Full Volume Encryption - The MOST Exciting Feature on Synology DSM 7.2

Captions
All right, how's it going y'all. So today I'm very excited because we're going to be talking about something awesome: full volume encryption on DSM 7.2. I am currently running the DSM 7.2 release candidate; by the time you see this video there's a decent chance it may be live. I'm not fully sure when the live date is, but it looks like it should be pretty soon given how stable the release candidate is. For people who have seen my most recent video on the DSM 7.2 beta's full volume encryption, they know there was a massive flaw that I was really, really worried about, so I want to quickly alleviate everybody on that: they fixed it, and now it's at a place where I will essentially recommend it to pretty much everybody, save for a few specific people that we will get down to later on.

So first off, what was the issue with full volume encryption that I was alluding to earlier? Previously, on the DSM 7.2 beta, full volume encryption would not flush the encryption keys if you did a soft reset on the NAS, meaning that anybody with a little toothpick or any of those devices could soft reset the NAS and then just change the admin password, and now they were into your encrypted data without having to have a clue about the encryption key or any other additional information on the NAS. They didn't have to know the admin password, anything. When I messaged Synology and put in a bug ticket about this for the beta, they replied that this was expected behavior for the DSM 7.2 beta, and they would not give me any additional information, so I did not know if that was expected behavior permanently. If so, that's useless encryption. But it turns out they have fixed it now; in the release candidate it's no longer an issue, so now I can fully recommend this for just about everybody.

All right, so now, with that out of the way for everybody who just wanted that one piece, let's talk about what full volume encryption is. Full volume encryption is exactly what it sounds like: it is the ability to just encrypt an entire volume on your Synology NAS, and this has a bunch of great benefits over the previous version of encryption on Synology, which was shared folder based encryption. Shared folder based encryption felt like an afterthought. You had a limitation with the number of characters you could have in a path name; this is now gone with full volume encryption. You could not browse previous versions of Btrfs snapshots if you had shared folder based encryption; you had to clone to a new name to recover, which made recovering such a pain. That's gone. You also had a worse performance overhead with shared folder based encryption than full volume encryption, another great thing. And finally, it was just kludgy: you had to add it after the fact, there was all this stuff you had to do, which just made it a pain to work with. It was not a great setup, and I am so glad it is now just simplified. So now full volume encryption is essentially just encryption, but without any of the downsides. There is still a small performance overhead that I've not been able to really find, I've not been able to see, at least in my limited testing so far; I've only got one box on the DSM 7.2 release candidate, so I've not gotten the full performance overhead of it, but realistically it's very small, especially with NASes with built-in encryption engines on the CPUs, which most of the NASes have at this point on the Plus models. And so there's so much stuff that's just made it so much easier now. You don't have to worry about encrypting every single folder, you don't have to worry about the issues that you get with something like Active Backup for Business, where you have to encrypt it at a certain time; now everything is just encrypted exactly how you want it to be. It's also meant that keys are just easier to store: you now have just one key rather than n number of keys for all your shared folders. But it is not perfect in the eyes of some people, and we're going to talk about it here. So to summarize what full volume encryption is on Synology NASes: it is simply the ability to have a volume that is just encrypted, no ifs, ands or buts. It is just encrypted and it just works; you don't have to deal with any of the limitations of regular shared folder based encryption anymore. Now if it works with a regular volume it's almost certainly going to work exactly the same, with maybe a very small performance decline, very small, with an encrypted volume. That is exactly what I wanted, and now I can start just recommending it to businesses pretty much across the board, and additionally home users who want their data protected.

All right, so first let's go ahead and show how full volume encryption works, and it is very, very simple. I'm on a NAS right now running the DSM 7.2 release candidate, and I'm going to go ahead and open up Storage Manager, go to the storage pool and create a new volume. You're also given this option when you're setting up for the very first time. We're going to just give it a hundred gigs to start with, we're going to call it "encrypted", we're going to set it up as Btrfs, and now we just simply have the option to encrypt this volume. Very easy. The very first time you set this up it's going to initialize a localized encryption key vault, very similar to the way that the machine key vault worked on shared folder based encryption, so you add a password to it, and it's also going to automatically download the encryption key as soon as you hit apply. This time it even goes a step further and says, hey, if this encryption key vault goes away, so something like you're doing a soft reset or anything like that, or maybe you're using a KMIP server for the encryption key and it goes out, you will lose everything. So it forces you to say yes, I've received the recovery key and will keep it safe. After that it will now work, and your key will automatically be in the downloads right there; it's just an 88 byte file that stores everything you need to encrypt and decrypt the volume.

Now it differs pretty significantly from the standard shared folder based encryption in a couple of ways. It is much more like macOS's encryption or Windows's encryption than the old shared folder based encryption: you have no ability to unmount the actual volume, so it is just mounted on boot automatically as long as your key vault is there. That is something that a lot of people have been rubbed the wrong way by, and I go back and forth on. Personally I am actually glad that that is the default behavior, because it makes it so much easier to just recommend encryption to everybody, because it just works; there's no weird flaws, there's no weird issues. It is good enough for 99% of people, in my opinion. There is the big issue that technically the encryption keys are stored on disk, which, if you're handling like classified information or government secrets or anything, is a huge no-no, because it is technically possible to recover that in a lot of cases if you really know what you're doing.

All right, so quick interjection here. To figure out how exploitable having the key stored in the key vault, basically on disk as well, is, I threw a contest out there. I said anybody who can give me a solution that basically just uses the NAS, as well as any extra things like a Linux PC, and can get the encrypted data off of the device without using the admin password or any encryption key or prior knowledge would get a DS923+. Within eight hours I had a solution. It has not been fully proven yet, there's still a couple of pieces left, but it's almost certainly going to work, and it is not that complicated for what it is. Now, that being said, it does require full access to the box: you not only need the drives, but you also need the physical Synology, and you also need a pretty good understanding of Linux as well as a Linux machine that you can use to mount every single one of the hard drives. But that is obtainable, and so I wanted to have this quick cut-in here, because the solution honestly turned out to be a fair amount easier than I was expecting it to be. It does require full access to the physical original NAS; you cannot use a new NAS for this. But it is still there, so you definitely have the security in knowing that, hey, if you need to ship the drives off, they're encrypted, they should be fine. On that, though, somebody may be able to exploit those as well, but that would be considerably more complicated than the solution we came up with. But the solution is out there, so I wanted to kind of give that information out there.

Currently the only kind of official way to get around this in DSM is to actually have the ability to have the keys not on the system. So you can either use a KMIP server, which basically has the key stored on a different device, and then you basically power off that device unless you need to actually mount the thing; that way you know that somebody who's just in the lab or in the rack who does this exploit will not be able to just auto connect to it. So that is an option. And then another one, and I'm actually going to show it later in this video: if you do a soft reset but do not fully repair the key manager, it looks like it does not fully store the encryption keys, and it looks like they will be ejected on boot. I show this later on in the video. It is a completely janky solution, but it does allow the fully encrypted volume to be demounted on boot, which would get around this exploit. I do really wish Synology would add a hardware component to this; that would be very easy to do, very similar to the way that shared folder based encryption allows you to store the keys on a flash drive. If you had a flash drive and you just left it in a safe, and you had trusted employees having access to it, if the NAS rebooted all they needed to do was get access and plug in that flash drive. I think that would be a very good compromise overall, because it would mean that the attacker would have to also have that flash drive, which is always possible but adds a significant amount of complexity, and that way it can be easily mounted by anybody in the office should the NAS reboot. You're always trying to find a good common ground between security and actual usability, because if you have a device that is so secure that nobody can effectively use it, it's not that useful.

I do also want to touch on my still overall recommendation for full volume encryption. Overall I'm still going to recommend full volume encryption, and I'm still very glad they did it. I think there are a couple of pieces they can add on there to get it across the finish line, like the ability to require the key at boot, just for those few users who truly have very, very sensitive information, the next level stuff that actually might be targeted by somebody breaking in to steal that information, that information alone. So I wish they had the ability to demount those keys and only be able to decrypt the volume by uploading the key on boot. That would be the one real addition I would like to see, just because that would bring it across the finish line for every single user who may want this. I will still recommend full volume encryption to most users, however: the exploit is pretty difficult and is not going to be able to be done by your average smash-and-grab thief at all, and it also means that even if somebody has the hard drives, they do not have access to the data. It is a very easy way to encrypt the data for the majority of cases. But you should know that if you have a very technically savvy person who really wants their way into that data, having the encryption key stored on the system partition and not in any other way will be able to be exploited by somebody at any time. Even if they close down the exploit that was found, there is always going to be a way unless you have a substantial change here. That is just the nature of the beast: DSM needs to be able to access that encryption key, and so that means an attacker with sufficient knowledge will also be able to get that encryption key, assuming they really know what they're doing. Right now the majority of NASes out there that I see are not encrypted, because there's so many limitations when it comes to shared folder based encryption. By having an easy to use encryption method, it is going to be so nice. Having the key stored on the actual volume is still leagues better than having the data unencrypted to begin with, because it requires a lot of substantial knowledge on how to actually exploit it, versus anybody just plugging the drives into DSM and hitting recover. And so that is a huge thing where it is really going to help a ton of people. For those people who have that truly sensitive information, who are okay with requiring the key to be there every single time the NAS boots up, to ensure that the data is in no way going to fall into the wrong hands even if somebody steals the entire NAS and attempts to grab the data, there is always the shared folder based encryption, where you can keep the key for yourself, and you can use those in tandem. So that's going to be my recommendation there. I'm going to go back to the rest of this video, but I did want to add that in there, because the solution that was found was substantially easier than I was expecting, but it is still going to be leagues better than not encrypted to begin with, while also serving its purpose decently well.

All right, back to the video. The encryption key by default is stored in the key vault, but if you do want additional security you can set up a KMIP server, which is an open standard that actually a fair amount of people have implemented, and a Synology NAS can operate as one. So if you're a large corporation, you can set up the main server as a KMIP server and then everybody else unlocks the volume based off of that encryption key. But for the vast majority of users you're just going to use it locally. Now the advantage of this setup is the fact that you don't have to do anything differently: you do not have to be there whenever the NAS boots up to put the key in, the NAS just continues to operate exactly how it would. So it reboots, it comes back up, and everything is just very automated. This is technically worse for security, because technically there's always the possibility that somebody can find the key on the system, but the huge advantage of that is it is encryption without any of the downsides, which I think is what Synology needed here. For people who are really, really looking for the utmost crazy high security stuff, then yes, you still have shared folder encryption, and you can put the key on a flash drive, you can actually just store the key in your head and only ever have it on there. These can work in tandem, so they've not taken that away. But the way it is implemented today just works, and I actually like that a lot.

Now let's talk about what encryption is used for. This encryption does not protect you from hackers; it does not protect you from anything like that. What encryption protects you from is physical theft. So pretty much the reason you encrypt something like a hard drive on your computer or anything else is not so that people on the internet cannot hack into you; it does not do anything for that. What encryption does is it protects you from physical theft, so that means somebody breaking in and stealing your hard drives, or if you ever have to RMA a drive you can send it in without any worry, because you know it's encrypted. As a side note, if you're on RAID 5 it's pretty much encrypted, because they're only having a portion of the data required on the system volume. But that way you can just sleep well at night knowing that even though you may have very sensitive tax information on one of those drives, nobody's going to be able to decrypt it. That is what encryption is really used for: it is not meant to protect the NAS from the internet, it will not do anything for that, but what it will do is make sure that somebody who just steals the NAS or steals the hard drives will not be able to get in. That's the real purpose.

So now I'm going to quickly create a second volume and show you how it used to work. This one's going to be not encrypted; I'm not going to have it on there, and I'm going to show you how it worked with shared folder based encryption and some of the big downsides that made it a huge pain to work with. I'm going to create two shared folders, one on each. The second folder I'm putting on the standard Btrfs volume that is not encrypted, so we're going to use shared folder based encryption: we select "Protect the shared folder by encrypting it", and we just type in a key here. This is representing how encryption worked previously; it's going to download the key, very similar. Right now we can see that both are mounted. We see that the shared folder based encryption one has a few limitations associated with it. One, the name of a file or a folder cannot be more than 143 English characters, and there is going to be performance overhead; both of them will have a performance hit, but the shared folder based encryption has a larger performance hit. Once again, in my experience this is pretty negligible. Another limitation that we will have is the fact that if we set up snapshots on this, we will not be able to browse previous versions of files, because these snapshots themselves will be encrypted. So that is another downside of the old shared folder based encryption, and I'm going to show that here: that setting just does not exist once it installs. The advantage to the previous shared folder based encryption was you can have it standby, and you can still use this, and I still use this for specific use cases. So if you want to actually use encryption to have additional protection from hackers, people who are actually accessing it, what you can do is you can actually mount it when you're not using it, sorry, unmount it. So say I know I'm going to be gone, or this is a folder I very rarely use. For example, I have it set up where clients can send me the encryption key just in case they ever need it. So once again, these encryption keys are crucial for you to keep; you really need to make sure you've got access to them in case everything in the world goes wrong, and so for clients I offer it where they can just send it to me, and that way if they ever need it we can hop back on Zoom, I can see their face, I'm like yes, you are that person, and I can send them back the encryption key. That is very sensitive data that I do not want leaking out, and I very rarely need it; I'm only accessing it once a month maybe. So what I will do with that is it is encrypted and I leave it unmounted constantly, so that way even if somebody gets access to my NAS, who knows how, but even if somebody gets access to my NAS, they cannot access this folder. So if we go into File Station, that folder is just gone, and so that way you have additional protection. That is one real advantage of old shared folder based encryption versus the full volume encryption.

Another one is how the encryption keys are stored. So you have the option to use a KMIP server if you want to, but for the vast majority of people the encryption key is in the encryption key vault, which is stored over here locally, which has very little information; there's not a lot you can do here, and you cannot apply a password to it. So it is essentially stored locally, but you cannot choose where this location is; you can basically just say it's either going to be local or it's going to be on a KMIP server, and then you essentially have to trust this. The advantage of that is it always boots up, whereas with shared folder based encryption you have the option to set up a key manager, but it is truly optional. You can set it up on an external drive or the system partition; the system partition would kind of mirror the exact way you set it up here anyway. And we can add in a shared folder based encryption key, and we can set up a specific cipher; there's a lot more options here, and we can enter in there. So you have a lot more flexibility when it came to the shared folder based encryption, and you can also have an auto mount there as well. So right there, the settings I just did there, it's the machine key and auto mount, essentially mirror exactly how it works with the full volume encryption, but the full volume encryption is just a lot simpler to set up.

So now let's go into Snapshot Replication and talk about one of the big downsides to shared folder based encryption that is fixed on full volume encryption. One of the greatest things about snapshots is the ability to have previous versions of files visible to employees by hitting this setting, "make snapshot visible". This means that people can just recover their own files without having to contact the IT department. So instead of filling out a ticket and waiting days for everything to get solved, which a lot of people are just not going to do, they're just going to redo the work, if somebody deletes a file or corrupts something or wants the previous version of a file, they can do it themselves. I'm going to take a manual snapshot to show it. But when we go into shared folder based encryption and do the exact same settings, we can see that snapshots are not able to be visible; that's because this is an encrypted folder. So when we look at File Station with that, we can see that we have this great snapshot folder that allows us to see previous versions of files right here. It's awesome; it's a huge selling point, because this is also read only, so it's got great protection while also allowing people to easily go back to previous versions of files. If we look at the shared folder based encryption, we don't have that, because of the fact that we had to encrypt the Btrfs snapshots, so for whatever reason they could not decrypt the snapshots and put them in there. Instead, if we wanted to recover a file, we would actually have to go into Btrfs snapshots; what you actually have to do is go into Recovery, Shared Folder Encryption, Recover, and clone it to a new name or just straight up do it. It's a huge pain, and it's one of those really annoying things that makes it so much harder to recover and use these snapshots. That is one of the biggest downsides I tell clients when they're asking should they encrypt their data; now that's no longer there. Another one is just the simplicity of it all; now that's what I really like. You can set it up, you know you save that one key file and you're done, you know everything is encrypted, and you know your data is secure from the vast majority of cases. If I do a soft reset on this NAS the encryption keys flush; you're good. And so there's a huge advantage of using full volume encryption versus shared folder encryption.

Now let's talk about the behavior when we reboot the NAS. I'm just going to restart it right here. With shared folder based encryption, unless you added the key to the key manager and had it start on boot, which is extra steps, what's going to happen is the folders are not automatically going to be mounted on boot. That is because it's waiting on you to go ahead and enter the key and get in there to add it. Now this is not the case with full volume encryption; instead, full volume encryption automatically, and only, will mount the volumes on boot. It will do that automatically, and there's no option that I'm aware of that will let you change that. For the vast majority of businesses that is actually how I set it up anyway, because you don't want the boss to be out of town and now all the files are just inaccessible because there was a power outage. It makes it a lot easier to work with, and in my experience presents a very low risk to actually having an issue with that. All right, so now the NAS is back up, and if we go into our Storage Manager we can see that volume 1 automatically came back up and is just in there. That is how full volume encryption just works: there's no option here to unmount it, there's no way to pull it out. The only option we have in here is to regenerate the key. Regenerating the key, you do not require the old key to regenerate the new key, but as soon as you regenerate the key the old key is now invalid, and you have to make sure to store this. So only click this if you realize that the old key is now useless, and you need to make sure you put this back wherever you need it. But that is a really good setup.

Now let's talk about what happens when we do a soft reset on the NAS, and we can see that the keys are in fact flushed. So what I just did there is I just held the reset button on the back of the NAS for, I think it's like six seconds, until you hear the first beep. What that's going to do is cause us to be able to reset the admin password, as well as some other stuff. Soft resets are very useful because it allows you to very easily get into the NAS and do things like that. Let me mute it really quick while we talk here. So I soft reset the NAS, which means that the admin account is automatically set to no password, so I can do admin, no password, and I can get in. What this is useful for is this allows you to easily get back into the NAS if you need to, so say you forgot the admin password, or say you screwed up a networking configuration; the soft reset allows you to do all that without losing all of your data. So we can just reset the admin password, and just like that we're back in. So theoretically a physical attack could have done that, but now what has happened is we come in here, and volume 1 says it's critical, it was unable to automatically unlock. This was not true on the beta, but now whenever you do a soft reset it flushes the encryption keys. So we can go ahead and see that the encryption vault has actually been completely disabled. Let's go into global settings, and we can see that our encryption vault was completely disabled, and so what we can see right here is there's no option to unlock it, because we first need to set up an encryption vault again. So we're going to go back to global settings and enable the encryption vault, and we are going to set up the password again. Now that we've set up the password again and set it up, it's lost all of its keys, but we should still have that key, so we can unlock it. Now we unlock it, we will see that our data is back in; our shared folder should come back in there. But one thing I did not select was "repair the key". So for all of you who are looking to be able to run encryption where you only want to be able to mount the volume on boot, and you don't want this key stored on there, I think I actually just found your solution. This is not how it's supposed to work at all, but if that's really what you're focusing on, you can do that: simply do a soft reset, basically destroy the encryption key, and then now every single time we reboot it's not going to be able to do it, because we did not repair the encryption vault. Interestingly enough, we can repair it now, though, and add back in that encryption key that we're missing, so that way it automatically mounts on boot. And so now it will automatically mount back on boot. But that is a janky option that you can use if you need to.

So that is how full volume encryption works on DSM 7.2. Overall I'm quite happy with it; it gets around all the old limitations of shared folder based encryption, so it's a great tool in the arsenal. I do wish that they had the option, if you wanted to, to not have the encryption key vault and instead always flush on reboot. I would not recommend that use case for 99.9 percent of users, but having that as an option would be good for people who really are wanting to make sure that there's no possible way, and they're very worried about physical theft to an extreme; that is good. But for now those users can still use shared folder based encryption and be fine. The last thing I did want to mention is, unfortunately, you cannot directly migrate a previous DSM 7.1 volume to a DSM 7.2 encrypted volume. Instead you essentially have to either restore your NAS using backups, or, if you've got enough space in your storage pool, kind of play some Jenga with it and add an additional storage volume that is encrypted and start moving all of your shared folders to it. That would be the only other option. But that's how shared folder based encryption works, and overall I think it's going to be a great tool for most people to use, and now it's kind of a no-brainer.

One thought I did want to add in there before we leave is you don't necessarily need to encrypt everything. Family photos that you want to make sure will live on after something happens to you: you may seriously consider adding a second volume for your photos directory that's not encrypted, because you need to think about what is important to you. Is it important to you that all of your files stay encrypted and make sure that nobody accesses them unless you've given the explicit authorization, or is it important that somebody can get access to them, and maybe it's you later on? So generally for family photos I do not recommend encryption, just because you want to make sure that you don't lose those if anything happens, even if something happens to you. So you may seriously consider having a secondary volume, just like I did there, for your family photos that's not encrypted; that's very easy to recover if you ever forgot the password or anything ever happened to you. All right, well that's gonna be it for this tutorial. Go and leave any of the tutorials you'd like me to make in the comments below, and have a good one. Bye.
Info
Channel: SpaceRex
Views: 20,288
Id: lyKXldHPAOU
Length: 31min 26sec (1886 seconds)
Published: Thu May 25 2023