[Question] HBS3 - Client-Side Encryption

sentinelvdx
Know my way around
Posts: 115
Joined: Sat Dec 19, 2015 5:28 am
Location: Buenos Aires - Argentina

[Question] HBS3 - Client-Side Encryption

Post by sentinelvdx »

Hi,

I'm looking to create a disaster recovery backup job to have a remote copy on a private cloud.
Because I want to avoid prying eyes, I saw it offers "Client-Side Encryption", where it says data is encrypted before being sent remotely...

So from my understanding (English is not my native language), this means that my NAS stored data won't be encrypted at all, right? Only the copy which is being sent remotely...

Thanks in advance,
NAS: TS-251+ 16GB DDR3L 1600mhz CAS11
Firm: QTS 5.0.0.xxxx
HDD's: 2x 4TB HGST Deskstar NAS - RAID0
Port Trunk: 802.3ad w/ Systimax CAT6a
Moogle Stiltzkin
Guru
Posts: 11445
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: [Question] HBS3 - Client-Side Encryption

Post by Moogle Stiltzkin »

viewtopic.php?p=726520&sid=6787ce865ebb ... c077336690

Client-side encryption is the cryptographic technique of encrypting data on the sender's side, before it is transmitted to a server such as a cloud storage service.[1] Client-side encryption features an encryption key that is not available to the service provider, making it difficult or impossible for service providers to decrypt hosted data. Client-side encryption allows for the creation of applications whose providers cannot access the data its users have stored, thus offering a high level of privacy.[1] Those applications are sometimes marketed under the misleading term "zero-knowledge".

You can also use client-side encryption for a backup on another device on the same LAN (in my case a 2nd QNAP NAS). In this scenario I cannot just simply browse the contents of the backed up data because it's encrypted. I have to restore the data first to decrypt it. This is how the tech works.

It's highly recommended, especially when storing your backup offsite. Or if you are backing up an encrypted share to a backup, hence you would obviously want that backup to be encrypted and not be a sitting duck (exposed/unencrypted) on the backup location.

So that is the purpose of client-side encryption (in HBS).


Credits to Jon2288
Client-side encryption: when enabled, your files will be encrypted before being transferred to the cloud storage, and your data will remain encrypted in the cloud storage. The encryption key is derived from the password you enter for this job. Without your password to decrypt the file, your original data cannot be decrypted. This prevents unauthorized access to your confidential data even if your credentials of the cloud storage are compromised or if your cloud storage provider tries to access your data. As standard OpenSSL is used for encrypting the files, you can use it to decrypt your files after you download the files using other utilities without using a Turbo NAS. Please note that you cannot change this setting after a job is created.
https://www.qnap.com/en-us/how-to/tutor ... tion-note/


Oh, and another thing: your encryption is only as good as your encryption password. Don't use a short or overly simplistic password because that could possibly reduce the encryption strength.

And ALWAYS test that your decryption WORKS. Don't simply assume it will. TEST that backups actually work, ESPECIALLY if they are encrypted and require a password to decrypt.
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)


Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
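
The restore test recommended in the post above, as an added example that is not part of the original thread or of QNAP's tooling: a round trip with the openssl CLI that checks both the decrypt exit status and a SHA-256 digest of the restored file. The cipher and key-derivation options, function names, password and sample data are assumptions; the thread does not state the parameters HBS uses.

```bash
#!/usr/bin/env bash
# Restore drill for a password-encrypted backup file, using the openssl CLI.
# ASSUMPTION: AES-256-CBC with PBKDF2 is illustrative only; the thread does
# not state which cipher or key-derivation settings HBS uses.
OPENSSL_OPTS="-aes-256-cbc -pbkdf2 -iter 200000 -salt"

# Hex SHA-256 digest of a file.
sha256_of() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }

# encrypt_file <plain> <encrypted> <password>
# The password goes through the environment so it never appears in argv.
encrypt_file() {
  BACKUP_PW="$3" openssl enc $OPENSSL_OPTS -pass env:BACKUP_PW -in "$1" -out "$2"
}

# decrypt_file <encrypted> <restored> <password>; non-zero status on failure.
decrypt_file() {
  BACKUP_PW="$3" openssl enc -d $OPENSSL_OPTS -pass env:BACKUP_PW \
    -in "$1" -out "$2" 2>/dev/null
}

# verify_restore <original> <encrypted> <password>
# Prints OK only if decryption succeeds AND the restored digest matches.
# The digest check matters: with CBC a wrong password occasionally yields
# valid-looking padding, so the exit status alone does not prove a good restore.
verify_restore() {
  local tmp rc=0
  tmp=$(mktemp) || return 2
  if decrypt_file "$2" "$tmp" "$3" &&
     [ "$(sha256_of "$1")" = "$(sha256_of "$tmp")" ]; then
    echo OK
  else
    echo FAIL; rc=1
  fi
  rm -f "$tmp"
  return $rc
}

# run_drill: round trip on constructed sample data, right and wrong password.
run_drill() {
  local dir pw='correct horse battery staple'   # hypothetical job password
  dir=$(mktemp -d) || return 2
  head -c 4096 /dev/urandom > "$dir/sample.bin"  # constructed sample data
  encrypt_file "$dir/sample.bin" "$dir/sample.enc" "$pw"
  echo "right password: $(verify_restore "$dir/sample.bin" "$dir/sample.enc" "$pw")"
  echo "wrong password: $(verify_restore "$dir/sample.bin" "$dir/sample.enc" 'guess')"
  rm -rf "$dir"
}

run_drill
```

For a real drill, point `verify_restore` at a file downloaded from the backup destination and the untouched original on the NAS.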
P3R
Guru
Posts: 13192
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [Question] HBS3 - Client-Side Encryption

Post by P3R »

sentinelvdx wrote: Fri Nov 15, 2019 3:05 am So from my understanding (English is not my native language), this means that my NAS stored data won't be encrypted at all, right? Only the copy which is being sent remotely...
It depends on if you use encryption on the NAS or not. It supports volume and shared folder encryption, but it needs to be configured with that and it needs to be properly managed to be useful.
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
sentinelvdx
Know my way around
Posts: 115
Joined: Sat Dec 19, 2015 5:28 am
Location: Buenos Aires - Argentina

Re: [Question] HBS3 - Client-Side Encryption

Post by sentinelvdx »


Moogle Stiltzkin wrote: viewtopic.php?p=726520&sid=6787ce865ebb ... c077336690

Client-side encryption is the cryptographic technique of encrypting data on the sender's side, before it is transmitted to a server such as a cloud storage service.[1] Client-side encryption features an encryption key that is not available to the service provider, making it difficult or impossible for service providers to decrypt hosted data. Client-side encryption allows for the creation of applications whose providers cannot access the data its users have stored, thus offering a high level of privacy.[1] Those applications are sometimes marketed under the misleading term "zero-knowledge".

You can also use client-side encryption for a backup on another device on the same LAN (in my case a 2nd QNAP NAS). In this scenario I cannot just simply browse the contents of the backed up data because it's encrypted. I have to restore the data first to decrypt it. This is how the tech works.

It's highly recommended, especially when storing your backup offsite. Or if you are backing up an encrypted share to a backup, hence you would obviously want that backup to be encrypted and not be a sitting duck (exposed/unencrypted) on the backup location.

So that is the purpose of client-side encryption (in HBS).


Credits to Jon2288
Client-side encryption: when enabled, your files will be encrypted before being transferred to the cloud storage, and your data will remain encrypted in the cloud storage. The encryption key is derived from the password you enter for this job. Without your password to decrypt the file, your original data cannot be decrypted. This prevents unauthorized access to your confidential data even if your credentials of the cloud storage are compromised or if your cloud storage provider tries to access your data. As standard OpenSSL is used for encrypting the files, you can use it to decrypt your files after you download the files using other utilities without using a Turbo NAS. Please note that you cannot change this setting after a job is created.
https://www.qnap.com/en-us/how-to/tutor ... tion-note/


Oh, and another thing: your encryption is only as good as your encryption password. Don't use a short or overly simplistic password because that could possibly reduce the encryption strength.

And ALWAYS test that your decryption WORKS. Don't simply assume it will. TEST that backups actually work, ESPECIALLY if they are encrypted and require a password to decrypt.
Thanks, that's exactly what I was expecting. Just encrypting data which will be stored offsite.

P3R wrote:
sentinelvdx wrote: Fri Nov 15, 2019 3:05 am So from my understanding (English is not my native language), this means that my NAS stored data won't be encrypted at all, right? Only the copy which is being sent remotely...
It depends on if you use encryption on the NAS or not. It supports volume and shared folder encryption, but it needs to be configured with that and it needs to be properly managed to be useful.
Sorry, but I didn't understand you...
My NAS is not encrypted and I'm just looking to encrypt what is going to be stored offsite. That's why I was asking.

P3R
Guru
Posts: 13192
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [Question] HBS3 - Client-Side Encryption

Post by P3R »

Okay, then it was me that misunderstood you.