Multi Tier Data Management With Ransomware Protection

In the following article we outline a way to manage your own data, complete with a backup strategy and a snapshot/versioning approach that protects you against ransomware and against your own mistakes.

Most of the time our data is not under our control. It is stored in the cloud under the control of different companies, in different jurisdictions, with ever-changing terms of service and privacy policies. GDPR, the European data protection directive, and the California Privacy Rights Act (CPRA), an extension of the CCPA, are definitely a step in the right direction, but they are not all-encompassing and not applicable in all jurisdictions.

NOTE before you start: This article is technical and only scratches the surface. If you are not familiar with production-ready self-hosting you are better off using cloud services, at least from a security perspective.

Most of the technologies outlined here are also used by enterprises to manage their data at scale and in compliance with data privacy and other regulations. The main difference is the underlying hardware.

What do you need?

Before you can get started you need at least the following things.

  • Some basic knowledge about ZFS and its terminology
  • Hardware for a NAS that can run TrueNAS. This will be our main local storage.
  • A cloud provider where we store our encrypted off-site backups; see the rclone providers list for supported providers. In this article we use Backblaze B2.
  • One or more of the backup and sync tools used in this article; alternatives such as borg work in a similar way.
    • SyncThing for data synchronization to your computer
    • restic for encrypted, space-efficient and verifiable backups

Everything should run behind a robust and secure firewall without any public exposure. If you need access to your data from a remote location, use a VPN such as WireGuard.

Designing the architecture

Before we get started with installing TrueNAS and implementing our data management strategy we want to have a clear idea of what the result will be and assess whether it integrates seamlessly into our day-to-day workflow. Furthermore, we want to make sure that this solution protects against specific attack vectors.

Our most important data, such as personal documents or family photos and videos, should be protected against the following scenarios:

  • Hard disk failures (up to two for RAIDZ2 or one for RAIDZ1)
  • Complete NAS failure (off-site backups)
  • Accidental deletion by us or by someone who has legitimate access to the original data (versioning/snapshotting)
  • A ransomware attack on one or more of our clients (versioning/snapshotting combined with off-site backups)

Tier 0: RAIDZ2 configuration of our TrueNAS pool

In order to protect our most sensitive data against up to two simultaneous hard disk failures we set up our ZFS pool in a RAIDZ2 configuration.

ZFS RAIDZ2

The picture above is not 100% accurate. Technically there are no two specific parity drives; any two drives in the vdev can fail.

Tier 1: Periodic ZFS snapshots

TrueNAS is based on ZFS and comes with all the amazing features of this file system. One of those features is snapshots, which can be configured via the TrueNAS web interface to run periodically. A snapshot, as the name indicates, is a version of the dataset at a point in time. It can be created in a matter of seconds or less and only takes up the space of the delta between the previous snapshot and/or the live data.

If you expose your data to your clients via Samba or NFS and, in the unfortunate event, one or more of those clients are hit by ransomware, you can roll back your data to a previous snapshot in a matter of seconds with one click in the TrueNAS web interface.

Another very useful feature is that those snapshots can be exposed to Windows in such a way that they show up as shadow copies. You can inspect previous snapshots, and even previous versions of specific sub-directories, from Windows File Explorer, and either roll back to a previous version or copy out the single files you need. The screenshot below shows the Windows shadow copy interface.

Windows Shadow Copies

Given that the snapshots live on your TrueNAS machine, and assuming that this machine is well protected, e.g., with a unique and strong password plus 2-factor authentication and only the necessary ports exposed to the clients, the snapshots cannot be compromised directly by the clients.
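A small check that follows from this tier, written here as an added example rather than code from the article or from TrueNAS: it compares the two newest snapshots of a dataset with `zfs diff`, alerts when the number of modified or renamed files looks like a bulk rewrite, and can roll back to the older snapshot. The dataset name, the threshold and the snapshot naming are assumptions.

```shell
#!/bin/sh
# Added example: flag a suspicious burst of changes between the two newest
# ZFS snapshots of a dataset, and roll back to the older one on demand.
# Dataset name and threshold are constructed example values.
set -eu

DATASET="${DATASET:-tank/documents}"   # assumed dataset name
THRESHOLD="${THRESHOLD:-200}"          # assumed alert threshold (files)

# Print the two newest snapshots of dataset $1, oldest first.
last_two_snapshots() {
    zfs list -H -t snapshot -o name -s creation -d 1 "$1" | tail -n 2
}

# Count `zfs diff -H` lines whose change type is M (modified) or R (renamed).
# Ransomware rewrites or renames files in bulk; additions and deletions alone
# are more often ordinary user activity. Reads the diff on stdin.
count_changed() {
    awk '$1 == "M" || $1 == "R" { n++ } END { print n + 0 }'
}

# Return 0 when the change count between the two newest snapshots of $1 is
# below threshold $2, 1 when it reaches the threshold (alert), 2 on error.
check_dataset() {
    snaps=$(last_two_snapshots "$1")
    older=$(printf '%s\n' "$snaps" | head -n 1)
    newer=$(printf '%s\n' "$snaps" | tail -n 1)
    if [ "$older" = "$newer" ]; then
        echo "need at least two snapshots of $1" >&2
        return 2
    fi
    changed=$(zfs diff -H "$older" "$newer" | count_changed)
    echo "$older -> $newer: $changed modified/renamed files"
    [ "$changed" -lt "$2" ]
}

# Roll the dataset back to snapshot $1. -r also destroys every newer
# snapshot, so inspect those with `zfs diff` before running this.
rollback_to() {
    zfs rollback -r "$1"
}

case "${1:-}" in
    check)    check_dataset "$DATASET" "$THRESHOLD" ;;
    rollback) rollback_to "$2" ;;
esac
```

Run `check` from a periodic task right after each snapshot; a non-zero exit is the alert, and `rollback` is the one-command equivalent of the web interface rollback once you have confirmed which snapshot predates the damage.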

Tier 2: Off-Site backups via TrueNAS Cloud Sync (rclone)

Off-site backups ensure that we still have access to our most important data even if the local NAS fails completely and loses all its data. TrueNAS provides, under the name Cloud Sync, a web interface for rclone.

Make sure that your backups are encrypted by providing a password and a salt. Do NOT forget those values, otherwise you permanently lose access to your data.

Those encrypted backups can be accessed directly via rclone, as long as you have the credentials for the cloud provider where the data is stored and the password and salt used for the encryption. This is very important when your TrueNAS fails and you need quick access to your data: you can use a locally installed rclone and access the data from your clients.

You should set up your client rclone configuration at the same time you set up your Cloud Sync tasks. This allows you to test your backup and be ready in times of crisis.
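The client-side rclone setup and restore test recommended above, as an added example that is not part of the article or of TrueNAS: the remotes are defined through environment variables and a restore drill verifies the pulled copy against the encrypted remote. Remote names, bucket, paths and secrets are assumptions, as is the mapping of the Cloud Sync password and salt to rclone crypt's password and password2.

```shell
#!/bin/sh
# Added example: recreate the Cloud Sync crypt remote on a client with rclone
# and run a restore drill. Remote names, bucket and paths are constructed;
# the Cloud Sync password/salt are assumed to be rclone crypt's password and
# password2. Credentials and the two secrets come from the environment.
set -eu

B2_BUCKET="${B2_BUCKET:-my-nas-backups}"     # assumed B2 bucket
B2_PREFIX="${B2_PREFIX:-truenas/documents}"  # assumed path in the bucket
DRILL_PATH="${DRILL_PATH:-2024/taxes}"       # assumed small directory to restore

# Define both remotes through RCLONE_CONFIG_<REMOTE>_<KEY> variables, so no
# rclone.conf with credentials is written to the recovery machine's disk.
# rclone expects password values in these variables to be obscured.
export_remotes() {
    : "${B2_KEY_ID:?}" "${B2_APP_KEY:?}" "${CRYPT_PASSWORD:?}" "${CRYPT_SALT:?}"
    export RCLONE_CONFIG_B2_TYPE=b2
    export RCLONE_CONFIG_B2_ACCOUNT="$B2_KEY_ID"
    export RCLONE_CONFIG_B2_KEY="$B2_APP_KEY"
    export RCLONE_CONFIG_NASCRYPT_TYPE=crypt
    export RCLONE_CONFIG_NASCRYPT_REMOTE="b2:$B2_BUCKET/$B2_PREFIX"
    # Must match the Cloud Sync task's filename encryption setting (assumed on)
    export RCLONE_CONFIG_NASCRYPT_FILENAME_ENCRYPTION=standard
    RCLONE_CONFIG_NASCRYPT_PASSWORD=$(rclone obscure "$CRYPT_PASSWORD")
    RCLONE_CONFIG_NASCRYPT_PASSWORD2=$(rclone obscure "$CRYPT_SALT")
    export RCLONE_CONFIG_NASCRYPT_PASSWORD RCLONE_CONFIG_NASCRYPT_PASSWORD2
}

# Restore drill: a listing proves the credentials, password and salt are
# right (a wrong secret fails to decrypt names), then one small directory is
# pulled to $1 and cryptcheck verifies that plaintext copy against the
# encrypted remote without a second download.
restore_drill() {
    rclone lsd nascrypt: >/dev/null
    rclone copy "nascrypt:$DRILL_PATH" "$1"
    rclone cryptcheck "$1" "nascrypt:$DRILL_PATH"
}

case "${1:-}" in
    drill) export_remotes; restore_drill "${2:-/tmp/restore-drill}" ;;
esac
```

Because the remote definitions live only in the environment of this shell, closing it leaves no provider credentials or obscured secrets behind on the client.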

Tier 3: Versioning of data during synchronization

This tier of protection is versioning during data synchronization. The most important data is synchronized from the clients to the TrueNAS with the help of SyncThing. As shown in the screenshots below, the TrueNAS SyncThing instance is set to receive-only with staggered versioning. If a file is deleted or modified by mistake and a previous version was fully synchronized, we can always roll back to that previous version.

SyncThing Staggered Versioning

SyncThing Receive-Only Share

Tier 4: Space-efficient, encrypted and verifiable backups

Backups are very important, especially if data is involved that cannot be replaced. Do you really want to lose your family photos just because you didn't have a comprehensive backup strategy in place!?!

For data that is not synchronized directly via SyncThing or mounted as a shared drive via NFS/Samba we use restic, which supports all the rclone providers as backends.

All backups are encrypted and only the delta, i.e., the changes to the data, is stored. That, combined with the rclone backend support, makes it the perfect backup tool. By choosing the TrueNAS as storage server and using the S3-compatible storage backend MinIO we get all the data protection and security features outlined earlier in this article.
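The restic job against MinIO on the TrueNAS, as an added example that is not code from the article, from restic or from MinIO: it initialises the repository if needed, backs up, applies a retention policy and verifies. The endpoint, bucket, password file path, tag, source path and retention counts are assumptions.

```shell
#!/bin/sh
# Added example: a restic job against a MinIO (S3-compatible) bucket hosted
# on the TrueNAS: initialise once, back up, apply retention and verify.
# Endpoint, bucket, password file, tag, source path and retention counts
# are constructed example values.
set -eu

MINIO_URL="${MINIO_URL:-https://truenas.local:9000}"   # assumed endpoint
RESTIC_BUCKET="${RESTIC_BUCKET:-restic-laptop}"        # assumed bucket
export RESTIC_REPOSITORY="s3:$MINIO_URL/$RESTIC_BUCKET"
# Repository password from a root-only file rather than the command line
export RESTIC_PASSWORD_FILE="${RESTIC_PASSWORD_FILE:-/etc/restic/password}"
# MinIO access keys: restic reads AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY
KEEP_DAILY=7; KEEP_WEEKLY=4; KEEP_MONTHLY=12           # retention policy

# `restic cat config` only succeeds on an initialised repository.
init_if_needed() {
    restic cat config >/dev/null 2>&1 || restic init
}

# One snapshot of $2, tagged $1 so several sources can share the repository.
# --exclude-caches skips directories marked with a CACHEDIR.TAG file.
backup() {
    restic backup --exclude-caches --tag "$1" "$2"
}

# Drop snapshots outside the retention window and free their data. This is
# the only step that deletes; running it from the NAS with a key the clients
# do not hold keeps a compromised client from erasing its own history.
prune_old() {
    restic forget --prune --tag "$1" --keep-daily "$KEEP_DAILY" \
        --keep-weekly "$KEEP_WEEKLY" --keep-monthly "$KEEP_MONTHLY"
}

# Structural check plus a random 5% sample of pack files read back and hashed
verify() {
    restic check --read-data-subset=5%
}

run_job() {
    : "${AWS_ACCESS_KEY_ID:?}" "${AWS_SECRET_ACCESS_KEY:?}"
    init_if_needed
    backup "$1" "$2"
    prune_old "$1"
    verify
}

case "${1:-}" in
    run) run_job "$2" "$3" ;;
esac
```

Invoke it as `restic-job.sh run docs /home/alex/Documents` from a scheduled task on each client; the check step is what makes the backup verifiable rather than merely present.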

Author

Alex Oberhauser

Alex Oberhauser is a tech entrepreneur, innovator and former C-level executive. He is currently working on user-controlled identities and the empowerment of end users, with privacy and security as part of the value proposition, not as an afterthought.