looking for a NAS box

[Simon]

Except if i encryp the hard drives.

[tszaboo]

i am looking at this: https://www.amazon.co.uk/Synology-DS119j-Bay-Desktop-Enclosure/dp/B07KTCHKH1/ref=sr_1_18?keywords=nas&qid=1568393950&s=computers&sr=1-18&th=1

Ntere is a 2 bay version but I am in two minds. I do not need/want Raid for speed or capacity, only backup. But what happens if the NAS box itself fails. So really it looks like for proper security I'd need 2 boxes to back each other up?

All the common NAS boxes run Linux and use normal Linux disk formats.

If the NAS box fails, you can take out the disk drives and connect them to a PC running Linux to access your data.

So, just having a RAID 1 NAS will protect you from most failures.

Sorry to burst your bubble, but RAID (despite its name) isnt for redundancy, it is for availability. If the first is the goal, you want your data on something else, somewhere else. Nothing prevents the raid controller trashing the data, or accidental deleting all your stuff.

[Kjelt]

Or build your own with some linux nas distro (never done it myself but some friends did) or what I would recommend buy a new Synology NAS.
I would not recommend the cheapest, because if you are used to it you will do more and more but start with the plus series, they have some more ram and cou power.
The DS2xx+ is a great starter also if you want outside access since it needs to be secure.
I have four Synologys at the moment 34TB total, only one is on all the time for my software repository, datasheets etc. My previous nas acts as backup, Synology has backup software that you can schedule or manually backup to another nas or backup your pc to the nas.
Couple of things to keep in mind if you connect it to the outside, read on security best practices, like delete the admin account (ofcourse after you made another account with a long difficult name admin) and best put it in a DMZ.

[Simon]

My problem is that if i am going to have this thing in my house staring a burglar in the face I'd rather encrypt the contents. this means that if the NAS itself fails the drives are useless. Sounds like I need two singles.

[edavid]

My problem is that if i am going to have this thing in my house staring a burglar in the face I'd rather encrypt the contents. this means that if the NAS itself fails the drives are useless. Sounds like I need two singles.

Nope, they use standard Linux encryption too (LUKS):

https://www.linux-howto.info/mount-qnap-encrypted-volume/

[Simon]

Well i have bought the single bay. i will need to make seperate backups anyway in case of theft anyway so the second drive would only give me the convenience of instant-ish backups.

[Kjelt]

Make sure the backup drive is a nice part bigger (1,5 or so) than the original, since it is nice to have dayly, weekly, monthly backup to revert to in some cases and although they only store the deltas it can add up.

[linux-works]

I have 2 WD 4 bay nas boxes that I can recommend.  they've been pretty good the last year or so that I've had them.

one has a video card inside (chip) for transcoding.  I don't need that but you might.

the other is ARM based and good for i/o but not transcoding.

https://www.amazon.com/gp/product/B00TB8XMR0
https://www.amazon.com/gp/product/B01GLRX6C4

arm one is cheaper and fine for most people.

runs pure linux inside and you can ssh to it and do stuff if you need.  changes are not saved, though, as it boots fresh each time.

one feature that has no gui is 'root squash' for nfs; but if you ssh to the box, you can edit the config file and change it; again, until reboot time.

works great for nfs and smb.  web gui is fine.  reliability is fine.

neat features: lcd for ip address (and status), DUAL PSU ABILITY (!!) and dual ethernet ability.

dual psu is what sold me

[edavid]

I have 2 WD 4 bay nas boxes that I can recommend.  they've been pretty good the last year or so that I've had them.

[ WD My Cloud Expert and My Cloud Pro ]

runs pure linux inside and you can ssh to it and do stuff if you need.  changes are not saved, though, as it boots fresh each time.

changes are not saved, though, as it boots fresh each time

It's hardly "pure Linux", since WD has hacked it in an ugly way.

It's somewhat OT for this thread, but you can easily (?) overcome the booting issue:
1. Some config files are stored in flash in /usr/local/config, so you can just edit them there
2. Otherwise you can install Entware, and overwrite whatever you need to in /opt/etc/init.d/rc.unslung

[linux-works]

all vendors 'hack' (customize) their linux.

I would have done things a bit differently but I didn't have to jump thru hoops to login and the filesystem was not hard to discover.  it was nothing like ubuntu or redhat or any of the others, but its highly customized and embed-oriented.

they could have done much worse.  and from the outside, it works pretty well with good speed, good feature set and md-raid is pretty much left as-is, so that's nice.

[techman-001]

I have two HP Microserver Gen 8 servers and they are great.

I run FreeNAS on one of them and FreeBSD on the other one. Moreover, if you need more CPU muscle compatible low power Xeons are cheap now.

I think this is the best possible NAS considering the low price of the HP Microservers and the bulletproof performance of free FreeBSD with ZFS raid.

This Intel i7 FreeBSD Workstation is about 5 years old, has 12TB of Hitachi hard disks and has never suffered data loss after ~50 power failures with no UPS.

[techman-001]

p.s. from which kernel version have you started trusting btrfs?

Not sure. For years, Netgear ReadyNAS was running a BTRFS version 0.26 from memory. Never had a problem with 4 different NAS boxes running in businesses. As I said, Netgear do not use RAID mode on BTRFS which was where a lot of the problems were.

My NAS virtual machine is running on Arch Linux kernel version 5.2.9 on a Proxmox virtual machine host using kernel 2.6.32. Runs great.

It's good to see BTRFS progressing as Linux really does need a ZFS class file system, but as ZFS is CDDL licensed (which is not GPL compatible) it can't be used in Linux Distro releases only added post install which is easy for a filesystem (after installing the ZOL package), but not trivial in the case of bootable ZFS.

The latest (Sep19) https://btrfs.wiki.kernel.org/index.php/Main_Page  indicates that the "Online filesystem check" is still in development, is that correct, does it mean that it can't do a online "scrub' yet ?

A search for 'boot' on that page didn't find anything. I find bootable ZFS very convenient as one may have a "system" ZFS raidz1 (mirror), and a separate ZFS mirror for data.

So I imagine that a BTRFS system still has to boot from a EXTx partition which cannot have RAID protection at this time unless one wanted to use MDADM for the system drives?

[borjam]

My problem is that if i am going to have this thing in my house staring a burglar in the face I'd rather encrypt the contents. this means that if the NAS itself fails the drives are useless. Sounds like I need two singles.

Another issue is, how do you dispose of a broken hard drive. Some can be recovered or at least would allow some of the data to be recovered. Serious encryption means you shouldn't worry about that either. Same thing if you return the drive to the manufacturer for warranty replacement.

[soldar]

My problem is that if i am going to have this thing in my house staring a burglar in the face I'd rather encrypt the contents. this means that if the NAS itself fails the drives are useless. Sounds like I need two singles.

I have thought of setting up NAS at home although I never got around to it. One thing I was considering was locking up the NAS in some hard/safe box where it would be safe from casual burglars. As you do not need physical access often it works well. One consideration is heat dissipation but you could provide some small ducts.  It is really easy to do something like that although I can understand it might not be convenient for someone renting short term.  I have built in safe boxes in every place I have lived. I always used a not too expensive box but well hidden.

Regarding encryption, if you use Full Encryption Drives tied to a TPM module on the board then you can consider drive and board as a single unit and the drive will not work with another board. For this reason my backups go into a PGP virtual disk which is a file you can copy as much as you like and will always work provided you have the key. I always have my PGP keys safely stored separately from the computer in a memory card or a USB drive. Plug it in and everything works transparently.

You could even implement something similar by having the usb drive secured to a desk or wall and plugged in using a USB cable. If they take the box they unplug the USB cable and leave the keys behind.

There are other ways of keeping the encrypted data and the keys separate. Even using WIFI so the perps can't even follow a cable.

[Jeroen3]

Is you just want some easy storage. Definitely get a Synology. If you intend to use encrypted volumes, get a + model. Two bays is recommended, either for speed or availability.
Combine this with Synology C2 for versioned offsite backup. (encryption takes place on your nas)
Bonus feature is their Cloud Station, which is a self-hosted dropbox like experience that you can just put your entire user folder in for continuous backups.

If you want some storage, plus a whole range of other features to play with. Including virtual machines, and other things. Are ok with maintaining it yourself and stuff.
Definitely get the HPE Microserver of build a NAS yourself.

Disposing of broken hard drives is not hard. Just take the 10mm drill and poke a few holes in the drive.

[soldar]

A hard disk using Full Disk Encryption does not need to be physically destroyed as it is irrecoverable without the key.

[legacy]

Regarding encryption, if you use Full Encryption Drives tied to a TPM module on the board then you can consider drive and board as a single unit and the drive will not work with another board.

Is there any SATA electro-mechanical harddrive in 3.5" size with a build-in encryption engine that can fit inside a hot-swap bay? 

[soldar]

Is there any SATA electro-mechanical harddrive in 3.5" size with a build-in encryption engine that can fit inside a hot-swap bay? 

AFAIK FDE disks are the same size as any other HDD. I have some in a couple laptops and they fit right in.

https://www.esecurityplanet.com/mobile-security/buyers-guide-to-full-disk-encryption.html
https://www.seagate.com/as/en/support/kb/full-disk-encryption-faqs-presales-206011en
https://www.seagate.com/as/en/support/internal-hard-drives/laptop-hard-drives/momentus-laptop/
https://www.seagate.com/files/docs/pdf/datasheet/disc/ds_momentus_7200_fde.pdf

Or am I missing something?

[Simon]

I have a USB encrytion caddy that i have my current data on. I drag it around with me and it needs a password inputting to work. No performance impact and after 10 goes your are locked out forever and each caddy has it's own key so you can't keep putting the drive in another caddy.

[soldar]

I have a USB encrytion caddy that i have my current data on. I drag it around with me and it needs a password inputting to work. No performance impact and after 10 goes your are locked out forever and each caddy has it's own key so you can't keep putting the drive in another caddy.

I use PGP Disk encryption. No need for caddy and you can make duplicates of the backup. Just keep the key elsewhere.

This works for data backups; it does not work for system disks where you want the OS encrypted because for that you would need pre-boot authentication (which FDE does provide).

[legacy]

Or am I missing something?

nope, with my friends we are on home-made Nas, which uses common sata hard-drives made in the late 2012, so FDE disks are new interesting feature for me. Never heard before. Thanks for the info.



They are super interesting especially because ... making software encryption is a bit complex for our hardware (possible, but .. it adds a second layer of things to do, test, and debug), and we need disks able to fit these two sata Bays.

FDE disks look perfect 

[Simon]

Reminds me of my portable fibre glass PC case that included the monitor.

[legacy]

That case was chosen only because it was the only one found that fits the three PowerPC nodes stacked one on the top of the other, and the mod was suitable because it only required us to cut-off a piece of plastic. We tried with aluminum cases, and we ended with a lot of problems, like how to cut the metal without catrastropic results

[soldar]

Never heard before. Thanks for the info.

Around 2009 I bought on eBay several Dell laptops and they were probably from military or government surplus and came with all the security measures like TPM and some strange smartcard reader that I never really got it to work.

The HDD in the photo is only 7 mm thick and is fully encrypted.  When connected and running it is completely transparent to the OS but once powered down the password needs to be supplied by the MoBo pre-boot. The MoBo needs to support this feature but many do. I believe my HP Compaq Elite 8300 desktop box running Linux supports it.

If one day you want to get rid of the disk there is no need to erase it.

[legacy]

The HDD in the photo is only 7 mm thick and is fully encrypted.  When connected and running it is completely transparent to the OS but once powered down the password needs to be supplied by the MoBo pre-boot. The MoBo needs to support this feature but many do.

Tomorrow I will investigate deeper 

I wonder if these hard drives use the SMART protocol for passing the passphrase to the encrypt engine, or if not, which is the mechanism to pass it.

The above machine in the picture is composed by four PowerPC nodes running u-boot as firmware and Linux as OS, so I have to know this detail in order to support FDEs.