Security advice when sharing files?


136
26
jonohunt.design
NAS
DS1019+, DS218+, DS416play, unRAID
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Linux
  2. macOS
  3. other
Mobile operating system
  1. iOS
In the past I've had a domain pointed at my DiskStation (DS1019+) and accessed DSM, Drive etc. via the domain name/HTTPS, but now I have sensitive work files on there and don't want to expose the Synology to the internet.

So I no longer use the domain name and just use a VPN to access DSM, Drive etc. from different computers, devices etc. But I miss the ease of sharing files with friends and family via the domain name. I thought of setting up Virtual DSM, pointing the domain at that, and sharing files from there.

My thinking is that it would mean the 'main DSM' is still only accessible via a VPN, while being able to share files via VDSM and the domain name.

Does this sound like a secure/OK way of doing things?
 
1,817
758
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
Hi Jono,

I’m not basing my reply on anything scientific, just logic.
I think the idea is, as you said, “ok”. However, as usual, it’s all relative.

Essentially, both instances are on the same box. Having one “sandboxed” does not mean it’s 100% bulletproof in the overall scheme of things. But unless you can “afford” an isolated box (NAS and Network), I think this is the 2nd best option.

Let’s wait for more informative replies :)
 
jonohunt.design
> Hi Jono,
>
> I’m not basing my reply on anything scientific, just logic.
> I think the idea is, as you said, “ok”. However, as usual, it’s all relative.
>
> Essentially, both instances are on the same box. Having one “sandboxed” does not mean it’s 100% bulletproof in the overall scheme of things. But unless you can “afford” an isolated box (NAS and Network), I think this is the 2nd best option.
>
> Let’s wait for more informative replies :)
Good point.

I have another older Synology (DS416play) that I use to back up the DS1019+. It has encrypted Hyper Backup backups on there as well as snapshots. So I guess if I exposed that to the internet then those backups could be at risk?
 
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
And your network. That’s why I said a separate network too, it’s not just the NAS.
If you keep going down that rabbit hole, it’ll never end :)

Let’s put it this way…
If you have the codes to the nuclear heads on your NAS then it’s not secure at all.
If you have your business spreadsheets and you usually don’t look back over your shoulder while going down the subway stairs, you should be fine.

You know what’s on your NAS :D
 

fredbert

Moderator
NAS Support
Subscriber
2,147
868
NAS
DS1520+, DS218+, DS215j
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
> Good point.
>
> I have another older Synology (DS416play) that I use to back up the DS1019+. It has encrypted Hyper Backup backups on there as well as snapshots. So I guess if I exposed that to the internet then those backups could be at risk?
Anything that is accessible from the Internet, has access to it, or is accessible from a device that has access to/from the Internet is at risk.

If anything I'd make sure that my backup devices have less exposure not more.
 

Rusty

Moderator
NAS Support
3,410
1,010
www.blackvoid.club
NAS
DS718+, DS918+, 2x RS3614RPxs+
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
Using a VDSM will be a better solution, considering that it will "see" only one folder on your main device that you share as storage for your VDSM. You can then protect that shared folder with permissions and leave the rest of your NAS "protected" on a separate layer.
 
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
> If anything I'd make sure that my backup devices have less exposure not more.
Good point. Always protect the backups, they’re your last resort when things go belly up.

@jono
I’m sure you’ve gone through (and understand) all the security precautions discussed on the forum.

Provided that you don’t have the nuclear heads codes, mitigate as much risk as you can and accept whatever little remains for the convenience gained. That’s what we do every day as we go through life. Nothing is perfect.
 
jonohunt.design
> Anything that is accessible from the Internet, has access to it, or is accessible from a device that has access to/from the Internet is at risk.
>
> If anything I'd make sure that my backup devices have less exposure not more.
Right, I won't do that then.


> Using a VDSM will be a better solution, considering that it will "see" only one folder on your main device that you share as storage for your VDSM. You can then protect that shared folder with permissions and leave the rest of your NAS "protected" on a separate layer.
Yeah. What permissions do you mean, only allow myself to access?


> Good point. Always protect the backups, they’re your last resort when things go belly up.
>
> @jono
> I’m sure you’ve gone through (and understand) all the security precautions discussed on the forum.
>
> Provided that you don’t have the nuclear heads codes, mitigate as much risk as you can and accept whatever little remains for the convenience gained. That’s what we do every day as we go through life. Nothing is perfect.
I think I'll either use VDSM, or not bother at all :)
 

Rusty

> What permissions do you mean, only allow myself to access?
It depends on what account you want access to that shared folder in the 1st place. But yes, bottom line you can choose to not use your "default" account(s).
 
jonohunt.design
> It depends on what account you want access to that shared folder in the 1st place. But yes, bottom line you can choose to not use your "default" account(s).
Thanks, I'll look at that.

How would you access/share the shared folder on VDSM with the main NAS? Sync via Synology Drive ShareSync, mount via NFS, or some other way?
 

Rusty

Considering it’s a DSM machine on the network, as your host NAS is, access to files follows the same principle as on your host NAS. All methods mentioned will work, depending on what services and packages you are running.
 
jonohunt.design
> Considering it’s a DSM machine on the network, as your host NAS is, access to files follows the same principle as on your host NAS. All methods mentioned will work, depending on what services and packages you are running.
In the past I've tried Synology Drive ShareSync. It worked well, but seemed wasteful as the same data was on DDSM and the main NAS.

I also tried NFS, mounting one folder from DDSM on the main NAS. That worked well and didn't waste data, so I might go with that again.

I've read in the past that you have DDSM (or VDSM?) set up for various things. How do you do it with yours? :)
 
jonohunt.design
> DDSM is deprecated so VDSM is the only way to go.
No, I meant how do you access/share the shared folder on VDSM with your main NAS? 😊
Sync via Synology Drive ShareSync, mount via NFS, or some other way?
 

Rusty

SMB connect via File Station. I use VDSM for 2 things only: VPN gateway and access to a single shared folder that’s temporary on VDSM. Then I just move files on my main host level. That’s it. But all in all, SMB protocol for me.
 
jonohunt.design
Cool, thanks for the info! (y)
 
