| ▲ | tecleandor 5 days ago |
| Not only that, but their security situation is terrible. Their OS is full of EOL'ed stuff. On products you can buy TODAY, you find: - Their Btrfs filesystem is a fork of a very old branch and doesn't have modern patches
- A custom, non standard, self built, ACL system for the filesystem
- Kernel 4.4
- PHP 7.4 (requirement for their Hyperbackup app)
- smbd 4.15
- PostgreSQL 11.11
- smbd 8.2p1
- Redis 6.2.8
- ...
They claim it's OK because they've backported all security fixes to their versions. I don't believe them. The (theoretical) huge effort needed for doing that would allow them to grow a way better product.And it's not only about security, but about features (well, some are security features too). We're missing new kernel features (network hardware offload, security, wireguard...), filesystem (btrfs features, performance and error patches...), file servers (new features and compatibility, as Parallel NFS or Multichannel CIFS/SMB), and so on... I think they got stuck on 4.4 because of their btrfs fork, and now they're too deep on their own hole. Also, their backend is a mess. A bunch of different apps developed on different ways that mostly don't talk to each other. They sometimes overlap with each other and have very essential features that don't work and don't plan to fix. Meanwhile, they're busy releasing AI stuff features for the "Office" app. Edit note: For myself and some business stuff, I have a bunch of TrueNAS deployments, from a small Jonsbo box for my home, to a +16 disk rack server. This was for a client that wanted to migrate from another Synology they had on loan, and I didn't want to push a server on them, as they're a bit far away from me, and I wanted it to be serviceable by anyone. I regret it. |
|
| ▲ | Shank 5 days ago | parent | next [-] |
| The encryption is also broken. If you use encrypted shared folders, you have an arbitrary filename limit (https://kb.synology.com/en-ro/DSM/tutorial/File_folder_path_...). If you use volume encryption, your encryption key is stored on the NAS itself, which is capable of decrypting the data, unless you buy a second Synology NAS (https://blog.elcomsoft.com/2023/06/volume-encryption-in-syno...) to act as a key vault. Synology claims that volume encryption protects if you if the storage drives are stolen, but in what world would the drives, and not the NAS itself, be stolen? |
| |
| ▲ | 8fingerlouie 5 days ago | parent | next [-] | | The filename limit comes from ecryptfs (https://www.ecryptfs.org/) which is what Synology uses for encrypted shared folders. As for full disk encryption, you can select where to store the key, which may be on the NAS itself (rendering FDE more or less useless) or on a USB key or similar. | | |
| ▲ | tecleandor 5 days ago | parent | next [-] | | For full disk encryption you need DSM >= 7.2 and you can either, store it locally (useless) or in a KMIP server. [0] As a KMIP server you use: - Another Synology NAS with DSM >= 7.2
- A KMIP compatible key server
Except for the demo implementation that Synology uses (PyKMIP), all the KMIP compatible servers I've found have licenses in the tens of thousands a year. So if anybody has any suggestions to substitute PyKMIP...-- 0: https://kb.synology.com/en-global/DSM/tutorial/Which_models_support_encrypted_volumes
| | |
| ▲ | 8fingerlouie 5 days ago | parent [-] | | I remembered wrong. I’m fairly certain that Synology, at some point, allowed you to store the encryption vault on an external (USB) drive, but apparently not anymore. | | |
| ▲ | MobileVet 5 days ago | parent [-] | | You didn't remember wrong, I have mine stored on an external drive. I am using DS 6.x though |
|
| |
| ▲ | mtillman 5 days ago | parent | prev | next [-] | | My disk station uploaded 54gb to synology servers the other day before I had my router block outbound. Trash product. | |
| ▲ | aborsy 5 days ago | parent | prev [-] | | Why can’t the user enter the encryption passphrase in DSM, which is actually the default in LUKS and allowed in TrueNAS etc? The DSM itself lives in an unencrypted partition or volume. Applications with data in encrypted volumes will be inaccessible until the volumes are unlocked. As usual, there is an easy workaround. You can run a KMIP server in a docker container and set up an external keystore. Once synology allows you to proceed with volume encryption, you can discard the KMIP server if you want and use the recovery keys. |
| |
| ▲ | tecleandor 5 days ago | parent | prev | next [-] | | Ah, I forgot about that. I had to take the key out of the NAS too, to a different device. That made no sense at all. And almost all of the implementations of the key server you need cost thousands of dollars in licenses. Edit: what they deploy on their NAS is an old version of a testing implementation of the KMIP protocol. PyKMIP: https://github.com/OpenKMIP/PyKMIP | |
| ▲ | JTpe18 3 days ago | parent | prev | next [-] | | I understand Synology’s design approach. In enterprise environments, physical security - especially when systems are housed in ISO 27001–certified data centers—is relatively straightforward to achieve. The primary value of disk/volume encryption is actually for scenarios like end-of-life replacement, RMA, failure and disposal - even if someone later reconstructs the disk sectors, the bits remain unreadable. This is one layer of defense in depth, not a substitute for physical security. Synology also supports KMIP, which I see addressing two situations: 1. Data center key governance and media mobility - Multiple hosts (including spares) can use KMIP for centralized key management, improving the mobility of drives within the data center and reducing the operational cost of moving drives between machines. When decommissioning hardware, keys can be revoked directly in KMIP with an audit trail. 2. Edge/branch sites with weaker physical controls - By using KMIP, keys are kept in the more secure data center rather than on the edge device itself. The edge hardware stores no keys, so if an entire machine is stolen, it cannot be unlocked, preserving confidentiality. | |
| ▲ | cyberax 5 days ago | parent | prev | next [-] | | You can move out the key from the device using KMIP. I have an implementation that uses a Go-based service to store it in Nitrohsm. I'll clean it up and post a release announcement on Reddit... | | |
| ▲ | tecleandor 5 days ago | parent [-] | | That'd be great, as the PyKMIP implementation wasn't very intuitive... (Nor Synology docs...) | | |
| ▲ | cyberax 5 days ago | parent [-] | | Synology actually uses PyKMIP under the hood. They basically use it as a key-value storage for the encryption key, nothing advanced. I went down the rabbit hole and implemented the KMIP client and server, that pass the tests from OASIS. Sidenote: please, somebody nuke the OASIS from orbit. To be sure. |
|
| |
| ▲ | HighGoldstein 4 days ago | parent | prev | next [-] | | > but in what world would the drives, and not the NAS itself, be stolen? Not to defend Synology, but popping a drive out of the NAS so that it won't be noticed (or noticed much later) is a much easier way to steal data than carrying off the whole NAS. I assume they're guarding against the kind of scenario where an employee steals steals drives rather than ski-masked thieves breaching the office and making off with the NAS. | | | |
| ▲ | cyberpunk 5 days ago | parent | prev [-] | | maybe it has a kensington lock? | | |
| ▲ | layer8 5 days ago | parent [-] | | The drive bays also have individual locks, but neither would prevent a thief who knows what they are doing. | | |
|
|
|
| ▲ | kace91 5 days ago | parent | prev | next [-] |
| My main issue with their system is how closed it is. I got an issue where mind would randomly start writing disk like crazy and maxing cpu usage, to the point I was bothered by the noise. I’d stop all containers, leave it as close to idle as I could manage, still spiking. There was no way I could learn what was causing it. I would like to assume it was a disk maintenance process or something, but for all I know it could be mining bitcoin and I’d be none the wiser. It went on for some weeks then stopped. |
| |
| ▲ | nolok 5 days ago | parent | next [-] | | Ever since they added the "universal search" thingy, their NAS do that anytime they reach a decently large video file. Even if you turn down search indexing, media indexing, media thumbnails, ... It still kills itself with no throttling processing those files. May or may not be what you encountered, but had a customer caught by this and found out the hard way you can't stop it. My issue is not the processing, it's the throttling, it's so crazy how the entire NAS gets taken down for like ten minutes (and that was on a racked xeon model), no samba no nfs no nothing answering anymore. | | |
| ▲ | kace91 5 days ago | parent [-] | | That might be it, I use it for radarr/sonarr so there’s a good amount of large video files in there. And yes, the lack of trotting is an issue, since you can’t even reach an administration panel. When it’s bad even ssh struggles. |
| |
| ▲ | lostlogin 5 days ago | parent | prev | next [-] | | > writing disk like crazy and maxing cpu usage, to the point I was bothered by the noise. Mine is in the basement for this reason. When it’s still and quiet after midnight I can still hear it grinding away. God I hate the sound. | |
| ▲ | tetris11 5 days ago | parent | prev | next [-] | | There are guides on how to mainline Synology NAS's to run up-to-date debian on them https://forum.doozan.com/list.php | | |
| ▲ | jauntywundrkind 5 days ago | parent | next [-] | | People seem very attracted to Synology because it requires very little thought & effort. FWIW the new Ugreen NAS run Debian. I don't know a ton about it, but it's be great if they could stay a little more up to date. This Synology story with ancient forks & weird encryption sounds truly bogus. | | |
| ▲ | tetris11 5 days ago | parent | next [-] | | I'm attracted to them because you can find them secondhand on ebay for very cheap, and their power draw / performance ratio is quite decent compared to other systems. I will say that the Ugreen NAS seems to offer more performance for less watts, so it's definitely something I will keep an eye on in the future if it pops up on Ebay. > This Synology story with ancient forks & weird encryption sounds truly bogus. It's not. My Synology is running Linux kernel v4, and I opted to use their "SHR" RAID configuration and can confirm that it's some weird BTRFS variant that is likely deadlocked due to the kernel. The encrypted volumes I've made also look very much like the EcryptFS files I've been seeing on other setups. I'm currently in the process of mainlining it to kernel v6 to reap the better power and idle / hibernation rewards, as well as just using a standard Ext4 FS with updates | | |
| ▲ | ValentineC 4 days ago | parent [-] | | > It's not. My Synology is running Linux kernel v4, and I opted to use their "SHR" RAID configuration and can confirm that it's some weird BTRFS variant that is likely deadlocked due to the kernel. SHR is mostly MD-RAID and LVM, and works with ext4 too. |
| |
| ▲ | import 5 days ago | parent | prev [-] | | I have a Ugreen, just got the latest update runs on kernel 6.12 |
| |
| ▲ | layer8 5 days ago | parent | prev [-] | | If you want to run Debian instead of DSM, you have a much wider choice of NAS hardware than just Synology. |
| |
| ▲ | Kototama 5 days ago | parent | prev [-] | | You could activate the sshd service and log in to the NAS. |
|
|
| ▲ | finaard 4 days ago | parent | prev | next [-] |
| At a customer I ended up having to help one department running two Synology boxes as a side project. I came in with low expectations, and still was thoroughly disappointed. - one device died, was EOL at that point, and newer ones no longer can read the disks
- stupid limits for array size. Depending on your setup adding disks can mean "copy everything off, delete arrays, and then create new ones". Also, want one 200TB array with your disks? Depending on model size you'll have to do multiple arrays instead with a bit to way lower capacity
- syncing a share to another instance is broken, with pretty much no useful debug information. Already the setup is stupid (doesn't let you select which array it goes on the target machine), and then seems to change access permissions of the sync user on the target box (i.e., you can do one sync, after that you'll need to reset the access permissions). I wanted to avoid doing my own sync script, but seems I'll have to do that in the end
- stupid disk compatibility warnings (which currently you can disable when you have SSH access)
- wireguard only via third party addons. It's 2025. I didn't even check before if those things can do wireguard - it didn't occur to me that a device sold nowadays might not be able to do that. While debugging I also noticed that pretty much every software component is from the stone age. |
|
| ▲ | OptionOfT 5 days ago | parent | prev | next [-] |
| They also have this weird full disk encryption that doesn't validate that the boot partition is compromised, allowing exploits like this: https://forums.spacerex.co/t/bounty-first-person-to-share-ho... This breaks both the 'store key locally' and the KMIP setup. And for their file-based encryption you cannot change the password. You need to create a new folder with a new password and copy all files over. |
|
| ▲ | dansmith1919 5 days ago | parent | prev | next [-] |
| > A custom, non standard, self built, ACL system for the filesystem But don't you love it when companies invent their own security instead of using battle-tested open-source systems? |
|
| ▲ | 8fingerlouie 5 days ago | parent | prev | next [-] |
| > Multichannel CIFS/SMB) My DS918+ has multichannel SMB and possibly also parallel NFS. It only works if you have multiple NICs connected. Other than that, i completely agree. Their tech stack is horribly outdated, and while i understand their reasoning for not upgrading, there's a limit to how long you can do that. Their reasoning is that they know the software that's currently running, warts and all, and can better guarantee stability across millions of devices with fewer moving parts. |
| |
| ▲ | tecleandor 5 days ago | parent [-] | | I think multichannel works, but pNFS doesn't. But I also think I had another different feature in mind, I was just reciting by memory :P :) |
|
|
| ▲ | edem 5 days ago | parent | prev | next [-] |
| I have a DS 923+. These extremely old softwares you mentioned were always weird to me but everything worked fine so far. What I'm not happy about is the vendor lock in, and the abysmal virtualization / transcoding performance. I want a NAS that comes with a similar ease of use as the DSM, but can double down as a __very lightweight__ virtualization platform for my local test deployments and as a media PC that I can rely on. What would you suggest? |
| |
| ▲ | Marsymars 5 days ago | parent | next [-] | | I'd suggest separate systems for NAS and media serving. I've a Ryzen Embedded system with lost of RAM as my NAS box and a small Intel N-series based system as my Plex server that pulls media off the NAS box. | | |
| ▲ | benoau 5 days ago | parent [-] | | Yeah but these days you can easily have one system with 10 - 20 cores so you should be able to handle both workloads very well. | | |
| ▲ | Marsymars 5 days ago | parent [-] | | You can, but for media serving and transcoding you ideally want Intel Quick Sync, and it's simpler to have separate systems for your Quick Sync system and your "many cores" system. | | |
| ▲ | benoau 5 days ago | parent | next [-] | | Both of the CPUs you mention are low-power I don't think this a problem for slightly meatier processors unless you need the GPU or Quick Sync for multiple purposes? | | |
| ▲ | Marsymars 5 days ago | parent [-] | | Sure, you can get a meaty recent-gen Intel processor and get Quick Sync and plenty of cores, it just gives you awkward dependencies - you then a) can't get a non-Intel-based system without losing Quick Sync even if they're better value/performance/performance-per-watt and b) you can't upgrade your transcoding CPU without doing a whole new build of your meaty system, which is high-cost if you've got an especially meaty system. (You might want to upgrade your transcoding box to a newer generation processor that supports, say, AV1 encoding.) And FWIW my Ryzen Embedded system isn't especially low-power by design, it was just the most accessible way of getting ECC memory for me. |
| |
| ▲ | edem 5 days ago | parent | prev [-] | | What does Quick Sync do? I'm new to this. | | |
| ▲ | Marsymars 5 days ago | parent [-] | | It decodes and encodes video streams with very low power draw and CPU load, so you can transcode media in realtime if your player device doesn't support the media format in question or you have bandwidth limits out-of-home. Can do the same with various GPUs, but Quick Sync tends to be the lowest-power and most well-supported at the software level. |
|
|
|
| |
| ▲ | Mars008 5 days ago | parent | prev | next [-] | | How about miniPC + USB x bay enclosure? I'm thinking about it. Have 4 Synology NAS mostly as long offline storage. No problems with them in this role so far. | |
| ▲ | nh43215rgb 5 days ago | parent | prev [-] | | Truenas scale? |
|
|
| ▲ | jraph 5 days ago | parent | prev | next [-] |
| Why do they need to use an old Brtfs fork? What is missing in the mainline kernel for them? |
| |
| ▲ | ethersteeds 5 days ago | parent | next [-] | | As I understand it, they forked years ago when btrfs was very much not ready to be used for production NAS storage. Their value prop was they took it and added lots of their own special patches that they claimed made it highly dependable. Over time their advantage has eroded as upstream has caught up, to the point that it looks ridiculously out of date today. | | |
| ▲ | arp242 5 days ago | parent [-] | | And given they're using very old versions of everything, it just sounds like dysfunction and/or moribund development. |
| |
| ▲ | kalleboo 5 days ago | parent | prev [-] | | I don't know if this is the reason, but supposedly their btrfs fork contains a custom integration with mdraid/lvm so that when btrfs detects a bad block, it signals lvm to do a repair. This is their solution to avoid using btrfs raid5/6 which is still marked unstable. |
|
|
| ▲ | ffsm8 5 days ago | parent | prev [-] |
| You regret switching them from Synology to Trueness? Am I misunderstanding your final note? It's confusing me after the preceding displeasure wrt Synology |
| |
| ▲ | tecleandor 5 days ago | parent | next [-] | | I regret not pushing a bit more for deploying a custom storage solution with TrueNAS (or something similar) instead of Synology. All the TrueNAS devices I have are mine, not from my clients. They already had one Synology device, they don't have any IT employees on site, and I'd need to take a flight to go to their offices, so I thought that using another Synology device would be better for maintenance. They (and I) were also worried about the noise: it's an small office, and they needed at least 8*3.5" drives, and most of the decent solutions I found for 8 or more drives were big and noisy. The Jonsbo N5 appeared a bit later, that looks like a good candidate today. Now I found that all their applications are half done, they don't upgrade or fix them regularly, security-wise is a mess, and everything on the backend is super old... | |
| ▲ | happytoexplain 5 days ago | parent | prev [-] | | "This" in the last paragraph refers to the rest of the comment, not to the preceding sentence. |
|
