Shank 5 days ago

The encryption is also broken. If you use encrypted shared folders, you have an arbitrary filename limit (https://kb.synology.com/en-ro/DSM/tutorial/File_folder_path_...). If you use volume encryption, your encryption key is stored on the NAS itself, which is capable of decrypting the data, unless you buy a second Synology NAS (https://blog.elcomsoft.com/2023/06/volume-encryption-in-syno...) to act as a key vault. Synology claims that volume encryption protects you if the storage drives are stolen, but in what world would the drives, and not the NAS itself, be stolen?

8fingerlouie 5 days ago | parent | next [-]

The filename limit comes from ecryptfs (https://www.ecryptfs.org/) which is what Synology uses for encrypted shared folders.

As for full disk encryption, you can select where to store the key, which may be on the NAS itself (rendering FDE more or less useless) or on a USB key or similar.
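As an added example (not from the thread or from Synology): a pre-migration scan that flags names too long for an eCryptfs-backed encrypted shared folder. It assumes the widely documented eCryptfs limit of 143 bytes per name when filename encryption is on; `find_long_names` and `demo` are hypothetical names, and the sample tree is constructed.

```python
import os
import tempfile

# Assumption: eCryptfs with filename encryption accepts at most 143 bytes
# (not characters) per path component before encryption.
ECRYPTFS_MAX_NAME_BYTES = 143


def find_long_names(root, limit=ECRYPTFS_MAX_NAME_BYTES):
    """Return sorted [(relative_path, name_bytes, excess_bytes)] for every
    file or directory under root whose own name exceeds `limit` bytes."""
    offenders = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            # os.fsencode yields the bytes stored on disk, so multi-byte
            # UTF-8 names are measured the way the filesystem sees them.
            size = len(os.fsencode(name))
            if size > limit:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                offenders.append((rel, size, size - limit))
    return sorted(offenders)


def demo():
    """Build a constructed sample tree in a temp dir and scan it."""
    samples = [
        "ok_" + "a" * 136 + ".txt",               # 143 bytes: fits
        os.path.join("sub", "b" * 140 + ".txt"),  # 144 bytes: 1 over
        "\u5831" * 47,                            # 47 CJK chars = 141 bytes: fits
        "\u5831" * 48,                            # 48 CJK chars = 144 bytes: 1 over
    ]
    with tempfile.TemporaryDirectory() as root:
        for rel in samples:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return find_long_names(root)


if __name__ == "__main__":
    for rel, size, excess in demo():
        print(f"{size} bytes (+{excess}): {rel}")
```

Names are measured in bytes, so a 48-character CJK name is rejected even though a 143-character ASCII name is accepted.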

tecleandor 5 days ago | parent | next [-]

For full disk encryption you need DSM >= 7.2 and you can either store it locally (useless) or in a KMIP server. [0]

As a KMIP server you use:

  - Another Synology NAS with DSM >= 7.2
  - A KMIP compatible key server

Except for the demo implementation that Synology uses (PyKMIP), all the KMIP compatible servers I've found have licenses in the tens of thousands a year. So if anybody has any suggestions to substitute PyKMIP...

--

  0: https://kb.synology.com/en-global/DSM/tutorial/Which_models_support_encrypted_volumes

8fingerlouie 5 days ago | parent [-]

I remembered wrong. I’m fairly certain that Synology, at some point, allowed you to store the encryption vault on an external (USB) drive, but apparently not anymore.

MobileVet 5 days ago | parent [-]

You didn't remember wrong, I have mine stored on an external drive. I am using DS 6.x though

mtillman 5 days ago | parent | prev | next [-]

My disk station uploaded 54gb to synology servers the other day before I had my router block outbound. Trash product.

aborsy 5 days ago | parent | prev [-]

Why can’t the user enter the encryption passphrase in DSM, which is actually the default in LUKS and allowed in TrueNAS etc?

The DSM itself lives in an unencrypted partition or volume. Applications with data in encrypted volumes will be inaccessible until the volumes are unlocked.

As usual, there is an easy workaround. You can run a KMIP server in a Docker container and set up an external keystore. Once Synology allows you to proceed with volume encryption, you can discard the KMIP server if you want and use the recovery keys.

tecleandor 5 days ago | parent | prev | next [-]

Ah, I forgot about that. I had to take the key out of the NAS too, to a different device. That made no sense at all. And almost all of the implementations of the key server you need cost thousands of dollars in licenses.

Edit: what they deploy on their NAS is an old version of a testing implementation of the KMIP protocol. PyKMIP: https://github.com/OpenKMIP/PyKMIP

JTpe18 3 days ago | parent | prev | next [-]

I understand Synology’s design approach. In enterprise environments, physical security - especially when systems are housed in ISO 27001–certified data centers - is relatively straightforward to achieve.

The primary value of disk/volume encryption is actually for scenarios like end-of-life replacement, RMA, failure and disposal - even if someone later reconstructs the disk sectors, the bits remain unreadable. This is one layer of defense in depth, not a substitute for physical security.

Synology also supports KMIP, which I see addressing two situations:

1. Data center key governance and media mobility - Multiple hosts (including spares) can use KMIP for centralized key management, improving the mobility of drives within the data center and reducing the operational cost of moving drives between machines. When decommissioning hardware, keys can be revoked directly in KMIP with an audit trail.

2. Edge/branch sites with weaker physical controls - By using KMIP, keys are kept in the more secure data center rather than on the edge device itself. The edge hardware stores no keys, so if an entire machine is stolen, it cannot be unlocked, preserving confidentiality.

cyberax 5 days ago | parent | prev | next [-]

You can move out the key from the device using KMIP. I have an implementation that uses a Go-based service to store it in Nitrohsm. I'll clean it up and post a release announcement on Reddit...

tecleandor 5 days ago | parent [-]

That'd be great, as the PyKMIP implementation wasn't very intuitive... (Nor Synology docs...)

cyberax 5 days ago | parent [-]

Synology actually uses PyKMIP under the hood. They basically use it as a key-value storage for the encryption key, nothing advanced.

I went down the rabbit hole and implemented the KMIP client and server that pass the tests from OASIS.

Sidenote: please, somebody nuke the OASIS from orbit. To be sure.

HighGoldstein 4 days ago | parent | prev | next [-]

> but in what world would the drives, and not the NAS itself, be stolen?

Not to defend Synology, but popping a drive out of the NAS so that it won't be noticed (or noticed much later) is a much easier way to steal data than carrying off the whole NAS. I assume they're guarding against the kind of scenario where an employee steals drives rather than ski-masked thieves breaching the office and making off with the NAS.

tecleandor 4 days ago | parent [-]

But a single drive in a RAID is worth almost nothing.

cyberpunk 5 days ago | parent | prev [-]

maybe it has a kensington lock?

layer8 5 days ago | parent [-]

The drive bays also have individual locks, but neither would prevent a thief who knows what they are doing.

gog 5 days ago | parent [-]

Not on all of the models.