NAS build for medical data

In the near future, my wife will open her own business (one-woman show) in the medical field. She will be storing confidential patient data, and she will need to have access to that data without any downtime.

She needs backup space for 2 Windows PCs (1 Desktop and 1 Laptop) + space for PDFs and text-documents.

We would be doing a proper 3-2-1 backup strategy with a cloud provider, as well as using a UPS in case of power loss. The NAS would need to be as quiet as possible.

She will need to have access to that data from home (VPN).

I was thinking of using an A2SDi-4C-HLN4F as a base.

For the pool layout I was thinking a 3-way mirror with a mirrored boot pool.
The pool would be encrypted against physical theft.

For the case JONSBO N1 Mini-ITX NAS Chassis with an external power brick.

Any thoughts, ideas, pitfalls?

1 Like

Hello,
The case seems to support only five 3.5" HDDs, but if I understand correctly, you want 6 (data) + 2 (boot).
Best Regards,
Antonio

1 Like

Sorry, I mean 3 data disks. All mirrored. Or maybe a mirror + 1 spare.

1 Like

Dubious chassis, in my opinion (others disagree violently), but the A2SDi is a solid choice. Since this is for work, “solid” beats any other considerations.

If you’ll be using ZFS encrypted send/recv to store the encrypted data on someone else’s computer, be sure to really take a deep dive in the documentation and over on GitHub, because encryption can still be a bit rough around the edges and needs to be handled with a lot of care, especially if send/recv is involved.

1 Like

Thank you. Any recommendation for a small and quiet NAS case?
Speaking of encryption, if I “replicate” to a cloud provider, wouldn’t that mean that my pool is unlocked, and therefore transmitted in an unencrypted state?

I am not that worried about a man-in-the-middle attack, but about theft of the NAS.

1 Like

You probably do not need a mirrored boot pool. Replacing a failing boot device is a quick operation if you have saved the configuration file, and mirroring the boot drive does not guarantee that the BIOS would behave as expected in case of failure.

As for the case, anything which could hold 3-4 drives…
A Fractal Design Node 304 can be reasonably quiet, depending on your definition of “acceptable”, but may require some blanks for airflow with less than the full six drives.
I’m unsure what @ericloewe finds “dubious” in the Jonsbo N1. A 140mm fan blowing sideways through a HDD stack looks like a reasonable cooling model—at least, better than the N2.

Strictly replicating to a cloud provider implies that the provider uses ZFS. If that is the case, the remote ZFS host receives encrypted data and can scrub by verifying the checksums of the encrypted blocks—no decryption key is ever required.

2 Likes

My Node 304 Build.

I go into some detail on cooling and cable management

3 Likes

True, but this is a professional setting. The added cost is small and provides flexibility.

1 Like

Thank you all so far.

After reading some reviews of the JONSBO N1, it seems that the airflow is suboptimal in that case.

1 Like

You might need a case that supports redundant power supply - just in case, power supply goes bad - otherwise you will have downtime if power supply fails.

1 Like

I would personally go for a case which allows an internal PSU as I think it less likely that the cable will be knocked out.

Aside from encryption of the disks, you need to think about physical security e.g. having a reasonably secure lockable cabinet with airflow that is physically bolted to the floor or wall. You probably already have a security alarm on the office, but this is also essential.

If you are using SMB, then data on the LAN will be encrypted. A VPN to home also sounds OK providing that you set it up correctly.

I would recommend that you request a fixed IP address for your home from your ISP so that you can limit VPN access through your firewall to that specific IP address. A fixed IP address for your office might also be helpful (otherwise you will need to set up dynamic DNS).

You will also need to encrypt the hard drives of your PCs in the office and at home - which may require new PCs with a TPM if they don’t already have one - because temporary copies of patient data will be held in temporary files and in memory (and so the swap/paging files).

Also, for patient data you should think about enabling auditing so that you keep a record of which users access which data and at what date and time. And perhaps you should consider 2FA (perhaps physical authentication, i.e. a dongle) as well as a password for PC access, VPN access and admin access to the NAS.

You might also want to consider putting some sort of centralised logging on your NAS (e.g. syslog) and sending logs from the firewall there, and then implementing some sort of monitoring of those logs and alerting for security events.

You are probably already considering the encryption characteristics of your cloud backups - but in particular you might want to consider how to hold the data in the cloud in an encrypted form without the encryption key being in the cloud. In other words, you should ship encrypted versions of files across the internet to the cloud provider and store these encrypted files rather than (or in addition to) having an encrypted disk subsystem there.

Finally you will need to store copies of the various encryption keys (in hard copy or on a USB flash drive) in case the electronic versions are lost (because of a fire or because the NAS is physically stolen) and you need to recreate them. And since these need physical security you will need a physical safe or similar to hold them.

4 Likes
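As an added illustration of the centralised-logging and alerting idea in the post above (this is example code, not something posted in the thread or shipped with TrueNAS): a small monitor that reads firewall/VPN syslog lines forwarded to the NAS, flags a burst of VPN authentication failures from one source, and flags any successful VPN login from a source that is not the fixed home IP address. The log format, process name `vpnd`, field names and all addresses are constructed for the example; real firewall messages will need their own regular expression.

```python
"""Toy security monitor for firewall/VPN syslog lines collected on the NAS.

Example code only. The line format below is an assumption for illustration;
adapt LINE_RE to the actual firewall/VPN daemon you forward logs from.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical syslog-style line: "<iso-timestamp> <host> <proc>: <event> user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+): "
    r"(?P<event>VPN_AUTH_(?:OK|FAIL)) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample input (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
2024-05-06T08:00:01 fw1 vpnd: VPN_AUTH_OK user=practice src=192.0.2.10
2024-05-06T08:01:10 fw1 vpnd: VPN_AUTH_FAIL user=admin src=203.0.113.7
2024-05-06T08:01:12 fw1 vpnd: VPN_AUTH_FAIL user=admin src=203.0.113.7
2024-05-06T08:01:15 fw1 vpnd: VPN_AUTH_FAIL user=root src=203.0.113.7
2024-05-06T08:01:19 fw1 vpnd: VPN_AUTH_FAIL user=practice src=203.0.113.7
2024-05-06T08:01:22 fw1 vpnd: VPN_AUTH_FAIL user=practice src=203.0.113.7
2024-05-06T08:01:30 fw1 vpnd: VPN_AUTH_FAIL user=practice src=203.0.113.7
2024-05-06T08:30:00 fw1 vpnd: VPN_AUTH_OK user=practice src=198.51.100.9
2024-05-06T08:31:00 fw1 kernel: unrelated message
"""


def parse_line(line):
    """Return a dict for a VPN auth event, or None for lines we do not monitor."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def analyse(lines, allowed_sources, fail_threshold=5, window=timedelta(minutes=10)):
    """Scan log lines in order and return a list of (alert_kind, source_ip) tuples.

    - vpn_brute_force: the Nth authentication failure from one source inside
      the sliding window (fires once per burst, at exactly fail_threshold).
    - vpn_login_from_unexpected_source: a successful login whose source is not
      in the allow-list (e.g. the fixed home IP the firewall should permit).
    """
    alerts = []
    failures = defaultdict(list)  # src ip -> timestamps of recent failures
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["event"] == "VPN_AUTH_FAIL":
            recent = failures[rec["src"]]
            recent.append(rec["ts"])
            cutoff = rec["ts"] - window
            recent[:] = [t for t in recent if t >= cutoff]  # drop stale entries
            if len(recent) == fail_threshold:
                alerts.append(("vpn_brute_force", rec["src"]))
        elif rec["event"] == "VPN_AUTH_OK" and rec["src"] not in allowed_sources:
            alerts.append(("vpn_login_from_unexpected_source", rec["src"]))
    return alerts


if __name__ == "__main__":
    # Assume the practice's home connection has the fixed address 192.0.2.10.
    for kind, src in analyse(SAMPLE_LOG.splitlines(), allowed_sources={"192.0.2.10"}):
        print(f"ALERT {kind} from {src}")
```

The second alert type is a detective control that complements the firewall rule: if the firewall is ever misconfigured and lets a login through from an address other than the fixed home IP, the log monitor still notices. In practice the alert list would be handed to whatever notification path the NAS already has (e-mail, a messaging hook) rather than printed.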

P.S. Remember to design for failures in the process. This probably also means buying and administering spare dongles for administrators to use for administration and to give to a user if they lose theirs. These will also need to be physically secured in a safe when not being used.

1 Like

If there are compliance concerns in play, I always recommend buying something rather than making it. Have you looked at the TrueNAS Mini R?

TrueNAS Mini R - Hyper-converged Storage Solution - TrueNas

4 Likes

TrueNAS comes with the Tailscale application, which gives you VPN access to your server from outside the network with end-to-end encryption.

1 Like

I did look into the Mini (R). However, these would be overkill IMO, as the business will be small (one room), the needed storage space minimal (txt and PDFs only) and speed above 1 Gbit/s not needed.

I’m concerned about data leaks / theft, non-availability and ransomware.

I was even looking into a Synology 723+ :scream:

Edit: anyway, thanks for all the ideas :+1:

1 Like

Maybe more a Mini X, or a small QNAP NAS with QuTS Hero (ZFS) then.
The question is: is there a legal issue about compliance and certification (=> vendor pre-built), or is it a personal (and laudable) effort to build a NAS whose content will remain reasonably safe in case of theft?

1 Like

It is the latter.
Since the adoption of the EU data protection law, it has become more strict. But where I live civil lawsuits that can ruin you are not a thing.

1 Like

Personal rule of mine: any PII for something I am professionally liable for is on a system I have from a reputable vendor and on a support contract. In this case, I think not having the support contract is probably fine, but I would still not deploy a roll-your-own piece of kit if I were housing HIPAA data.

Also, if it’s small enough, in this instance I would more likely consider a Microsoft 365 subscription: you get 1 TiB per user for $12 a month and you can get your own professional @mywebsite.com email address. There’s an upcharge for data compliance tools of another $12 a month.
Microsoft 365 for Business | Small Business | Microsoft 365
Microsoft 365 E5 Compliance | Microsoft Security

Well worth the cost IMO to offload some of the risk. Also, local laws vary, so before you make a decision you should understand what you are liable for in the event of a breach.

2 Likes

On the other hand, there have been data leaks worldwide from major companies and organisations, including the White House. And they probably all were running gear from reputable companies and had support contracts :wink:.

All emails in my case will be handled by a proprietary encrypted email system for the medical field where every user is clearly identified and it is not open to the public.

But I appreciate your input. :ok_hand:

1 Like

Usually due to user error, and just because they leak data does not mean you want to. Those larger companies can afford to take those hits; a small business like this could be ended overnight if something leaked.

Segmentation, auditing and governance of everything that happens on that device need to be in place, as @Protopia noted above. It may seem like overkill for an SMB, but if something does happen, it is better to show you made efforts to protect and govern the data.

2 Likes