It would likely not be twice as reliable. Why did I recommend a different drive head rather than just making two copies of the file/partition/whatever? Basically with a spinning disk, seek time is still pretty important. This would have the same seek time, and effectively be a real time backup, without actually any additional expense.

Now if you wanted to get really fancy, you could effectively have two complete hard drives in a 3.5" package on top of each other. Any write command forces both to act to do the job. Any read command would force the top one to act, with the details all made transparent. At any rate, you would just be reinventing raid 1 there, with the idea being that usually the top "drive" would fail first, and once you had that occur you should usually have enough time to get data off the bottom drive. The control logic that deals with the details would need to be made even more reliable than the rest, or you could again, just use software raid 1, or even have a 3.5 sata drive with two sata connections and let windows/linux/whatever do periodic backups.

All in all, I'm not sure the distributed meta data approach yields enough gain. It might help, but if your data is important enough to consider it, putting another copy on a completely different storage medium seems the first thing to do.

Maybe a file index made into chunks with each chunk having as much forward error correcting protection as is feasible, and then having multiple copies of the file index? That would make the index more bullet proof, without necessarily needing any additional overhead in the files themselves.

Re:why?

[MatthiasF]

You should read through this and see if you can adopt any of the methods mentioned to eliminate lost data in the container completely.

https://www.usenix.org/legacy/...

Re:why?

[MarcoPon]

I'm probably familiar with most of those concepts, but it's nice to see them all in one well presented document which is also a sort of nice historic artifact. I think I stumbled upon it a long time ago and then lost track of it. Thanks.

Re:why?

[KiloByte]

A more interesting feature might be a firmware update to a spinning disk that cuts the drive capacity exactly in half. Basically a hard drive is going to have probably double the drive read heads as platters. Just store a copy of the data on a different head/platter surface, ideally, if possible, on a different platter. Add the firmware update to deal with the details. 1/2 the capacity, 1/2 the data rate, but some degree of added redundancy.

You're looking for btrfs -dDUP then. It does what you describe, and unlike any other filesystem except ZFS, the data is checksummed so it can be recovered even in case of a silent corruption (which happens way more often than people notice).

Obviously you want the same for metadata (-mDUP) which happens to be the default for rotational media. This pretty much renders the format described in the article pointless -- metadata corruption due to hardware failures that don't kill the entire disk is pretty much gone.

This doesn't quite work on typical flash media, though -- often the FTL will remap writes and put them into the same erase block, meaning you lost performance and capacity for no safety gain.

Re:why?

[Immerman]

Indeed. Give it built in redundancy so that the data could be recovered reliably after almost any not-completely-terminal disk failure, and *then* you'd have something I'd be extremely interested in. Can't tell you how much archived data I've lost over the years due to "bit rot"

Yeah, I should have had it archived in three different locations, but who actually does that for personal data?

Re:why?

[KiloByte]

Yeah, I should have had it archived in three different locations, but who actually does that for personal data?

From what I've seen, a typical intelligent person learns about the importance of backups after around 30 data loss events.

Re:why?

When my OS got infected by a ransomware, i got around 800 data losses in just one infection all at the same time. So I learned the importance on that night itself.

Not to seems like a philistine...

[Chris+Mattern]

...but this is better than a backup, how, exactly?

Re:Not to seems like a philistine...

[MarcoPon]

It's a bit of a different thing. Think about a digital camera that could save on a SDCard both a JPEG and a JPEG in a SBX container. If the SD file systems get corrupted (maybe the batteries given up just when writing), your chances or getting back the JPEGs are so-so (depends on how much/if they are fragmented), but you could surely recover the SBX files.

Re: Not to seems like a philistine...

If you're worried about file system corruption because of an inopportune power failure, use a journaled file system rather than writing everything twice.

Re: Not to seems like a philistine...

Flash storage uses wear leveling, which can fail. If that happens, the flash chip can mostly still be read, but all erase blocks on the chip will be in a "random" order compared to the lost logical wear leveled position. Then you want a way to recover the logical order of the blocks, which this format allows you to do.

Re:Not to seems like a philistine...

[slashrio]

What will be written first? If it's the SBX, then why wouldn't the battery give up while writing the SBX file? Your picture will be lost.

Re:Not to seems like a philistine...

[MarcoPon]

That one yes, but not the others already saved. A fragmented JPEG instead is pretty difficult to recover if the file system is inconsistent. The usual recover tools would easily find the first fragment, and then proceed from there collecting sectors in sequence, which may or may not contain the right data.

Re: Not to seems like a philistine...

[Zontar+The+Mindless]

"A camera that writes to an SD card using a journaling filesystem?"

(To get the right effect, read aloud in the tone of voice one might use for saying, "A planet where apes evolved from men?")

Re:Not to seems like a philistine...

[sexconker]

How are you going to recover an SBX file containing a JPG file if the batteries give up when writing?
If you're saying the batteries give up after writing the data but before updating the filesystem's metadata, then any recovery program that supports that filesystem will be able to recover the data. And really, this is a problem with older shit like FAT and NTFS and ext2 (for which there are plenty of tools available).

Re:Not to seems like a philistine...

[twistedcubic]

Wow, man, they're all over you with poor assumptions. Sometimes it's hard for people to accept that someone they don't know can do brilliant things. Good luck, and keep programming!

Re: Not to seems like a philistine...

Orrrr, maybe you are dealing with industry professionals, who know the tools of the trade and see no use case for this software.

Sometimes your Projects mean more to you than other people. So looking at it objectively is hard sometimes. So by posting on slashdot, the people who would use this tool get to break down all the things they see wrong with it.

stop being a little white knight snowflake bitch. This is the real world where software gets judged on the problems it solves and how well it solves them. And apparently from what I'm reading, this software solves little to no issues at all that aren't already solved in a good way.

Sometimes creating something just to create it doesn't cut it. See systemd for a good example.

Re:Not to seems like a philistine...

[MrL0G1C]

"How are you going to recover an SBX file containing a JPG file if the batteries give up when writing?"

That's a silly strawman it really is, I don't hear anyone suggesting you can magically recover a file that hasn't even been written yet.

Re:Not to seems like a philistine...

Could you add this to something like CHDK?

Re: If you can compact encrypted images...

Great question. We just ordered five new SANs because we can't compact disk images. I doubt it can, but if it could, we would have gotten raises instead of a 2% pay cut.

Re: If you can compact encrypted images...

1) Obvious troll.

2) Nowhere is compression stated.

3) If you can compress your encrypted file, then your encryption isn't worth anything.

Re: If you can compact encrypted images...

There's no way it can. LUKS is great but it wastes tons of disk space on vms.

Fail?

[DontBeAMoran]

Basically an SBX file is composed of a series of sector-sized blocks.

What if your file system and/or hardware uses a different sector size? Didn't those change size over the last decades?

Re:Fail?

[MarcoPon]

The default block size used is 512 bytes, which is a suitable sub-multiple of every sector size used by most system after the CP/M days. One example of system that doesn't plays well with is Amiga Old File System (which use 488 bytes per blocks, IIRC). Actually it's the only FS/platform that I found not working, among the ones I managed to test (a bit over 20, I listed them in the readme, just above the tech spec).

Re:Fail?

[raftpeople]

AS400 has 520 byte sectors, 512 for user data and 8 bytes for system data.

Re:Fail?

[MarcoPon]

Interesting, didn't know that. Of course it's possible to create a new block version with a suitable block size (the 3 current ones differs just in the block size: 512, 128 or 4K - mostly for experimenting and verifying that the tools worked correctly with different versions), but that would be a bit like cheating. Will add the AS400 to the not working list, thanks.

Re:Fail?

[raftpeople]

if compression is enbabled then it's 522 bytes (a 2 byte trailer)

Re:Fail?

[raftpeople]

The other challenge is that the as400 natively distributes sectors of every object across all disks in the system always (for performance reasons, parallel IO).

So recovery would require reading all disks to reconstruct one object.

Re:Fail?

[MarcoPon]

I see. It surely is a corner case, but an interesting one. My only experiences with AS400 was seeing some at some customer premises, and occasionally having to transfer some file from/to but nothing more. I remember an external IBM 5 1/4" floppy drive that was the length of an arm, and similar cost! :) Oh and BTW, SBXScan can scan and collect block positions from multiple images, even if it would be of no help in this situation. The idea was that if one keep 2 or more copies of an SBX file on different media, and all copies become corrupted in some ways (bit-rot, random blocks gone bad, something like that), it's still possible to collect all the good blocks from every available source, and perhaps still restore the complete container.

Re:Fail?

[raftpeople]

Ya, probably not your target market for multiple reasons, but interesting to know about differences between systems.

Re:Fail?

[johannesg]

Amiga OFS has 488 _user_ bytes per block. The rest is the block header, which can be used to, I don't know, recover blocks even when part of the disk is lost, for example. The actual block size was still 512 bytes like everybody else uses, because that's something the hardware generally supports.

https://en.wikipedia.org/wiki/...

Re:Fail?

Exactly, so a 512 byte SBX block won't fit in a 488 byte OFS block, which was the issue raied by GP. It's not really a problem though, as OFS is mostly used on floppies. Hard drives use FFS with 512 byte blocks, or other more modern filesystems.

Re:Fail?

[johannesg]

Oh sorry, I thought he meant the other way around... That his format is a container around existing formats.

Re:Fail?

[MarcoPon]

I was searching what to use as a file system name for the AS400 one, to add a note to the readme, but then I read again what you wrote in your first reply (sorry, was around 04:00am here): "520 bytes sectors, 512 for user data". If that's the case, then SeqBox should work just fine. The essential thing is that an SBX block, of 512 bytes, remains whole/integral, and that seems to be the case. The only things to keep in mind would be to use an adequate step with SBXScan when searching for the blocks (520 or 522 in this case, or even just 1).

Re:Fail?

[raftpeople]

It probably depends on what exactly is in the 8 bytes. I know there is a sector index (among other things), but not sure if that is necessary for reconstruction (sequencing) or not.

Re: If you can compact encrypted images...

Because it never occurred to you to compress before encrypting?

tar cJf - dir | gpg -c -o archive.tar.xz.gpg

Compressed and encrypted archive, plain and simple.

Re: If you can compact encrypted images...

Wait, so your job gives you impossible tasks, and then docks your pay when you can't do it? Get a new job!

IoD

And this is how you get an Internet on a Disk.

Re: If you can compact encrypted images...

[K.+S.+Kyosuke]

Doesn't GPG already compress the input data for improved input cleartext?

What about files stored in MFT?

[JoeyRox]

I did a quick read of the code and see that it relies on a magic cookie in the first four bytes of every physical sector to identify a block. This may not work for files small enough to fit entirely within the MFT on NTFS since that data isn't guaranteed to be aligned on a physical sector. There are other filesystems that store small file segments in the metadata structures as well.

Re:What about files stored in MFT?

[MarcoPon]

I think the limit for NTFS is something like 640 bytes. A 1 byte file encoded in SeqBox format would occupy at least 1 block for the data, plus 1 for the metadata (with attributes like file name, date, size, etc.), so 1024 bytes minimum.

Re:What about files stored in MFT?

[JoeyRox]

The MFT limit is closer to 1K. But if your minimum size is 1K that should be fine.

Next question - for the encoding of the file, you're putting a 16-byte header in front of every blocksize-piece of data, correct? If that's the case, and if you're storing the entire block of original data after that pre-pended header, then how are you assuring that the spill-over piece of data will be on a contiguous block on the disk? For example, say you're encoding a single 4096 byte file using a 4K blocksize. The SBX-equivalent size would be 4,112 bytes; how are you assuring the final 16 bytes of data are on a contiguous disk block to the first 4K?

Re:What about files stored in MFT?

[MarcoPon]

Assuming 4K block, a 4096 bytes would end up occupying 12228 bytes. 4096 for the metadata block, then 2 data block of 4096. The last one, would contain just 16 useful pad, and the rest would be just padding (with 0x1A bytes). Of course with very small files this isn't efficient, but it's not usually a problem. Overhead is just a bit over 3% with the default 512 bytes block, and less than 1% if 4KB blocks are forced.

Re:What about files stored in MFT?

[JoeyRox]

So if I'm understanding you correctly, the first 4K block is meatdata-only (no user data), then each additional block can contain up to 4096 - 16 bytes of user data (first 16 bytes of each block is the header).

Re:What about files stored in MFT?

[MarcoPon]

Yes. Just keep in mind that the default blocksize is 512 bytes, as a reasonable compromise between overhead and compatibility with most file systems / platforms, older ones included. You can check the readme.md for the complete file specs, near the end.

Re:What about files stored in MFT?

[JoeyRox]

Ok, I missed the data layout details at the end of the article. Rather than creating a super-set SBX file that holds all the original user data + 16-byte headers did you consider just storing the SHA-256 of every user block of data and storing that in the SBX file? You can reconstruct the file during your scan by SHA-256 every block read and matching it against the list of hashes in the SBX file.

Re:What about files stored in MFT?

[MarcoPon]

I thought about something along that lines (I was considering blake2b/s as a faster hash), but I choose to do it this way considering that the SBX file could, at least in some case like the digital camera one, be the only copy, as it's easily decoded on the fly and seekable. But keeping just a list of hashes and some metadata is surely interesting too.

Re:What about files stored in MFT?

[JoeyRox]

I think in practical applications users would prefer just storing the hash. It's just over 6% storage overhead vs 103%.

Re:What about files stored in MFT?

[MarcoPon]

It certainly possible in some scenario. In others it could be more practical to create a SBX file, and then keep just that one, instead of having the original file and another file to keep track of, for a larger total overhead.

Re:What about files stored in MFT?

[JoeyRox]

For archival perhaps. But then they're denied access to use the original file unless they unpack it first.

Re:What about files stored in MFT?

[MarcoPon]

I'd say for archival or read only. It's trivial to read from the file directly, and for some application a simple plug-in may do the job (like there are audio players that can read audio files inside ZIP archives, for example).
About the the separate file with hashes, instead, the main issue would be that if the file system is in an inconsistent / damaged state, that file too would be inaccessible. So it would need to be kept somewhere else, and that would complicate things a lot.

Re:What about files stored in MFT?

[JoeyRox]

Realistically speaking applications aren't going to support the notion of a metaformat like this. If there's demand for this type of redundancy it would be better achieved by implementing it in the filesystem. And most modern file systems log their metadata updates anyway so the likelihood of not being able to reconstruct the file extents is rather low vs the probability of media-level corruption affecting the user data itself. As for the SBX of hashes not being locatable due to metadata corruption, you can avoid that by applying a header to the SBX blocks themselves.

Re:What about files stored in MFT?

[MarcoPon]

As for the SBX of hashes not being locatable due to metadata corruption, you can avoid that by applying a header to the SBX blocks themselves.

OK, I see what you mean.

Re:What about files stored in MFT?

[MarcoPon]

I'll definitely experiment with creating a file with just the hashes + metadata, to be then encoded in a SBX, so that it will be possible to do both things (standalone SBX file, or normal file + just the hashes in an SBX). Thanks for the nice discussion (and sorry for the delay, was about 05:00am here :) ).

Uncorruptable

Therefore if everything uses this container then hard drives would be uncorruptable? Sounds too good to be true.

Cool.

You solved a problem I've never had in 25 years of using computers and losing data. Congratulations to you.
Or I could just use ZFS and set copies = 3. Which begs the question, how well will your solution fail when data is striped across drives and one of the drives in unrecoverable, or the uC in an MMC refuses to let you read any of the flash and not just the FAT table.

Take your freshman school project and get the fuck gone, man. I hate kids today.

Re:Cool.

[DontBeAMoran]

From what I understand his idea isn't to be hardware failure-proof, it's to be file system failure-proof.

Re:Cool.

Seriously... I've been using computers since the C64 and I don't see the use case here.

Re:Cool.

[MarcoPon]

Yes, exactly. And it's not just about data recovery. For example, I'm not sure how "generally useful" that would be, but I found myself using it for extracting/exchanging data from disk images formatted with a foreign file system.

Re: If you can compact encrypted images...

[KiloByte]

There's no way it can. LUKS is great but it wastes tons of disk space on vms.

It can! Just turn on discard (and have the system inside issue trim commands). This does have an impact on encryption, though, which might or might not be acceptable for you: it is possible to tell used from unused disk space, which leaks information about usage patterns inside the VM.

Re: If you can compact encrypted images...

This. But I would guess they can't support that since libvirt doesn't already.

Re: If you can compact encrypted images...

I didn't say compression! Nice attempt at trolling. I said compact. Very often virtual machine images can be compacted to be less than 80% of their previous size. If you have a vm that uses a lot of disk space, and for example, you copy those logs off, then they can be greatly compacted.

Encrypted signatures?

Posting anon so as to not undo moderation to developers posts above.

Could the identifying signature in each sector be obfuscated with user generated encryption? This could prove useful as part of a reversible dead man switch for a filesystem where the hidden container could later be recovered. Also useful possibly for hidden encrypted containers such as ones used by truecrypt/veracrypt.

Re:Encrypted signatures?

[MarcoPon]

Yes. You could supply a password that is hashed and the the hash is XOR-ed against each block, signature included. It's not really strong encryption by any means (that could be implemented in a later version, at the moment I just wanted to keep it simple), but it's probably obfuscated enough to avoid detection. Especially if one didn't expect an SBX container being there, and/or isn't prepared to go trough a lot of data collection to find some blocks with the same first 4 bytes (different depending on the password used) sprayed around.

Re: If you can compact encrypted images...

He said compact.

best back up of all time

I use write only memory for all my backup needs. I don't have to worry about any sector size b.s.

Re:best back up of all time

/dev/null is write only.

Re: If you can compact encrypted images...

He said compact, not compress.

Re: If you can compact encrypted images...

Since the disk image is encrypted, it doesn't compress well. Compacting is vey different from compressing.

A couple of problems

You obviously tried to keep the per-block header small to minimize overhead. But that has caused questionable decisions that may make this format less useful than it could be. Firstly, at 48 bits, the UID is a bit short. If UIDs are chosen randomly and with even distribution, there's a 1 in 1000 chance of a duplicate UID with just 750000 files. That might seem low enough, but I think it's cutting it a bit close. Secondly, the block sequence number is a 32bit value, so 4 billion blocks in a file max. With this format, files are limited to 2TB. Thirdly, the 2-byte checksum is too small. No two ways about it. Fourthly, you wasted 3 bytes on a "magic" string. These would have been put to better use in the checksum. You could tell a SBx block from other blocks by making the verification calculations.

I think you should redo this with a header twice the size and sequencing that relies on a hash of the previous block and a small block index (actual block index modulo a small number). That would remove the file size limit and make it much more robust against collisions.

Re:A couple of problems

[MarcoPon]

You obviously tried to keep the per-block header small to minimize overhead. But that has caused questionable decisions that may make this format less useful than it could be.

It's surely a compromise, but I think it's pretty sensible for the present version (but some variations can surely be implemented as different versions, to better suite different scenarios).

Firstly, at 48 bits, the UID is a bit short. If UIDs are chosen randomly and with even distribution, there's a 1 in 1000 chance of a duplicate UID with just 750000 files.

That seems a bit off, 48bit assuming even distribution would give 281,474,976,710,656. But again, 750.000 files would seems an enormous number for the practical uses I was thinking about at the moment.

Secondly, the block sequence number is a 32bit value, so 4 billion blocks in a file max. With this format, files are limited to 2TB.

Yes, 2TB with the 512 block, or 16TB with 4K block. It's not good for everything but it's probably good for a lot of case. But again, it can be easily upgraded if needed.

Thirdly, the 2-byte checksum is too small.

A 2 byte CRC seems to be plenty for 512 bytes, and even for 4KB isn't bad. Here is not about detecting tampering, but just to distinguish a random block that just happen to have the right signature, with a specific UID & sequence number, from a real SBX block.
That said, again I agree that for applications that could envision a lot of files with far larger sizes, a different kind of header, with expanded fields (and some other things) would be better suited.

Re: A couple of problems

[guruevi]

Thousands of images are often used in medical imaging for a single scan. I have a production filesystem with 2B images, over 200TB. 16TB file sizes aren't all that hard to come by either. Obviously there is also the birthday problem, ZFS alleviates it by using bit comparisons in combination with 128 bit checksums.

I'm baffled that 48 bit checksums is still considered good enough nowadays.

Re: A couple of problems

[MarcoPon]

There's no 48 bit checksum in the specs. The 48 bit field is a UID that's used to id a file, and it could be anything "unique enough" for the job. For example in the case of a digital camera that saves photo on an SD, that could be even just the progressive number used in the filenames. Or could be an hash, or just a random number. A giant file repository wasn't exactly the first thing on my mind when I developed the concept. 2TB/16TB could be a limit in some situations, undoubtedly, but again it's reasonable enough in a wide variety of other.
But note that the specs include a version number and so can be flexible. It's simple to add a new version with far larger limits, extending the size of the header, if needed, and that was the plan depending on the interest and usage that could come up.

but why?

[JustNiz]

I mean the chances of the filesystem being corrupted without the file itself also being corrupted seem small to none to me.

Re:but why?

Please research filesystems.

Re:but why?

I mean the chances of the filesystem being corrupted without the file itself also being corrupted seem small to none to me.

Not at all, quite the reverse actually.

If you have say 3 copies of your data on 3 pieces of media, what are the odds that the exact same location in the file system on ALL 3 pieces of media will be exactly the same?

Non-zero to be sure, but short of a fault in the design of a specific piece of media, it should be fairly low at least for a pretty decently long amount of time.

So long as at least one given block is OK on at least one piece of media, it will be recoverable in full.

Bit rot on things like hard drives and SSDs seems to occur for all intents and purposes here at random.
Things like CDR/DVDR I can see being one of those "faulty design" pieces of media, in that the organic dye seems to start decaying on the physical edges of the disc (from the outside in, and from the middle hole out), so would have a decent chance of all copies of your media having the same "holes" in it.
But when it comes to mass storage I don't see that being a problem.

Not to mention you can always keep more copies.
With 10 copies, each copy can lose 90% of it's data and still have a small chance they don't overlap where that 90% of corruption is and is corrupted over all 10 copies.
More likely a situation would be a much lower percentage of corruption, which drastically lowers the chances the exact same spot on all 10 copies will be corrupted at the time you go to restore the data.

Natural magnetic bitrot is actually a pretty rare event. It would take quite a lot of time to even reach 10% of the drive as corrupted, yet with 10 copies that's what, a one in one ten thousandth chance all 10 copies of the same block go bad within the mechanical lifetime of the drive.

It sounds at least as reliable as a raid 6 array would be, and much more reliable than a raid 5.

This would be great for SSDs

[Gravis+Zero]

Unlike HDD controllers, SSD controller do wear-leveling, so there is no guarantee that your data will be written as as a contiguous block of memory (regardless of what the filesystem says), only that it will be in 4096 byte blocks. Recovering deleted data from a SSD is no simple task because it means you need to know or guess the controller behavior for wear-leveling in order to go back and find the order of previously written data. With this you would be able to just read the raw memory even after the controller has been reset and still be able to recover the data. I think it would be a nice option to have a filesystem be able to encode user files in something like this highly recoverable format. The only real problem is that the file has to be completely rewritten even if you only modify part it in order to differentiate the new version from the old version.

Re:This would be great for SSDs

[MarcoPon]

Note that the 4KB block has just come up in some examples, but the default blocksize is 512, and I think that's reasonable to assume that a block of that size will not be broken down in a smaller parts.

Re:This would be great for SSDs

[Gravis+Zero]

The memory used in SSDs are all 4096 byte blocks of NAND FLASH memory. 512 bytes is the sector size for HDDs... though they may have changed that in recent years.

Re:This would be great for SSDs

[MarcoPon]

Sure. In general, 512 byte as a sector size is considered legacy, nowadays. More so, I don't see many chances of a 512 byte block being broken down further.

Re:This would be great for SSDs

Recovering is no walk in the park because almost every recent SSD encrypts or scrambles the data written to flash for *technical reasons* (yes, FLASH can have issues with too many ones or zeros or certain patterns always being written to the same cell, etc). You need to know the key. Note that this doesn't mean the SSD necessarily externs the fact that it is scrambling the data to the user like "self-encrypting OPAL SSDs" do. But it still means it will be a major pain to recover data from a bricked SSD.

Also, most SSDs "zero on TRIM", which means you need to use backdoors of some sort (electric or firmware) to get to the data of something that has been trimmed (if it was not yet reclaimed by the background garbage collector).

Now, the simple FTLs in pendrives/flash drives are less likely to do anything, and it will be much easier to recover from these. Same for older SD/SDHC cards (no idea about SDXC).

Re:This would be great for SSDs

[Dwedit]

Usually when an SSD fails, you get some stupid small device. Intel SSDs give you a 8MB hard drive named "BAD CONTEXT" which can't be read from or written to, and JMicron drives give you a 4GB drive named "JM-Loader 001".
When this happens, you don't get to see your actual disk sectors at all. Without access to the actual contents of your drive, having a container format that lets you recover data won't help.

Re:This would be great for SSDs

[Gravis+Zero]

I've not had that experience, however, it seems like a good reason to have an open source SSD controller firmware, so that you can force it to let you access it.

Re:This would be great for SSDs

[tlhIngan]

The memory used in SSDs are all 4096 byte blocks of NAND FLASH memory. 512 bytes is the sector size for HDDs... though they may have changed that in recent years.

Incorrect. Modern SSDs use large page NAND which has anywhere from 128kiB to 1MiB block sizes.

In NAND, you can only erase on block boundaries. However, when you write, you can write on page boundaries, of which there can be anywhere from 16 to 128 pages per block. Small page NAND (old NAND) had 512 byte pages (and typically 32 pages per block, giving a 16kiB block size). Modern NAND is large page size, which is typically 4096 bytes, but it can be larger, and it can have 32 pages (128kiB/block) or more (64 is common, for 256kiB/block). The smallest writable unit of storage is a page, so 4096 is a convenient unit to work with.

Re:This would be great for SSDs

[Gravis+Zero]

I only meant that "sectors" were 4096 bytes but thanks for the additional info. I suppose it only makes sense that they also use larger blocks in order to achieve higher read/write throughput rates.

forward error correction?

[ooloorie]

It seems to me this would be a lot more useful if it directly incorporated forward error correction.

Re:forward error correction?

[MarcoPon]

I thought about it, but at least initially I choose to keep it simple. One can always process the file in some way before creating the SBX, for example creating a RAR archive with recovery records, and then encoding that one.

Re:forward error correction?

[ooloorie]

thought about it, but at least initially I choose to keep it simple. One can always process the file in some way before creating the SBX

Since loss and recovery takes place at the block level, it's best if you arrange for error recovery (and compression) to take into account block boundaries.

Re: If you can compact encrypted images...

Compact for vms has a very specific meaning.

Re: If you can compact encrypted images...

It can't compress blocks that have previously encrypted data. That the problem.

What it does and why it's (partially) useful

[Excelcia]

There is some confusion as to what this is actually doing.
Most filesystems have use special structures to store the name and location of your files on the drive. Directories, cluster bitmaps, etc etc. The reason why it's difficult at best to recover files from a hard drive when parts of the filesystem have been damaged is that it's difficult to identify where on your hard drive the files are. Besides the special filesystem directories, no where else stores information on what is stored where. If you lose the directory it's hard to tell one file's data from another on your hard drive.

That is where SBX comes in. What it does is make sure that every physical sector that stores data for a particular file is labelled with a number that identifies that file, and a sequence number so you can reconstruct what order that piece is in the original file. Really, for the amount of overhead, something like that should be embedded into every filesystem. Basically a distributed backup of all the filesystem metadata.

Some people are criticizing this that is solves non problems. I disagree. While it isn't the solution to global warming, it is both simple and clever (and will thus suffer from a lot of people who will disparage it out of a "well anyone could have thought of that" attitude). It won't save you from a full hardware crash. It won't save you from physically bad sectors in that file. What it will save you from is accidental deletion and from loss of the filesystem's metadata structures. How often does this happen? Twice to me from failures of a whole-disc-encryption system driver.

I wouldn't use this for every file, but for critical ones, sure. Why not. The problem is, where it is most useful, for very volatile files that change a lot (databases etc) between backups, is where it can't really be used until/unless different applications start supporting it. So it unfortunately has limited use in the places where it would really help the most. Like I said above, this sort of thing really needs to get rolled into a filesystem. The amount of overhead it costs is meaningless in today's storage environment.

Re:What it does and why it's (partially) useful

Reiserfs already did this. You could break the filesystem and it can (in most cases) reconstruct the whole filesystem by scanning it for data.

An amusing bug, if you ran the filesystem reconstruction on a filesystem that contained other reiserfs filesystem images, it would turn into a mess. They fixed this by adding a mechanism to escape out data that looked like the magic metadata identifiers.

Deleted data was also ressurrected. Sometimes this was useful, sometimes not so much.

Re:What it does and why it's (partially) useful

[MatthiasF]

Don't ZFS, ReiserFS and Btrfs all already have something similar inherent in their file systems?

Re:What it does and why it's (partially) useful

[thegarbz]

It would seem like it but: a) this doesn't need to be applied at a filesystem level and b) it isn't encumbered by licensing issues, a dead project, or an experimental filesystem, in respective order.

Okay so it is actually experimental, but not be filesystem wide it is also much simpler and able to contain failures.

Re:What it does and why it's (partially) useful

[MarcoPon]

It's somehow similar, but not really the same thing. From what I gathered (but I'm surely not an expert in ReiserFS), ReiserFS can scan the disk to locate and recover its file structures / indexes, that in turn would enable to find the files again. SeqBox enable one to recover a SBX container without even considering any FS structure, but instead just scanning the raw bytes for the file itself, because each of its blocks is made recognizable. You can zero out all the file system info, partition table, etc. and still find an SBX file.

Re:What it does and why it's (partially) useful

it isn't encumbered by licensing issues, a dead project, or an experimental filesystem, in respective order.

The licensing issue can be disputed. Licensing issues are always a matter of use cases. In this case the license specifically says that it is provided without liability or warranty. While the author might be willing to provide those under a different licensing deal the same can be said for any other filesystem.

Primarily I would dispute you claim that this isn't an experimental filesystem. It claims to not be a filesystem but it fits every checkbox for one, except perhaps having to delegate block allocation to someone else, but there are plenty of readonly filesystems out there.
It also has a lot less testing done to it than Btrfs so it appears strange to not call this one experimental. I suspect Btrfs isn't really that experimental if you let someone else deal with the block allocation.

As for the dead project part. Give it a couple of years. No project is dead in the beginning.

Re:What it does and why it's (partially) useful

[twistedcubic]

An implementation like this which is so thoroughly understandable with such a short description on Slashdot might be experimental, but not like BTRFS raid. This software might have bugs, but it sounds like most competent systems programmers can debug it in a few hours. People are more comfortable with implementations of simple, neat ideas like this than millions of lines of filesystem code.

Re:What it does and why it's (partially) useful

[maestroX]

I can understand a finer-grained meta data model can aid recovery, but isn't the corruption of an SBX container more likely than the filesystem meta system with its backups?

Re: If you can compact encrypted images...

If the disk image is encrypted then it doesn't compress well. Plus the underlying file system doesn't know about unused blocks. That is why compacting LUKS encrypted disk images just doesn't work. Compression doesn't either due to the random (as is expected of any good encrypted algorithm) data in the disk image. We need a file format for vms that supports encryption and supports compaction.

Re: If you can compact encrypted images...

[Miamicanes]

If you can meaningfully compact *anything* that's encrypted, the encryption was improperly implemented. You *always* want to compact files prior to encryption, and a well-encrypted compressed file should be statistically indistinguishable from random noise.

Re: If you can compact encrypted images...

Zero your freespace? Then your unused sectors can at least be compressed.

Beware padding oracle with compression& encryp

[raymorris]

Compression before encryption often results in a padding oracle or other problems. If you're designing a system that is supposed to be secure, avoid compression until you fully understand the issues. Avoid compressing and encrypting chosen plaintext at all - you'll never be sure you understand all of the issues with that.

Hash the block number with the password

[raymorris]

Hash the password AND block number through a key-stretching routine to get the encryption key. It is important to avoid using the same key for all blocks. If different blocks are XORed with the same key, I can still see your penguin:
https://blog.filippo.io/the-ec...

Re:Hash the block number with the password

[MarcoPon]

Of course, as I wrote the current password feature isn't a strong encryption by any means, but more just a way to implement a sort of mild obfuscation, just to show that data hiding it could also be a uses case. In time I plan to implement a proper block encryption scheme.

Use-case of distributed pieces?

[John+Da'+Baddest]

Could this be also be used when the file contents are deliberately separated? Eg, distribute the file pieces (sectors?) to different audiences / storage locations, such that one has to get cooperation from all piece-holders to retrieve the net results? Eg: nuclear launch codes, and other less dramatic scenarios.

Re:Use-case of distributed pieces?

[MarcoPon]

Well, it's probably not the first use case I would think of, but it will surely work and I think I have mentioned splitting in the readme. Just as SBXScan can locate and collect all the good SBX blocks from different images/devices (imagine having a copy of the same SBX file on different media, to add physical redundancy), it can surely reassemble a container from different pieces. The only restriction is that the splitting need to happens on block boundaries (512 bytes by default), which should not really be a problem.
Then again, I'm not sure if/how this would be better than other splitting tools, but yes, it could used like that.

Apple Lisa/early-Mac "tags" on steroids

[davidwr]

The Lisa and early Macintosh drives supported 532-byte sectors. The extra sectors were used for "tags" - basically a less-sophisticated version of this scheme and without the "block 0."

For details on why "tags" were eliminated, see Macintosh Technote #94, "Tags," by Bryan Stearns, November 15, 1986.

Re:Apple Lisa/early-Mac "tags" on steroids

[MarcoPon]

Yes, it was a bit of a common things on older system, from the times where the mass storage hardware was far from precise and reliable, to do things like check that the drive seek really landed the head in the requested track. At least the Mac implementation still kept the usual 512 bytes of useful data per sector (at the price of less common hardware), while for example Amiga OFS end up with an odd 488 usable bytes per sector (but with common hardware).

Re:Apple Lisa/early-Mac "tags" on steroids

[davidwr]

Yes, it was a bit of a common things on older system, from the times where the mass storage hardware was far from precise and reliable, to do things like check that the drive seek really landed the head in the requested track.

"Modern" (probably mid-1980s and newer) hardware had firmware that would do that for you, and for hard disks at least, the firmware started keeping its own meta-data of a sort so that as far as the computer was concerned, the error rate was acceptably low unless there was an actual bad spot on the drive or some other "hard" failure.

Re:Beware padding oracle with compression& enc

[GNious]

Been struggling to understand this for the last 3 decades (not full time) ... :/

Re:Beware padding oracle with compression& enc

[K.+S.+Kyosuke]

I know about that, but what does that have to do with the fact that there's apparently already an extra compression step in the pipeline above?

Re: If you can compact encrypted images...

You've never worked in government, have you?

Re:Beware padding oracle with compression& enc

[raymorris]

My comment doesn't directly relate to having the *two* compression steps. I probably should have replied to the same person you replied to.

Re: If you can compact encrypted images...

Yes I have

Forget Agnostic!

[tmjva]

I want to storage that is File System Atheist!

(And would that be like Write Only Memory?)

Re: If you can compact encrypted images...

Creimer is that you?

xD

Also, that name, Seqbox

[raymorris]

I wrote three pieces of software:
Strongbox
Throttlebox
Clonebox

Then you chose Seqbox. :)

Re:Also, that name, Seqbox

[MarcoPon]

DOH! :)

Re: If you can compact encrypted images...

That s a real joke...

Re: If you can compact encrypted images...

Have you tried modeling the randomicity after encryption and regenerating with an according RNG? If it is lossy graphics algorithms, then maybe it would be enough, for a given encryption algorithm. No idea what that algorithm may be, though.

Cool! But...

I've starred SeqBox on GitHub and I think it's a really good idea, but I suggest you rewrite it in C, because:
1) C programs have much higher performance and a smaller memory footprint
2) More portable (C can be compiled virtually anywhere)
3) It could be used from languages other than Python (C libraries can be used from C++ and can be easily made to work with Java and C#)
4) The above points would make it much more attractive for use on servers and embedded systems.