Tarsnap - Online backups for the truly paranoid

Navigation menu

The spiped secure pipe daemon

Spiped (pronounced "ess-pipe-dee") is a utility for creating symmetrically encrypted and authenticated pipes between socket addresses, so that one may connect to one address (e.g., a UNIX socket on localhost) and transparently have a connection established to another address (e.g., a UNIX socket on a different system). This is similar to 'ssh -L' functionality, but does not use SSH and requires a pre-shared symmetric key.

Spiped uses strong and well-understood cryptographic components: The initial key negotiation is performed using HMAC-SHA256 and an authenticated Diffie-Hellman key exchange over the standard 2048-bit "group 14"; following the completion of key negotiation, packets are transmitted encrypted with AES-256 in CTR mode and authenticated using HMAC-SHA256. The simplicity of the code — about 6000 lines of C code in total, of which under 2000 are specific to spiped (the rest is library code originating from kivaloo and Tarsnap) — makes it unlikely that spiped has any security vulnerabilities.

On the author's 2.5 GHz Intel Core 2 laptop, spiped operates at approximately 300 Mbps.

Example usage

Diagram of spiped protecting SMTP

To set up an encrypted and authenticated pipe for sending email between two systems (in the author's case, from many systems around the internet to his central SMTP server, which then relays email to the rest of the world), one might run

dd if=/dev/urandom bs=32 count=1 of=keyfile
spiped -d -s '[0.0.0.0]:8025' -t '[127.0.0.1]:25' -k keyfile

on a server and after copying keyfile to the local system, run

spiped -e -s '[127.0.0.1]:25' -t $SERVERNAME:8025 -k keyfile

at which point mail delivered via localhost:25 on the local system will be securely transmitted to port 25 on the server (which is configured to relay mail which arrives from 127.0.0.1 but not from other addresses).

Diagram of spiped protecting ssh

You can also use spiped to protect SSH servers from attackers: Since data is authenticated before being forwarded to the target, this can allow you to SSH to a host while protecting you in the event that someone finds an exploitable bug in the SSH daemon — this serves the same purpose as port knocking or a firewall which restricts source IP addresses which can connect to SSH. On the SSH server, run

dd if=/dev/urandom bs=32 count=1 of=/etc/ssh/spiped.key
spiped -d -s '[0.0.0.0]:8022' -t '[127.0.0.1]:22' -k /etc/ssh/spiped.key

then copy the server's /etc/ssh/spiped.key to ~/.ssh/spiped_HOSTNAME_key on your local system and add the lines

Host HOSTNAME
    ProxyCommand spipe -t %h:8022 -k ~/.ssh/spiped_%h_key

to the ~/.ssh/config file. This will cause ssh HOSTNAME to automatically connect using the spipe client via the spiped daemon; you can then firewall off all incoming traffic on port tcp/22.

The spiped project

Development of spiped takes place in the spiped git repository.

Mailing list

The spiped secure pipe daemon is discussed on the [email protected] mailing list.

Official releases

The following versions of spiped are available:

Version Release date SHA256 hash
spiped 1.6.2 2021-12-24 05d4687d12d11d7f9888d43f3d80c541b7721c987038d085f71c91bb06204567
spiped 1.6.1 2020-04-05 8d7089979db79a531a0ecc507b113ac6f2cf5f19305571eff1d3413e0ab33713
spiped 1.6.0 2017-04-29 e6f7f8f912172c3ad55638af8346ae7c4ecaa92aed6d3fb60f2bda4359cba1e4
spiped 1.5.0 2015-02-22 b2f74b34fb62fd37d6e2bfc969a209c039b88847e853a49e91768dec625facd7
spiped 1.4.2 2014-10-11 dcb668f98a6bd761ff542f7079034f828f792259300eeb16aab53b687a805bde
spiped 1.4.1 2014-09-07 0eeb4b8a94df985cfb60f452ced75f30509105a120ca09f740507c496c15c4f8
spiped 1.4.0 2014-08-28 d8fa13a36905337bec97e507e0689f7bbc9e5426b88d588f3ddd3d6c290dcf5f
spiped 1.3.1 2013-04-13 8a58a983be460b88ed5a105201a0f0afacb83382208761837a62871dcca42fee
spiped 1.3.0 2013-04-06 6f3d512dbdc8e5e893fb533908d4f8bcd1fd23db783f63c7bc37cf5660c139d0
spiped 1.2.2 2012-11-15 a9eb4681e4ccd5d86b8a2d4e16785db8ba10d8a9f7f732485511fd4b92dff1ec
spiped 1.2.1 2012-08-31 4e2e532b2a7df8e9a771c27a1bc2889f0d834e986d4f4a02a2a12174560ea44b
spiped 1.2.0 2012-08-30 46fb94da62bf1f074513047519f2d4f5faf103e5b8555e14a375a42b74508a6b
spiped 1.1.0 2011-09-10 b727b902310d217d56c07d503c4175c65387ff07c9cd50a24584903faf9f3dc3
spiped 1.0.0 2011-07-04 82df05533bf8d8580f57e6dbec7d7e2966eabd3ea7a0a0bb06f87000947969a3

Third-party helper scripts

Warning

This list is provided for informational purposes and inclusion in this list do not constitute an endorsement by Tarsnap Backup Inc. Use at your own risk, and check the source code if you are dealing with sensitive data!

Software deployment tools

Scripts have been written to deploy spiped to various configuration management and software deployment tools.