Security advice when sharing files?

Currently reading
Security advice when sharing files?

148
32
NAS
DS1621+, DS1019+, DS218+
Operating system
  1. Linux
  2. macOS
  3. other
Mobile operating system
  1. iOS
In the past I've had a domain pointed at my DiskStation (DS1019+) and accessed DSM, Drive etc. via the domain name/HTTPS, but now I have sensitive work files on there and don't want to expose the Synology to the internet.

So I no longer use the domain name and just use a VPN to access DSM, Drive etc. from different computers, devices etc. But I miss the ease of sharing files with friends and family via the domain name. I thought of setting up Virtual DSM, pointing the domain at that, and sharing files from there.

My thinking is that it would mean the 'main DSM' is still only accessible via a VPN, while being able to share files via VDSM and the domain name.

Does this sound like a secure/OK way of doing things?
 
Hi Jono,

I’m not basing my reply on anything scientific, just logic.
I think the idea is, as you said, “ok”. However, as usual, it’s all relative.

Essentially, both instances are on the same box. Having one “sandboxed” does not mean it’s 100% bullet proof in the overall scheme of things. But unless you can “afford” an isolated box (NAS and Network), I think this is the 2nd best option.

Let’s wait for more informative replies :)
 
Hi Jono,

I’m not basing my reply on anything scientific, just logic.
I think the idea is, as you said, “ok”. However, as usual, it’s all relative.

Essentially, both instances are on the same box. Having one “sandboxed” does not mean it’s 100% bullet proof in the overall scheme of things. But unless you can “afford” an isolated box (NAS and Network), I think this is the 2nd best option.

Let’s wait for more informative replies :)
Good point.

I have another older Synology (DS416play) that I use to backup the DS1019+. It has encrypted Hyper Backup backups on there as well as snapshots. So I guess if I exposed that to the internet then those backups could be at risk?
 
And your network. That’s why I said a separate network too, it’s not just the NAS.
If you keep going down that rabbit hole, it’ll never end :)

Let’s put it this way…
If you have the codes to the nuclear heads on your NAS then it’s not secure at all.
If you have your business spreadsheets and you usually don’t look back over your shoulder while going down the subway stairs, you should be fine.

You know what’s on your NAS :D
 
Good point.

I have another older Synology (DS416play) that I use to backup the DS1019+. It has encrypted Hyper Backup backups on there as well as snapshots. So I guess if I exposed that to the internet then those backups could be at risk?
Anything that is accessible from the Internet, has access to it, or is accessible from a device that has access to/from the Internet is at risk.

If anything I'd make sure that my backup devices have less exposure not more.
 
Using a VDSM will be a better solution, considering that it will "see" only one folder on your main device that you share as storage for your VDSM. You can then protect that shared folder with permissions and leave the rest of your nas "procted" on a separate layer.
 
If anything I'd make sure that my backup devices have less exposure not more.
Good point. Always protect the backups, they’re your last resort when things go belly up.

@jono
I’m sure you’ve gone through (and understand) all the security precautions discussed on the forum.

Provided that you don’t have the nuclear heads codes, mitigate as much risk as you can and accept whatever little remains for the convenience gained. That’s what we do every day as we go through life. Nothing is perfect.
 
Anything that is accessible from the Internet, has access to it, or is accessible from a device that has access to/from the Internet is at risk.

If anything I'd make sure that my backup devices have less exposure not more.
Right, I won't do that then.


Using a VDSM will be a better solution, considering that it will "see" only one folder on your main device that you share as storage for your VDSM. You can then protect that shared folder with permissions and leave the rest of your nas "procted" on a separate layer.
Yeah. What permissions do you mean, only allow myself to access?


Good point. Always protect the backups, they’re your last resort when things go belly up.

@jono
I’m sure you’ve gone through (and understand) all the security precautions discussed on the forum.

Provided that you don’t have the nuclear heads codes, mitigate as much risk as you can and accept whatever little remains for the convenience gained. That’s what we do every day as we go through life. Nothing is perfect.
I think I'll either use VDSM, or not bother at all :)
 
What permissions do you mean, only allow myself to access?
It depends on what account you want access to that shared folder in the 1st place. But yes, bottom line you can choose to not use your "default" account(s).
 
Last edited:
It depends on what account you want access to that shared folder in the 1st place. But yes, bottom line you can choose to not use your "default" account(s).
Thanks, I'll look at that.

How would you access/share the shared folder on VDSM with the main NAS? Sync via Synology Drive ShareSync, mount via NFS, or some other way?
 
Considering it’s a dsm machine on the network as your host nas is then access to files is the same principle as your host nas. All methods mentioned will work depending what services and packages you are running.
In the past I've tried Synology Drive ShareSync. It worked well, but seemed wasteful as the same data was on DDSM and the main NAS.

I also tried NFS, mounting one folder from DDSM on the main NAS. That worked well and didn't waste data, so I might go with that again.

I've read in the past that you have DDSM (or VDSM?) setup for various things. How do you do it with yours? :)
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

  • Question
Unless your home network is CGNAT, Tailscale offers no real advantage over VPN or HTTPS. Keep it simple...
Replies
3
Views
1,155
I'm unsure of which post that is. On my local network, I use the LAN IP, to connect to Plex without...
Replies
7
Views
2,470
  • Question
I completely missed the difference you meant when you said you’re using nginx reverse proxy. DSM uses...
Replies
14
Views
2,374
Try adding them one-at-a-time, saving, logging out, restarting* your computer, then logging back in until...
Replies
12
Views
1,004
I receive the reports monthly, just actually got them on 2/1 and verified for some reason this is still...
Replies
4
Views
538
It took a while to get iOS Syno Drive Client to reset and ask for my 2FA to log back in. It was set up...
Replies
2
Views
402

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Trending threads

Back
Top