I've tried to dig up as much as I can on setup and use of shared folder encryption keys, and I'm still confused as my NAS isn't treating them as I expect from reading Synology's guidance as well as various posts here. Based on this thread: Synology NAS Encryption: Forensic Analysis of Synology NAS Devices by Elcomsoft, and these 2 Synology articles: How to encrypt and decrypt shared folders on my Synology NAS & Manage Keys of Encrypted Shared Folders, I set up an encrypted test folder, set a long "Encryption key" passphrase for it, set up the Key Store location as a USB stick with another Passphrase for that (not System Partition), after which it downloaded an encryption "key" file to my computer. Isn't this key file what's supposed to be stored on the USB stick? Why did it choose to download another copy to my computer?
My understanding was that with this setup, and ideally for the most secure system, because I did not use the System Partition, I would need to have 3 things to decrypt that folder (based on what Oleg said in the post above) 1: the HD, 2: the USB stick, 3: the passphrase (I'm guessing that means the first Passphrase specific to that folder labeled Encryption key, not the second Passphrase labeled Passphrase when I set up the Key Store location.
But when I remove the USB stick, restart the NAS (complete power off then power on), I'm able to decrypt that folder simply by providing the folder passphrase, no need for the USB key. Is it still using the system partition somehow for this folder key? If so how do I remove it and force it to need the USB key? If I go into Shared Folder > Action > Key Manager, the Shared Folder dropdown says "System Partition" as the only option when I don't have the USB stick inserted.
If I do have the USB stick inserted, going to Key Manager requires a Passphrase, after which it lists my encrypted test folder. Going to Configure shows that the Key store location for that folder is the USB stick.
I'm thoroughly confused, I'm certainly missing something on how this is supposed to work.
Appreciate any guidance.
My understanding was that with this setup, and ideally for the most secure system, because I did not use the System Partition, I would need to have 3 things to decrypt that folder (based on what Oleg said in the post above) 1: the HD, 2: the USB stick, 3: the passphrase (I'm guessing that means the first Passphrase specific to that folder labeled Encryption key, not the second Passphrase labeled Passphrase when I set up the Key Store location.
But when I remove the USB stick, restart the NAS (complete power off then power on), I'm able to decrypt that folder simply by providing the folder passphrase, no need for the USB key. Is it still using the system partition somehow for this folder key? If so how do I remove it and force it to need the USB key? If I go into Shared Folder > Action > Key Manager, the Shared Folder dropdown says "System Partition" as the only option when I don't have the USB stick inserted.
If I do have the USB stick inserted, going to Key Manager requires a Passphrase, after which it lists my encrypted test folder. Going to Configure shows that the Key store location for that folder is the USB stick.
I'm thoroughly confused, I'm certainly missing something on how this is supposed to work.
Appreciate any guidance.