Security

Backups are a prime ransomware target — treat the backup system as critical infrastructure.

Checklist

• TLS everywhere between Director, Storage Daemon, File Daemon and Console; enable TLS Authenticate for mutual auth.
• Encrypt at rest with AES-256-GCM and guard the PKI private keys (back them up separately). See Encryption & TLS.
• Immutability / WORM so a compromised admin can’t delete backups before retention. See Immutability & WORM.
• Active ransomware detection to catch and stop attacks in real time. See Ransomware detection.
• Least privilege — scope Console access with Console ACLs (see the Console reference).
• Separate credentials per daemon; rotate passwords; restrict network access to ports 9101–9103.
• Multi-factor authentication on the Console where available.