After my old D-Link NAS died, I decided to move to FreeNAS and seriously improve my backup game. As a noob, I would love some guidance. I have several questions, but you know there are so many facets to a NAS/backup strategy.
Goals
- Copy data from my existing NAS drive to the new NAS
- Set up image & file backups of my PC to the new NAS
- Replicate the NAS to Backblaze B2 for full disaster recovery
- Irreplaceable files only; most media files I can re-download if needed
- Be protected against PC ransomware encrypting my backups
Hardware/Cloud
- I'm buying a 4-bay FreeNAS Mini-E.
- I'm buying 1 or 2 additional 3TB drives for parity. The four drives, in a ZRAID-2 configuration, will give me ~6TB total storage.
- I'm subscribing to Backblaze B2.
- I have one Windows 10 PC:
  - Boot drive: 210GB SSD with various partitions like C: and a Macrium Reflect rescue partition. This drive sees few, small changes.
  - D: Data drive: 2TB HDD; about 1.2TB used.
- I currently run Macrium Reflect on my PC for image (boot drive) and file (D:) backups.
- My dead NAS (D-Link DNS-325) has 2× 3TB WD Red drives in a RAID-1 mirror, containing:
  - Backups from various PCs over the years.
  - A Plex media library not found on any PC. My best guess is that it's about 1 TB.
- The NAS drives are pretty much full. On the backup side, I aimed for 2-month retention of monthly full and daily incremental backups.
- The dead NAS is Linux-based.
- I have a Linux laptop and a USB-SATA adapter allowing me to mount one of the dead NAS's drives onto the laptop and copy files to the new NAS.
  - Or can I stick the drive into my Mini-E and copy files to the newly-ZFS formatted drive?
- Because the Mini-E only has 4× 3.5" drive bays and I won't have any spare drives, can I, say, use one old-NAS drive + 2 new drives in a ZRAID-1 configuration, copy the data from the remaining old-NAS drive, then change my vdev from a 3-disk ZRAID-1 to 4-disk ZRAID-2 without data loss?
Possible FreeNAS configuration
- One area for the Plex library, split between:
  - Replaceable files
  - Irreplaceable files
- One area for archived backups from old PCs (can be read-only from PC)
- One area for backups of my current PC
  - C: image backups
  - D: file backups
- Replication to cloud: not all files, to save $
  - Plex > Irreplaceable files
  - C: image backups
  - D: file backups
The big challenge is ransomware protection. How do I protect the NAS files from encryption launched from my PC?
- Scenario 1: run backups on the NAS, not the PC (a "NAS pull" model) so the NAS is read-only, but:
  - That would only do file backups, not boot-drive image backups… correct? Or is there a way for FreeNAS to do a (VSS-aware) image backup on a remote PC?
  - What about the Plex library? I need write access from my PC.
- Scenario 2: image backup run on PC, saved to PC; file backup run on NAS, pulled from PC
  - Reflect has a MIG (Macrium Image Guardian) feature that only grants write access for backup files to Macrium Reflect and Macrium image tools. All other processes (e.g. ransomware) will be denied write access.
  - This only works on local and USB drives attached to my PC
  - So one possibility is to:
    - Run the image backup on my PC and store the result on D:. Because it's a local drive, MIG will protect it.
    - File backup runs on FreeNAS, pulling files off my D: drive (including the .mrimg image file)
  - How do you feel about this idea?
  - The Plex question still applies here.
- Scenario 3: something else?
- Snapshot size and retention: it seems the consensus here is "the answer to ransomware is snapshots, since snapshots are read-only". But if ransomware encrypts 1TB of files, will the new snapshots be about 1TB? Should I plan to have total NAS storage space 2× of my current and planned needs? The last thing I need is for the "clean" snapshots taken before a ransomware attack to be auto-deleted due to insufficient storage space.
- If the consensus is that people don't care if files backed up on the NAS are encrypted "because… snapshots", then I wouldn't have to do anything special to datasets like my NAS Plex library — leave it read/write from the PC because if it gets encrypted, snapshots will save me. Correct?
There's a lot to plan and I'm grateful for your guidance.
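
The snapshot-size question above, worked through as an added example (not part of the original post and not FreeNAS or ZFS code): a toy copy-on-write model showing how much space is held when every file is rewritten after clean snapshots exist, and what happens to those clean snapshots under retention. The daily schedule, the age-based `keep_days` retention, the 1000 GB data set and all names are assumptions of the model; compression and partial-block rewrites are ignored.

```python
# Toy copy-on-write model (constructed; not ZFS code). Sizes in GB.
class Dataset:
    def __init__(self):
        self.live = {}    # file name -> block id
        self.blocks = {}  # block id -> (size_gb, content label)
        self.snaps = []   # (snapshot name, day taken, frozen name->block map)

    def write(self, name, size_gb, content):
        # COW: a rewrite allocates a new block; the old block stays
        # allocated while any snapshot still references it.
        block_id = len(self.blocks)
        self.blocks[block_id] = (size_gb, content)
        self.live[name] = block_id

    def snapshot(self, name, day):
        self.snaps.append((name, day, dict(self.live)))

    def expire(self, today, keep_days):
        # Assumed age-based retention: drop snapshots older than keep_days.
        self.snaps = [s for s in self.snaps if today - s[1] < keep_days]

    def used_gb(self):
        held = set(self.live.values())
        for _, _, frozen in self.snaps:
            held.update(frozen.values())
        return sum(self.blocks[b][0] for b in held)

    def clean_snapshots(self):
        return [name for name, _, frozen in self.snaps
                if all(self.blocks[b][1] == "clean" for b in frozen.values())]


def simulate(data_gb=1000, files=10, keep_days=14, attack_day=3, noticed_day=10):
    """Daily snapshots; every file is rewritten (encrypted) on attack_day."""
    ds = Dataset()
    for i in range(files):
        ds.write(f"file{i}", data_gb // files, "clean")
    peak = 0
    for day in range(noticed_day + 1):
        if day == attack_day:
            for name in list(ds.live):
                ds.write(name, data_gb // files, "encrypted")
        ds.snapshot(f"auto-day{day}", day)
        ds.expire(day, keep_days)
        peak = max(peak, ds.used_gb())
    return peak, ds.clean_snapshots()


if __name__ == "__main__":
    print(simulate(noticed_day=10))  # noticed inside the retention window
    print(simulate(noticed_day=20))  # noticed after clean snapshots aged out
```

In this model the pool peaks at twice the data size while clean snapshots are still held, and the clean snapshots disappear only when the attack goes unnoticed for longer than the retention period.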