TL;DR
Backing up to a remote encrypted APFS drive mounted through Samba can work, but it’s not the most secure or reliable solution. It introduces several potential weaknesses. We’ll outline how to do it if you must, and then discuss much better alternatives.
Is this a sound plan?
Generally, no. Mounting an APFS volume over Samba adds complexity and security risks compared to dedicated backup protocols like rsync over SSH or using cloud-based solutions designed for backups. Samba isn’t built with the specific requirements of data integrity and consistency that backups need.
If you *must* use Samba, here’s how (with warnings)
- Encryption: Ensure your APFS volume is encrypted using FileVault. This protects the data at rest on the remote drive.
- Samba Configuration (Server – Remote Drive): Configure Samba with strong user authentication and access controls.
- Use a dedicated backup user account with limited privileges. Do not use an administrator account.
- Restrict write access to only the specific share folder where backups will be stored.
- Enable SMB signing (
smb.conf):global security = domain signatures required = yes
- Samba Configuration (Client – Backup Machine): Configure the client machine to securely connect to the Samba share.
- Use a strong password for the backup user.
- Mount the share using your username and password, but consider storing credentials in a secure configuration file if scripting backups. Avoid hardcoding passwords directly into scripts.
- Backup Software: Use a robust backup software solution that supports incremental backups.
- rsync: This is the best option if you’re comfortable with the command line. It efficiently copies only changed files and can be scripted for automated backups.
rsync -avz --delete /source/folder username@remote_server:/path/to/backup/share - Time Machine (with caveats): Time Machine can back up to a network share, but it’s less reliable over Samba. Expect potential performance issues and data corruption risks. It’s not officially supported for Samba shares.
- rsync: This is the best option if you’re comfortable with the command line. It efficiently copies only changed files and can be scripted for automated backups.
- Regular Verification: Regularly test your backups by restoring files from the remote drive. This is crucial to ensure data integrity.
Why this isn’t ideal & Better Alternatives
- Samba Overhead: Samba adds overhead, slowing down backup speeds and increasing resource usage on both machines.
- Data Integrity Concerns: Samba doesn’t have the same data integrity checks as dedicated backup protocols. Network interruptions can lead to corrupted backups.
- Security Risks: Samba is a potential target for attacks. Misconfigurations or vulnerabilities could compromise your data.
Better Alternatives:
- rsync over SSH: This is the gold standard for local and remote backups. It’s secure, efficient, and reliable.
rsync -avz --delete /source/folder username@remote_server:/path/to/backup/share - Dedicated Backup Software: Solutions like Duplicati or BorgBackup offer advanced features like encryption, compression, and deduplication.
- Cloud Backups: Services like Backblaze, Carbonite, or cloud storage providers (with versioning enabled) provide offsite backups with built-in redundancy and security.
Final Thoughts
While backing up to a remote encrypted APFS drive via Samba is technically possible, it’s not recommended due to the inherent risks involved. Prioritize more secure and reliable backup solutions like rsync over SSH or dedicated backup software whenever possible.