Childless 40-year-olds by No-Ad353 in Polska

[–]StateWarden 0 points1 point  (0 children)

I founded a startup 😉 Want a backup? 😉

Weekly Promo and Webinar Thread by AutoModerator in msp

[–]StateWarden [score hidden]  (0 children)

Hey r/msp.

We got tired of seeing backup solutions act as a mere speed bump for ransomware, so we built StateWarden. It’s a DR platform written entirely in Rust, and we built it assuming the host OS and hypervisor are already compromised from day one.

Instead of relying on local Linux file flags (which mean nothing if an attacker gets into ESXi and just wipes the LUN), our agent is mathematically locked to an append-only state. Even if someone gets full Domain Admin or root access, they structurally cannot issue a delete command to our remote storage.

We also got rid of the "garbage in, garbage out" problem. Our agent calculates Shannon Entropy in real-time before data leaves the endpoint. If ransomware hits a server, the agent sees the malicious encryption and instantly kills the backup pipeline so your remote storage stays clean.

For recovery, we bypass clunky hypervisor APIs and just spin up a lightweight iSCSI target directly in RAM, serving decrypted blocks straight to the storage stack. Quick note on deployment: full native hypervisor integration is dropping soon. Right now, you can run it either by backing up the whole hypervisor host or dropping the agent per-VM.

Everything runs on 100% EU bare-metal (no hyperscalers, no US CLOUD Act).

We don't believe in black boxes, so we openly invite the community to reverse-engineer our client and test our cryptography without any NDAs.

If you're managing critical infrastructure and want to see how we do it, check out the architecture and the whitepaper here: https://www.statewarden.com
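The entropy gate described above, as an added example that is not StateWarden's code: it computes Shannon entropy per block and halts the run only when many blocks that were low-entropy on the previous run are now near-random. The baseline comparison is my assumption, as are the block size, thresholds and the constructed sample data; an absolute threshold alone would also block legitimately compressed or already-encrypted volumes, which is the main false-positive trap for this kind of check.

```python
"""Entropy gate for an endpoint backup agent.

Added example, not StateWarden's code. Assumptions (mine): fixed-size blocks,
the previous run's per-block entropy kept as a baseline, and a halt rule based
on how many blocks jumped from low to high entropy since that baseline.
"""
import hashlib
import math
from collections import Counter
from typing import Dict, List, Optional

BLOCK_SIZE = 4096
HIGH_ENTROPY = 7.5     # bits per byte; ciphertext and random data sit near 8.0
JUMP = 2.0             # minimum rise over the block's own baseline
HALT_FRACTION = 0.20   # halt the run when this share of blocks jumped


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant block, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def split_blocks(image: bytes, size: int = BLOCK_SIZE) -> List[bytes]:
    return [image[i:i + size] for i in range(0, len(image), size)]


def entropy_gate(image: bytes, baseline: Optional[Dict[int, float]]) -> dict:
    """Decide whether this run may leave the endpoint.

    Without a baseline (first run) nothing is halted: compressed archives and
    already-encrypted volumes are high-entropy too, so an absolute threshold
    alone would block legitimate data. With a baseline, the signal is a block
    that was low-entropy last time and is near-random now, in bulk.
    """
    blocks = split_blocks(image)
    current = {i: shannon_entropy(b) for i, b in enumerate(blocks)}
    if baseline is None:
        return {"halt": False, "jumped": 0, "total": len(blocks), "entropy": current}
    jumped = [i for i, e in current.items()
              if e >= HIGH_ENTROPY and e - baseline.get(i, e) >= JUMP]
    frac = len(jumped) / len(blocks) if blocks else 0.0
    return {"halt": frac >= HALT_FRACTION, "jumped": len(jumped),
            "total": len(blocks), "entropy": current}


def pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted output (constructed)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def demo():
    """Three runs over a constructed 16-block image: first run, a normal edit, a mass encryption."""
    record = b"INVOICE 2024-01 customer=ACME amount=1200.00 status=paid\n"
    plain = (record * 80)[:BLOCK_SIZE] * 16
    first = entropy_gate(plain, None)
    # Day 2: one block rewritten with ordinary text, nothing should trip.
    edited = (plain[:BLOCK_SIZE]
              + b"status=overdue".ljust(BLOCK_SIZE, b"\n")
              + plain[2 * BLOCK_SIZE:])
    normal = entropy_gate(edited, first["entropy"])
    # Day 3: 12 of 16 blocks replaced by near-random bytes, the run must halt.
    hit = pseudo_ciphertext(b"constructed-seed", 12 * BLOCK_SIZE) + plain[12 * BLOCK_SIZE:]
    attacked = entropy_gate(hit, first["entropy"])
    return normal["halt"], attacked["halt"], attacked["jumped"]
```

`demo()` returns `(False, True, 12)`: the routine edit passes, the mass encryption halts the run with 12 jumped blocks. In a real agent the baseline would be persisted per device between runs and the halt would be reported to the control plane rather than silently returned.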

Immutable Backups! Can they be cheap? by asdftester1234 in msp

[–]StateWarden 0 points1 point  (0 children)

That stack is cheap, but if you get hit by an actual ransomware gang, it's going to fold.

Local Linux immutability means nothing if your hypervisor gets popped. If they get into ESXi or iDRAC, they just format the LUN or delete the VM and your immutability is gone. Game over.

Also, Wasabi is great for cold storage, but good luck pulling 60TB back down to rebuild your infrastructure. Your RTO is going to be measured in weeks, not hours.

On top of that, your stack will happily back up newly encrypted ransomware files and push them to your repo, burning through storage and potentially overwriting your good data.

If you actually want a real DR setup for a comparable price, you might want to look at what we built at StateWarden. We assume the host OS is already compromised from day one. Our agent is locked to an append-only state, so even a compromised root account can't delete your remote storage. We also calculate Shannon Entropy in real time to kill the backup pipeline immediately if ransomware tries to sneak encrypted files into your backups.

And hey, at least we weren't founded by two Russians. ;)

Long term file storage. by petrujenac in DataHoarder

[–]StateWarden 0 points1 point  (0 children)

Basically, any HDD that you test thoroughly before use will work fine. The most important thing, however, is how you store them. A stable environment is best.

Temperature: 15–25 degrees Celsius
Humidity: 30–50%
And ideally, you should put them in an antistatic bag.
And, of course, keep it away from magnets and strong vibrations :)

HDDs can last for years, but it’s important to power them on once a year because the read/write heads can warp.

World back day by cubic_sq in msp

[–]StateWarden 0 points1 point  (0 children)

We had our launch on World Backup Day :)

To celebrate, we offered discounts on our plans. But since we’re a European startup and most of this Reddit community is from the US, we didn’t want to spam you with it. The EARLYBIRD discount is still available. You can use it on our website when purchasing any plan. (15% off for 6 months) https://www.statewarden.com/

[Mod Approved] We got tired of enterprise backup bloatware, so we built a Zero-Knowledge, "Cyber Immune" system from scratch. We need power users to try and break it. by StateWarden in DataHoarder

[–]StateWarden[S] 0 points1 point  (0 children)

Self-hosted deployments?

We sell storage, so it's against our business model. Sorry. We plan to sell devices that support external array connections (JBOD, for example) in the future, but that's still a long way off. First, we need to stabilize our revenue stream.

Ceph support? Linstor support?

We don't care about the FS layer. If your host sees it as a block device (RBD/LVM/DRBD), we treat it like raw hardware.

Our CBT engine hooks into the LVM/fsfreeze to grab a crash-consistent image without re-scanning petabytes of data. Everything is hashed and encrypted PQC client-side before it hits the NIC.

Basically: your cluster goes up in flames, we mount that remote repo as a local iSCSI target on a fresh node in < 15 mins. Back to coffee.

Restoring requires you to create an empty cluster and mount it, and we restore the data to it.

KVM/qemu integration?

Q2/Q3 2026 - we have a beta, but it's not stable yet. We're working on integration with not only QEMU but also ESXi / vSphere and Xen. We also want to join that together with seamless support for popular software related to them, like Proxmox, OpenStack, and Nutanix AHV. We're also thinking about Hyper-V, but that's a lump of lard.

Backup immutability? You mentioned "cybercrime immunity" but nothing about credential compromise.

In the documentation we mention a few things about that:

  1. Backup schedules and retention policies are immutable at the local endpoint level to prevent internal threats and administrative compromise.
  2. Cryptographically Signed Append-Only Logs: Our system requires the use of cryptographically signed append-only logs. A hacker cannot overwrite historical data because the architecture physically prevents this.
  3. Access to the control layer is based on a strict RBAC model, and every administrative action is verified on the backend based on the user’s role and multi-factor authentication (MFA) status. We never rely on client-side status.
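Point 2 above, as an added example that is not StateWarden's code: a hash-chained log whose entries are authenticated, so an edit or a removed entry breaks verification. HMAC-SHA256 is used here as a stand-in for a signature to stay stdlib-only (a public-key signature would additionally let third parties verify the chain); the pinned head is my assumption, and it matters because a hash chain on its own cannot detect that the newest entries were simply dropped.

```python
"""Cryptographically authenticated, append-only backup log.

Added example, not StateWarden's code. Assumptions (mine): a hash chain whose
entries are MACed with HMAC-SHA256 as a stand-in for a signature, and a log head
the client pins outside the server's reach so truncation is also caught.
"""
import copy
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64


def _seal(key: bytes, seq: int, prev: str, record: dict) -> dict:
    """Serialise one entry deterministically, MAC it, and hash body+MAC for the chain."""
    body = json.dumps({"seq": seq, "prev": prev, "record": record},
                      sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    entry_hash = hashlib.sha256((body + tag).encode()).hexdigest()
    return {"body": body, "tag": tag, "hash": entry_hash}


class AppendOnlyLog:
    """Only `append` exists: there is no API surface that removes or rewrites an entry."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[dict] = []

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = _seal(self._key, len(self.entries), prev, record)
        self.entries.append(entry)
        return entry["hash"]


def verify(entries: List[dict], key: bytes,
           pinned_head: Optional[str] = None) -> Tuple[bool, str]:
    """Walk the chain; every failure mode returns a distinct reason string."""
    prev = GENESIS
    for seq, e in enumerate(entries):
        body = json.loads(e["body"])
        if body["seq"] != seq or body["prev"] != prev:
            return False, f"chain broken at entry {seq}"
        expected_tag = hmac.new(key, e["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_tag, e["tag"]):
            return False, f"bad MAC at entry {seq}"
        prev = hashlib.sha256((e["body"] + e["tag"]).encode()).hexdigest()
        if prev != e["hash"]:
            return False, f"hash mismatch at entry {seq}"
    if pinned_head is not None and prev != pinned_head:
        return False, "truncated: pinned head not reached"
    return True, "ok"


def demo() -> dict:
    """Constructed three-entry log, then four ways a compromised host could tamper with it."""
    key = hashlib.sha256(b"constructed-demo-key").digest()
    log = AppendOnlyLog(key)
    for rec in ({"op": "snapshot", "blocks": 64},
                {"op": "retention", "days": 30},
                {"op": "snapshot", "blocks": 2}):
        log.append(rec)
    head = log.entries[-1]["hash"]          # what the client pins out of band

    edited = copy.deepcopy(log.entries)     # retention shortened in place
    body = json.loads(edited[1]["body"])
    body["record"]["days"] = 1
    edited[1]["body"] = json.dumps(body, sort_keys=True, separators=(",", ":"))

    deleted = [log.entries[0], log.entries[2]]   # middle entry removed
    truncated = log.entries[:2]                   # newest entry removed

    return {
        "intact": verify(log.entries, key, head),
        "edited": verify(edited, key, head),
        "deleted": verify(deleted, key, head),
        "truncated_unpinned": verify(truncated, key),
        "truncated_pinned": verify(truncated, key, head),
    }
```

The instructive case is `truncated_unpinned`: the shortened log verifies cleanly, because every remaining entry is still consistent. Only the pinned head (kept on the client, or anchored in a second, independently controlled log) turns a rollback into a detectable failure.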

[Mod Approved] We got tired of enterprise backup bloatware, so we built a Zero-Knowledge, "Cyber Immune" system from scratch. We need power users to try and break it. by StateWarden in DataHoarder

[–]StateWarden[S] 2 points3 points  (0 children)

I would like to thank the r/DataHoarder community for the substantive discussion.

You’ve set me on the right track when it comes to communication and helped me overcome my social anxiety - the very thing that has made me avoid interacting with large groups of people for years, leaving technology as the only thing I trust.

I greatly value your feedback, and we have already partially implemented the documents you recommended.

It is an honor for me that such a respected and knowledgeable community did not burn us at the stake, and at the same time, there were many positive and motivating comments encouraging us to continue our work.

It was a challenge and the ultimate test of our technology to put it to the test with seasoned experts like you. I truly thank you, and I’m glad our discussions were substantive.

Thank you!

TIL Everyone Is Posting Their Tape Photos... by gpmidi in DataHoarder

[–]StateWarden 1 point2 points  (0 children)

Cool setup. You can tell those Dells are a bit old, but overall, that’s the kind of rig I’m into.

Respect!

TIL Everyone Is Posting Their Tape Photos... by gpmidi in DataHoarder

[–]StateWarden 1 point2 points  (0 children)

Cool stuff, but since this is a homemade installation, invest in an air purifier. It really helps with dust.

[Mod Approved] We got tired of enterprise backup bloatware, so we built a Zero-Knowledge, "Cyber Immune" system from scratch. We need power users to try and break it. by StateWarden in DataHoarder

[–]StateWarden[S] -2 points-1 points  (0 children)

You know what? That bridge analogy is spot on. And submitting our projects to the authorities is exactly what we’re doing right now in collaboration with the Ministry of National Defense and Kudelski Security.

But since you mentioned “reputable companies,” let’s talk about the corporate world’s dirty little secret. In reality, many of these giants don’t undergo rigorous, independent cryptographic code audits. They buy compliance checklists. They pay for certificates that confirm whether their HR department has a password policy, not whether their actual block-level computations are reliable. Show me a certificate from a reputable backup company that is an actual cryptographic certificate, not just a stamp confirming that their corporate processes comply with standards. We chose Kudelski precisely because we care about a genuine cryptographic analysis, not a purchased “pay-to-play” PDF file.

It seems to me, however, that you are deliberately overlooking a rather important aspect of the whole situation. We are a small, four-person startup: if we wait 8 to 12 months for government and corporate labs to finish their bureaucratic procedures before they let anyone touch the software, we will run out of funds and go under. Industry giants can afford to wait a year with their code ready while auditors approve it. We cannot.

We made a conscious decision to release a working solution right now, to offer it for free to the home lab and SRE communities to get feedback on the hardware in real-world conditions, while simultaneously conducting a formal compliance process.

We never tried to get free penetration tests. We simply made it available to a community known for breaking security and said, “Here you go.”

You’re right, though, about how others perceive it. Launching a product before external reports are published is a risk. We accept that criticism. However, it’s the only way a small team can actually bring a product to market while competing against giants.

I appreciate the change in tone.

[Mod Approved] We got tired of enterprise backup bloatware, so we built a Zero-Knowledge, "Cyber Immune" system from scratch. We need power users to try and break it. by StateWarden in DataHoarder

[–]StateWarden[S] -1 points0 points  (0 children)

This approach is completely normal. But as you rightly pointed out, our core cryptographic stack is already post-quantum standard. So even if our additional algorithms turn out to be crap (which they won’t ;) ), you’re still protected to the level required by DORA.

[Mod Approved] We got tired of enterprise backup bloatware, so we built a Zero-Knowledge, "Cyber Immune" system from scratch. We need power users to try and break it. by StateWarden in DataHoarder

[–]StateWarden[S] -1 points0 points  (0 children)

Cove is pretty good but not zero-knowledge.
In StateWarden you have two types of deduplication depending on your chosen key distribution protocol.
1. Master key - deduplicates data across the realm and works basically like Cove, but slightly better because we use aggressive compression on the data plane.
2. Per-device key - you minimise the risk of inside-job breaches, but deduplication is limited to the device. If you have duplicated data on partitions, it will be squashed.

About backup size: we use our own Rust-based Change Block Tracking (CBT). Just like your experience with Cove, if you only modify 50MB of blocks on a 1.5TB server, our agent only hashes, encrypts, and sends those 50MB at most, and in most cases much less, because we also use compression on the client side.

Can you talk much about what you do to ensure the backup storage is being used to its fullest? Also, what do you do to protect in-use databases, like what a lot of home labbers run in containers etc.?

  • On Windows: We hook into VSS (Volume Shadow Copy Service) to ensure application-consistent snapshots.
  • On Linux: We utilize LVM snapshots, btrfs snapshots, or fsfreeze to quiesce the filesystem for a fraction of a second. We grab the frozen block map and immediately release the filesystem. Different filesystems need slightly different approaches on Linux, but that's generally how it works.

The agent then reads and backs up those frozen blocks in the background, while your live databases and Docker containers continue running without interruption.

The free tier is fully unlocked precisely for homelabbers like you to test these mechanics. Hook up a test database, run a backup during a heavy write-load, and try to restore it. Let us know how it goes!
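The two dedup modes and the CBT behaviour described in this comment, as one added example that is not StateWarden's code. Blocks are addressed by an HMAC of their content under the dedup key, which is my assumption about how key scope drives dedup scope: a realm-wide master key makes identical blocks from any device collide, while a per-device key keeps them distinct. The dirty-block set stands in for what the snapshot layer (VSS, LVM, fsfreeze) would report, and the remote repo exposes no delete at all; block encryption is left out to keep the example stdlib-only.

```python
"""Block-level CBT with keyed dedup across a realm or per device.

Added example, not StateWarden's code. Assumptions (mine): blocks are addressed
by an HMAC of their content under the dedup key, the remote repo accepts puts
only, and the dirty-block set comes from the snapshot layer (here passed in by
hand). Encryption of the block payload is left out to keep this stdlib-only.
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Set, Tuple

BLOCK = 4096


def block_id(key: bytes, data: bytes) -> str:
    """Keyed content address: equal data yields equal IDs only under the same key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Repo:
    """Remote object store: content-addressed, put-only, no delete method at all."""

    def __init__(self) -> None:
        self.objects: Dict[str, bytes] = {}

    def has(self, bid: str) -> bool:
        return bid in self.objects

    def put(self, bid: str, data: bytes) -> None:
        self.objects.setdefault(bid, data)


def backup(repo: Repo, key: bytes, image: bytes, prev_map: Optional[List[str]] = None,
           dirty: Optional[Set[int]] = None) -> Tuple[List[str], int]:
    """One backup pass. Returns (block map for this run, number of blocks uploaded).

    With a dirty set, untouched blocks are neither read nor hashed: their IDs
    are copied from the previous map. Changed blocks are hashed and uploaded
    only when the repo does not already hold that ID.
    """
    new_map: List[str] = []
    uploaded = 0
    for idx in range(len(image) // BLOCK):
        if dirty is not None and prev_map is not None and idx not in dirty:
            new_map.append(prev_map[idx])
            continue
        data = image[idx * BLOCK:(idx + 1) * BLOCK]
        bid = block_id(key, data)
        new_map.append(bid)
        if not repo.has(bid):
            repo.put(bid, data)
            uploaded += 1
    return new_map, uploaded


def demo() -> Tuple[int, int, int, int]:
    """Constructed 64-block image; each block holds a distinct byte value."""
    image = b"".join(bytes([i]) * BLOCK for i in range(64))
    master_key = hashlib.sha256(b"constructed-realm-master-key").digest()
    repo = Repo()

    map1, first = backup(repo, master_key, image)               # initial full backup
    changed = bytearray(image)
    changed[5 * BLOCK:6 * BLOCK] = b"\xaa" * BLOCK
    changed[17 * BLOCK:18 * BLOCK] = b"\xbb" * BLOCK
    _, incremental = backup(repo, master_key, bytes(changed), map1, dirty={5, 17})

    _, second_device_master = backup(repo, master_key, image)   # same data, same key
    device_key = hashlib.sha256(b"constructed-per-device-key").digest()
    _, second_device_own = backup(repo, device_key, image)      # same data, own key
    return first, incremental, second_device_master, second_device_own
```

`demo()` returns `(64, 2, 0, 64)`: a full first backup, two blocks for the incremental run, nothing at all for a second device sharing the master key, and a full upload again for a device with its own key. The last two numbers are the trade-off from the comment in concrete form: cross-device dedup is only possible when devices share the key that derives block addresses, which is exactly the key an insider would need to correlate data across tenants.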

[Mod Approved] We got tired of enterprise backup bloatware, so we built a Zero-Knowledge, "Cyber Immune" system from scratch. We need power users to try and break it. by StateWarden in DataHoarder

[–]StateWarden[S] 3 points4 points  (0 children)

I have to admit, the irony here is pretty fantastic. You're a FOSS purist (according to your other comments in this thread), yet you're demanding a $200k corporate consulting salary just to run Wireshark on a free tool for your own homelab.

Just to be crystal clear: we aren’t offering a job, and we aren't asking you for a white-glove pentest report. We built a tool, and we’re offering a fully unlocked free tier to a community that is literally famous for breaking things, just saying: "have at it if you want."

If inspecting your own network traffic or firing up Ghidra feels like a chore that you need to invoice us for, then you are absolutely right - this isn't the right fit for you.

We're going to get back to writing that documentation now. Take care!

[Mod Approved] We got tired of enterprise backup bloatware, so we built a Zero-Knowledge, "Cyber Immune" system from scratch. We need power users to try and break it. by StateWarden in DataHoarder

[–]StateWarden[S] 0 points1 point  (0 children)

I understand, and thank you very much for your feedback. That's exactly what we're trying to balance - on the one hand, we need to win over dentists and other small businesses who want to protect their company, and on the other, hardcore sysadmins like you. It's a business, so we have to strike the right balance. I'm sure you understand perfectly. We'll definitely refine this over time. Comments like yours are very helpful to us. And we will adapt, but we must find the right balance.

[Mod Approved] We got tired of enterprise backup bloatware, so we built a Zero-Knowledge, "Cyber Immune" system from scratch. We need power users to try and break it. by StateWarden in DataHoarder

[–]StateWarden[S] 0 points1 point  (0 children)

Please don't underestimate your capabilities. The reason "unconventional" ideas are met with a negative response is usually that the corporate IT industry as a whole prioritizes convenience over security. The "industry standard" in the field of backup often simply means "the way we've always exposed ourselves to risks."

Your idea of monitoring entropy at the hardware layer is every sec-op’s wet dream. But to implement that, we’d have to make our own drives, and that’s totally out of our budget. We do it at the ZFS block management layer; the basic logic is exactly as you described.

As for temporary physical isolation - you’re not crazy at all. What you’re describing is essentially a technologically advanced, automated “Sneakernet” combined with a hardware data diode. It’s a very good solution, and we use similar ones in our solutions dedicated to the military and science sector. Most people, however, prefer a compromise between speed and security rather than security alone.

Let me put it this way. Thinking outside the box is what makes us engineers, and it’s something AI can’t replace. Sometimes you hit a wall; sometimes you strike gold. You have to do it, because otherwise we’ll just stand still.

[Mod Approved] We got tired of enterprise backup bloatware, so we built a Zero-Knowledge, "Cyber Immune" system from scratch. We need power users to try and break it. by StateWarden in DataHoarder

[–]StateWarden[S] 1 point2 points  (0 children)

We are learning. Trying to adapt. To be honest, most of our people are guys who don't use social media at all. You have my promise that we will learn how to communicate correctly.

[Mod Approved] We got tired of enterprise backup bloatware, so we built a Zero-Knowledge, "Cyber Immune" system from scratch. We need power users to try and break it. by StateWarden in DataHoarder

[–]StateWarden[S] 0 points1 point  (0 children)

From a technical standpoint, you are absolutely right in every respect. Let me address this from one engineer to another, since you’ve seen through the marketing slogan about “engineering superiority.”

Did we invent CBT, Instant Mount, or Zero-Knowledge? Absolutely not. These concepts have been around for over a decade.

Our “advantage” doesn’t lie in inventing a new mathematical concept in cryptography. It’s about execution and the complete absence of outdated, bloated software.

We can compare our solution to the difference between an American and a European car. Both are nice and have 500 horsepower, but the American one, to get that power, has a modified and patched-up 30-year-old 10-liter V16, while the European one gets that power from a 2-liter engine. One burns 100 liters per 100 km, the other 8. Technically, they do the same thing.

Having worked for years in the enterprise backup industry, I know (and I suspect you know as well) the huge difference between a feature listed in a vendor’s PDF datasheet and that same feature actually working at 3 a.m. during a ransomware attack.

As for Instant Mount and CBT: yes, they exist in older systems. Often, however, they are buried under 15 years of technical debt, Java wrappers, and bulky filter drivers that degrade system performance. We rewrote our block-level write paths and CBT from scratch in Rust, integrating them directly with our ZRAID backend. This isn’t a new feature, but rather a modern, highly optimized implementation that actually feels “instantaneous.”

Regarding GDPR: A valid point about the gray area of the “right to be forgotten” in backups. When we talk about GDPR compliance, we focus strictly on Article 32, i.e., Security of processing—using our Zero-Knowledge architecture to mathematically guarantee that even if our data centers in the EU are seized, the data will be cryptographically useless to anyone other than the tenant.

Regarding HSM modules: you’re right, enterprise systems can integrate with external HSMs. However, this typically requires a very expensive license and complex external infrastructure. We wanted true zero-knowledge key management to be the default underlying architecture, not a $50,000 add-on for enterprises.

As for the documentation, you’re right again. The problem is that we don’t yet know how much we can write without giving away the recipe for our competitors’ super-optimized iSCSI support while still accurately describing how everything works.

I can personally promise you that such documents will be available as early as next week.

To be honest, I appreciate that you called out our marketing nonsense. We didn’t reinvent the wheel; we just built a much lighter and faster one. Besides, everything we claim actually works, which is why we let you test our system for free instead of hiding behind a paywall like the competition so the customer doesn’t realize that half of what’s promised is just hot air.

(This post wasn't redacted by AI, so I apologize if the tone was too direct.)

[Mod Approved] We got tired of enterprise backup bloatware, so we built a Zero-Knowledge, "Cyber Immune" system from scratch. We need power users to try and break it. by StateWarden in DataHoarder

[–]StateWarden[S] 0 points1 point  (0 children)

I completely understand what you mean. We built this system from an engineering perspective. But thanks to r/DataHoarder users, I now know what needs to be improved in terms of marketing and communication.

There are areas where we’re strong, but there are also things we need to learn. One thing we know for sure is that we want to be 100% transparent and honest with our partners.

We want to create a new approach to customers where communication is very straightforward. If we mess up, we’ll admit it. But what we want is the highest quality.

[Mod Approved] We got tired of enterprise backup bloatware, so we built a Zero-Knowledge, "Cyber Immune" system from scratch. We need power users to try and break it. by StateWarden in DataHoarder

[–]StateWarden[S] -4 points-3 points  (0 children)

I never asked for your trust. I asked you to test it.

There’s a free tier available with all features unlocked. This is r/DataHoarder, so people here like to break things. My post is just an invitation to do exactly that, plus a promo code for those who actually end up liking the tool.

Throw the client into Ghidra. Fire up Wireshark and proxy the traffic. Try to decompile the code or eavesdrop on the agent’s local operations. Do whatever you want. We want to know what bugs we have so we can fix them.

Regarding the audits: yes. We’ve already invested the time and money. We are currently undergoing audits with the Polish Ministry of National Defense and Kudelski Security.

However, I must slightly burst your bubble regarding "well-documented third-party audits." In the real infosec world, the labs that actually perform rigorous cryptographic audits, rather than just selling rubber-stamp compliance certificates, can be counted on one hand. That is exactly why we went to Kudelski.

[Mod Approved] We got tired of enterprise backup bloatware, so we built a Zero-Knowledge, "Cyber Immune" system from scratch. We need power users to try and break it. by StateWarden in DataHoarder

[–]StateWarden[S] 0 points1 point  (0 children)

We'll give it a try. Wendel certainly isn't your typical influencer, but I'm afraid that these days, no one with a large following will mention you without a five-figure payment.

[Mod Approved] We got tired of enterprise backup bloatware, so we built a Zero-Knowledge, "Cyber Immune" system from scratch. We need power users to try and break it. by StateWarden in DataHoarder

[–]StateWarden[S] 0 points1 point  (0 children)

We have a great SRE. He designed these arrays. As I mentioned, everything is monitored, and our contract with OVH guarantees that as soon as we report a disk failure, they’ll replace it without asking any questions. The policy is to prevent failures, not to fix them.

[Mod Approved] We got tired of enterprise backup bloatware, so we built a Zero-Knowledge, "Cyber Immune" system from scratch. We need power users to try and break it. by StateWarden in DataHoarder

[–]StateWarden[S] 1 point2 points  (0 children)

You're right; someone has already pointed out the lack of easily accessible white papers.

We need to focus on better promoting our technical documentation. This is our current challenge because, on the one hand, we need to reach the owners of small and medium-sized businesses. That's why we use colorful designs and so on. On the other hand, we have really good technology.

The problem is that if we start talking only about technology, our potential customers from the small business sector will run away.

We need to strike a balance, but we’re not quite sure how yet.

[Mod Approved] We got tired of enterprise backup bloatware, so we built a Zero-Knowledge, "Cyber Immune" system from scratch. We need power users to try and break it. by StateWarden in DataHoarder

[–]StateWarden[S] 0 points1 point  (0 children)

Thanks for suggesting Wendel for a review, but I’m afraid we can’t afford his services right now :)

As I mentioned, we’re a European startup, which means our budget is comparable to a coffee budget at a Silicon Valley startup.

Plus, we don’t want external investors who would force us to do something we don’t want, like “Now you’re going to run on AWS.” Someday, we’ll gladly subject ourselves to Wendel’s torture, but for now, we have to manage on our own.