While I’m religious about encrypting my data when I move it offsite, I do nothing to protect it in my house. If someone steals my Home Server it’s fairly trivial to get the data. It’s just a matter of finding it. The home server (and its backups) are the only places my important files reside so folder encryption seems like a good fit.
I never really wanted to go the Bitlocker route with full disk encryption. My MicroServer wouldn’t like the overhead and only a small subset of files need encryption. The alternatives, such as encrypting files, or having an encrypted container, just had too much friction for me to use them.
Synology can encrypt shared folders so I decided to give it a try. All the files I want encrypted are already on a single Windows Home Server 2011 share so it was just a matter of moving the share to Synology. We’re not talking state or corporate secrets here so I’m not going to worry about scrubbing the disk once the files are deleted.
For the record, I’m using DSM 4 for this.
Creating An Encrypted Share
Unfortunately, home folders can’t be encrypted, even though that would be the logical place for my files. Certain other system shares also can’t be encrypted. I’ll create a new encrypted share by logging onto the Synology web console and opening Control Panel –> Shared Folder.
Then click the Create button and fill in the information.
I do not check “Mount automatically on startup” so I’ll need to do it manually when I reboot. I figure it’s more likely the entire Synology box will be stolen than just the hard drives. It’s a little more work for me but a little more secure. I don’t reboot very often anyway.
You’ll get a warning about protecting your encryption key. Acknowledge it.
The share will be created and you’ll be prompted to download a file that has the encryption key in it. If you save the file, keep it in a safe place. Anyone with the file can mount the share.
Then you’ll be prompted to give the appropriate users access to the share.
Click OK to give permissions and you’re done.
Using the Encrypted Share
When the share is mounted anyone with the privileges to the share can access it without using the key. The encryption key is only needed to mount the share.
If you need to mount or unmount the share return to the Shared Folder section of Control Panel, select the share and click the encryption button.
If mounting the share, either type the encryption key or browse to the exported key file saved when the share was created.
If the share is mounted you’ll also have the option to export the key to a file.
Tips & Notes
Don’t save the file with the encryption key on the NAS itself. No sense making it easy for the thief. I need the key so infrequently I don’t use the file at all. I save the key in LastPass, my password manager, and cut & paste when needed.
An encrypted shared folder cannot be moved to a new volume unless it’s unencrypted first.
Any Synology NAS administrator can export the key assuming the share is already mounted so don’t expect this to keep a secret from other admins.
The encrypted share does need to be mounted before it can be unencrypted. This provides protection against decryption since the key is needed to mount it. But back to my previous point, if it is mounted any administrator can decrypt it.
I was hoping to attach an external USB drive and encrypt the files on it so I could use it for offsite backup. Unfortunately the USB share is created automatically and it’s one of the system shares that can’t be encrypted. Oh well, my current process using Truecrypt works well enough.
Finally, I did have to change my backup plan to encrypt the backup destination for these files. No point having an encrypted share if the backups are sitting out there. (I use Cloudberry Backup on my WHS to back up this share locally.)
Anyone have any simple encryption options for Windows Home Server shares?