Encryption in Synology NAS: How Secure is the New DSM 7.2 Update?
The new version of the DSM 7.2 operating system for Synology NAS has a long-awaited ability to encrypt volumes. How convenient, reliable and safe is it? Let’s figure it out!
Network Folder Encryption
A few years ago, Synology NAS used network folder encryption using the Linux-standard eCryptFS cryptographic file system. This approach had many limitations and inconveniences, and the management of encryption keys was implemented in a straightforward and insecure manner. If the user enabled automatic mounting of network folders, then the encryption keys stored on the device itself or on an external USB drive were protected by a fixed known password, which made the protection ineffective.
Volume Encryption
The new version of the Synology DSM 7.2 operating system introduced the long-awaited encryption at the volume level. According to the developers, the new data protection method works faster than the network folder encryption mechanism and at the same time got rid of the limitations inherent in file-by-file encryption. At the same time, the key management mechanism is again implemented in such a way that on most devices the actual data security is far from desirable.
Development of events Within eight hours of the release of DSM 7.2, the protection provided by volume encryption with mandatory storage of keys on the same drive, managed to bypass. To do this, it is enough to mount the DSM system partition in Linux (it is stored unencrypted and unsigned in a mirrored RAID on all disks installed in the NAS) and edit several text files. Between the writing and publication of this article, Synology developers managed to release two updates to DSM 7.2, in the last of which the problem with third-party KMIP servers was fixed. Details about the work of KMIP in Synology are described in the publication on Reddit, and you can download a working open-source KMIP server from the repository on GitHub.
Encryption in Synology NAS: How Secure is the New DSM 7.2 Update?
The new version of the DSM 7.2 operating system for Synology NAS has a long-awaited ability to encrypt volumes. How convenient, reliable and safe is it? Let’s figure it out!
Network Folder Encryption
A few years ago, Synology NAS used network folder encryption using the Linux-standard eCryptFS cryptographic file system. This approach had many limitations and inconveniences, and the management of encryption keys was implemented in a straightforward and insecure manner. If the user enabled automatic mounting of network folders, then the encryption keys stored on the device itself or on an external USB drive were protected by a fixed known password, which made the protection ineffective.
Volume Encryption
The new version of the Synology DSM 7.2 operating system introduced the long-awaited encryption at the volume level. According to the developers, the new data protection method works faster than the network folder encryption mechanism and at the same time got rid of the limitations inherent in file-by-file encryption. At the same time, the key management mechanism is again implemented in such a way that on most devices the actual data security is far from desirable.
Synology NAS users have been eagerly awaiting the introduction of volume encryption for a long time, and the release of DSM 7.2 was met with great enthusiasm. However, the excitement was short-lived, as within eight hours of the release of DSM 7.2, the protection provided by volume encryption with mandatory storage of keys on the same drive, managed to bypass. To do this, it is enough to mount the DSM system partition in Linux (it is stored unencrypted and unsigned in a mirrored RAID on all disks installed in the NAS) and edit several text files.
Fortunately, Synology developers reacted quickly to this vulnerability and released two updates to DSM 7.2, in the last of which the problem with third-party KMIP servers was fixed. Details about the work of KMIP in Synology are described in the publication on Reddit, and you can download a working open-source KMIP server from the repository on GitHub.
Conclusion
The introduction of volume encryption in Synology NAS was a long-awaited event, but the security of this encryption method is still questionable. Fortunately, Synology developers have reacted quickly to the vulnerability and released updates to fix the problem. However, users should be aware of the potential risks of using volume encryption and take steps to ensure the security of their data.