Encrypted volumes should be implemented in right way: enter key in preboot web interface (like setup or recovery web interface) or KIMP for enterprises. If it will store keys on nas it will be useless in security perspective.
tx a lot for clear explanation of Vault and Volume key use. I agree with you - vault should be OPTIONAL and in case I do not want to store volume keys on DSM, it should offer me option to just download the key and NOT USE vault - so stolen NAS with volumes could not be available.
So the volume encryption is needless. I was hoping it will work same like today the SharedFolders, where I can put the Key on an USB Stick. If I leave the office/home, I will take the USB Stick with me and after a reboot nobody can access my encrypted shared folders. It looks like that isn´t the way :( ok it´s beta, so let us hope^^. Big thx for your Video
Right, it should work like the existing file share encryption where you can choose to have to re-enter the password after every reboot to mount it. When someone steals your whole box, they will have full access to the volumes with the new vault. The encryption is kinda worthless for that scenario.
I have been waiting patiently for this feature for a long time. It is better than the current feature but like you I do think that it should be possible to force the key to be required upon each boot. Still, it is only a Beta release so Synology may be listening to the feedback. I'm not going to hold my breath though.
Not having an option to manually provide encryption key every time Synology is starting is laughable. I would imagine it is some kind of bug. I hope it is.
Eddie is working on exactly this with a previous gen QNAP managed switch (still running same QuSwitch software). Half the difficulty of a video on security is redacting information through the video, or bleaching our setup in order to make a disposable one for UA-cam, then bleeching/resetting it again after. Hugely time consuming and a bugger to schedule. Then something like the DAM 7.2 beta, Samsung SSD failures, WD SMR issue or any high profile new release arrives, which then wrecks the workflow again. Sorry this is taking so long bud!
I've been waiting for this feature so long, but it's a disaster. I thought it would ask for a password after booting and will unlock everything. I really don't understand whats the point to store the key near the door :(.
'Disaster' is a little bit strong, but yes, I'm not exactly thrilled by the way the key management is being handled..remote network key or strict local.
@@nascompares I have a couple of questions left. I didn't get the point where the local key is stored. 1. Let's say we have one drive with data. If I move this drive to a new NAS, will it boot with the key? 2. If someone steels my NAS and decides to grab my data from the drives, can they read the key from the "vault" and decrypt the drive somehow?
Seems like an arbitrary cutoff for anything older than the 20 series. I hope the supported model list expands post beta. If not my next refresh might be TrueNAS. Between the branded drive requirement for higher end models and this planned obsolescence, Synology seems to be going in the wrong direction.
AFTER this video was recorded yesterday, I tested exactly that. The difference was so small that it was hard to identify of tho was just an avg perf drop or in any way related to the Encryption. Ultimately, even if it was - it's was teeny tiny!
To keep any drive or set of drives secure should they be removed from the NAS. If you have ever moved drives from one Synology NAS to another you will find that they mount and work perfectly with all the folders and files accessible. The volume encryption will make entire volumes unusable if moved to another NAS unless you have the key. It is not a perfect solution as it won't protect you if the entire NAS is stolen but it is an improvement.
What happens if you store the key in the encryption key vault and you reset the admin password using the hardware button? Does it still have access to the vault and mount encrypted volumes or will it require you to enter the vault password before you will have access to the encrypted volume?
I haven't tested this, but should be the same as for encrypted shares. In case of admin PW reset, the shares are not mounted automatically since the vault is reset during this action as well. Thus you'd have to enter the encryption key in to the vault to enable auto mounting again.
Why would you want to encrypt your NAS? In case it grows legs! (it is sooooooo sad that the VAST majority of people simply do not care if people snoop in their personal business) You don't just let people walk around your home uninvited.... why in the world would you let ANYONE look through your stuff whether it be your underwear drawer or your cabinets or file storage. It simply is no-ones business what you have or how much of it you have.
Encrypted volumes should be implemented in right way: enter key in preboot web interface (like setup or recovery web interface) or KIMP for enterprises. If it will store keys on nas it will be useless in security perspective.
tx a lot for clear explanation of Vault and Volume key use. I agree with you - vault should be OPTIONAL and in case I do not want to store volume keys on DSM, it should offer me option to just download the key and NOT USE vault - so stolen NAS with volumes could not be available.
So the volume encryption is needless. I was hoping it will work same like today the SharedFolders, where I can put the Key on an USB Stick. If I leave the office/home, I will take the USB Stick with me and after a reboot nobody can access my encrypted shared folders. It looks like that isn´t the way :( ok it´s beta, so let us hope^^. Big thx for your Video
Now we just have to wait for the real thing to come out
Right, it should work like the existing file share encryption where you can choose to have to re-enter the password after every reboot to mount it. When someone steals your whole box, they will have full access to the volumes with the new vault. The encryption is kinda worthless for that scenario.
Super informative video. Thank you 👍
I have been waiting patiently for this feature for a long time. It is better than the current feature but like you I do think that it should be possible to force the key to be required upon each boot. Still, it is only a Beta release so Synology may be listening to the feedback. I'm not going to hold my breath though.
Not having an option to manually provide encryption key every time Synology is starting is laughable.
I would imagine it is some kind of bug. I hope it is.
Any chance of doing an in-depth walkthrough of setting up a managed switch? QNAP in particular......🤔
Eddie is working on exactly this with a previous gen QNAP managed switch (still running same QuSwitch software). Half the difficulty of a video on security is redacting information through the video, or bleaching our setup in order to make a disposable one for UA-cam, then bleeching/resetting it again after. Hugely time consuming and a bugger to schedule. Then something like the DAM 7.2 beta, Samsung SSD failures, WD SMR issue or any high profile new release arrives, which then wrecks the workflow again. Sorry this is taking so long bud!
@@nascompares Thanks pal. You honestly don't have to explain yourself though! You guys work hard and we all appreciate the content! 👍
I've been waiting for this feature so long, but it's a disaster. I thought it would ask for a password after booting and will unlock everything. I really don't understand whats the point to store the key near the door :(.
'Disaster' is a little bit strong, but yes, I'm not exactly thrilled by the way the key management is being handled..remote network key or strict local.
@@nascompares I have a couple of questions left. I didn't get the point where the local key is stored.
1. Let's say we have one drive with data. If I move this drive to a new NAS, will it boot with the key?
2. If someone steels my NAS and decides to grab my data from the drives, can they read the key from the "vault" and decrypt the drive somehow?
Not only on the Realtek devices but also on the DS918+ the volume encryption and WORM features are not available with the 7.2 beta.
Seems like an arbitrary cutoff for anything older than the 20 series. I hope the supported model list expands post beta. If not my next refresh might be TrueNAS. Between the branded drive requirement for higher end models and this planned obsolescence, Synology seems to be going in the wrong direction.
Would have loved to know the speed hit this encryption will cause the volume, or is that something we shouldn’t worry about?
AFTER this video was recorded yesterday, I tested exactly that. The difference was so small that it was hard to identify of tho was just an avg perf drop or in any way related to the Encryption. Ultimately, even if it was - it's was teeny tiny!
@@nascompares awesome.
Have you tested M.2 NVME Cache on an encrypted volume? How does this work. Is the Cache also encrypted? Special setup?
Can you do some benchmarks for us?! Volume encryption vs not?
Thank you for the video, however, I am still really confused. If it unlocks automatically on boot up, then what is the point of having it encrypted?
To keep any drive or set of drives secure should they be removed from the NAS. If you have ever moved drives from one Synology NAS to another you will find that they mount and work perfectly with all the folders and files accessible. The volume encryption will make entire volumes unusable if moved to another NAS unless you have the key. It is not a perfect solution as it won't protect you if the entire NAS is stolen but it is an improvement.
7.2 came out of RC but it seems I can't convert a volume encrypted. I have to undo all my SHIBs to create an encrypted volume!
Can you point the way to find out how to remove encryption on the volume? Not to mount, to remove the encryption, forever.
Would you be able to look at SMB Multi-channel?
So, I have an DS1817+ and I don't have the ability to do volume encryption even though i am on 7.2
If you're Synology NAS dies and you buy another and put those same drives in it, how easy is it to open that encrypted vault on the new NAS?
WTF that defeats the whole purpose of volume encryption, having them auto-mount/decrypt with a key in a vault?????
Make video on best ps5 ssd for 2023 summer according to prices and transfer speed
So hackers can encrypt ours existing volumes but we are not able to....
What happens if you store the key in the encryption key vault and you reset the admin password using the hardware button? Does it still have access to the vault and mount encrypted volumes or will it require you to enter the vault password before you will have access to the encrypted volume?
I haven't tested this, but should be the same as for encrypted shares.
In case of admin PW reset, the shares are not mounted automatically since the vault is reset during this action as well.
Thus you'd have to enter the encryption key in to the vault to enable auto mounting again.
First as always. :)
Why would you want to encrypt your NAS?
In case it grows legs!
(it is sooooooo sad that the VAST majority of people simply do not care if people snoop in their personal business)
You don't just let people walk around your home uninvited.... why in the world would you let ANYONE look through your stuff whether it be your underwear drawer or your cabinets or file storage.
It simply is no-ones business what you have or how much of it you have.