Idea: Offsite Backup Club - Free

[CacheCow]

Hello All,

This is an idea that I can’t stop thinking about and wanted to reach out here for feedback.

Many of us here have the same goal of protecting our data and providing redundancy. Of course you can accomplish this via several online backup solutions capable of syncing data from our NAS. I don’t know about you but I am tired of 98% of every solution to a problem requiring a paid subscription. I am probably showing my age a little when I say I miss the old days of buying software on disc and owning it forever. We live in a time where even that is long gone (cough…cough…Adobe, MS Office, the list goes on and on) I will stop the rant there. The subscription creep in our lives today is brutal and sometimes you want to draw the line based on principle if you can find a viable alternative.

I simply want to backup critical data from my NAS offsite in case of disaster. I feel strongly against using a 3rd party service to accomplish this due to several reasons. Some of these reasons include public data breaches, Google training their AI with your photo content, what if 3rd party is acquired by another company or stops service/raises prices. Some of these things feel like a privacy violation and potential variable I do not want to worry about. Many of us here have made the investment in hardware, have available bandwidth, and have the needed expertise for an alternative to these online solutions.

Here is where you ask…”Where does the FREE come in”. Why does every service need to have a monetary cost? I am not going to start a business with that tag line but you get the point. I want to accomplish a goal of secure offsite backup and not pay a penny for it which is likely also the goal of other technically inclined folks with some spare capacity. The solution is barter and linking up like-minded people that have the same goal of protecting their data. Those of you with a technically inclined sibling or family member should be setting up something like this together.

If you look at just what you need to backup offsite like documents, photos, video, memories, work or the things that cannot be replaced you may have a smaller amount to store offsite than you think. It may not be necessary to worry about that multi-terabyte movie collection in a backup solution.

How can we solve this problem by working together? I might have 750GB that I want to make sure it is backed up offsite and not use a traditional service. I would try to find someone that has a similar amount they would like to store in an offsite backup. Once an agreement is made between two parties the how kicks in without any funds changing hands. We all have similar tools/hardware to pull off something like this. In the event one of the participants wants to store more than the agreed amount they have some options.

• Ask the sync partner if they’re willing to accept more data and if they have a need to store more data.
• Find a new sync partner that has the capacity, (downside is a new initial sync is required)
• In any case where you do not have balance in the amount of data stored the person that has the overage would need to make it right with the person providing the additional capacity. Some potential easy alternatives would be Crypto payment, Amazon gift card, or other potential barter. Maybe the person has a business and can provide a service for the other to make up the difference.

Technical specifics of how this could be done:

• We all have similar hardware in place with the same base functionality.
• HyperBackup and HyperBackup Vault over a direct VPN with client side encryption enabled in the backup.
• Most people that would use a solution like this have a high bandwidth connection 1gb symmetrical would be ideal but would work with less.
• The permissions on the NAS to enable this could be set easily to segregate the user so they do not have any other access on the NAS.
• Firewall permissions can also be set so the user connected via VPN does not see any other devices on the network.
• I have also looked into a potential alternative to HyperBackup that could play nice with other hardware vendors…..Syncthing. Some nice things about that potential solution is that it could potentially work without a VPN over UPNP. Although client side encryption for this is currently in beta. It is worth exploring further though.
• I thought about potentially have a website that links up storage providers and storage consumers.
• In the long run we will have better options for online storage than a typical centralized company. These solutions will still cost something but I feel it will be easier to pull off an idea like this with decentralized data storage and possibly integrated payments. Some of these solutions could consist of Storj, Sia, Maidsafe and several other emerging crypto/blockchain technologies.
• User quotas can easily be used to make sure the sync partner is not going over what has been agreed upon.

So I just wanted to get some feedback on this to see if there are any like-minded people out there. I assume that this idea might be more appealing to those with a couple or more gray hairs. It is just changing times where it seems younger generations do not have a problem utilizing/paying for any online data storage provider and the associated risks are acceptable. This same group of people also share everything online and might not value privacy as much as someone who is a little older.

 

[Walter]

That could get you in trouble for hosting illegal files. I never would store files from someone I dont know and trust 100%.

 

[CacheCow]

That could get you in trouble for hosting illegal files. I never would store files from someone I dont know and trust 100%.

How do all of the paid backup solutions that allow encrypted backups get around this?

It is the same thing, the provider does not know what they're storing as it is encrypted. The storage provider cannot see what is inside the encrypted backup.

 

[Telos]

How do all of the paid backup solutions that allow encrypted backups get around this?

That's not my problem, or concern.

But files on my NAS are my responsibility. What assurance have I that those files are encrypted? What if a user streams mp3's from your site? Or shares links to mp3/mp4's for others to stream?

This "idea" has all the risk of running a Tor exit.

As a legit user... what assurance is there of file availability/integrity/access bandwidth?

Good luck!

 

[Deleted member 673]

I've been using a similar concept successfully for many years. In my case, with a larger volume of data and a few tweaks that might please @Telos:

#1: The backup NAS locations are with HIGHLY TRUSTED friends or family members. Their locations are about as geographically diverse from mine as possible. So there are no shared risks from natural disasters such as weather/flooding or earthquake/tsunami.

#2: I own the backup NASs (currently, DS420s w/ 4x10TB RAID5).

#3: For simplicity, I just use QuickConnect (vs. VPN) to manage the remote NASs and for weekly replacement of encrypted personal data backups (~ 10MB per week).

#4: I mail a USB thumb drive to the remotes via the Postal Service for monthly updates - updates are (almost) all additions (~500GB per month).

#5: I mail a USB raid drive (2x16TB RAID0) via the Postal Service for a more-or-less annual rebuild of all backups on the NAS (~20TB+).

This is in addition to a master and two daily backups maintained locally.

This works well for my situation: a large media library and a few personal spreadsheets, etc. Admittedly, it will take a few days to ship an offsite NAS to me for a full ~20TB+ restore. I've done this just once, years ago, when a perfect storm of failures corrupted all local copies of data. And I've been a firm believer in offline and remote backups ever since.

"Payments" to helpful friends and family are made informally, by occasional favors and/or holiday gifts.

Ron

 

[CacheCow]

That's not my problem, or concern.

But files on my NAS are my responsibility. What assurance have I that those files are encrypted? What if a user streams mp3's from your site? Or shares links to mp3/mp4's for others to stream?

This "idea" has all the risk of running a Tor exit.

As a legit user... what assurance is there of file availability/integrity/access bandwidth?

Good luck!

I think for the solution to be effective you need to have some base comfort level with the person you're setting this up with. As you can imagine this type of solution is not quick to implement and some technical knowhow is needed.

A requirement of any solution like this should be making sure any files sent are encrypted. I mentioned two different solutions that have this capability, HyperBackup and SyncThing are both capable of client side encryption. You of course need to keep an eye on bandwidth but this can also be handled at the network level to only provide so much bandwidth as well as a specific storage quota. In no way should anyone do something like this without solid encryption in use.

As for the question of what if a user does this.......that is not possible as the only thing they can do is use your storage space as a HyperBackupVault......no files are accessed in any way directly by anyone. When setting up an offsite backup solution like this you're not giving access to any files like you would if running your own NAS, it would strictly store encrypted files which could only be decrypted by the user setting this up.

I put this out there as "Idea" because like this I want to hear from others or those that have set something up like another post here. I also feel something like this is ideal for family members to setup together. Not everyone has family members that could get this going due to bandwidth or other reasons.

-- post merged: 23. Nov 2022 --

I've been using a similar concept successfully for many years. In my case, with a larger volume of data and a few tweaks that might please @Telos:

#1: The backup NAS locations are with HIGHLY TRUSTED friends or family members. Their locations are about as geographically diverse from mine as possible. So there are no shared risks from natural disasters such as weather/flooding or earthquake/tsunami.

#2: I own the backup NASs (currently, DS420s w/ 4x10TB RAID5).

#3: For simplicity, I just use QuickConnect (vs. VPN) to manage the remote NASs and for weekly replacement of encrypted personal data backups (~ 10MB per week).

#4: I mail a USB thumb drive to the remotes via the Postal Service for monthly updates - updates are (almost) all additions (~500GB per month).

#5: I mail a USB raid drive (2x16TB RAID0) via the Postal Service for a more-or-less annual rebuild of all backups on the NAS (~20TB+).

This is in addition to a master and two daily backups maintained locally.

This works well for my situation: a large media library and a few personal spreadsheets, etc. Admittedly, it will take a few days to ship an offsite NAS to me for a full ~20TB+ restore. I've done this just once, years ago, when a perfect storm of failures corrupted all local copies of data. And I've been a firm believer in offline and remote backups ever since.

"Payments" to helpful friends and family are made informally, by occasional favors and/or holiday gifts.

Ron

Ron, thanks for the feedback. This is exactly what I was looking for to see how others might be doing this.

I am not a fan of QuickConnect if I can avoid it by using a direct VPN connection which is fine if only I am connecting. Is the annual rebuild necessary? I would think that once you have everything setup incremental sync should work fine. Are you using HyperBackup.

It is very impressive that you have this solution tailored to the needs of you and family members and it has been running for multiple years.

 

[Telos]

The backup NAS locations are with HIGHLY TRUSTED friends or family members.

This sounds well-thought-out. I've always advocated sharing backup storage with a trusted friend or family member. It also sounds as you are the overall administrator... another plus.

Sharing storage with a random user, or even a forum member who is not a closer personal friend, is off the table for me.

 

[Deleted member 673]

Responding to @CacheCow - The weekly backups via QuickConnect are total replacement. The incremental backup of media files uses a script to copy added files to a USB thumb drive; which goes to remote by mail. The home system and local backups are no longer on NAS. I'm currently using a Mac mini with Thunderbolt-3 drives - running Serviio DLNA server and MAMP for hosting PHP apps - Carbon Copy Cloner for local backups. So no more HyperBackup.

The annual rebuild ensures integrity of the remote backup at that point in time. Also, that's a habit I acquired years ago to mitigate "bit rot" on magnetic media.

 

[Rusty]

I have the same situation setup with more then a few people that I know. None are familiy members, but close friends or people from work.

The setup is simple. Custom DSM account with 0 access to any folder other then a dedicated one for that person. The folder is under a random generated name for example bucket-xxxxx-yyyyy-zzzzz.

The app in use is HB with client side encryption (so it is using the Synology's "database" propriatery format).

To get to the destination there is a custom DNS record for each user (as there is a before mentioned folder).

This is for users that are not going over VPN. For other cases there is a site-to-site vpn setup in effect that mimics the previous setup apart from the fact that the traffic is not using an fqdn name.

In any event, there is a folder quota in effect, and number of backups are setup from the "client" side as needed.

Also, the content is replicated to another RS unit, as well as towards Syno C2 as a 3rd backup.

Zero issues so far.

 

[Gerard]

I have the same situation setup with more then a few people that I know. None are familiy members, but close friends or people from work.

The setup is simple. Custom DSM account with 0 access to any folder other then a dedicated one for that person. The folder is under a random generated name for example bucket-xxxxx-yyyyy-zzzzz.

The app in use is HB with client side encryption (so it is using the Synology's "database" propriatery format).

To get to the destination there is a custom DNS record for each user (as there is a before mentioned folder).

This is for users that are not going over VPN. For other cases there is a site-to-site vpn setup in effect that mimics the previous setup apart from the fact that the traffic is not using an fqdn name.

In any event, there is a folder quota in effect, and number of backups are setup from the "client" side as needed.

Also, the content is replicated to another RS unit, as well as towards Syno C2 as a 3rd backup.

Zero issues so far.

I have the same setup with two others that backup to me. Each have their own user account and folder destination. The account has 0 privileges other than dumping the data into their respective folder. Their account can’t even log into dsm.

In addition I use an opnsense router and the one thing I like about it is that for each of the two, I have a firewall rule on the port forward for hb. Opnsense allows for a dns name as a source ip essentially. Considering most residential account are dynamic public ip’s , opnsense will do a dns name lookup of their domain name and then only that source ip is allowed on the hb port forward. Essentially hb is closed to the world with the exception of those two close friends public ip’s. Since it’s always doing a dns lookup I don’t have to worry if their public ip changes.

I had told synology they should incorporate a dns resolution into their firewall for source ip’s I’d switch in a heartbeat. But this one feature here is why I ended up doing an opnsense router; pfsense would do the same I’d assume.

 

[CacheCow]

I have the same situation setup with more then a few people that I know. None are familiy members, but close friends or people from work.

The setup is simple. Custom DSM account with 0 access to any folder other then a dedicated one for that person. The folder is under a random generated name for example bucket-xxxxx-yyyyy-zzzzz.

The app in use is HB with client side encryption (so it is using the Synology's "database" propriatery format).

To get to the destination there is a custom DNS record for each user (as there is a before mentioned folder).

This is for users that are not going over VPN. For other cases there is a site-to-site vpn setup in effect that mimics the previous setup apart from the fact that the traffic is not using an fqdn name.

In any event, there is a folder quota in effect, and number of backups are setup from the "client" side as needed.

Also, the content is replicated to another RS unit, as well as towards Syno C2 as a 3rd backup.

Zero issues so far.

Awesome feedback.

I am happy to hear of others that have refined this process without using a typical paid solution. Half of the battle is figuring out all of the technical specifics as many different ways to set it up and lock it down.

I will probably put another synology at a family members house with the highest bandwidth. I will have to take on the headache of setup at both locations as nobody else in family has the needed technical expertise.

It seems like many here are doing this each a little differently. Due to all of the configuration needed to secure it, something like this is not a simple setup but once it is setup it sounds like an effective alternative to paid storage.

 

[EAZ1964]

As a nuance on the word Free:
I have setup a cross - hyper backup with a family member between two synologies.
But for sure it is not free. I am sure that if I calculate the true cost (currently 80 Euro electricity cost/nas/year) plus depreciation of the disks and nas, that my (additional) external encrypted cloud is much cheaper.