Hyper backup

musicfreak
Getting the hang of things
Posts: 91
Joined: Sun Aug 08, 2010 6:33 pm

Hyper backup

Post by musicfreak » Sun Sep 22, 2019 8:06 pm

I have set up hyperbackup and it works.

I've then set the encryption of the file and entered a password etc. All seems fine, I guess.

But when I do a restore it does not ask me for the password and just restores the files without any problem.

Should it not ask for the password I used to encrypt this backup?

P3R
Guru
Posts: 12375
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: Hyper backup

Post by P3R » Mon Sep 23, 2019 4:18 am

If you have a backup job selected and push the Restore button in the upper right corner I would assume that all parameters (including encryption password) from the corresponding backup job are used.

If you use the Wizard to create a Restore job I would assume that you also need to add the encryption password.

RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!

StarDust21
New here
Posts: 2
Joined: Sat Oct 24, 2020 9:46 pm

Re: Hyper backup

Post by StarDust21 » Sat Oct 24, 2020 10:32 pm

Hi

But I am the only one who thinks this is a big vulnerability?

Doesn't that mean as long as you are admin or a backup user you can have access to all encrypted volumes/shared folders without any password, as long as you have access to the HBS backup job, which I assume many people use?

I'm trying to find a good and secure way to keep my backup files secure, and I can't say that HBS client-side encryption makes me safe...

I have a TS-453D and a TR-004 as my backup... so I guess my option is to encrypt the whole TR-004 and turn off the client-side encryption, or is there other good QNAP backup software with encryption than HBS?

P3R
Guru
Posts: 12375
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: Hyper backup

Post by P3R » Sun Oct 25, 2020 1:59 am

StarDust21 wrote: Sat Oct 24, 2020 10:32 pm
> Doesn't that mean as long as you are admin or a backup user you can have access to all encrypted volumes/shared folders without any password, as long as you have access to the HBS backup job, which I assume many people use?

As far as I know, there are no backup users. Only admins have access to admin applications like backup. As an admin you're god on the system and have access to the original data on disk, so what would be the security issue with access to the backup copies of that data as well?

Client-side encryption protects against unauthorized access to backups on the backup media.

Please note: Hyper Backup, mentioned in the topic, is a Synology application but I would assume we're actually talking about Hybrid Backup Sync here.

StarDust21
New here
Posts: 2
Joined: Sat Oct 24, 2020 9:46 pm

Re: Hyper backup

Post by StarDust21 » Sun Oct 25, 2020 3:31 am

Thanks for your reply, and yes, I can see your point that admin is God...

But when it comes to security I thought it was an extra layer of security to encrypt a volume with a password that even admin didn't get/know... so if the admin account were exposed my encrypted data was still inaccessible without the password. Since admin can't unlock disk volumes without a password, but with the restore job he can restore the encrypted files to another volume... without any password...

So when QNAP says "If the password is forgotten or the encryption key is lost, the data cannot be accessed and cannot be recovered." it depends... if you have an HBS backup with client-side encryption you are fine...

So that's what I don't like, it saves the password/encryption key without my awareness, or maybe I should read the manual better... I had hoped the backup job asked me if QNAP should save the password if I wanted automatic scheduled backups, or write it for "manual backups" with extra security.

That's my thoughts, but hopefully QNAP has good security to protect the admin user... I'm just a new kid in the QNAP world...

P3R
Guru
Posts: 12375
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: Hyper backup

Post by P3R » Mon Oct 26, 2020 5:03 am

StarDust21 wrote: Sun Oct 25, 2020 3:31 am
> So when QNAP says "If the password is forgotten or the encryption key is lost, the data cannot be accessed and cannot be recovered." it depends... if you have an HBS backup with client-side encryption you are fine...

Yes if you have admin access to the system and at the same time have access to the backup copy.

If the system is still within your premises and you have an intruder with admin access, the volume encryption won't protect you anyway as the volumes are typically already unlocked. When the intruder has access to your original data then there's no need for them to access your backups.

If the system is physically stolen, the volume encryption is useful as an extra precaution if the encryption isn't stored on the system itself. If the system is physically stolen you would probably notice that in some way and can secure your backups.

> So that's what I don't like, it saves the password/encryption key without my awareness, or maybe I should read the manual better... I had hoped the backup job asked me if QNAP should save the password if I wanted automatic scheduled backups, or write it for "manual backups" with extra security.

Well it wasn't designed in the way you had hoped.

The intention of client-side encryption is to protect your data against being accessed directly on your backup media, not to protect the backup from a rogue admin in the Qnap. If you have failed to protect your admin account all bets are off as an admin can do absolutely anything.

> That's my thoughts, but hopefully QNAP has good security to protect the admin user...

Well, Qnap offers 2FA (2-factor authentication), brute-force protection and other security features. But none of that is enough if you configure the system or your network in a bad way.

The first thing to avoid if you want to mitigate risks is to avoid exposing your system on the internet.
