Synology: 7 Things You Need to Know About Encrypted Folders

Synology offers a variety of solid storage systems, and they come with software that offers a wide variety of features. One great feature is the ability to create encrypted folders. In this post, I would like to talk about Synology encrypted folders and what you need to know.

Synology

While I have not blogged much about Synology, I have been using Synology products for years now and I have become quite a fan. In the consumer / SMB storage market there is a ton of competition, but Synology is easily one of the top providers, if not the top provider, in the market today.

Encrypted Folders

With more and more news coming out about security breaches you really need as many security features at your disposal as possible. One such feature that Synology provides is encrypted folders. As the name implies, this feature provides encryption at rest. Clearly data at rest is not the only place you need to be concerned with when it comes to protecting your data, but it is an important foundation on which other security features can be built — more on this in a future post.
So what does having encryption at rest buy you? Here are a few things:

  • Unless you are an administrator user you cannot access encrypted folders without the encryption key: For consumer users who typically have a single administrator user this is a great benefit.
  • If you do not mount encrypted folders on startup then if someone physically steals your Synology your data is protected: An unlikely scenario for many, but not out of the realm of possibility.
  • If someone steals or gets access to the physical drives they cannot access the data: While theft is unlikely, giving up a physical drive is quite possible, for example when a drive breaks and you have to replace it. This is a significant value add for everyone.

What You Need to Know

When it comes to encrypted folders on Synology there are several things you need to know BEFORE you start. Without this information you may run into a variety of issues along the way.

  1. Creating encrypted folders requires administrator permissions: In the consumer market I do not foresee this being a big issue, but in the SMB market it could be a potential pain point.
  2. A folder must be created with encryption initially: It is not possible to convert an existing folder into an encrypted folder or an encrypted folder into a regular folder. Plan accordingly!
  3. Encrypted folders do not support file-level backups: You can either back up the entire folder or nothing. This does limit some functionality depending on your particular use-cases.
  4. Encrypted folders will have reduced performance: Security comes with a price and part of that price is the overhead of encrypting/decrypting data. Do not expect maximum performance numbers on encrypted folders. Plan accordingly!
  5. Encrypted folders are not available via NFS: Depending on the use-case this can be a significant issue — more on this in a future post.
  6. There is a maximum character limit: For English the limit is 143 while for Asian the limit is 43 characters. More on this in a future post.
  7. If you lose the encryption key then you lose access to the encrypted folder: During encryption you specify an encryption key (i.e. passphrase) and at the end of the process get an encryption key (i.e. file) for safe keeping. If you lose both and the folder becomes unmounted then there is no way to mount (i.e. decrypt) the folder nor get your data out of the folder. Plan accordingly!
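
A pre-migration check for items 2 and 6, added here as an example and not code from Synology or from the original post: because an existing folder cannot be converted, its contents have to be copied into a new encrypted folder, and this lists every name that would exceed the limit before you start. It assumes the limit applies to each individual file or folder name (as a reader comment on this post says) and that any name containing a non-ASCII character gets the 43-character limit; the function names are hypothetical.

```python
import os
import sys

ASCII_LIMIT = 143      # limit the post gives for English names
NON_ASCII_LIMIT = 43   # limit the post gives for Asian names


def name_limit(name):
    """Limit assumed to apply to one file or folder name.

    Assumption: a single non-ASCII character is enough to put the
    name under the lower limit. This is the conservative reading.
    """
    return ASCII_LIMIT if name.isascii() else NON_ASCII_LIMIT


def exceeds_limit(name):
    """True if this name is longer than the limit assumed for it."""
    return len(name) > name_limit(name)


def find_long_names(root):
    """Walk root; return sorted (path, length, limit) for each offender."""
    offenders = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Folder names count too, not only file names.
        for name in dirnames + filenames:
            if exceeds_limit(name):
                path = os.path.join(dirpath, name)
                offenders.append((path, len(name), name_limit(name)))
    return sorted(offenders)


if __name__ == "__main__":
    # Usage: python check_names.py /path/to/existing/folder
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    found = find_long_names(root)
    for path, length, limit in found:
        print(f"{length:>4} > {limit:<4} {path}")
    # Non-zero exit status lets a copy script stop before it starts.
    sys.exit(1 if found else 0)
```

Rename or shorten anything it reports before copying the data into the encrypted folder.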

Summary

Synology is a great consumer/SMB storage provider that provides a rich set of features. Encrypted folders are part of that rich feature set. If you are considering leveraging encrypted folders be sure to check out the 7 things I listed above. For more information about encrypted folders, see my future posts or the official Synology KB.

© 2015, Steve Flanders. All rights reserved.

Published in System Administration

2 Comments

  1. HenkW

    On 3: true, but the good news is that the backup is also automatically encrypted (with the same key) without special needs
    On 6: that’s about the file/folder name length (which is actually the only real pain of using this scheme IMO)
    On 7: that’s the whole point of encryption, right?
    General: the newest DSM has the concept of the ‘keystore’ – a directory structure that holds unlock keys of the encrypted folders (in turn, encrypted with a master password), allowing encrypted shares to be mounted at startup. I have these stored on an external USB stick which is tucked away and inaccessible to anyone by a long USB cable, so that when the NAS is stolen, the keystore is not.

    • Thanks for the comment! On all points I agree, for #7 you would be surprised at the number of people who lose the key and ask how to get access to their data 🙂
