Signed URLs with Backblaze B2

Temporary access to private files in Backblaze B2 with secure links.


I am looking for a simple and privacy-friendly way to share old home videos with my loved ones. YouTube is a hard no. I don’t want an algorithm analyzing videos of my family, nor have them potentially taken down because there is some unlicensed music playing in the background. Some cloud storage with a simple static site will be just fine.

Pre-Signed URLs

A public file bucket with videos would be easy enough but signed URLs (sometimes called pre-authorized or pre-signed URLs) that expire after some time would be even better. This adds a bit of security: shared links won’t linger around forever, limiting possible exposure.

Backblaze is known for their backup service but also offers cloud storage similar to Amazon’s S3, Microsoft’s Azure, or Google’s Cloud Storage. Backblaze B2 is API compatible with AWS S3 and is more affordable than the big players. There are trade-offs, though: the documentation is sparse, there are only three datacenters (California, Arizona & Amsterdam), and Backblaze doesn’t offer client libraries. Backblaze does have a command-line tool, and all AWS S3 libraries should be usable as well (by changing the API endpoint). Note that you can only choose the datacenter on account creation. I had to close my old account and open a new one in their EU region since my family videos will only ever be watched from Europe (latency and GDPR reasons).

Download Authorization with Backblaze B2

I used signed URLs before on AWS S3 so the same should work for Backblaze B2.

Head over to the “App Keys” section in the Backblaze web interface and add a new application key. Write down the newly generated ‘keyID’ and ‘applicationKey’. Add a private bucket while you are at it, and upload a file.

Download and install their CLI client and authorize your account using the two keys generated before. List the buckets to check if it works.

  $ b2 authorize-account
  $ b2 list-buckets

Generate a pre-signed URL by passing the duration, bucket, and filename. The minimum duration is 1 second, the maximum is 604800 seconds (= one week).

  $ b2 get-download-url-with-auth --duration 60 bucketname filename.mp4

Voilà, a quick, simple, and reasonably secure way to share bigger files.
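The post notes that AWS S3 libraries work against B2 once the endpoint is changed. The sketch below is an added example, not code from the original post or from Backblaze: it builds an S3-style (SigV4) pre-signed GET URL with only the Python standard library, to show how the expiry and the key are bound into the link. This is the S3-compatible route, not the mechanism the b2 CLI command above uses; the endpoint host, region, key ID and application key are constructed placeholders, and the endpoint format is an assumption to check against your bucket's details.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

MAX_EXPIRY = 604800  # one week, the maximum duration the post gives

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def presign_get(host, path, key_id, secret, region, expires, now):
    """Return a SigV4 query-signed GET URL valid for `expires` seconds from `now` (UTC)."""
    if not 1 <= expires <= MAX_EXPIRY:
        raise ValueError("expires must be between 1 and 604800 seconds")
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{key_id}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(params.items()))
    uri = quote(path, safe="/")
    # Canonical request: method, path, query, headers, signed header names, payload marker.
    canonical = "\n".join(["GET", uri, query, f"host:{host}", "", "host", "UNSIGNED-PAYLOAD"])
    digest = hashlib.sha256(canonical.encode()).hexdigest()
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, digest])
    # Derive the signing key: the secret is bound to date, region and service.
    key = ("AWS4" + secret).encode()
    for part in (amz_date[:8], region, "s3", "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{uri}?{query}&X-Amz-Signature={signature}"

if __name__ == "__main__":
    # Constructed placeholders, not real credentials or a real bucket.
    print(presign_get(
        host="s3.eu-central-003.backblazeb2.com",  # assumed endpoint format
        path="/bucketname/filename.mp4",
        key_id="EXAMPLE_KEY_ID",
        secret="EXAMPLE_APPLICATION_KEY",
        region="eu-central-003",
        expires=60,
        now=datetime.datetime.now(datetime.timezone.utc),
    ))
```

The signature covers X-Amz-Date and X-Amz-Expires, so a recipient cannot extend the lifetime by editing the link. Anyone who holds the link can use it until it expires, so keep the duration as short as the sharing purpose allows.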
