Where does DSM store configuration credentials for Snapshot Replication?

Currently reading
Where does DSM store configuration credentials for Snapshot Replication?

2
0
NAS
DS218+, DS716+ii
Operating system
  1. macOS
Mobile operating system
  1. iOS
I'm using snapshot replication to backup my primary NAS to a secondary NAS. To do this, you have to set credentials on the primary NAS for an admin user on the target NAS. I'd prefer to use a service account that only has the required permissions, but according to Syno support this isn't possible, it must belong to the admin group. This makes sense considering the user must be able to do quite a lot in the background – create new shared folders, configure snapshot settings/schedule/retention on the target NAS, etc. I've not discovered a way to delete snapshots on the remote NAS through the UI on the primary NAS, and Syno support says this is correct – snapshots that are pushed to a remote NAS can only be deleted on the remote NAS (great!). But my theoretical concern is that if my primary NAS was compromised, the attacker would be able to discover the credentials for my secondary NAS and wipe out my remote backups. Searching and Syno support hasn't helped me uncover where and how credentials for snapshot replication are stored. I know that for Hyper Backup it's very easy to find the credentials for (example) an S3 destination and delete the backups there.

All in all, I'd like to be able to prove that my primary NAS being compromised doesn't inherently result in all backup targets being wiped or maliciously encrypted. Snapshot replication is generally marketed as protecting agains this, but white papers and conversation w Syno support isn't giving specifics on how this is achieved.

That's a lot of background to ask – does anyone know where and how DSM stores credentials for snapshot replication? Are the keys to decrypt these credentials locked to the hardware and inaccessible to DSM admin users? How is this chain protected?

Just trying to understand the process fully, if anyone can shed some light on this or my mis-understandings it would be much appreciated!
 
Hey Telos, thanks for replying. I’ve read that white paper a few times. I checked it again just now to see what I was missing, but I don’t see anything that sheds light on my concerns. Is there a specific section you’re referring to?
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

Apx 4 keys were generated, two were trying to see what was happening. 1 key did appear on the download...
Replies
4
Views
2,058
  • Question
Thank you! That works and never saw the option. Thank you.
Replies
2
Views
3,609
  • Question
The whole world agrees that https is the right and secure way to access web applications. The question is...
Replies
1
Views
2,358
QuickConnect Relay uses a client connection created from the NAS outbound to the Synology servers. This...
Replies
2
Views
3,591
@fredbert: Thanks for the clear explanation of the operation of the graphical interface in the DSM add-on...
Replies
3
Views
2,999
My auto-block was always set to block after multiple attempts. Since this login stuff was happening once...
Replies
15
Views
1,621
  • Question
Synology answered my ticket, will be fixed in DSM 7.2.1.
Replies
3
Views
1,670

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Back
Top