Backup Credentials

11 minute read.

Last Modified 2022-05-17 08:02 EDT

The Backup Credentials section lets users integrate TrueNAS with Cloud Storage providers and set up SSH Connections and Keypairs.

BackupCredentialsSCALE

Cloud Credentials

The Cloud Credentials window allows users to integrate TrueNAS with Cloud Storage providers.

Is this secure?

To maximize security, TrueNAS encrypts cloud credentials when saving them. However, this means that to restore any cloud credentials from a TrueNAS configuration file, you must enable Export Password Secret Seed when generating that configuration backup. Remember to protect any downloaded TrueNAS configuration files.

We recommend users open another browser tab open and log in to the Cloud Storage Provider account you intend to link with TrueNAS. Some providers require additional information that they generate on the storage provider account page. For example, saving an Amazon S3 credential on TrueNAS could require logging in to the S3 account and generating an access key pair on the Security Credentials > Access Keys page.

To set up a Cloud Credential, go to Credentials > Backup Credentials and click Add in the Cloud Credentials window.

CloudCredentialsSCALE

Enter a credential Name and choose a Provider. The rest of the options change according to the chosen Provider:

Amazon S3

Dolor sit, sumo unique …

Name	Description
Access Key ID	Amazon Web Services Key ID. This is found on Amazon AWS by going through My account > Security Credentials > Access Keys (Access Key ID and Secret Access Key). Must be alphanumeric and between 5 and 20 characters.
Secret Access Key	Amazon Web Services password. If the Secret Access Key cannot be found or remembered, go to My Account > Security Credentials > Access Keys and create a new key pair. Must be alphanumeric and between 8 and 40 characters.
Maximum Upload Ports	Define the maximum number of chunks for a multipart upload. Setting a maximum is necessary if a service does not support the 10,000 chunk AWS S3 specification.

Amazon S3 Advanced Options

Name	Description
Endpoint URL	S3 API endpoint URL. When using AWS, the endpoint field can be empty to use the default endpoint for the region and automatically fetch available buckets. Refer to the AWS Documentation for a list of Simple Storage Service Website Endpoints.
Region	AWS resources in a geographic area. Leave empty to detect the bucket’s correct public region. Entering a private region name allows interacting with Amazon buckets created in that region. For example, enter us-gov-east-1 to discover buckets created in the eastern AWS GovCloud region.
Disable Endpoint Region	Skip automatic detection of the Endpoint URL region. Set this when configuring a custom Endpoint URL.
User Signature Version 2	Force using Signature Version 2 to sign API requests. Set this when configuring a custom Endpoint URL.

BackBlaze B2

Name	Description
Key ID	Alphanumeric Backblaze B2 Application Key ID. To generate a new application key, log in to the Backblaze account, go to the App Keys page, and add a new application key. Copy the application keyID string to this field.
Application Key	Backblaze B2 Application Key. To generate a new application key, log in to the Backblaze account, go to the App Keys page, and add a new application key. Copy the applicationKey string to this field.

Box

Name	Description
OAuth Client ID	The public identifier for the cloud application.
OAuth Client Secret	The secret phrase known only to the cloud application and the authorization server.
Access Token	A User Access Token for Box. An access token enables Box to verify a request belongs to an authorized session. Example token: T9cE5asGnuyYCCqIZFoWjFHvNbvVqHjl.

DropBox

Name	Description
OAuth Client ID	The public identifier for the cloud application.
OAuth Client Secret	The secret phrase known only to the cloud application and the authorization server.
Access Token	Access Token for a Dropbox account. You must create a token from the Dropbox account before adding it here.

FTP

Name	Description
Host	FTP Host to connect. Example: ftp.example.com.
Port	FTP Port number. Leave blank to use the default port 21.
Username	A username on the FTP Host system. This user must already exist on the FTP Host.
Password	Password for the user account.

Google Cloud Storage

Name	Description
Preview JSON Service Account Key	Contents of the uploaded Service Account JSON file.
Choose File	Upload a Google Service Account credential file. The Google Cloud Platform Console creates the file.

Google Drive

Name	Description
OAuth Client ID	The public identifier for the cloud application.
OAuth Client Secret	The secret phrase known only to the cloud application and the authorization server.
Access Token	Token created with Google Drive. Access Tokens expire periodically, so you must refresh them.
Team Drive ID	Only needed when connecting to a Team Drive. The Team Drive’s top-level folder ID.

Google Photos

Name	Description
OAuth Client ID	The public identifier for the cloud application.
OAuth Client Secret	The secret phrase known only to the cloud application and the authorization server.

HTTP

Name	Description
URL	HTTP host URL.

Hubic

Name	Description
Access Token	Access Token generated by a Hubic account.

Mega

Name	Description
Username	MEGA account username.
Password	MEGA account password.

Microsoft Azure Blob Storage

Name	Description
Account Name	Microsoft Azure account name.
Account Key	Base64 encoded key for Azure Account.

Microsoft One Drive

Name	Description
OAuth Client ID	The public identifier for the cloud application.
OAuth Client Secret	The secret phrase known only to the cloud application and the authorization server.
Access Token	Microsoft Onedrive Access Token. Log in to the Microsoft account to add an access token.
Drives List	Drives and IDs registered to the Microsoft account. Selecting a drive also fills the Drive ID field.
Drive Account Type	Type of Microsoft account. Logging in to a Microsoft account selects the correct account type. Options: Personal, Business, Document_Library
Drive ID	Unique drive identifier. Log in to a Microsoft account and choose a drive from the Drives List drop-down to add a valid ID.

OpenStack Swift

Name	Description
User Name	Openstack user name (OS_USERNAME) from an OpenStack credentials file.
API Key or Password	Openstack API key or password. This is the OS_PASSWORD from an OpenStack credentials file.
Authentication URL	Authentication URL for the server. This is the OS_AUTH_URL from an OpenStack credentials file.
Auth Version	AuthVersion - optional - set to (1,2,3) if your auth URL has no version (rclone documentation).

Advanced Options

Name	Description
Tenant Name	This is the OS_TENANT_NAME from an OpenStack credentials file.
Tenant ID	Tenant ID - optional for v1 auth, this or tenant required otherwise (rclone documentation).
Auth Token	Auth Token from alternate authentication - optional (rclone documentation).

Endpoint Advanced Options

Name	Description
Region Name	Region name - optional (rclone documentation).
Storage URL	Storage URL - optional (rclone documentation).
Endpoint Type	Endpoint type to choose from the service catalogue. Public is recommended, see the rclone documentation.

pCloud

Name	Description
OAuth Client ID	The public identifier for the cloud application.
OAuth Client Secret	The secret phrase known only to the cloud application and the authorization server.
Access Token	pCloud Access Token. These tokens can expire and require an extension.
Hostname	Enter the hostname to connect to.

SFTP

Name	Description
Host	SSH Host to connect to.
Port	SSH port number. Leave empty to use the default port 22.
Username	SSH Username.
Password	Password for the SSH Username account.
Private Key ID	Import the private key from an existing SSH keypair or select Generate New to create a new SSH key for this credential.

WebDav

Name	Description
URL	URL of the HTTP host to connect to.
WebDav Service	Name of the WebDAV site, service, or software being used.
Username	WebDAV account username.
Password	WebDAV account password.

Yandex

Name	Description
OAuth Client ID	The public identifier for the cloud application.
OAuth Client Secret	The secret phrase known only to the cloud application and the authorization server.
Access Token	Yandex Access Token.

Enter the required Authentication strings to enable saving the credential.

Automatic Authentication

Some providers can automatically populate the required Authentication strings by logging in to the account. To automatically configure the credential, click Login to Provider and entering your account username and password.

AutomaticAuthenticationSCALE

We recommend verifying the credential before saving it.

SSH Connections

The SSH Connections window in the Backup Credentials screen allows users establish Secure Socket Shell (SSH) connections.

To begin setting up a SSH Connection, navigate to Credentials > Backup Credentials and click the Add button in the SSH Connections window.

Create a Connection

Semi-Automatic

Semi-automatic simplifies setting up an SSH connection with another FreeNAS or TrueNAS system without logging in to that system to transfer SSH keys. This requires an SSH keypair on the local system and administrator account credentials for the remote TrueNAS. You must configure the remote system to allow root access with SSH. You can generate the keypair as part of the semiautomatic configuration or a manually created one in Backup Credentials.

Name and Method

Name	Description
Name	Name of this SSH connection. SSH connection names must be unique.
Setup Method	Manual requires configuring authentication on the remote system. This can include copying SSH keys and modifying the root user account on that system. Semi-automatic only works when configuring an SSH connection with a remote TrueNAS system. This method uses the URL and login credentials of the remote system to connect and exchange SSH keys.

Authentication

Name	Description
TrueNAS URL	Hostname or IP address of the remote system. A valid URL scheme is required. Example: `https://10.231.3.76`
Username	Username for logging in to the remote system.
Password	User account password for logging into the remote system.
Private Key	Choose a saved SSH Keypair or select Generate New to create a new keypair and use it for this connection.

More Options

Name	Description
Cipher	Standard is most secure, but has the greatest impact on connection speed. Fast is less secure than Standard but can give reasonable transfer rates for devices with limited cryptographic speed. Disabled removes all security in favor of maximizing connection speed. Disabling the security should only be used within a secure, trusted network.
Connect Timeout	Time (in seconds) before the system stops attempting to establish a connection with the remote system.

Be sure to use a valid URL scheme for the remote TrueNAS URL. Leave the username as root and enter the account password for the remote TrueNAS system. You can import the private key from a previously created SSH keypair or create one with a new SSH keypair.

Saving the new configuration automatically opens a connection to the remote TrueNAS and exchanges SSH keys.

Manual

To manually set up an SSH connection, you must copy a public encryption key from the local system to the remote system. A manual setup allows a secure connection without a password prompt.

Adding a Public SSH Key to the TrueNAS Root Account

Log in to the TrueNAS system that generated the SSH keypair and go to Credentials > Backup Credentials. Click the . Open the keypair for the SSH connection and copy the text of the public SSH key or download the public key as a text file.

Log in to the TrueNAS system you want to register the public key on and go to Credentials > Local Users. Edit the root account. Paste the SSH public key text into the SSH Public Key field.

Start by generating a new SSH keypair in Credentials > Backup Credentials. Copy or download the value for the public key. Add the public key to the remote NAS. If the remote NAS is not a TrueNAS system, please see the documentation for that system for instructions on adding a public SSH key.

Manually Configuring the SSH Connection on the Local TrueNAS

Log back in to the local TrueNAS system. Go to Credentials > Backup Credentials and add a new SSH connection. Change the setup method to Manual.

Name and Method

Name	Description
Name	Name of this SSH connection. SSH connection names must be unique.
Setup Method	Manual requires configuring authentication on the remote system. This can include copying SSH keys and modifying the root user account on that system. Semi-automatic only works when configuring an SSH connection with a remote TrueNAS system. This method uses the URL and login credentials of the remote system to connect and exchange SSH keys.

Authentication

Name	Description
Host	Hostname or IP address of the remote system. A valid URL scheme is required. Example: `https://10.231.3.76`
Port	Port number on the remote system to use for the SSH connection.
Username	Username for logging in to the remote system.
Private Key	Choose a saved SSH Keypair or select Generate New to create a new keypair and use it for this connection.
Remote Host Key	Remote system SSH key for this system to authenticate the connection. When all other fields are properly configured, click DISCOVER REMOTE HOST KEY to query the remote system and automatically populate this field.

Discover Remote Host Key connects to the remote host and attempts to copy the key string to the related TrueNAS field.

More Options

Name	Description
Cipher	Standard is most secure, but has the greatest impact on connection speed. Fast is less secure than Standard but can give reasonable transfer rates for devices with limited cryptographic speed. Disabled removes all security in favor of maximizing connection speed. Disabling the security should only be used within a secure, trusted network.
Connect Timeout	Time (in seconds) before the system stops attempting to establish a connection with the remote system.

Select the private key from the SSH keypair that you used to transfer the public key on the remote NAS.