Synology offers a variety of solid storage systems and comes with software that offers a wide variety of features. One great feature is the ability to create encrypted folders. I want to talk about Synology encrypted folders and what you need to know in this post.
Synology
While I have not blogged much about Synology, I have been using Synology products for years now, and I have become quite a fan. There is a ton of competition in the consumer / SMB storage market, but Synology is easily one of the top providers in the market today, if not the top provider.
Encrypted Folders
With more and more news coming out about security breaches, you really need as many security features at your disposal as possible. One such feature that Synology provides is encrypted folders. As the name implies, this feature provides encryption at rest. Clearly, data at rest is not the only place you need to be concerned with when it comes to protecting your data, but it is an important foundation on which other security features can be built — more on this in a future post. So what does having encryption at rest buy you? Here are a few things:
- Unless you are an administrator user, you cannot access encrypted folders without the encryption key: For consumer users who typically have a single administrator user, this is a great benefit.
- If you do not mount encrypted folders on startup, then if someone physically steals your Synology, your data is protected: An unlikely scenario for many, but not out of the realm of possibility.
- If someone steals or gets access to the physical drives, they cannot access the data: While stealing is unlikely, giving up your physical drive is possible, like when the drive breaks and you have to replace it. This is a significant value add for everyone.
What You Need to Know
When it comes to encrypted folders on Synology, there are several things you need to know BEFORE you start. Without this information, you may run into a variety of issues along the way.
- Creating encrypted folders requires administration permissions: In the consumer market, I do not foresee this being a big issue, but in the SMB, it could be a potential pain point.
- A folder must be created with encryption initially: It is not possible to convert an existing folder into an encrypted folder or an encrypted folder into a regular folder. Plan accordingly!
- Encrypted folders do not support file-level backups: You can either back up the entire folder or nothing. This does limit some functionality depending on your particular use-cases.
- Encrypted folders will have reduced performance: Security comes with a price, and part of that price is the overhead of encrypting/decrypting data. Do not expect maximum performance numbers on encrypted folders. Plan accordingly!
- Encrypted folders are not available via NFS: Depending on the use-case, this can be a significant issue — more on this in a future post.
- There is a maximum character limit: For English, the limit is 143, while for Asian, the limit is 43 characters. More on this in a future post.
- If you lose the encryption key, then you lose access to the encrypted folder: During encryption, you specify an encryption key (i.e., passphrase) and at the end of the process, get an encryption key (i.e., file) for safekeeping. If you lose both and the folder becomes unmounted, then there is no way to mount (i.e., decrypt) the folder nor get your data out of the folder. Plan accordingly!
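Because a folder has to be created encrypted and existing data copied into it, the character limit is worth checking on the source data before the copy. The following is an added example, not part of the original post or any Synology tooling: it assumes the limits apply to each file or folder name counted in characters, and that any name containing a non-ASCII character falls under the lower limit.

```python
import os
import sys
import tempfile

# Limits as stated in the post. Assumption: they apply to each individual
# file or folder name, counted in characters.
ASCII_LIMIT = 143      # "English" names
NON_ASCII_LIMIT = 43   # "Asian" names; used for any name with a non-ASCII character


def name_limit(name):
    """Pick the limit that applies to one file or folder name."""
    return ASCII_LIMIT if name.isascii() else NON_ASCII_LIMIT


def find_long_names(root):
    """Return sorted (path, length, limit) tuples for names over their limit."""
    offenders = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            limit = name_limit(name)
            if len(name) > limit:
                offenders.append((os.path.join(dirpath, name), len(name), limit))
    return sorted(offenders)


def demo():
    """Scan a small constructed tree; return the names that would not fit."""
    with tempfile.TemporaryDirectory() as root:
        folder = os.path.join(root, "photos")
        os.mkdir(folder)
        # Constructed sample names: one at and one over each limit.
        samples = ["a" * 139 + ".txt", "b" * 140 + ".txt",
                   "写" * 43, "真" * 44, "report.txt"]
        for name in samples:
            open(os.path.join(folder, name), "w").close()
        return [os.path.basename(p) for p, _, _ in find_long_names(root)]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Scan the folder given on the command line.
        for path, length, limit in find_long_names(sys.argv[1]):
            print(f"{length} > {limit}: {path}")
    else:
        print(demo())
```

Run it with the source folder as the only argument; anything it prints needs renaming before the copy.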
Summary
Synology is a great consumer/SMB storage provider that provides a rich set of features. Encrypted folders are part of that rich feature set. If you are considering leveraging encrypted folders, be sure to check out the 7 things I listed above. For more information about encrypted folders, see my future posts or the official Synology KB.
© 2015 – 2021, Steve Flanders. All rights reserved.
On 3: true, but the good news is that the backup is also automatically encrypted (with the same key) without special needs
On 6: that’s about the file/folder name length (which is actually the only real pain of using this scheme IMO)
On 7: that’s the whole point of encryption, right?
General: the newest DSM has the concept of the ‘keystore’ – a directory structure that holds unlock keys of the encrypted folders (in turn, encrypted with a master password), allowing encrypted shares to be mounted at startup. I have these stored on an external USB stick which is tucked away and inaccessible by anyone by a long USB cable, so that when the NAS is stolen, the keystore is not.
Thanks for the comment! On all points I agree, for #7 you would be surprised the number of people who lose the key and ask how to get access to their data 🙂
“Unless you are an administrator user you cannot access encrypted folders without the encryption key”
How would the administrator access encrypted folders without the key?
This was written a long time ago on a much older version of DSM — not sure exactly, but in theory you are correct that without the key or passphrase you cannot access the data.
Even if this is a rather old post, I would add that encrypted folders on BTRFS do not allow direct access to snapshots.
When a shared folder is encrypted, there’s no direct access to the #snapshot folder, nor is it possible to access previous versions through Windows Previous Versions (as in QNap).
Administrators can still manually mount and share a clone of the snapshot to gain access to single files, but it’s not as easy as accessing Shadow Copies!
Great information — thanks for sharing!
What about the fact that Synology devices (and seems that QNAP too) use unencrypted swap? It’s a security risk. The unencrypted (eCryptFS) information from RAM could be leaked to unencrypted swap space (mirrored on disk partitions). I find it odd that virtually nobody is talking about this glaring hole in NAS systems.
Good point. Unfortunately, all systems have security issues — some known, many unknown. While this is a risk, compared to the alternative solutions I am willing to accept it (though wish it would get fixed).
This article could do with some major revision… it turns up high on the list of searches, but important information no longer applies as of 2020.
Items:
2. Folders can be encrypted at time of creation, or later. If you encrypt it later, what actually happens is that an encrypted copy is made, then the unencrypted original deleted (so you need available space to do it). At the start of the process, the user is warned that various settings are lost in the process (e.g. client drive-sync settings), and must be re-created afterwards (on each client, which can be quite time-consuming).
3. Hyper Backup does file-level backups of files, including those in encrypted folders. All files are read (and so decrypted), then stored in the backup. So if you want your backed-up data to be secure, it needs to be encrypted as well (Hyper Backup client-side encryption).
Unfortunately, Synology seems to use the words “key”, “cypher” and “passphrase” often to mean the same thing, and “key” and “key file” also. It can make for some hard reading, making things overly-complicated.
When you encrypt a folder, you are prompted to provide an encryption key. What is meant, is a password/passphrase. You are prompted to save a key file, which is actually the password/passphrase you entered, encrypted using a standard Synology passphrase, and stored in a file. You need this file only if you can’t remember the passphrase. All of the passphrases for the encrypted folders can be stored together in a “key store”, which is useful for mounting all the encrypted folders at the same time or for auto-mount during system startup. The key store is just an encrypted database containing all the keys, and is managed by the “Key Manager”. To auto-mount, the key store has to be encrypted by the system’s unique “cypher”/passphrase, and stored on the system or on a connected USB-device. Anybody who takes the USB-device along with your NAS, has access to your encrypted data, so make sure it’s hard to take!
2021 and this is still a well-informing, accurate Article. Definitely worth a bookmark or Citation to anyone’s Knowledge Base.
Encrypted Folders also do not support fast copying on Btrfs, which may be a significant problem for some needs. This means that when you copy a file, instead of the process being near instantaneous, it has to read and write a whole new copy of the file to disk, which can take several minutes for large files.