Security advice when sharing files?

Currently reading
Security advice when sharing files?

144
32
jonohunt.design
NAS
DS1621+, DS1019+, DS218+
Operating system
  1. Linux
  2. macOS
  3. other
Mobile operating system
  1. iOS
In the past I've had a domain pointed at my DiskStation (DS1019+) and accessed DSM, Drive etc. via the domain name/HTTPS, but now I have sensitive work files on there and don't want to expose the Synology to the internet.

So I no longer use the domain name and just use a VPN to access DSM, Drive etc. from different computers, devices etc. But I miss the ease of sharing files with friends and family via the domain name. I thought of setting up Virtual DSM, pointing the domain at that, and sharing files from there.

My thinking is that it would mean the 'main DSM' is still only accessible via a VPN, while being able to share files via VDSM and the domain name.

Does this sound like a secure/OK way of doing things?
 
2,238
945
NAS
DS220+ : DS1019+ : DS920+ : DS118 : APC Back UPS ES 700 — Mac/iOS user
Hi Jono,

I’m not basing my reply on anything scientific, just logic.
I think the idea is, as you said, “ok”. However, as usual, it’s all relative.

Essentially, both instances are on the same box. Having one “sandboxed” does not mean it’s 100% bullet proof in the overall scheme of things. But unless you can “afford” an isolated box (NAS and Network), I think this is the 2nd best option.

Let’s wait for more informative replies :)
 
144
32
jonohunt.design
NAS
DS1621+, DS1019+, DS218+
Operating system
  1. Linux
  2. macOS
  3. other
Mobile operating system
  1. iOS
Hi Jono,

I’m not basing my reply on anything scientific, just logic.
I think the idea is, as you said, “ok”. However, as usual, it’s all relative.

Essentially, both instances are on the same box. Having one “sandboxed” does not mean it’s 100% bullet proof in the overall scheme of things. But unless you can “afford” an isolated box (NAS and Network), I think this is the 2nd best option.

Let’s wait for more informative replies :)
Good point.

I have another older Synology (DS416play) that I use to backup the DS1019+. It has encrypted Hyper Backup backups on there as well as snapshots. So I guess if I exposed that to the internet then those backups could be at risk?
 
2,238
945
NAS
DS220+ : DS1019+ : DS920+ : DS118 : APC Back UPS ES 700 — Mac/iOS user
And your network. That’s why I said a separate network too, it’s not just the NAS.
If you keep going down that rabbit hole, it’ll never end :)

Let’s put it this way…
If you have the codes to the nuclear heads on your NAS then it’s not secure at all.
If you have your business spreadsheets and you usually don’t look back over your shoulder while going down the subway stairs, you should be fine.

You know what’s on your NAS :D
 

fredbert

Moderator
NAS Support
Subscriber
4,188
1,667
NAS
DS1520+, DS218+, DS215j
Router
  1. RT2600ac
  2. MR2200ac
  3. RT6600ax
Operating system
  1. macOS
Mobile operating system
  1. iOS
Good point.

I have another older Synology (DS416play) that I use to backup the DS1019+. It has encrypted Hyper Backup backups on there as well as snapshots. So I guess if I exposed that to the internet then those backups could be at risk?
Anything that is accessible from the Internet, has access to it, or is accessible from a device that has access to/from the Internet is at risk.

If anything I'd make sure that my backup devices have less exposure not more.
 

Rusty

Moderator
NAS Support
6,366
1,889
www.blackvoid.club
NAS
DS718+, DS918+, 2x RS3614RPxs+
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
Using a VDSM will be a better solution, considering that it will "see" only one folder on your main device that you share as storage for your VDSM. You can then protect that shared folder with permissions and leave the rest of your nas "procted" on a separate layer.
 
2,238
945
NAS
DS220+ : DS1019+ : DS920+ : DS118 : APC Back UPS ES 700 — Mac/iOS user
If anything I'd make sure that my backup devices have less exposure not more.
Good point. Always protect the backups, they’re your last resort when things go belly up.

@jono
I’m sure you’ve gone through (and understand) all the security precautions discussed on the forum.

Provided that you don’t have the nuclear heads codes, mitigate as much risk as you can and accept whatever little remains for the convenience gained. That’s what we do every day as we go through life. Nothing is perfect.
 
144
32
jonohunt.design
NAS
DS1621+, DS1019+, DS218+
Operating system
  1. Linux
  2. macOS
  3. other
Mobile operating system
  1. iOS
Anything that is accessible from the Internet, has access to it, or is accessible from a device that has access to/from the Internet is at risk.

If anything I'd make sure that my backup devices have less exposure not more.
Right, I won't do that then.


Using a VDSM will be a better solution, considering that it will "see" only one folder on your main device that you share as storage for your VDSM. You can then protect that shared folder with permissions and leave the rest of your nas "procted" on a separate layer.
Yeah. What permissions do you mean, only allow myself to access?


Good point. Always protect the backups, they’re your last resort when things go belly up.

@jono
I’m sure you’ve gone through (and understand) all the security precautions discussed on the forum.

Provided that you don’t have the nuclear heads codes, mitigate as much risk as you can and accept whatever little remains for the convenience gained. That’s what we do every day as we go through life. Nothing is perfect.
I think I'll either use VDSM, or not bother at all :)
 
144
32
jonohunt.design
NAS
DS1621+, DS1019+, DS218+
Operating system
  1. Linux
  2. macOS
  3. other
Mobile operating system
  1. iOS
Last edited:
It depends on what account you want access to that shared folder in the 1st place. But yes, bottom line you can choose to not use your "default" account(s).
Thanks, I'll look at that.

How would you access/share the shared folder on VDSM with the main NAS? Sync via Synology Drive ShareSync, mount via NFS, or some other way?
 
144
32
jonohunt.design
NAS
DS1621+, DS1019+, DS218+
Operating system
  1. Linux
  2. macOS
  3. other
Mobile operating system
  1. iOS
Considering it’s a dsm machine on the network as your host nas is then access to files is the same principle as your host nas. All methods mentioned will work depending what services and packages you are running.
In the past I've tried Synology Drive ShareSync. It worked well, but seemed wasteful as the same data was on DDSM and the main NAS.

I also tried NFS, mounting one folder from DDSM on the main NAS. That worked well and didn't waste data, so I might go with that again.

I've read in the past that you have DDSM (or VDSM?) setup for various things. How do you do it with yours? :)
 

Rusty

Moderator
NAS Support
6,366
1,889
www.blackvoid.club
NAS
DS718+, DS918+, 2x RS3614RPxs+
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
Smb connect via File station. I use vdsm for 2 things only. vpn gateway and access to a single shared folder that’s temporary on vdsm. Then I just move files on my main host level. That’s it. But all in all, smb protocol for me.
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

I'm unsure of which post that is. On my local network, I use the LAN IP, to connect to Plex without...
Replies
7
Views
483
  • Question
I completely missed the difference you meant when you said you’re using nginx reverse proxy. DSM uses...
Replies
14
Views
1,100
Yep saw this too. Why it's best to manually update when the critical release schedule is set by Synology...
Replies
1
Views
338
Hello guys, I am sorry for my late response, but I was travelling due to work duties. Hello Rusty, I...
Replies
4
Views
462
Replies
2
Views
1,044
They sound like good options to set so well done on hunting them down. 👍 I probably prattle on about the...
Replies
7
Views
1,665
  • Locked
We already have the thread here: https://www.synoforum.com/threads/synology-sa-22-03-dsm.8069/ Thank you
Replies
1
Views
629

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Top