JTpe18 3 days ago

I understand Synology’s design approach. In enterprise environments, physical security, especially when systems are housed in ISO 27001–certified data centers, is relatively straightforward to achieve.

The primary value of disk/volume encryption is actually for scenarios like end-of-life replacement, RMA, failure and disposal - even if someone later reconstructs the disk sectors, the bits remain unreadable. This is one layer of defense in depth, not a substitute for physical security.

Synology also supports KMIP, which I see addressing two situations:

1. Data center key governance and media mobility - Multiple hosts (including spares) can use KMIP for centralized key management, improving the mobility of drives within the data center and reducing the operational cost of moving drives between machines. When decommissioning hardware, keys can be revoked directly in KMIP with an audit trail.

2. Edge/branch sites with weaker physical controls - By using KMIP, keys are kept in the more secure data center rather than on the edge device itself. The edge hardware stores no keys, so if an entire machine is stolen, it cannot be unlocked, preserving confidentiality.