Full Volume Encryption - The MOST Exciting Feature on Synology DSM 7.2

21,357 views

SpaceRex


Comments: 82
@Ozwel 1 year ago
We either need a TPM chip on the next Synology NAS or we need to manually mount the volume at boot with a password-derived key while the OS isn't encrypted to allow for a remote boot/reboot. That's that simple. @SpaceRex did you contact Synology to raise your concerns? I think your voice is worth thousands of support tickets to them :)
@char3tek 10 months ago
Very excited that you did the challenge with a reward to find the exploit so you could give us a more informed opinion on it. Honestly, I was worried you weren't taking this stuff seriously enough for me to rely on you as much as I have been for my Synology edification. Huge kudos. This helped me a lot.
@SpaceRexWill 10 months ago
Thanks man!
@TWARDOWSKY. 7 months ago
Does soft reset also delete/flush keys for share folders?
@jbslv 1 year ago
I started the video with a "FINALLY!", but it soon became a "not yet". A solution is not hard for Synology to implement though and maybe there are already hacks from the CLI.
@courtcounselor 1 year ago
Nothing as awesome as your shirt. Definitely my favorite so far.
@thecaribbean8615 10 months ago
If Synology included the latest TPM, all would work fine.
@droneforfun5384 11 months ago
Hi Will! If using a NAS for remote backup in hyperbackup, would you rather go for ”encrypt backup file” in hbk, or make a full volume encryption on the backup nas? Thanks
@elg3la 1 year ago
Is there a guide on how to migrate my existing volumes so I can do a fully encrypted volume?
@markvos2565 5 months ago
Why not simply export the key to a USB drive rather than store it on the Synology? Achieves two things. The key is then never stored on the Synology, and it also means that you have to enter the USB drive plus password to mount the encrypted volume on boot up every time. Otherwise, encrypting the volume and having it automatically mount on boot up is fairly useless if physical theft is involved. Let me be more specific in the steps:

1. Export the Encryption Key: When you set up volume encryption on your Synology NAS, you'll be given the option to download or export the encryption key. Save this key to a USB drive instead of storing it directly on the NAS or any network location.
2. Use the USB Drive to Mount the Encrypted Volume:
   (a) After a system reboot or when the encrypted volume is unmounted, you'll need the encryption key to mount the volume again.
   (b) Connect the USB drive to a computer or the NAS (if it has USB ports and supports this functionality).
   (c) Through the DSM interface, navigate to the section where you mount the encrypted volume. You'll be prompted to provide the encryption key.
   (d) Select the encryption key file from the USB drive. This process is similar to entering a password, as it requires physical possession of the USB drive to access the encrypted data.
3. Enhancing Security: Keeping the encryption key on a USB drive and physically separate from the NAS adds a layer of security. It ensures that even if the NAS is stolen or accessed by unauthorised individuals, they cannot mount the encrypted volume without also having the USB drive.
4. Best Practices:
   (a) Keep the USB drive in a secure, accessible location to ensure you can easily mount the encrypted volume when needed.
   (b) Consider making multiple copies of the encryption key and storing them in different secure locations to prevent loss.
   (c) Regularly test the USB drive and the backup copies of the encryption key to ensure they are not corrupted.

This method combines the convenience of having a "physical key" with the robust encryption capabilities of the Synology NAS, offering a good balance between security and usability for accessing encrypted volumes.
@Noobcake-mm3vd 5 months ago
I think you missed the point that there is no way to unmount the encrypted volume with Synology NAS other than the soft reset mentioned in this video. Unless you have a 2nd NAS and make use of KMIP, the key will always be stored on the NAS without question. Placing the recovery key on a USB drive does not change the fact that the key always remains on the NAS itself unless a soft reset is performed. Only a soft reset clears the key from the vault (which in turn unmounts the volume at next restart). At that point, you could then use your recovery key (stored on USB drive or wherever) to decrypt the volume manually. But as Rex said in his video, this is a pretty clunky method because you have to essentially break the vault stored on the NAS (i.e. not repair the vault).
@24killen 1 year ago
What happens if for example the motherboard on the NAS dies and I need to replace the NAS with a new one? If my volume is encrypted with full volume encryption, can I restore it from the new NAS without needing the old one as long as I have the key and the drives of course? Or is it tied to any hardware key as well?
@kiddy1kiddo270 9 months ago
To prevent auto mount on startup, I think it is possible to deselect the "Enable Encryption Key Vault" under "Global Settings". This will require that you activate the encrypted volumes manually upon restart without the need to reset the NAS. Worth a try.
@lerlerler1 6 months ago
Thank you so much for this video. You saved me so much time and nerves.
@maggusm86 1 year ago
Your video tutorial is great! However, I am very disappointed that there is no possibility to manually mount the volume without having the keys stored on the Synology NAS. And I don't want to use a KMIP server. Just download the encryption key, save it in the preferred password vault and manually mount the volumes on each NAS startup. It could be that simple. And I guess this would be the preferred way for at least 25% of all Synology users: It would be the preferred way for all enterprise levels and for all sensitive data levels.
@supernumex 1 year ago
It would be cool if they supported using hardware security keys with the USB port. So basically a 2FA rather than the encryption key stored in a USB stick. This way you could even use the same admin login + the security key. Then you could register multiple security keys. I don't know of the security implications of this, though.
@DarkSider667 1 year ago
Thanks for the video. While the facts are correct, I highly disagree with the statement that decrypt on boot is ok for most use cases. If a person does break into your home, they either are after your data or just your hardware. In the first case expect them to have the expertise to decrypt the data with the current implementation. Usually users want to protect their data from LEA and other officials - usually those institutions are capable of recovering the keys stored for „unlock on boot“. The only secure way is to have a password (and maybe a second token) required AFTER boot.
@jlimozin 1 year ago
Volume encryption is designed to protect from theft, as you mention. But... What if someone robs the whole unit, and simply boots it? The volume will be automatically mounted, and shares will happily share the data, and the thief can mount them and read the data. What's the point of encryption if the unit automatically mounts the volume at boot?
@AlexDraconian 1 year ago
Thieves still have to know the username and password unless they have some exploit to access files. Thieves can't directly read from the HDD and that's the point of NAS encryption.
@supernumex 1 year ago
I think you'd still need an account password to log in to the web portal to access the files. Also things like SMB shares can require a password for authentication.
@mealloc 1 year ago
Yeah it pretty much defeats the entire purpose. The Synology for home users is in a small form factor, thieves will steal the entire unit, they won't steal individual drives. The key should never live on the drives, a decryption key should be entered by hand on every boot or loaded via USB. On Windows BitLocker also automatically decrypts and remounts the drives but at least you can use Group Policies to force a PIN on boot instead of letting it decrypt automatically.
@Ozwel 1 year ago
@supernumex I second that. Yes it will be decrypted and the key will be in the RAM, but you still need a user account with the right rights to access the shared folders through SMB or anything else to access the data. As Rex says, there is still a way to find the key and access the files without a user account but it requires some skills most thieves don't have. Yet, in the case my NAS is stolen I will never be 100% sure the thief won't access my files. There is a small chance but it's still a chance. As for the police, they will easily access the key with their IT guys so it's not a protection against them if you store "sensitive" files.
@redheelerdog 1 year ago
What are your thoughts using FVE and Yubikey 2FA? In your video you mentioned using a hardware key, USB, etc. for another layer of protection. I am currently using a Yubikey for 2FA access for both of my NAS devices and I feel it is very secure along with a STRONG password. Thanks for a great summary of Synology FVE 😊
@Ozwel 1 year ago
Hi, I'm not Rex but I'm a security engineer. Yubikeys or 2FA will not at all prevent someone from finding your key on the hard drives while it's running and mounted. Yubikeys will only add some protection to the authentication layer but won't add anything to the encryption layer. At this time the only protection you will find is to make sure the volume isn't automatically mounted at boot and you have to enter the key manually so that when the police or a thief come and get your NAS and shut down the NAS to take it to another place they won't be able to "scan" the RAM or the hard drives for the key.
@theterriblegamer1228 1 year ago
I have a RS1619xs+. Updated to the new DSM 7.2 and the Encrypt option does not display when creating a volume. Any ideas?
@user-um3ul9lk1d 1 year ago
It seems that it is not possible to encrypt an existing volume. Can you help with some video instructions on how to create a new encrypted volume if we have one unencrypted and MIGRATE all data to the new one? Thanks in advance.
@BikeGremlinUS 1 year ago
So... one of the leading NAS manufacturers has made full volume encryption but implemented it by storing the key on the very device that is encrypted. Was that designed and approved by people with zero imagination? Positive thoughts only - LOL. I was hoping they've made an out-of-the-box simple solution for securing your data (even in case of the whole device theft).
@robo7464 1 year ago
I love your investigation and your comments on how people would like to have it used. Just to allow self-improvement: the information would be far better consumed if you didn't repeat the same items soooooo often. Telling something in 2 different ways and maybe at the end as wrap-up is more than enough. While trying to be very clear you're overdoing it and it's becoming more difficult for listeners to keep following you.
@unoblaster 10 months ago
I always enjoy your videos and you really know what you are talking about. I second you on the point where you mentioned the lack of an option to NOT mount volume encryption on restart (the same way it does when soft resetting) when it's not mounted there.. so how hard could that be to have that behaviour as an option :) From a security point of view.. a power outage isn't normally happening on a company NAS if you have secret information usage on it... so to auto mount on restart is really a BIG NO.
@outforbeer 27 days ago
Example. I have 1 storage pool of SHR with two volumes. Volume 1 - no encryption. Volume 2 - encryption. Do I have to worry about the encryption volume having a disk failure and not being able to get the encryption repaired?
@iamagi 7 months ago
I likely am missing something, if the volumes are automatically decrypted on a reboot how is this a protection at all? If the power is cut does this make a difference? A smart actor (with time, i.e. law enforcement) will likely not power it off so I would rely on security via www, samba, ssh etc. I assume I can run a key server on my encrypted computer in a VM in a VeraCrypt container that I only boot when needed. An episode on hardening the NAS would be interesting.
@newsmansuper2925 1 year ago
Really, finally - this is the main reason I would buy QNAP. I will wait a bit though until it's stable. Also QNAP can encrypt a USB drive.
@k-box.stream 3 months ago
I love you Will. Your videos about Synology NAS are the best out there. Keep bringing new content please!
@DavidMaciasPhoto 2 months ago
Hi Will, I set this up in the Global Settings as you suggested however, I didn't get an encryption key to download. Where can I download it so I can save it? Also, my volume does not show being encrypted. Oh, when I created my initial setup, I used the MAX volume available, so can that be encrypted? Thanks in advance for your response.
@xellaz 1 year ago
Another great Synology NAS video! I'm interested though how you will repair a full encrypted volume if one of the drives fails and how long it will take. I'm worried that if I have a full encrypted volume and one of the drives fails and I have to replace it, the whole encrypted volume may get corrupted during repair resulting in me losing all my data. 😬
@megandavidson1357 8 months ago
Hi, love the channel and it's been super helpful, nice and clear :) I've recently bought a DS423+ with currently 2 drives (about to add another 2 more drives). At the time I never enabled full volume encryption, it's not clear from the UI or their help docs as to whether if I enabled this once I have data already on the drives that it won't wipe the data already on there to encrypt it? I'm guessing like other implementations for example FileVault on the Mac, it allows you to encrypt the drives at a later date without losing the data? I'm backing up using Hyper Backup to S3 compatible "cloud" storage, but if it doesn't then I will also be getting an external drive for easier backups.
@pitchayach9480 5 months ago
I reset my NAS Synology DS923+ and deleted the encrypted volume file. Now it is warning Volume Critical and I cannot access any folders or files. What should I do?...
@hooman008 1 year ago
Hello, would you please make a video on why the Synology is not hibernating? I am a home user and my NAS is connected to wifi, but it keeps spinning the disks even if I don't use it for days at times, it's really annoying because of the noise and the power usage, what settings should I check and what can I do about it? I'm on ds411j and ds412+, thank you in advance
@leexgx 1 year ago
Unless you unplug the network cable basic OS operations are likely to keep the drives active
@stever6252 1 year ago
Time to look at alternatives to Synology? I have used Synology since CS406e and for the last 18 years, still seem to be waiting for Synology to catch up on the options needed to make it a practical solution. DSM 7.2 looks great, but the full volume encryption isn't secure, an almost there solution. Replication - to have 2 systems each in geographically different offices but synced - limitations on numbers of files etc. makes it unusable. Great to run as a server, but my 920+ can't power much more than windows in a virtual environment. Just reset my 918+ to use the full volume encrypt - but that one's not supported - erased that for nothing (Where was that mentioned in bold! Bet I'm not the only one not realising that until after the system has been erased!) 2FA - great, but I can't see how I can use Microsoft's or Google's Authenticators, need to add another proprietary app.... For some reason I still love Synology, but there are just so many small limitations that add up to - just use it as a standard NAS and don't try anything advanced and you'll be OK. Just hurts to keep paying the advanced cash for what ends up as basic use case....
@sylvainHZT 1 year ago
Think I'll stick for a while to shared folder encryption. As I remember, in case a reset happens, the key is flushed from the key manager. I'm ok with the performances of encrypted volumes though.
@SpaceRexWill 1 year ago
So volume encryption also flushes the key. But anytime you have the key in the key manager, someone can exploit it to get the key
@sylvainHZT 1 year ago
@SpaceRexWill Ah ok, got it! Thanks for the clarification.
@reinaldy2615 1 year ago
Worm shared folder, cannot be selected in synology drive admin, please help, how to add the worm folder
@guillaumegirod8043 5 months ago
Thanks for the video :) Does it affect performance?
@alanjohnson7374 4 months ago
I'm not sure advertising to the internet that you hold your clients' encryption keys is a good security move.
@kateydrummer 2 months ago
Hi, I am trying to find the answer... If I encrypt a Volume does it mean that I will not be able to open this Disc and the Volume on a different Synology if mine fails? I also do not know how to check if my existing Volume is encrypted (I cannot remember what I set up).
@mattmaas5790 2 months ago
Ask chat gpt I think
@jaredm5510 6 months ago
Great video, one question. I had to soft reset our DS1522 and then I found out I did not have the recovery key anymore. Is there any hope for me getting the data back?
@henningsplace 8 months ago
So, I haven't understood whether the following method is available: after reboot, log in from remote, enter password to unlock the pool, done? In other words, is it possible to have a user-defined password rather than a keyfile to unlock a volume or pool?
@alozborne 1 year ago
With full volume encryption enabled, when I configure a Hyper Backup job to backup to an Azure blob storage account, DSM 7.2 warns that the encrypted volume needs to be unlocked before running the backup. Is this accurate?
@the_tux 7 months ago
Seriously by saving the encryption key on the disk is like putting the key of your car into a secret place in your garage right next to it. That's simply not how you implement it right but just security by obscurity. Qnap can do it the way it's done right - so why not Synology?
@TheJoaolyraaraujo 1 year ago
I wish there was an option to not auto mount
@Learningwhileonline 8 months ago
Do you know if you encrypt the Nas during setup, can you un-encrypt it, and just start over?
@matador7013 1 year ago
Can you create encrypted shared folder on an encrypted volume? Encryption on top of encryption. Is this possible? The only reason I would attempt to encrypt a volume is to be able to have the WORM share folder natively encrypted since at the folder level it is not possible.
@fabioamado6725 1 year ago
Regarding to encryption: can I change the key or the password after creating the volume? How to proceed if the key or password gets compromised? Can it be changed? And regarding to the key, if I select keeping it in the nas, can I change this later? Do I have to generate a new one, if it’s possible? Thank you. 😅
@Nick0n 1 year ago
Wait... So the system itself is not encrypted, right? Only the volumes, not the HDDs? So if you keep your data in Syno's key manager, then it is not protected at all and is fully hackable while mounted somewhere even outside the Synology? I thought they will provide full system encryption with 7.2... Current solution is sooo disappointing. Best solution so far is using encrypted folders... Or I'm missing something?
@FreestylerAlbert 1 year ago
So basically 2 reasons I can't use Full encryption: It's not safe enough for PII data. And you can't convert an existing volume to encrypted, you need to create a new one. :( Freakin synology....
@erice5025 1 year ago
Thanks
@Fun-me3cx 1 year ago
Does that mean a stolen encrypted Synology NAS starts freely sharing the shared folders through ethernet as soon as booted?
@marklewus5468 1 year ago
Great video, but I think you meant KMIP server, not KIMP server, yes?
@SpaceRexWill 1 year ago
haha yes, I flipped it a couple of times
@someuser4166 1 year ago
I just got me a 40tb synology nas but I have like 20tb worth of files on my pc. What's the fastest way to get them onto the NAS?
@SpaceRexWill 1 year ago
If you have them on an ExFAT drive you can just plug that into a USB port and copy via DSM
@tamingilman7281 1 year ago
It seems Synology has blocked the ability to use a 3rd party KMIP server and requires another Synology to be the KMIP server. I have an existing AKeyless KMIP server on my network that I use with my VMware infrastructure already and the Synology will not play nicely with it. Severely disappointed with this limitation. Enterprise customers looking at Synology and volume encryption will be disappointed. If anyone gets a Synology talking to a 3rd party KMIP please post!
@EuroPC4711 1 year ago
I think, I’ll give it a try. Only thing is, that I have to wipe my NAS and make a full new install. Is there a smarter way? I thought about making hyper Backup of my apps, especially docker, where by now some containers reside, setting up the NAS as if it’s new and then restore hyper backuped data. I only own a ds1621+ and a ds220+, not enough for testing.
@supernumex 1 year ago
My solution is to save up and buy a new nas lol.
@EuroPC4711 1 year ago
@supernumex thx. Great idea. Lol.
@Ivan_1986 1 year ago
So if a full volume encryption can be overcome if Synology is stolen… Hmm - how safe is it really? If somebody offered you a method to get through the encryption if Synology is stolen - for sure bad actors would be able to buy the solution on the dark web and thus access any Synology NAS that they are after. And that, basically, hardly makes it secure in case of a physical theft. Sounds like a Windows login password on a non-encrypted hard drive, where by simply taking out the drive and placing it into an external case - you can get to all the data straight away. It is clear that the case with Synology Full Volume Encryption is not as easy… but it does not sound like it is really hard either.
@xellaz 1 year ago
Synology should really just give users the option to choose where the keys are installed and not automatically in the NAS itself for encrypted volumes. I get it that it's for convenience but they should give their users more credit on knowing what they want from their NAS'es. 😩
@justinknash 1 year ago
How can I migrate? I have one share that is encrypted and all the rest of my shares are non-encrypted. I have hyper backup going to Backblaze, can I just delete the root volume, re-create it with full-volume encryption and then import the Backblaze hyper backup? Would love to see a video on this.
@pincombe 1 year ago
Depends how much data you have and how long you can deal with the data being unavailable. If your data size is small enough then it might be easier to copy the data to another NAS / external drive. Backblaze and Amazon have the ability to hire large ones which could be used for the purpose. Otherwise as you suggested you could upload everything to Backblaze and then redownload it but it could be expensive to do.
@justinknash 1 year ago
@pincombe It’s like 1.5 TB so nothing crazy.
@newsmansuper2925 1 year ago
But what's the advantage to an encrypted folder?
@droneforfun5384 11 months ago
Will is covering this in the intro of the video 👍👍
@jonathanmariscal6969 1 year ago
DSM 7.2 does not support the iTunes server.
@johnmccurdy1251 1 year ago
@SpaceRexWill Unless I have misunderstood, you CAN now directly restore snapshots of an encrypted folder on DSM 7.2. I just did it. You have to unmount the encrypted folder first, but there is an option in the Recovery Actions to "Restore to this snapshot" which now works on encrypted folders. Is this new recently, as you seem to say this is not possible? You still cannot browse an encrypted snapshot, or make it visible for users, but you can certainly restore encrypted shared folder snapshots without making a clone. I'd be interested in your feedback on this.
@acdmonteiro 10 months ago
What a piece of garbage of a solution. I will keep using Veracrypt and store the file on my NAS. Doubt anyone will hack that...
@pgotze 1 year ago
It's really that simple to get full access to the whole NAS, just to make a soft reset?
@SpaceRexWill 1 year ago
Yes, if you want to disable that you can select 'leave admin password unchanged' in DSM settings
@pgotze 1 year ago
@SpaceRexWill And it's related to only that default "admin" user account or somehow to all accounts with administration permissions? Generally, default accounts like "admin" I don't use, I have them all deactivated.