Synology volume encryption performance and security

by admin

With DSM 7.2, Synology is bringing an exciting feature to many of its NAS systems, the ability to encrypt entire storage volumes.

So far, Synology NAS systems have only been able to encrypt individual folders, but not the entire NAS. It was also not possible, for example, to store applications such as the NoteStation or the like in encrypted form, since they saved their data outside of the encryptable folders.

The encryption of complete volumes is even said to be 48% faster than the encryption of individual folders!

It sounds great! Let's take a look at how fast volume encryption really is and what needs to be considered here.

How does volume encryption work?

When you create a new storage volume on your NAS after updating to DSM 7.2, you will be given the choice of creating a normal volume or an encrypted volume.

If you choose the latter, you have to create a key, which is read automatically to mount the volume when the NAS boots up. You only need your encryption password if you change or reset your NAS.

Therefore, volume encryption is very convenient.

The test system

To test the encryption performance, I use the Synology DS1821+ in combination with 3x 4TB Samsung 870 SSDs and a 10Gbit network card.

The 3 SSDs are in an SHR array (RAID 5).

How fast is Synology's volume encryption?

To test the performance of the volume encryption, I copied two data packs to the NAS and downloaded them again via SMB.

- Data pack 1 – 1x large 25GB file
- Data pack 2 – 27K files, 25K folders, 30GB

Data pack 1 is pretty much the best case, with one large file. Data pack 2, on the other hand, is the absolute worst case with 27,000 small files.

We look at four situations:

- Unencrypted
- Volume encryption
- Folder encryption
- Volume and folder encryption combined (yes, it works)

Let's take a look at the optimal case first.

Exciting! Unencrypted, we get 1087 MB/s reading and 926 MB/s writing.

With volume encryption, we achieve almost the same result when reading, but drop to 676 MB/s when writing. However, 1064 MB/s and 676 MB/s are still very good, especially compared to folder encryption.

Folder encryption slows things down a notch more. We still get a decent 694 MB/s reading and a weaker 309 MB/s writing.

Interestingly, the double encryption reduces the speed again, but not so significantly. We still get 658 MB/s reading and 291 MB/s writing.

With many small files, the transfer speed drops to 40-50 MB/s. But here we see a similar picture. Unencrypted is the fastest, but volume encryption isn't much slower.

With folder encryption, the speed drops a little more.

How secure is volume encryption? (yeah)

You may have noticed something in my description of how volume encryption is set up.

Correct, the encryption password must be stored on the NAS (or on a separate "Key" Synology NAS). In addition, the encrypted drive is mounted automatically.

I think you see the problem: where is the password stored?

Correct, the encryption password is saved on a partition on the corresponding drive.

Here on Reddit you will find a complete guide to reading the key

Alternatively also here:

Currently, however, the Synology NAS is still required for this, but no other passwords. The encryption password appears to be secured by your user password (which can be reset with physical access to the NAS). However, this is also stored somewhere.

In theory, everything that is needed to fully decrypt the encrypted volumes is present on the respective drives.

So far, however, no one has succeeded in unbundling everything without the help of the original NAS.

Theoretically, however, according to all the information I have, volume encryption is absolutely vulnerable! If someone knows what he is looking at, it would be possible with enough effort to make things readable.

However, volume encryption makes access to the data more difficult and makes sense in principle, for example so that you can send drives back to the manufacturer for repair/exchange with a clear conscience.

Conclusion

Basically, I'm pleased that Synology finally offers full volume encryption. Until now, it was not possible to effectively encrypt the data of some applications such as NoteStation.

The volume encryption is fast and has hardly any disadvantages! In my test, it cost practically no performance when reading. Only when writing, the data rate dropped from 926 MB/s (unencrypted) to 676 MB/s, which is still significantly faster than the 309 MB/s of classic folder encryption.

In short, I see nothing that speaks against volume encryption. You can simply turn this on, it provides extra security and "costs" nothing.

How much more security volume encryption brings is debatable. Unless you use an additional Synology NAS as a "key server", the password for decryption is stored somewhat hidden on the encrypted drive.

With access to the NAS, it is therefore quite easy to read the key. But even without access to the NAS, there are theoretical possibilities for attack, in my opinion. But for this someone has to know pretty well what he is doing.

So if you are primarily concerned with protecting your data if you send your drives for repair/exchange, then volume encryption is a good choice.

If you want real data security, you still have to use folder encryption without automatic mounting after reboot. However, you can combine volume encryption and folder encryption with minimal performance difference.
