Secure Self-Hosted Backups for Windows

Some time ago, I wrote up my data protection strategy. I’m no longer using most of what I describe in that article for two reasons:

This second point is particularly important: in addition to general practices to keep from running ransomware (or other malicious software) in the first place, the best protection against CryptoLocker-style attacks is a good backup strategy where the backups are kept out of reach of the backed-up system. These attacks typically try to encrypt all the data files they can find, including on external drives and network shares, so if your backups are stored on such a drive they’ll be scrambled too.

However, if you have good backups out of reach of your computer, and you get hit, you can recover relatively easily: reset the computer from install media, restore data from backups, and go on your merry way. Being careful, of course, to avoid opening potentially-malicious files, as it’s quite possible that the infection arrived through some document that is saved in your backups.

For most users, I would recommend using a good encrypted cloud backup service such as Backblaze, CrashPlan, or Tarsnap. Particularly smart ransomware could still attack these services by attempting to read the credentials out of the installation and initiating a delete of your backups, but they are a good deal more secure in the face of ransomware than naïve local backups. Also, it is possible in principle for one of these providers to engineer their service to be more robust to ransomware. For one thing, using the operating system’s secure credential store, which they may already do, can make it harder for ransomware to extract the passwords needed to delete the backups. I would particularly like to see a cloud backup service provide a protection level where the user must personally log in and request for backups to be deleted, ideally using two-factor authentication, so that automated software can’t just delete the backups. This would make a very secure system. But even without that feature, using cloud backups makes the ransomware author’s job harder.

For advanced users who want to self-host their backups, it is possible to build a system that is (pretty) secure against ransomware. The key is to store the backups somewhere that the computer creating them can’t overwrite or delete.

The front end of our backup system now is Cobian Backup[1]. It runs on our laptops and stores backups on a network share provided by our NAS. The backups themselves are standard AES-encrypted 7-zip archives[2], so the backups are well-protected from potential prying eyes on the server’s hard drives. This alone, however, is very vulnerable to ransomware — CryptoLocker will happily scramble all our backups.

The second piece is server-side snapshotting. Our NAS stores its data on ZFS, which allows us to take regular snapshots of the filesystem backing the network share. The result is that new backups are quickly saved in a snapshot, out of reach of the network: the only way to access or delete the snapshot is with root access on the NAS. It should be impossible for ransomware to affect backups after they are taken without somehow obtaining root access to the NAS and knowing what it’s looking for in order to delete the backups or scramble the filesystem.
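As an added example (not code from the original post or from any NAS package), here is the shape of the root-run script on the NAS that provides the server-side snapshotting described above: it takes a new snapshot of the dataset behind the backup share, prunes snapshots beyond a retention count, and reports how old the newest snapshot is so that a stalled backup job is noticed. The dataset name `tank/backups`, the snapshot prefix `backups-` and the retention count are assumptions; the selection and staleness logic are plain text and arithmetic so they can be exercised without a pool.

```shell
#!/bin/sh
# Added example, not the post's own code. Runs as root on the NAS (e.g. from
# root's cron), never on the laptops, so the backup clients cannot reach it.
set -eu

DATASET="${DATASET:-tank/backups}"   # assumption: dataset backing the share
PREFIX="${PREFIX:-backups-}"         # assumption: snapshot name prefix
KEEP="${KEEP:-30}"                   # snapshots to retain
DRY_RUN="${DRY_RUN:-1}"              # default to printing, not destroying

# run: execute a zfs command, or only echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "would run: $*"
    else
        "$@"
    fi
}

# list_snapshots: names of this dataset's snapshots (without "dataset@"),
# oldest first, restricted to the prefix this script manages.
list_snapshots() {
    zfs list -H -t snapshot -o name -s creation -r "$DATASET" \
        | cut -d@ -f2 | grep "^${PREFIX}" || true
}

# select_prune KEEP: read snapshot names (oldest first) on stdin and print
# every name outside the newest KEEP. Pure text processing; no pool needed.
select_prune() {
    awk -v keep="$1" '{ names[NR] = $0 }
        END { for (i = 1; i <= NR - keep; i++) print names[i] }'
}

# take_snapshot: create a snapshot named from the current UTC time.
take_snapshot() {
    run zfs snapshot "${DATASET}@${PREFIX}$(date -u +%Y%m%d-%H%M)"
}

# prune_snapshots: destroy snapshots that fall outside the retention window.
prune_snapshots() {
    list_snapshots | select_prune "$KEEP" | while read -r snap; do
        run zfs destroy "${DATASET}@${snap}"
    done
}

# newest_age_seconds: seconds since the newest managed snapshot was created;
# zfs get -p reports the creation property as an epoch timestamp.
newest_age_seconds() {
    newest=$(list_snapshots | tail -n 1)
    [ -n "$newest" ] || { echo "no snapshots under $DATASET" >&2; return 1; }
    created=$(zfs get -Hp -o value creation "${DATASET}@${newest}")
    echo $(( $(date +%s) - created ))
}

# is_stale AGE MAX: succeed when AGE (seconds) exceeds MAX, i.e. the backup
# job has not produced a fresh snapshot recently. Pure arithmetic.
is_stale() {
    [ "$1" -gt "$2" ]
}

# Only act when invoked with the "rotate" argument, so sourcing the file
# (or running it without arguments) touches nothing.
if [ "${1:-}" = "rotate" ]; then
    take_snapshot
    prune_snapshots
    age=$(newest_age_seconds)
    if is_stale "$age" 86400; then
        echo "WARNING: newest snapshot is ${age}s old" >&2
    fi
fi
```

Invoke it as `DRY_RUN=0 sh rotate-snapshots.sh rotate` from root's crontab once the dry-run output looks right. The snapshot and destroy steps go through `run` so a typo in `KEEP` shows up as printed commands rather than lost history, and the staleness warning covers the failure mode where the laptop-side job silently stops writing new archives: the snapshots keep being taken, but they all contain the same old data.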

Hope someone finds this useful. I would love to see NAS packages and cloud backup providers provide turn-key support for this kind of setup, as good backup strategies are the most effective protection against ransomware (and many other kinds of attacks and problems — being able to securely re-initialize your computing environment makes it much more resilient). I should also note that I am not a security expert; this is the work of an interested amateur who tries to understand & employ best practices. I believe this architecture is fundamentally sound and provides a reasonable level of protection, but caveat emptor.

*[AES]: Advanced Encryption Standard
*[NAS]: Network-Attached Storage
*[ZFS]: Zettabyte File System