Synology Shared Folder Encryption

While I’m religious about encrypting my data when I move it offsite I do nothing to protect it in my house. If someone steals my Home Server it’s fairly trivial to get the data. It’s just a matter of finding it. The home server (and it’s backups) are the only places my important files reside and they are a small subset of my files, so folder encryption seems like a good fit.

Image of Synolog DeskStation 212jWhile I’m religious about encrypting my data when I move it offsite I do nothing to protect it in my house. If someone steals my Home Server it’s fairly trivial to get the data. It’s just a matter of finding it. The home server (and it’s backups) are the only places my important files reside so folder encryption seems like a good fit.

I never really wanted to go the Bitlocker route with full disk encryption. My MicroServer wouldn’t like the overhead and only a small subset of files need encryption. The alternatives, such as encrypting files, or having a encrypted container just had too much friction for me to use them.

Synology can encrypt shared folders so I decided to give it a try. All the files I want encrypted are already on a single Windows Home Server 2011 share so it was just a matter of moving the share to Synology. We’re not talking state or corporate secrets here so I’m not going to worry about scrubbing the disk once the files are deleted.

For the record, I’m using DSM 4 for this.

Creating An Encrypted Share

Unfortunately home folders can’t be encrypted since this would be the logical place for my files. Certain other system shares also can’t be encrypted. I’ll create a new encrypted share by logging onto the Synology web console and opening Control Panel –> Shared Folder (click any image for full size)

Synology Control Panel Shared Folders

Then Click the Create button and fill in the information.

Create a new share

Shared Folder creation dialog

 

I do not check “Mount automatically on startup” so I’ll need to do it manually when I reboot. I figure it’s more likely the entire Synology box will be stolen than just the hard drives. It’s I little more work for me but a little more secure. I don’t reboot very often anyway.

You’ll get a warning about protecting your encryption key. Acknowledge it.

Encryption warning

The share will be created and you’ll be prompted to download a file that has the encryption key in it. If you save the file, keep it in a safe place. Anyone with the file can mount the share.

Then you’ll be prompted to give the appropriate users access to the share.

Edit folder priviledges

 

Click OK to give permissions and your done.

Using the Encrypted Share

When the share is mounted anyone with the privileges to the share can access it without using the key. The encryption key is only needed to mount the share.

If you need to mount or unmount the share return to the Shared Folder section of Control Panel, select the share and click the encryption button.

Mount of unmount the share

If mounting the share either type the encryption key or browse to the exported key file saved when the share was created.

Mount an encrypted folder

If the share is mounted you’ll also have the option to export the key to a file.

Tips & Notes

Don’t save the file with the encryption key on the NAS itself. No sense making it easy for the thief. I need the key so infrequently I don’t use the file at all. I save the key is LastPass, my password manager, and cut & paste when needed.

Encrypted shared folders cannot be moved to a new volume unless it’s unencrypted first.

Any Synology NAS administrator can export the key assuming the share is already mounted so don’t expect this to keep a secret from other admins.

The encrypted share does need to be mounted before it can be unencrypted. This provides protection against decryption since the key is needed to mount it. But back to my previous point, if it is mounted any administrator can decrypt it.

I was hoping to attach an external USB drive and encrypt the files on it so I could use it for offsite backup. Unfortunately the USB share is created automatically and it’s one of the system shares that can’t be encrypted. Oh well, my current process using Truecrypt works well enough.

Finally, I did have to change by backup plan to encrypt the backup destination for these files. No point having an encrypted share if the backups are sitting out there . (I use Cloudberry Backup on my WHS to back up this share locally.)

Anyone have any simple encryption options for Windows Home Server shares?

7 thoughts on “Synology Shared Folder Encryption”

  1. Thanks for covering this topic.

    As you’re backing up your encrypted files to WHS, are you able to un-encrypt them in the absence of the Synology box (let’s assume it’s been stolen – obviously you have the key safe in LastPass).

    I believe Synology uses industry standard encryption alogorithms, but when I tested it sometime ago, I seem to remember it encrypted on a file-by-file basis, also changing the file names in the process which further complicated a restore procedure.

    1. @John – When the share is mounted anyone who has access to the share can see the files. The way I do the backups is to connect to the share over the LAN and copy them off. The backup program does it’s own encryption. If the Synology is stolen I need the backup program and its key to do the restore.

      You are right, directory names are encrypted on Synology. I assume file names Re encrypted too but I couldn’t even enter the directories when Connected via terminal. (The folder is available unencrypted through terminal when mounted)

      As you say, the biggest problem is the loss of the key or the program that encrypted the files and understands how to unencrypted them. I’ve only started using Cloudberry with encryption so don’t trust it completely on the encryption side and I’m still doing a backup using TrueCrypt which I’ve used long enough to trus.

      While I understand some people want to be comfortable being able to get at the raw files should hardware fail My philosophy is to have multiple copies rather than hope I can rearrange the bits on the drive, so it doesn’t bother me that I would need the original encryption tool to get at the files. But I do have to admit, one reason I avoided encryption locally for so long was the fear of losing the keys or having some minor corruption make everything inaccessible.

      Thanks for stopping by.
      Ray

  2. Hi Ray.

    If have a related question – if my Synology NAS has an encrypted share thats mounted, would someone be able to read the data off my NAS if its running, but they dont have the password? Could they for instance reset the admin password and log onto the NAS itself and access the data?

    1. @Charley,
      If the encrypted share is mounted it can be accessed by any ID that is given access to the share. So if one of those IDs is compromised the person could access the share. The admin ID doesn’t have to be given access to the share, but the admin ID has the ability to modify these permissions and give itself access without having to un-mount the share. So yes, if the admin ID is compromised and the share is mounted then they could get access.

      If the share happened to be unmounted then the encryption password is needed to either un-encrypt or mount it. It can be deleted without the encryption password.

      Thanks for stopping by.
      Ray

  3. Hello Ray and Charley,

    I performed the following test:
    – mounting an encrypted shared folder on my Synology DS213+
    – once mounted, pressing reset button during 4 seconds

    Results:
    – I could log on using “admin” account with no password
    – Encrypted shared folder is not mounted anymore. Need to re-enter the password or give the key file. Reassuring !
    – Ports for accessing DSM are resettled to default values (ports 5000 http and 5001 for https). Because it is forwarded on my router to access files from internet (iOS, Android, computer at work) it is a security issue. Worrying..

    So I set up ports on 5100 and 5101 on DSM, and on my router I set port redirection so that it does not includes 5000 and 5001 ports, so they will remain only accessible from local network in case of handling error on reset button. Hope this tip could be helpful,

    Remi

  4. If I have a shared folder that is encrypted, can I take encryption off without hurting the data currently in the share? Thanks

Comments are closed.