
Backup Credentials


Last Modified 2021-10-05 10:03 EDT

The Backup Credentials section lets users integrate TrueNAS with Cloud Storage providers and set up SSH Connections and Keypairs.


The Cloud Credentials window allows users to integrate TrueNAS with Cloud Storage providers.

To maximize security, TrueNAS encrypts cloud credentials when saving them. However, this means that to restore any cloud credentials from a TrueNAS configuration file, you must enable Export Password Secret Seed when generating that configuration backup. Remember to protect any downloaded TrueNAS configuration files.

We recommend opening another browser tab and logging in to the Cloud Storage Provider account you intend to link with TrueNAS. Some providers require additional information that they generate on the storage provider account page. For example, saving an Amazon S3 credential on TrueNAS could require logging in to the S3 account and generating an access key pair on the Security Credentials > Access Keys page.

To set up a Cloud Credential, go to Credentials > Backup Credentials and click Add in the Cloud Credentials window.


Enter a credential Name and choose a Provider. The rest of the options change according to the chosen Provider:


| Name | Description |
|------|-------------|
| Access Key ID | Amazon Web Services Key ID. This is found on Amazon AWS by going through My account > Security Credentials > Access Keys (Access Key ID and Secret Access Key). Must be alphanumeric and between 5 and 20 characters. |
| Secret Access Key | Amazon Web Services password. If the Secret Access Key cannot be found or remembered, go to My Account > Security Credentials > Access Keys and create a new key pair. Must be alphanumeric and between 8 and 40 characters. |
| Maximum Upload Parts | Define the maximum number of chunks for a multipart upload. Setting a maximum is necessary if a service does not support the 10,000 chunk AWS S3 specification. |

Amazon S3 Advanced Options

| Name | Description |
|------|-------------|
| Endpoint URL | S3 API endpoint URL. When using AWS, the endpoint field can be empty to use the default endpoint for the region and automatically fetch available buckets. Refer to the AWS Documentation for a list of Simple Storage Service Website Endpoints. |
| Region | AWS resources in a geographic area. Leave empty to detect the bucket's correct public region. Entering a private region name allows interacting with Amazon buckets created in that region. For example, enter us-gov-east-1 to discover buckets created in the eastern AWS GovCloud region. |
| Disable Endpoint Region | Skip automatic detection of the Endpoint URL region. Set this when configuring a custom Endpoint URL. |
| Use Signature Version 2 | Force using Signature Version 2 to sign API requests. Set this when configuring a custom Endpoint URL. |

| Name | Description |
|------|-------------|
| Key ID | Alphanumeric Backblaze B2 Application Key ID. To generate a new application key, log in to the Backblaze account, go to the App Keys page, and add a new application key. Copy the application keyID string to this field. |
| Application Key | Backblaze B2 Application Key. To generate a new application key, log in to the Backblaze account, go to the App Keys page, and add a new application key. Copy the applicationKey string to this field. |

| Name | Description |
|------|-------------|
| OAuth Client ID | The public identifier for the cloud application. |
| OAuth Client Secret | The secret phrase known only to the cloud application and the authorization server. |
| Access Token | A User Access Token for Box. An access token enables Box to verify a request belongs to an authorized session. Example token: T9cE5asGnuyYCCqIZFoWjFHvNbvVqHjl. |

| Name | Description |
|------|-------------|
| OAuth Client ID | The public identifier for the cloud application. |
| OAuth Client Secret | The secret phrase known only to the cloud application and the authorization server. |
| Access Token | Access Token for a Dropbox account. You must create a token from the Dropbox account before adding it here. |

| Name | Description |
|------|-------------|
| Host | FTP Host to connect. Example: ftp.example.com. |
| Port | FTP Port number. Leave blank to use the default port 21. |
| Username | A username on the FTP Host system. This user must already exist on the FTP Host. |
| Password | Password for the user account. |

| Name | Description |
|------|-------------|
| Preview JSON Service Account Key | Contents of the uploaded Service Account JSON file. |
| Choose File | Upload a Google Service Account credential file. The Google Cloud Platform Console creates the file. |

| Name | Description |
|------|-------------|
| OAuth Client ID | The public identifier for the cloud application. |
| OAuth Client Secret | The secret phrase known only to the cloud application and the authorization server. |
| Access Token | Token created with Google Drive. Access Tokens expire periodically, so you must refresh them. |
| Team Drive ID | Only needed when connecting to a Team Drive. The Team Drive's top-level folder ID. |

| Name | Description |
|------|-------------|
| OAuth Client ID | The public identifier for the cloud application. |
| OAuth Client Secret | The secret phrase known only to the cloud application and the authorization server. |

| Name | Description |
|------|-------------|
| URL | HTTP host URL. |

| Name | Description |
|------|-------------|
| Access Token | Access Token generated by a Hubic account. |

| Name | Description |
|------|-------------|
| Username | MEGA account username. |
| Password | MEGA account password. |

| Name | Description |
|------|-------------|
| Account Name | Microsoft Azure account name. |
| Account Key | Base64 encoded key for Azure Account. |

| Name | Description |
|------|-------------|
| OAuth Client ID | The public identifier for the cloud application. |
| OAuth Client Secret | The secret phrase known only to the cloud application and the authorization server. |
| Access Token | Microsoft OneDrive Access Token. Log in to the Microsoft account to add an access token. |
| Drives List | Drives and IDs registered to the Microsoft account. Selecting a drive also fills the Drive ID field. |
| Drive Account Type | Type of Microsoft account. Logging in to a Microsoft account selects the correct account type. Options: Personal, Business, Document_Library |
| Drive ID | Unique drive identifier. Log in to a Microsoft account and choose a drive from the Drives List drop-down to add a valid ID. |

| Name | Description |
|------|-------------|
| User Name | OpenStack user name (OS_USERNAME) from an OpenStack credentials file. |
| API Key or Password | OpenStack API key or password. This is the OS_PASSWORD from an OpenStack credentials file. |
| Authentication URL | Authentication URL for the server. This is the OS_AUTH_URL from an OpenStack credentials file. |
| Auth Version | AuthVersion - optional - set to (1,2,3) if your auth URL has no version (rclone documentation). |

Advanced Options

| Name | Description |
|------|-------------|
| Tenant Name | This is the OS_TENANT_NAME from an OpenStack credentials file. |
| Tenant ID | Tenant ID - optional for v1 auth, this or tenant required otherwise (rclone documentation). |
| Auth Token | Auth Token from alternate authentication - optional (rclone documentation). |

Endpoint Advanced Options

| Name | Description |
|------|-------------|
| Region Name | Region name - optional (rclone documentation). |
| Storage URL | Storage URL - optional (rclone documentation). |
| Endpoint Type | Endpoint type to choose from the service catalogue. Public is recommended, see the rclone documentation. |

| Name | Description |
|------|-------------|
| OAuth Client ID | The public identifier for the cloud application. |
| OAuth Client Secret | The secret phrase known only to the cloud application and the authorization server. |
| Access Token | pCloud Access Token. These tokens can expire and require an extension. |
| Hostname | Enter the hostname to connect to. |

| Name | Description |
|------|-------------|
| Host | SSH Host to connect to. |
| Port | SSH port number. Leave empty to use the default port 22. |
| Username | SSH Username. |
| Password | Password for the SSH Username account. |
| Private Key ID | Import the private key from an existing SSH keypair or select Generate New to create a new SSH key for this credential. |

| Name | Description |
|------|-------------|
| URL | URL of the HTTP host to connect to. |
| WebDav Service | Name of the WebDAV site, service, or software being used. |
| Username | WebDAV account username. |
| Password | WebDAV account password. |

| Name | Description |
|------|-------------|
| OAuth Client ID | The public identifier for the cloud application. |
| OAuth Client Secret | The secret phrase known only to the cloud application and the authorization server. |
| Access Token | Yandex Access Token. |

Enter the required Authentication strings to enable saving the credential.

Automatic Authentication

Some providers can automatically populate the required Authentication strings by logging in to the account. To automatically configure the credential, click Login to Provider and enter your account username and password.


We recommend verifying the credential before saving it.

The SSH Connections window in the Backup Credentials screen allows users to establish Secure Shell (SSH) connections.

To begin setting up an SSH connection, navigate to Credentials > Backup Credentials and click the Add button in the SSH Connections window.

Create a Connection

Semi-automatic simplifies setting up an SSH connection with another FreeNAS or TrueNAS system without logging in to that system to transfer SSH keys. This requires an SSH keypair on the local system and administrator account credentials for the remote TrueNAS. You must configure the remote system to allow root access with SSH. You can generate the keypair as part of the semi-automatic configuration or use one created manually in Backup Credentials.


Name and Method

| Name | Description |
|------|-------------|
| Name | Name of this SSH connection. SSH connection names must be unique. |
| Setup Method | Manual requires configuring authentication on the remote system. This can include copying SSH keys and modifying the root user account on that system. Semi-automatic only works when configuring an SSH connection with a remote TrueNAS system. This method uses the URL and login credentials of the remote system to connect and exchange SSH keys. |

Authentication

| Name | Description |
|------|-------------|
| TrueNAS URL | Hostname or IP address of the remote system. A valid URL scheme is required. Example: https://10.231.3.76 |
| Username | Username for logging in to the remote system. |
| Password | User account password for logging into the remote system. |
| Private Key | Choose a saved SSH Keypair or select Generate New to create a new keypair and use it for this connection. |

More Options

| Name | Description |
|------|-------------|
| Cipher | Standard is most secure, but has the greatest impact on connection speed. Fast is less secure than Standard but can give reasonable transfer rates for devices with limited cryptographic speed. Disabled removes all security in favor of maximizing connection speed. Disabling the security should only be used within a secure, trusted network. |
| Connect Timeout | Time (in seconds) before the system stops attempting to establish a connection with the remote system. |

Be sure to use a valid URL scheme for the remote TrueNAS URL. Leave the username as root and enter the account password for the remote TrueNAS system. You can import the private key from a previously created SSH keypair or generate a new SSH keypair.

Saving the new configuration automatically opens a connection to the remote TrueNAS and exchanges SSH keys.

To manually set up an SSH connection, you must copy a public encryption key from the local system to the remote system. A manual setup allows a secure connection without a password prompt.

Adding a Public SSH Key to the TrueNAS Root Account

Log in to the TrueNAS system that generated the SSH keypair and go to Credentials > Backup Credentials. Click the . Open the keypair for the SSH connection and copy the text of the public SSH key or download the public key as a text file.

Log in to the TrueNAS system you want to register the public key on and go to Credentials > Local Users. Edit the root account. Paste the SSH public key text into the SSH Public Key field.

Start by generating a new SSH keypair in Credentials > Backup Credentials. Copy or download the value for the public key. Add the public key to the remote NAS. If the remote NAS is not a TrueNAS system, please see the documentation for that system for instructions on adding a public SSH key.

Manually Configuring the SSH Connection on the Local TrueNAS

Log back in to the local TrueNAS system. Go to Credentials > Backup Credentials and add a new SSH connection. Change the setup method to Manual.


Name and Method

| Name | Description |
|------|-------------|
| Name | Name of this SSH connection. SSH connection names must be unique. |
| Setup Method | Manual requires configuring authentication on the remote system. This can include copying SSH keys and modifying the root user account on that system. Semi-automatic only works when configuring an SSH connection with a remote TrueNAS system. This method uses the URL and login credentials of the remote system to connect and exchange SSH keys. |

Authentication

| Name | Description |
|------|-------------|
| Host | Hostname or IP address of the remote system. A valid URL scheme is required. Example: https://10.231.3.76 |
| Port | Port number on the remote system to use for the SSH connection. |
| Username | Username for logging in to the remote system. |
| Private Key | Choose a saved SSH Keypair or select Generate New to create a new keypair and use it for this connection. |
| Remote Host Key | Remote system SSH key for this system to authenticate the connection. When all other fields are properly configured, click DISCOVER REMOTE HOST KEY to query the remote system and automatically populate this field. |

Discover Remote Host Key connects to the remote host and attempts to copy the key string to the related TrueNAS field.
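Discover Remote Host Key takes the key that the remote host presents over the network, so before saving, compare it with a fingerprint read on the remote system's own console (for example with ssh-keygen -lf on its host public key file). The Python below is an added example, not TrueNAS code; the function names, the host name nas2.example, and the sample key bytes are constructed for illustration.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def parse_key_line(line: str) -> tuple[str, bytes]:
    """Accept 'type base64 [comment]' or 'host type base64' and return (type, blob)."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            blob = base64.b64decode(fields[i + 1], validate=True)
            # The blob begins with a length-prefixed copy of the key type; a
            # mismatch means the line was truncated or edited in transit.
            if not blob.startswith(struct.pack(">I", len(field)) + field.encode()):
                raise ValueError("key type does not match key blob")
            return field, blob
    raise ValueError("no SSH public key found in line")


def fingerprint(line: str) -> str:
    """SHA256 fingerprint in the form printed by `ssh-keygen -lf`."""
    _, blob = parse_key_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(discovered_line: str, trusted_fingerprint: str) -> bool:
    """True only if the discovered key hashes to the fingerprint read out-of-band."""
    return fingerprint(discovered_line) == trusted_fingerprint.strip()


def make_sample_line(key_bytes: bytes, host: str = "nas2.example") -> str:
    """Build a constructed ed25519 host key line (sample data, not a real key)."""
    name = b"ssh-ed25519"
    blob = (struct.pack(">I", len(name)) + name
            + struct.pack(">I", len(key_bytes)) + key_bytes)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


if __name__ == "__main__":
    trusted = fingerprint(make_sample_line(bytes(range(32))))   # read at the console
    discovered = make_sample_line(bytes(range(32)))             # key from discovery
    substituted = make_sample_line(bytes(range(1, 33)))         # a different key
    print(trusted)
    print("expected host:", host_key_matches(discovered, trusted))
    print("other key:", host_key_matches(substituted, trusted))
```

If the comparison fails, do not save the connection until you have established which host answered the discovery request.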

More Options

| Name | Description |
|------|-------------|
| Cipher | Standard is most secure, but has the greatest impact on connection speed. Fast is less secure than Standard but can give reasonable transfer rates for devices with limited cryptographic speed. Disabled removes all security in favor of maximizing connection speed. Disabling the security should only be used within a secure, trusted network. |
| Connect Timeout | Time (in seconds) before the system stops attempting to establish a connection with the remote system. |

Select the private key from the SSH keypair whose public key you transferred to the remote NAS.