You can move out the key from the device using KMIP. I have an implementation that uses a Go-based service to store it in Nitrohsm. I'll clean it up and post a release announcement on Reddit...

▲

tecleandor 5 days ago | parent [-]

That'd be great, as the PyKMIP implementation wasn't very intuitive... (Nor Synology docs...)

	▲	cyberax 5 days ago \| parent [-]
		Synology actually uses PyKMIP under the hood. They basically use it as a key-value storage for the encryption key, nothing advanced. I went down the rabbit hole and implemented the KMIP client and server, that pass the tests from OASIS. Sidenote: please, somebody nuke the OASIS from orbit. To be sure.