Backup and Password Manager Setup

Hey there,

I currently want to get more security and privacy for my data. My backup strategy before was actually terrible and I never took it seriously. Luckily nothing happened during that time, but I no longer want to stress my luck and I want to keep my data private, at least the sensitive stuff.

I already bought a small Synology NAS with 2 bays and opened an Azure account for offsite backup. So I at least follow the 3-2-1 rule to some degree with the NAS being a backup for the PC and the Azure the offsite backup.

Some of the problems I now have which bother me and I'm not happy with:

  • General management of credentials and password. Obviously a password manager is needed (I don't have one yet), but I cannot decide what is the best setup that has the needed flexibility, is open(-source?) and maintainable.

  • My PC explicitly does not use the NAS actively and keeps and uses a local copy, which then gets copied to the NAS so I have at least 2 copies, but this is obviously flawed and a big hassle to maintain and not a good solution.

  • Data consistency between all the different backups

  • Fear of forgetting a password which is non-recoverable, because good encryption is so unforgiving.

  • Synology Hyper Backup is proprietary software, which kind of works but if either Synology, my NAS or anything else messes up a tiny bit, even with a perfect copy from Azure, you have no chance in getting that data back, because the software is so shit-tier and closed. The problem is that I have not found any alternative for it.

These are some of the most important issues I currently have no answer to. If you have any suggestions, ideas or want to share your own backup/password manager or general setup, please do so! I would really like to hear your solutions to these problems.

Greetings,
SkryptX

1 Like
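The "data consistency between all the different backups" item in the list above is something you can check independently of whatever tool made the copies. The following is an added example, not code from the original post or from Synology, rclone or any other tool mentioned in the thread: a Python script that builds a SHA-256 manifest of the source, stores it as JSON (so it can travel with the offsite copy and be used to verify a restore), and diffs each backup copy against it. The directory names (pc, nas, azure) and the files in them are constructed inside a temporary directory.

```python
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 1 << 20) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def write_manifest(manifest: dict, path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def read_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(reference: dict, copy: dict) -> dict:
    """Report files missing from the copy, extra in the copy, or with differing content."""
    missing = sorted(k for k in reference if k not in copy)
    extra = sorted(k for k in copy if k not in reference)
    mismatched = sorted(k for k in reference if k in copy and reference[k] != copy[k])
    return {"missing": missing, "extra": extra, "mismatched": mismatched}


def verify_copies(reference: dict, copies: dict) -> dict:
    """Compare each named backup location against the reference manifest."""
    return {name: compare(reference, build_manifest(path)) for name, path in copies.items()}


def demo() -> dict:
    # Constructed sample layout: a PC source, a NAS copy and an offsite copy.
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src, nas, cloud = base / "pc", base / "nas", base / "azure"
        for d in (src, nas, cloud):
            (d / "docs").mkdir(parents=True)
            (d / "docs" / "tax.pdf").write_bytes(b"tax return 2023")
            (d / "notes.txt").write_bytes(b"hello")
        # Simulated faults: silent corruption on the NAS (one byte changed),
        # a file that never reached the offsite copy, and a stale leftover there.
        (nas / "docs" / "tax.pdf").write_bytes(b"tax return 2O23")
        (cloud / "notes.txt").unlink()
        (cloud / "old.bak").write_bytes(b"stale")

        manifest_path = base / "pc.manifest.json"
        write_manifest(build_manifest(src), manifest_path)
        reference = read_manifest(manifest_path)  # what you would keep with the offsite copy
        return verify_copies(reference, {"nas": nas, "azure": cloud})


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, json.dumps(report))
```

Run it periodically (or after a restore test) and treat any non-empty list as an incident to investigate; a stored manifest also gives you a restore check that does not depend on the backup software's own database.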

password manager: Use bitwarden, self hosted option is available.

For backup, play around with rsync scheduled with cron first, for local.

Some people suggested rclone for backing up to multiple cloud provider,

  • I've never used it before
  • what matters in any backup system using public transport is always encryption, and I never researched scrypt compared to sha512 or rsa512, so keep that in mind when considering backing up to internet 'clouds'.
3 Likes

I use rclone to backup to Google drive quite a lot. It's quirky, but it works. You can encrypt the backups and it supports pretty much every major cloud storage provider. If you try it out and run into any roadblocks, you can @ me.

Synology has rsync and a cloud backup utility which might actually be rclone under the hood.

What advantages do you see from using Azure? I've never used it, so just curious.

2 Likes

For the password manager I kinda shy away from self-hosted solutions, because of cost and maintenance, and also I would have to rent a server for that which would drive the cost up and I'm not from the USA, so it's not as cheap as over there. Also I don't want to have the server at home since I don't trust my networking skills that much to do it properly. I had an idea to store a Keepass database on an Azure fileshare or something. That seems to be possible, but if anyone has done that before I would like to hear about that.

The problem with rsync + cron is that I'm not on Linux :stuck_out_tongue: Yes, there are Windows alternatives and rclone will most likely be my choice for that. But I don't know if I can run that on the Synology NAS. I would like it to be self-contained on the Synology so that I don't have to worry about timing and leaving the PC running and so on. Otherwise rclone might actually be a valid solution, if I want to get rid of the Hyper Backup thingy.

As mentioned in the previous answer, yes, rclone has come to my attention as well, but running something like this on a NAS, I don't know. I have not done the research for that yet.

Synology's backup utilities are either public-cloud based like with GDrive sync or Hyper Backup. I think only Hyper Backup supports encryption, but it's proprietary and the utility if you have to restore is actually quite trashy and database-based (if it fails you're done) and so on. That's what I described above. I wish it was rclone below that, even though rclone does not encrypt the folder structure and Hyper Backup also supports a retention scheme, which is kinda cool.

The reason why I opted for Azure is because it is the only reasonably priced storage option here with data centers in Switzerland and support from enterprise tools. My files to backup are way below 100GB and in an Azure blob this costs less than a dollar per month and ingress is free. If I have to take it out of the blob I pay around 10 bucks for bandwidth, but since this is a backup copy for disaster recovery this should hopefully only happen a few times in years. And the other reason is that I kinda trust Azure more than a Dropbox or a Google Drive. I would get 1 TB or more without bandwidth limits for just a few bucks more, but I don't need it currently and I want to keep my data as private as possible. Also the lockout policy for Azure seems way more friendly than what Google provides. If you get locked out from Google for whatever reason and this has happened to people, you're actually screwed. Azure keeps your data for 3 months after you don't pay anymore or whatever and lets you download the data, because they cannot risk you being a company which gets ruined, because they just delete all your data. I might add, I'm not paid by Azure :smiley: It's really just me being sensitive to these things which may lead to unconventional requirements, but usually they work out in my favor :slight_smile:
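The retention scheme credited to Hyper Backup above is one of the features that need not be tied to the proprietary tool; the policy itself is simple enough to implement and reason about on its own. The following is an added example, not code from the original post or from Synology: a Python implementation of a grandfather-father-son style pruning policy over snapshot dates (keep the most recent N snapshots, then the newest snapshot of each of the last N distinct days, ISO weeks and calendar months), in the same spirit as the `--keep-*` options of tools like restic and borg. The snapshot dates are constructed; the policy parameters are assumptions chosen for the demonstration.

```python
from __future__ import annotations

from datetime import date, timedelta


def select_keep(snapshots, keep_last=2, keep_daily=7, keep_weekly=4, keep_monthly=3):
    """Return the set of snapshot dates retained by the policy.

    For each bucket type (day, ISO week, calendar month) the newest snapshot
    in each of the most recent `n` buckets that actually contain a snapshot is
    kept. Anything not selected by any rule is a deletion candidate.
    """
    snaps = sorted(set(snapshots), reverse=True)  # newest first
    keep = set(snaps[:keep_last])

    def keep_newest_per_bucket(bucket_of, n):
        seen = []
        for s in snaps:  # descending order: first hit in a bucket is its newest
            b = bucket_of(s)
            if b in seen:
                continue
            if len(seen) >= n:
                break
            seen.append(b)
            keep.add(s)

    keep_newest_per_bucket(lambda d: d, keep_daily)
    keep_newest_per_bucket(lambda d: d.isocalendar()[:2], keep_weekly)
    keep_newest_per_bucket(lambda d: (d.year, d.month), keep_monthly)
    return keep


def plan_prune(snapshots, **policy):
    """Split snapshots into (kept, deleted); both lists are sorted oldest first."""
    keep = select_keep(snapshots, **policy)
    kept = sorted(keep)
    deleted = sorted(s for s in set(snapshots) if s not in keep)
    return kept, deleted


def demo():
    # Constructed input: one snapshot per day from 2024-03-01 to 2024-04-10 (41 days).
    first = date(2024, 3, 1)
    snaps = [first + timedelta(days=i) for i in range(41)]
    return plan_prune(snaps, keep_last=2, keep_daily=7, keep_weekly=4, keep_monthly=3)


if __name__ == "__main__":
    kept, deleted = demo()
    print("keep:", [d.isoformat() for d in kept])
    print("delete:", len(deleted), "snapshots")
```

A useful property to check before wiring a policy like this to real deletions is that the newest snapshot can never be selected for deletion as long as `keep_last` is at least 1, and that the plan is computed as a whole before anything is removed, so a bug in the policy shows up in a dry run rather than as lost history.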

What I suggested is installed in your Synology as your local "cloud", not in a colo/VPS somewhere over the internet. https://xpenology.com/forum/topic/12455-bitwarden-self-hosted-password-manager-on-docker/

Synology is a server, it's not just an overpriced JBOD enclosure. I mean yes it's overpriced but they offer their OS & app ecosystem to compensate that :grin:

I haven't dealt with Synology for a long time, but it's supposed to do all the work in encrypting & syncing/sending the copies. Your online backup in Azure storage is just that, an encrypted backup.
You just have to figure out how to get automation working for your devices whenever you need files backed up, either by sharing & mounting your folder in Synology then trigger the sync or have an installed software to sync/send them to your NAS ala Dropbox/Google Drive.

1 Like

River theme … Everyone will say something different because here a lot depends on individual preferences.

I use KeePass 2.
I protect the database with a password and a key (file). I have the password in my head, the key file on a dedicated flash drive is always with me and I do not part with it even when I go to the shower.

I backup using acronis true image + AES encryption, then the files end up in the veracrypt container and then reach the NAS. The container is protected by a password and key (file)

For file synchronization as such "syncthing"

1 Like

Bitwarden offers hosted service which afaik is the only hosted OSS option for centralized password management.

On the Synology, Cloud Sync is what I had in mind for rclone-equivalent functionality.

1 Like

I don't like to keep such a database somewhere. But apparently it's quite popular with people.

KeePass and synchronization of the database file on different devices with the help of syncthing and I do not see the need to use any cloud / hosting solutions for the database. :wink:

2 Likes

I'm not endorsing either approach, I just wanted to clarify that self-hosting isn't the only option for bitwarden for @SkryptX . Full-disclosure, I haven't used it.

How?!? What kind of flash drive is this that you don't have to worry about corrosion??? :open_mouth:

Acronis True Image is a cloud offering or not? I can't find out from their website since it seems to be both(?). And what is your solution for the offsite backup?

Well if I go Keepass then the database would not be "somewhere". It would be on a password protected network share, which I can access from anywhere. But you're right. I also would like the file not to be just somewhere in the cloud. How do you manage the synchronization of them? Does it automatically sync once you are in your home-wifi or how does that work?

It'll help inform proper answers to know a bit more about how much 'more' is to you.

For example. What security and privacy issues do you have, how much are they to actually affect you?

(this is partially a trick question. As it usually leads to questions to clarify if the security and privacy concerns you have are fully controlled across your whole life. e.g. have you focused on the leaf while forgetting the rain forest. But it's useful to go through that process)

What kind of devices do you need a password manager on?
What kind of features would be useful to you?
How much effort and money do you want to put into it?

There's a lot of options, they all have their positives and negatives.

Since it sounds like you don't want a lot of cost, don't want cloud based options, your only real option is likely keepass and putting something together if you need it across multiple devices.

Are you on Windows? Why not make use of windows backup.

Windows backup will keep history. Also most NAS' will have some sort of version history, snapshot ability, etc.

Back up your key. Get a safe and put it in there on paper. Put it on a yubikey and have another backup copy. This is more about infosec and having a process in place that you actually follow. Get a process in place to protect your valuable info (in this case your master passwords) and there should be no need to worry.

maybe a yubikey or similar. They're not prone to corrosion as far as I'm aware. Or some other encased usb.

1 Like

I tried 1Password (they sometimes give out 1 year free trials) and it is kinda cool, but also not really what I wanted. Keepass is just that little bit more likeable to use and gives myself the better peace of mind :smiley: Maybe not objective, but most of the stuff we use is based on our trust, since we are unable to verify ourselves.

1 Like

As I've delved into the topic I got overwhelmed quickly and questions all around :smiley: Some of them I answered, but I realized that I need to make a drawing of sorts to really understand the process where my data should be and how it gets there. I will develop that next, but it will take some time. The current state is already a HUGE improvement over what was before, not just for me but also the rest of my family.

This will most likely be the solution. I'll prototype something once @TimHolus shares some of his secrets with synchronization of Keepass databases :blush:

Yes, I am. I actually did not think of that, but that could actually be a solution, if it's customizable enough. But a scheduled task with rclone might also do the trick.

Interesting. This is something that would be a nice feature, indeed. But was not priority number one.

I need to incorporate that into my drawing of my backup strategy. And define processes and all that. I always find it ridiculous, that once you had some education on how to run a company, that you suddenly realize how many best practices you don't follow in your personal life even though you have the same problems… How do non-techy people even manage, I've completely forgotten by this point :smiley:

This could be a next step, if I want to get multi-factor authentication to some of the crucial things like Keepass. But that also requires you to store even more backups of security keys which you cannot lose under any circumstances :confused: I even thought about renting a bank safe just for one piece of paper with the passwords and keys on it :sweat_smile:

I've used Keepass for probably 5 or so years now. No real complaints. I wanted a password manager, and didn't want them stored in the cloud. Went with Keepass due to it being open source.

My biggest problem is keeping the password DB synced between my devices. I would end up with 3 different versions between my desktop, laptop, and work laptop. Never had it on my phone which kinda sucked. I was just bad at keeping an updated version on the flash drive I keep on my key ring.

I just recently bit the bullet, and dove into Bitwarden a few months ago. Giving up my concern with having my password 'in the cloud', and signed up for their hosted service. Only thing that made me feel better (:smiling_face_with_three_hearts:) about it is that it's an open source project and the files are encrypted. If I ignore the fact I now have my passwords hosted, it's awesome. I have the app on my phone, and the browser extension on my other machines. If I use a password that has been found in any leaked DBs it will alert you when you use it, which is cool. No issues with out of sync dbs between machines.

Only thing is I somehow forgot my password within a week of using it, and there was no way for me to recover it. I just had to wipe everything to get access again. I had recently stored passwords for my kids accounts in it, and I didn't have those in Keepass… so next time we have to login to those they will need to be reset. :slight_smile:

My mistake, I could explain more precisely;)
I donā€™t take him to the water, of course :slight_smile:

Saying that I am taking him under the shower, I meant for the bathroom and put it on the cabinet. I meant that I just never let him out of my sight and never farther away from me than two meters. To take him away from me, you would have me KO unconscious. Because I always have it in my pocket fastened on a leash. :wink:

Acronis has a cloud available but probably paid extra, I don't remember. I personally don't use it. I just use it either directly on the OS or as a standalone boot OS. For this it has the ability to plan copies and decide whether full or incremental. It can save them locally, to usb, smb, ftp, cloud. Has AES256 encryption.
There are also several other options such as an emergency special boot manager and a hidden backup partition.

I have been using Acronis for quite some time and I have no problems with it when it comes to full disk backups. But of course $$$ …

For ā€œoffsiteā€ I use a dispersed infrastructure based on Odroid HC1 and HC2. Friends / family and other trusted places.
But for you it can be uncomfortable and not cheap at all. As an alternative to the cloud, you can always think of your own dedicated server. Like kimsufi.com and keep your backups there, of course encrypted. :wink:

Would there be a problem with putting a KeePass database file on a Linode instance/object storage, then using SFTP to sync folders?

Strongbox (Mac/iOS) has SFTP built in. It doesn't seem to be 100% open source, since he charges for extra features like Yubikey or FaceID unlocking.

KeePassXC (Windows) does not have SFTP built in. I think sshfs-win would do the trick to get it synced up.

Any thoughts on this method of self hosting a password manager?

It would certainly work, but I don't think it is the best way. It's not a flexible solution, the KeePass file just sits on your server. But I have to admit that I myself have this problem and not a solution yet.

I recently heard about Syncthing Untrusted which lets a server act as a relay with zero knowledge of the synced files. That would maybe work. But it's early thoughts on that.

I'm a bit further than when I wrote the first post here, but not nearly enough. Also my goals shifted. I want for example to also degoogle my life way more with self hosted email, calendar, contacts and so on. I have to design my strategy on a larger scale and define data paths and stuff. Especially important is to define a security and share level for all the elements in the system. For the KeePass file it would be maximum security, but also shareable. But that leaves the question when and how to share. Is it enough to sync just in your local network? Do you need to edit it on the fly? Does it need to merge changes? I find it really hard to come up with a solution. There are many many easy ones, but they all feel inadequate for the literal key to my whole life. Maybe I'm too anxious…