Synology Shared Folder Encryption

Image of Synology DiskStation 212j

While I’m religious about encrypting my data when I move it offsite I do nothing to protect it in my house. If someone steals my Home Server it’s fairly trivial to get the data. It’s just a matter of finding it. The home server (and its backups) are the only places my important files reside so folder encryption seems like a good fit.

I never really wanted to go the Bitlocker route with full disk encryption. My MicroServer wouldn’t like the overhead and only a small subset of files need encryption. The alternatives, such as encrypting files or having an encrypted container, just had too much friction for me to use them.

Synology can encrypt shared folders so I decided to give it a try. All the files I want encrypted are already on a single Windows Home Server 2011 share so it was just a matter of moving the share to Synology. We’re not talking state or corporate secrets here so I’m not going to worry about scrubbing the disk once the files are deleted.

For the record, I’m using DSM 4 for this.

Creating An Encrypted Share

Unfortunately home folders can’t be encrypted, even though they would be the logical place for my files. Certain other system shares also can’t be encrypted. I’ll create a new encrypted share by logging onto the Synology web console and opening Control Panel -> Shared Folder.

Synology Control Panel Shared Folders

Then click the Create button and fill in the information.

Create a new share

Shared Folder creation dialog


I do not check “Mount automatically on startup” so I’ll need to do it manually when I reboot. I figure it’s more likely the entire Synology box will be stolen than just the hard drives. It’s a little more work for me but a little more secure. I don’t reboot very often anyway.

You’ll get a warning about protecting your encryption key. Acknowledge it.

Encryption warning

The share will be created and you’ll be prompted to download a file that has the encryption key in it. If you save the file, keep it in a safe place. Anyone with the file can mount the share.

Then you’ll be prompted to give the appropriate users access to the share.

Edit folder privileges


Click OK to give permissions and you’re done.

Using the Encrypted Share

When the share is mounted anyone with the privileges to the share can access it without using the key. The encryption key is only needed to mount the share.

If you need to mount or unmount the share return to the Shared Folder section of Control Panel, select the share and click the encryption button.

Mount or unmount the share

If mounting the share either type the encryption key or browse to the exported key file saved when the share was created.

Mount an encrypted folder

If the share is mounted you’ll also have the option to export the key to a file.

Tips & Notes

Don’t save the file with the encryption key on the NAS itself. No sense making it easy for the thief. I need the key so infrequently I don’t use the file at all. I save the key in LastPass, my password manager, and cut & paste when needed.
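An added example, not part of the original post: a small shell audit for the tip above, listing files that look like an exported share key under the NAS volumes or a backup target. It assumes the exported file keeps a .key extension and is very small; the directory names in the demo tree are constructed.

```shell
#!/bin/sh
# Added example: look for exported share-key files left where a thief
# would find them (on the NAS itself or on an unencrypted backup target).
# Assumption (not stated in the post): the exported key file ends in
# ".key" and is tiny, since it only has to hold the share passphrase.

# list_key_files ROOT...
# Prints every regular file under the given roots whose name ends in
# .key (any case) and that occupies fewer than 8 blocks of 512 bytes.
list_key_files() {
    for root in "$@"; do
        [ -d "$root" ] || continue      # skip missing or unmounted roots
        find "$root" -type f -iname '*.key' -size -8 2>/dev/null || true
    done
}

# count_key_files ROOT...
# Prints the number of suspected key files; 0 means nothing was found.
count_key_files() {
    list_key_files "$@" | wc -l | tr -d ' '
}

# Constructed demo tree standing in for a NAS volume and a backup disk.
demo=$(mktemp -d)
mkdir -p "$demo/volume1/public/old stuff" "$demo/volume1/photo" "$demo/backup"
printf 'constructed-passphrase\n' > "$demo/volume1/public/old stuff/Private.key"
printf 'constructed-passphrase\n' > "$demo/backup/PRIVATE.KEY"
printf 'just a note\n' > "$demo/volume1/photo/notes.txt"
# A large file that merely shares the extension is ignored by the size filter.
dd if=/dev/zero of="$demo/volume1/photo/slides.key" bs=1024 count=64 2>/dev/null

echo "Suspected key files: $(count_key_files "$demo/volume1" "$demo/backup")"
list_key_files "$demo/volume1" "$demo/backup"
rm -rf "$demo"
```

Point the two functions at the real volume and backup paths in place of the demo tree; anything they list should be moved off the device and into the password manager or other offline storage.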

An encrypted shared folder cannot be moved to a new volume unless it’s unencrypted first.

Any Synology NAS administrator can export the key assuming the share is already mounted so don’t expect this to keep a secret from other admins.

The encrypted share does need to be mounted before it can be unencrypted. This provides protection against decryption since the key is needed to mount it. But back to my previous point, if it is mounted any administrator can decrypt it.

I was hoping to attach an external USB drive and encrypt the files on it so I could use it for offsite backup. Unfortunately the USB share is created automatically and it’s one of the system shares that can’t be encrypted. Oh well, my current process using Truecrypt works well enough.

Finally, I did have to change my backup plan to encrypt the backup destination for these files. No point having an encrypted share if the backups are sitting out there. (I use Cloudberry Backup on my WHS to back up this share locally.)

Anyone have any simple encryption options for Windows Home Server shares?

The OS Quest Trail Log #54: Vacation is Over Edition

Mountains and clouds in New Hampshire

It had to happen sometime, my vacation is ending and it’s back to corporate America on Monday. This blog was silent for a month with barely a peep the month before that but things picked up recently. Vacation was a trip to the White Mountains followed by a week around the house with a lot of computer time during the last week. As luck would have it the trip was during the bad week of weather.

A New Laptop & Encryption

Prior to vacation my new Dell laptop arrived with just enough time to get it set up. It’s always fun to get a new computer. I’ve been using it quite a bit around the apartment rather than my desktop. I’m sitting on the patio now as I type this up.

I also took a look at TrueCrypt as a way to secure my laptop on its travels. I started off playing it safe, planning to encrypt a USB drive which I would take with me. That went so well I decided to go for broke and encrypt the entire system drive. So far it’s working great and I don’t have any complaints about performance.

In retrospect the one thing I might have wanted to look for in a laptop is a CPU that supported AES hardware acceleration. I hadn’t seriously considered encryption until after I got my laptop and I didn’t even know the feature existed. As it is, a CPU that supports hardware accelerated AES doesn’t appear to be an option in the Dell Inspiron line at this point, although some higher level i5 CPUs do support it.

WordPress Changes

I also spent some time looking at my sites and WordPress. I’d gotten sloppy in my testing so while I was busy keeping the site code up to date my WP Super Cache plugin stopped caching and went unnoticed. I spent some time trying to troubleshoot it but finally got frustrated enough to look for an alternative. I found two complementary caching plugins which are running now.

I also finally fixed the plugin I use to announce new posts on Twitter. In this case I knew it was broken due to the change to OAuth authentication. In my quest to keep things lean I wasn’t running the Curl library for PHP. Once I added PHP-Curl the plugin worked fine.

Security and Browsers

I also got around to plugging a month old security vulnerability that Microsoft isn’t fixing in order to avoid breaking any apps. Hopefully Microsoft will fix this on their own. I can kind of see their point, if an app is written properly and doesn’t rely on the default search order there’s no problem. If the app does rely on the default search order then their patch may break it. I haven’t had any problems since installing the patch although it’s only been a day. I suspect they’ll roll out the patch once there’s some history of problem free patching.

I also decided to give the IE 9 beta a spin. I must have some hidden desire to abuse this new laptop. Since IE isn’t my default browser there wasn’t much risk. I’m actually pretty impressed. It seems fast. The bad news is it has the same problem rendering the footer of my website’s home page that earlier IE versions have. I long ago stopped caring about IE, as long as it was usable. If the site renders fine in Firefox, Safari and Chrome then it’s OK with me.

Still, Internet Explorer 9 is going to be a lot of new code. I suspect it will have a lot of new security holes in that shiny new code. So while the first impression is it doesn’t suck anymore, I don’t see it replacing Chrome for me in the future.

On Deck

There’s a few more things I started looking at or working on while on vacation. History tells me I won’t get to them all, at least not soon.

I downloaded the latest Windows Home Server 2 (Vail) beta software. I’ve yet to install anything but hope to do so on my spare test box. I need to look into things some more but I expect I’ll be building a new server for Vail. There’s not going to be any upgrade path on the old server since this is typically sold as an appliance by OEMs. Even if it could be upgraded it’s safer to go to new hardware with all that data. My test box is more powerful than my current WHS so it may actually end up being suitable for my new WHS. At least if I can start testing it I’ll get an idea of the hardware and memory requirements.

Despite the relatively bad weather I did take some pictures in the White Mountains of New Hampshire (like the one at the top of this article). I’m still getting used to the various photo software I have available to see which I like. The stuff that came with my Canon camera is remarkably good for bundled software. I’ve also been looking at Picasa and Windows Live Photo Gallery although these appear to be better suited for organization and minor editing. I’ve been working on getting familiar with Aperture 3 as it seems best suited as a combination organizer/manager and editor.

So it’s back to work tomorrow. Hopefully after the initial surge of work when I return I’ll have enough time for fun with computers and be able to keep the posts coming.

TrueCrypt: Full Disk Encryption

After seeing how easily TrueCrypt worked when I used it to encrypt files (or more accurately, create an encrypted container to hold files) I decided to give full disk encryption a try on my new Dell Inspiron laptop. I was planning to take the laptop on my vacation trip and wanted to encrypt the data. The laptop was new and not a critical part of my workflow so if full disk encryption cratered the laptop, requiring a rebuild, it could wait until after my trip without causing any serious problems.

As it turned out, the full disk encryption worked without any problems. While I hadn’t used the new laptop enough to gauge any before/after performance differences, the benchmarks showed a negligible difference.

I’d already installed TrueCrypt on the laptop so all I needed to do was encrypt the system drive. I decided to encrypt the entire system drive (the only drive in the laptop) and just use normal encryption. I won’t bother with the hidden option since I mainly care about preventing someone who steals my laptop from being able to access the files. The encryption process is wizard based and the screens are shown below. I don’t have any plans to dual boot this laptop so I can keep it simple with a single boot configuration. I also stick with AES encryption since it benchmarks better than the other options.

System Disk Encryption Wizard Screen 1 System Disk Encryption Wizard Screen 2

System Disk Encryption Wizard Screen 3 System Disk Encryption Wizard Screen 4

At this point I was presented with a UAC prompt as TrueCrypt looked for hidden sectors in the host protected area. The process was too quick to get a screenshot or even read the entire message. TrueCrypt apparently liked what it found (or didn’t find) and moved on.

System Disk Encryption Wizard Screen 6 System Disk Encryption Wizard Screen 7

System Disk Encryption Wizard Screen 8 System Disk Encryption Wizard Screen 9

System Disk Encryption Wizard Screen 10

At this point I’m prompted to create a rescue disk, which I do. Should something happen to the hard drive that prevents the PC from booting, the Rescue Disk can be used to boot the PC and then unencrypt the hard drive so that the data can be copied off the drive.

System Disk Encryption Wizard Screen 11 System Disk Encryption Wizard Screen 12

System Disk Encryption Wizard Screen 13 System Disk Encryption Wizard Screen 14

System Disk Encryption Wizard Screen 15

After the detour to create the rescue disk we’re back to work on setting up the full disk encryption. At this point no actual encryption has happened yet.

System Disk Encryption Wizard Screen 16 System Disk Encryption Wizard Screen 17

Now things will begin to happen so a couple screens provide instructions on what to do should things go horribly wrong.

System Disk Encryption Wizard Screen 18a System Disk Encryption Wizard Screen 18b

Then the PC reboots and does its thing. I’m told the pretest was successful. After clicking the encrypt button there’s more instructions about how to recover if there’s a problem.

System Disk Encryption Wizard Screen 19 System Disk Encryption Wizard Screen 20a

System Disk Encryption Wizard Screen 20b System Disk Encryption Wizard Screen 20c

There was another UAC prompt when I clicked “OK” on the message box. As the encryption is going on the status is displayed.

System Disk Encryption Wizard Screen 21 System Disk Encryption Wizard Screen 22

My 580 GB Hard Drive with about 75 GB in use (both as reported by Windows) took about 8 hours to encrypt. I didn’t use the PC during this time so the encryption process should have gotten all the available resources.


After the encryption was finished I rebooted the PC to make sure everything was OK. The reboot was fine although things seemed to be slower than before. I hadn’t had the laptop long enough to really get a good feel on the performance so it may have been more perception than reality. I had benchmarked the Dell Inspiron laptop prior to encryption so I did it again now. There was a significant drop in the disk benchmark score.

The pre-TrueCrypt encryption disk results were 21% better than the post encryption score. While I expected some performance hit, this seemed extreme. I rebooted one more time and there was a noticeable improvement. I ran the benchmark again and the disk actually scored about 10% better than the pre-encryption benchmark. (I don’t stop all background tasks to do the benchmarks so some variation is to be expected.) Like I said before, I didn’t have the laptop very long before I encrypted it so I didn’t get a good feel for performance, but I don’t have any complaints and it seems peppy enough. It was interesting that it took two reboots after the encryption finished for things to settle down.

I haven’t had problems running any software and there hasn’t been any instability with the system. My Windows Home Server backup runs just fine. Since the disk is decrypted at boot the WHS backup software sees the file system the same way it did prior to encryption.

Overall I’m happy with TrueCrypt full disk encryption, it’s worked well and I’m happy with the performance. While I certainly don’t want to lose my laptop, I’m happy to know that if I do the data will be protected.

TrueCrypt 7.0–Install & Encrypt USB Flash Drive

TrueCrypt Logo

With the arrival of my new Dell Inspiron laptop just before some planned vacation travel I decided to try out disk encryption. My plan was to encrypt a USB drive and add an encrypted container for files on my laptop. Using Windows Bitlocker would have required upgrading to a more expensive version of Windows 7 so I went with the free Open Source TrueCrypt. In addition to being Open Source, it’s also cross-platform and runs on Windows, OS X and Linux.

Installation was simple, after downloading the latest version I ran the installation executable and ran through the wizard. There’s only 5 screens during the install. They’re shown below, along with the options I used. They’re pretty self-explanatory and don’t affect the operation of TrueCrypt itself, just how you want to access it. Nothing gets encrypted during the installation.

I decided to do the full install, rather than install in “portable mode”. Portable mode is used when the extract option is picked on the first screen. It allows encrypted containers to be created but can’t encrypt the system drive. I do the full install so that I have the option of full drive encryption should I decide to go that route. It’s a 64-bit application and uses less than 8MB for the installation.
TrueCrypt Install Screen 1 TrueCrypt Install Screen 2

TrueCrypt Install Screen 3 TrueCrypt Install Screen 4

TrueCrypt Install Screen 5

The beginner’s tutorial referred to on the last screen is available on the TrueCrypt website. Starting up TrueCrypt presents the main screen:


Creating An Encrypted Volume

My USB Flash Drive is already in a USB port (as Drive F:) so I click the “Create Volume” button to start the process of creating an encrypted container on the flash drive. The hidden volume (an encrypted volume within an encrypted volume) is more security than I need, so I’ll create a standard volume. The volume location screen is asking for the name of the encrypted container to be created, and not an existing file to be created.

Volume Creation Wizard Screen 1 Volume Creation Wizard Screen 2 Volume Creation Wizard Screen 3

I pick AES encryption since it benchmarks with the best performance. The benchmarks are based on the current computer and will vary from PC to PC (or even on the same PC run at different times). I took the default AES selection.

Volume Creation Wizard Screen 4 Volume Creation Wizard Screen 5

I have the USB Flash drive formatted with the FAT file system (which is also the original format) for maximum compatibility across Windows, OS X and Linux. So I’m limited to a maximum container size of 4GB since the container is one file and FAT has a 4GB limit. I also enter a nice long phrase for the encryption password and accept the default FAT file system and cluster size. I spend some time moving the mouse around to generate some nice random keys. Once I click format the volume is quickly created.


The final screen in the Wizard lets me know all is well.


TrueCrypt Travel Disk

Since TrueCrypt 7 may not be on every PC I will use the USB flash drive in, I want to create a Traveler install on the flash drive. This is done by selecting Tools -> Traveler Disk Setup from the menu. For the file location I entered F: since that’s my USB flash drive. This does not mean the flash drive must always be mounted as F:, it’s simply where to install the TrueCrypt files. I don’t bother with the autorun options since I dislike any autorun.


The traveler files occupy less than 4MB on the flash drive and get installed into their own directory (F:\TrueCrypt in my case).

Finally, when I want to mount the encrypted volume on the USB drive I run TrueCrypt.exe, select a drive letter to mount it on, enter the path to the volume file and click mount.


The encrypted files within the volume are now available just like any other drive. Since the file system is FAT, both on the USB stick and within the encrypted volume I can access the files on my Windows or Mac computers. Linux should work too.


TrueCrypt includes several features I’m not using since I want to keep things simple and I’m not concerned about someone making any effort to crack the encryption. But if my USB drive is lost or stolen, it won’t be easy for the thief to get to my files.

Installation was easy and straight-forward while usage is simple. The hardest part is typing in the passphrase. The longer it is, the more secure it is so mine exceeds two dozen characters and considering my lack of typing skills it’s not uncommon to need two tries.