What happens with my encrypted files on Synology when it is stolen?

9

3

I have a Synology NAS. It has the possibility to encrypt folders. I have enabled it via the web interface. But one of the reasons for actually encrypting these files is that they should be protected even if someone steals my NAS. I have mounted the drive on the NAS via the web interface.

What happens when the power is cut and the NAS boots again? Is the folder automatically mounted again? Is the key stored in volatile memory, in flash memory or on the hard disk? If it is stored in volatile memory there should be no risk at all.

Compare it to an iPhone. If you enable screen lock, the key is thrown away when activated.

Johan Karlsson

Posted 2013-02-15T21:18:04.090

Reputation: 275

Mounted where? On the NAS itself or on your computer? – terdon – 2013-02-15T21:56:19.317

I have tried to clarify the question. I am worried about when the folder is mounted on the NAS and it gets stolen. – Johan Karlsson – 2013-02-17T18:13:36.667

1 Why don't you just reboot your NAS and see if it mounts? – terdon – 2013-02-18T14:10:43.177

@terdon I have no real explanation why I did not try this from the beginning. But now I have. It seems that the mount done on the NAS survives a re-boot. This is not exactly what I hoped for. – Johan Karlsson – 2013-02-25T13:14:23.513

1 Have a look at the NAS's /etc/fstab file, find the entry for the relevant drive and remove the auto option if present. It might be a good idea to post the fstab here so we can have a look. – terdon – 2013-02-25T18:14:08.413

Answers

11

At least with DSM 4.2, there is an option on the share dialog called "Mount automatically on startup." Make sure this option is unticked and if your NAS is disconnected (and stolen), it requires you to enter the password in the web interface to decrypt.

See http://www.synology.com/support/tutorials_show.php?q_id=455

user231143

Posted 2013-02-15T21:18:04.090

Reputation: 126

This works like a charm :) – Johan Karlsson – 2013-09-09T09:13:07.787
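Added example, not part of the original answers: a shell check to run over SSH after a cold boot, confirming that no encrypted folder came back unlocked, together with the /etc/fstab check suggested in the comments. It assumes encrypted folders appear with filesystem type ecryptfs in /proc/mounts; the function names, paths and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Assumption: an unlocked encrypted folder is an "ecryptfs" entry in a
# /proc/mounts-style table (fields: source mountpoint fstype options ...).

# Read a mount table on stdin; print "mountpoint <- source" per eCryptfs mount.
list_ecryptfs_mounts() {
    awk '$3 == "ecryptfs" { print $2 " <- " $1 }'
}

# Read an fstab on stdin; print mountpoints of eCryptfs entries that would be
# mounted at boot, i.e. whose options do not include "noauto".
list_fstab_automount() {
    awk '$1 !~ /^#/ && $3 == "ecryptfs" && ("," $4 ",") !~ /,noauto,/ { print $2 }'
}

# Return 0 if no encrypted folder is mounted, 1 if any came back unlocked.
check_locked_after_boot() {
    found=$(list_ecryptfs_mounts)
    if [ -n "$found" ]; then
        printf 'UNLOCKED after boot:\n%s\n' "$found"
        return 1
    fi
    echo "OK: no eCryptfs folder is mounted"
    return 0
}

# Constructed sample mount table: one plain volume, one unlocked share.
sample_mounts() {
    cat <<'EOF'
/dev/vg1/volume_1 /volume1 ext4 rw,relatime 0 0
/volume1/@private@ /volume1/private ecryptfs rw,relatime,ecryptfs_cipher=aes 0 0
EOF
}

# Constructed sample fstab: /mnt/a mounts at boot, /mnt/b waits for the user.
sample_fstab() {
    cat <<'EOF'
# constructed example entries
/srv/.a /mnt/a ecryptfs defaults 0 0
/srv/.b /mnt/b ecryptfs noauto,user 0 0
EOF
}

# Demo on the constructed data. On a real system, after a power cycle:
#   check_locked_after_boot < /proc/mounts
sample_mounts | check_locked_after_boot || true
sample_fstab | list_fstab_automount
```

A non-zero return from check_locked_after_boot right after a power cycle means the key was available to the device at boot, which is the situation the question is worried about.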

1

What happens with my encrypted files on Synology when it is stolen?

The lack of full drive encryption makes the Synology solution unsafe (and slow, as ecryptfs benchmarks prove). The attacker will simply collect the hard drive and harvest tons of unencrypted data: configuration, metadata, all emails (MailPlus share can NOT be encrypted), and the copies of your documents from the Synology Drive folder. Furthermore, passwords are often stored in plaintext (e.g. MailPlus/@local/GUID/GUID/.SYNOMC/fetch files), which could lead to additional access to online email/groupware resources, potential identity theft, stalking, credit card fraud, etc.

What happens with my encrypted files on Synology when it is stolen and booted again?

There's no reason for an adversary to boot if the device is acquired physically, to fight the ownership and permissions of the live filesystem and authentication of the operating system. But still, as the system loads and starts sharing services, it could leak data to a new network. To postpone mounting of encrypted folders, you keep keys separately from the system:

1) keep the keyphrase in your brain and avoid the key manager
2) use the key manager but relocate keyfiles to the USB flash drive, which can be plugged in all of the time, as Synology will eject it automatically using the '[x] Eject device after boot' checkbox.

Furthermore, a special USB flash drive could be encrypted by a fingerprint (normally I'd add one more layer, and double encrypt, but this is possible on workstations with TPM and automatic unlock, not on Synology).

user533385

Posted 2013-02-15T21:18:04.090

Reputation: 11