It has been 6 weeks now with my NAS and it really changed everything about my digital life. In hindsight I was extremely lucky that I never lost any irreplaceable data or that I never got hacked. My setup before that: Windows PC with no password, iPhone with 777777 as my PIN (FaceID enabled though), Gmail and Microsoft with the only unique password (the same one) and all my other logins with the same password I came up with roughly 10 years ago. All my data like my entire photo/video collection of my life going back almost 20 years saved on my PC with a mirror image on OneDrive. I could have easily overwritten or deleted files by mistake, someone could have easily hacked all my accounts. I was basically at a constant risk of losing my entire digital life without realizing it. Fast forward to now and I learned so much about network and data security. I would be really interested in getting some feedback as there are several members here that work in IT. To summarize everything:
Data: Photos, videos, tax documents etc. are all stored on my RAID1 4TB NVME volume, so full redundancy. I sync (incremental backup) the entire volume with my PC 4TB NVME drive once a week and do also an incremental backup on my 4TB Samsung T7 Shield SSD which I update once a month. I'm keeping the external SSD locked in my office as an offsite backup.
Media: Movies and TV Shows (roughly 250 movies and 110 TV shows) are all stored on my RAID5 24TB HDD volume (4x 8TB Ironwolf Pro HDDs). So one of the HDDs can fail without me losing any data. I do an image backup on my external 24TB Seagate HDD when there are significant changes to the media collection. The external HDD is currently stored in my bedroom but I'm planning on buying an air-sealed and fireproof box to put the external HDD into the basement.
Passwords and logins: Windows PC now with a 10-digit password, iPhone as well with a 10-digit password. Unique password for my Gmail account (also using Google Authenticator as 2FA) and Bitwarden Password Manager with its own unique password. Both 20 characters long with numbers and special characters included. Bitwarden has 2FA enabled with an Authenticator. I made 2 encrypted backups of my Bitwarden Vault using 2 different USB sticks and VeraCrypt with AES-SHA-512 encryption and a slight variation of my Bitwarden master password. Both USB sticks are in my apartment right now but I'm thinking about storing one of them offsite (maybe at my parents' place). I use Bitwarden on my PC, as a Chrome extension and on my iPhone. So I replaced all my logins (including stuff like Spotify, Steam, PSN etc.) with 20-character random passwords.
NAS and my network:
My NAS is exposed to the internet by opening ports 80/443. But it's not possible to remotely access the NAS itself. Only if you have the admin password (stored in Bitwarden) and are either connected to my local network or remotely while being in my personal Tailscale VPN. Tailscale is running 24/7 on my NAS and my iPhone. Plus 2FA is enabled with an authenticator.
I self-host a media streaming service (Jellyfin) and a file sharing service. Only the relevant volumes are mounted, so nothing personal can be accessed. Jellyfin accounts aren't visible and all of my friends got a unique random password. I bought a domain on Hostpoint. Set up 2 subdomains too. Thinking about using CloudFlare to hide my IP, but I'm quite happy with being independent.
I use the NginX Proxy Manager as a reverse proxy. SSL certificates for my domain and subdomains with SSL being forced and HTTP/2 support and HSTS being enabled. So however you enter the address, you're always directed to https://streaming.mydomain.ch or https://sharing.mydomain.ch.
I use Adguard Home to handle DNS and DHCP. So all my devices connected to my network get a free ad & traffic blocker (I'm using HaGeZi's TIF and Pro++ list). I can access webpages like 20min (which force you to turn off your Chrome adblocker) and still have not a single ad displayed. It also makes it possible to turn off my ISP modem DHCP and choose my own DNS servers which I got from AdGuard's Discord channel. Response time got significantly better by reducing it from ISP DNS (20-30ms) to now 5-10ms as a bonus.
It's incredible how rewarding this whole journey for me was. I learned so much about data and network security, about installing Docker containers, about managing everything on my own. There were frustrating times where I just couldn't get some things to work. But a good night's sleep and a fresh retry on the next day usually made it work. What started as "I'm going to buy a NAS to replace my OneDrive backup and get more storage" turned into something much bigger.
@nabalzbhf I actually started it that way with only my brother. He used my Jellyfin server and could only access it through Tailscale. But then I wanted an easier access by just typing in the server address and getting straight to the login page.
I did. I sent my answer too early, decided to not finalize it and therefore deleted it (before you answered, but I guess it's still visible), as it wasn't adding anything.
Your topic and enthusiasm about digital security are totally ok.
That's a great setup, I have something similar at home and know how rewarding it is to set it up and see it working and all the stuff you learn on this journey, especially if you don't work in the IT field. So I completely understand your post. I even took it one step further and have a small home server on an Intel NUC with about 20 LXC containers for various services, once you go down this rabbit hole, it's really deep…
Regarding backup, I have another small NAS at my parents' home and sync the personal data + a backup of my LXC containers (bitwarden, nextcloud, etc.) on a weekly basis. So in case my house burns down, I still have a backup of my most important data and can get my system up and running with all my configurations as soon as I got the new hardware.
PM me for further discussions with a fellow tech enthusiast.
Huh, I don't get these comments?
Why weird? Because people realize they might have gaps in their own setup and that makes them uncomfortable?
I appreciate this thread personally, especially because I'm also thinking of stepping up the game here a bit. IMO it makes lots of sense and is very much different from something like a prepper who builds a bunker for atomic war.
Now I would probably not share all the details myself because I'm too paranoid, but I highly appreciate when others do and I can learn from it.
Now to the actual post content:
It seems quite well set up. Especially if you include the off-site backup. Not sure about the firebox and why off-site wouldn't be easier though. Things like movies & TV shows I would also not try to save from loss, as these can be retrieved easily from the internet. But personal stuff cannot.
Good job @Cortana on getting into it. I know it can feel like an endless spiral once you start, but that setup would be good enough for me.
I was also thinking about this before actually posting. But I don't think I shared anything that I shouldn't have? Someone can correct me if I'm wrong.
There is only one thing bugging me. What if I get sick or have a terrible accident which leads to me forgetting all my passwords? Or how could my family access my stuff if I would die? Should I write instructions and all important passwords on a piece of paper and store it somewhere?
First you need to think about the data your family needs access to after you die. For me that's only personal photos and videos, they don't need to access my phone, computer or any online logins as there's no relevant information there for them. For all the financial stuff I put my wife as a beneficiary in case of my death and she knows where I have my accounts. The photos and videos are on my parents' NAS and on an external USB HDD and my wife has the password to decrypt it.
All the other stuff (nextcloud, bitwarden, jellyfin, etc.), my wife will learn to live with a bit less convenience, but I think that's the least important thing when I die.
I recently went through a similar digital house keeping. I was previously worse than you in some ways (no backups at all) but better in others (all sites had separate unique passwords generated by password manager).
I would suggest:
Automating backups. I never had backups as it was a hassle. The only reason I have them now is that I setup an automatic system. Important things (invoices needed for tax returns etc.) get backed up every hour. And the whole computer gets backed up every night.
Have incremental backups so that you don't consume massive disk space, only incremental changes are saved. Various backup programs have intelligent ways to manage this (I'm using restic).
Disable external access to minimize security risk. I allow only tailscale. I access internal sites via internal DNS or internal IP addresses, so no difference whether I'm on the internal network or tunneling in via tailscale.
Hi,
There is a nice feature in Bitwarden called "emergency access" ("accès d'urgence" in French). You can set a trusted contact to read or take control of your account if something happens: https://bitwarden.com/help/emergency-access/
You could leave a letter with an explanation, for example.
First, do I understand correctly that you backup your data not more frequently than once a week? This is waaay too infrequent from my point of view.
Second, a behavioral aspect: a good backup solution should run by itself, without you starting it. You will be enthusiastically running your backup procedure for some weeks, maybe months, and it will become a boring task, so you're gonna skip it. Ideally you should not even think about the backup regularly.
Considering these two points, I think a cloud storage or backup is still a good solution, at least as the first level, just not the one from Microsoft or Google or Dropbox.
I disagree here, which is why I'm doing it manually. Automatic backups mean that messed up files get copied to the backups too. With one weekly backup to the internal NVME of my PC and one monthly backup to the external SSD I'm making sure that I could reverse things in the worst case by having 3 different and independent states. Plus I use Snapshots as my NVME volume is in BTRFS anyway, so I can always go back as long as my NAS is working.
I use 4 NVME 4 TB drives as my prepper backup which is where I have my prepper stuff. Backing up every 4-6 weeks is possible with discipline and routine if you include other prepper checks. This is not possible with an automated solution. I do automated backups locally though.
(My wife and kids know how to handle the prepper stuff incl. passwords).
(btw 1: an automated solution destroyed my backups at least twice, luckily I could rebuild it, but with a lot of pain. Learning: having different kinds of backups is good AND automated can spread failures to everything if not done right)
(btw 2: I had a SpiderOak unlimited account where I backed up for years. They destroyed my data but gave me every single dollar I paid them back)
Along with automated backups, you should have also automatic verification of backups. I'm not a trusting person, so I also sample test recovery of specific files.
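A minimal illustration of that verify-and-sample-restore idea, added here as an example and not code from anyone in this thread: hashes are recorded at backup time, the backup copy is later checked against that manifest, and a random sample of files is restored into a scratch directory and re-hashed there. The sample tree, the backup copy and the corrupted file are all constructed inside the demo.

```python
import hashlib
import random
import shutil
import tempfile
from pathlib import Path

# Constructed sample source tree; demo() backs it up, then corrupts one copy.
SAMPLE_FILES = {
    "photos/2019/trip.jpg": b"jpeg-bytes-2019",
    "tax/2023/return.pdf": b"pdf-bytes-2023",
    "notes/todo.txt": b"buy fireproof box",
}

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()  # streamed, so multi-GB video files are not read into memory
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()
def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 of every regular file under root (record at backup time)."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}
def verify_backup(manifest: dict, backup_root: Path) -> list:
    """Relative paths that are missing from the backup or whose content changed."""
    return [rel for rel, digest in manifest.items()
            if not (backup_root / rel).is_file()
            or sha256_file(backup_root / rel) != digest]
def sample_restore(manifest: dict, backup_root: Path, k: int, seed: int = 0) -> bool:
    """Restore k randomly chosen files into a scratch dir and re-hash them there."""
    picks = random.Random(seed).sample(sorted(manifest), k)
    with tempfile.TemporaryDirectory() as scratch:
        for rel in picks:
            dst = Path(scratch) / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(backup_root / rel, dst)
            if sha256_file(dst) != manifest[rel]:
                return False
    return True
def demo() -> tuple:
    """(files flagged by verify_backup, result of restoring and re-hashing every file)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp) / "src", Path(tmp) / "bak"
        for rel, data in SAMPLE_FILES.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(data)
        manifest = build_manifest(src)
        shutil.copytree(src, bak)
        (bak / "tax/2023/return.pdf").write_bytes(b"pdf-bytes-XXXX")  # simulated bit rot
        return verify_backup(manifest, bak), sample_restore(manifest, bak, len(manifest))
```

Scheduling `verify_backup` right after each automated run is what turns "the job exited 0" into "the copy actually matches what was on disk".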
I guess that could be a good business model: no infrastructure costs, but you just collect money from those who never have to recover.
How regularly do you snapshot? I'm not currently snapshotting.
I retain daily backups for the past x days, then a weekly backup for the whole year, and monthly backups forever. This allows for point-in-time recovery of files.
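The tiered retention this reply describes (daily for x days, weekly within the year, monthly forever), written out as an added example that is not from anyone in the thread: a pure-Python pruning plan over snapshot dates, the same idea restic applies with `forget --keep-daily/--keep-weekly/--keep-monthly`. The 400-day history and the June 2024 case are constructed; keeping older monthly states is also what lets you recover a file that an automated run copied over already corrupted.

```python
from datetime import date, timedelta

def plan_retention(snapshots, today, keep_daily_days=14, weekly_days=365):
    """Split snapshot dates into (keep, prune) sets.

    Walk newest-first so the first snapshot seen in a bucket is its newest:
      - every snapshot younger than keep_daily_days is kept (daily tier);
      - within weekly_days, the newest snapshot of each ISO week is kept;
      - the newest snapshot of each calendar month is kept forever.
    A snapshot survives if any tier claims it; everything else is pruned.
    """
    keep, seen_weeks, seen_months = set(), set(), set()
    for d in sorted(set(snapshots), reverse=True):
        age = (today - d).days
        if age < keep_daily_days:
            keep.add(d)
        week = d.isocalendar()[:2]  # (ISO year, ISO week number)
        if age < weekly_days and week not in seen_weeks:
            seen_weeks.add(week)
            keep.add(d)
        month = (d.year, d.month)
        if month not in seen_months:
            seen_months.add(month)
            keep.add(d)
    return keep, set(snapshots) - keep

def june_case():
    """Constructed: one snapshot per day of June 2024, pruned on 2024-06-30 with a
    7-day daily tier. Expect 7 dailies + the Jun 23/16/9/2 weeklies = 11 kept."""
    june = [date(2024, 6, n) for n in range(1, 31)]
    return plan_retention(june, date(2024, 6, 30), keep_daily_days=7)

def demo(days=400):
    """Constructed: daily snapshots for `days` days up to 2024-06-30; returns counts."""
    today = date(2024, 6, 30)
    history = [today - timedelta(days=i) for i in range(days)]
    keep, prune = plan_retention(history, today)
    return len(keep), len(prune)

if __name__ == "__main__":
    print("keep %d, prune %d" % demo())
```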