Encryption is applied to data at different time:
- In transit between known endpoints but when there is less trust in the medium through which the data is transported.
- In storage to protect from unauthorised disclosure.
The first case is what is applied when connecting across the Internet, say for passing personal data to a website. This protection is only when the data is passing the two ingress/egress points of the secure connection, beyond these points the data could be in clear or may be have other protections to secure it. For instance, you may make a purchase from an online retailer that uses a secure website, but this only secures data between the browser and webserver. There is no guarantee that the internal servers that the webserver uses to store content and our purchase information will have data transferred securely to them.
The second case is to add further electronic protection to any authentication and access controls already in place, in the case where physical access is gained to the storage devices. In general, most data isn't of a private nature so using full disk encryption may not be required, and a more focused approach can be used for a selected dataset. However, full disk encryption would mask where the interesting data is.
Given that most attacks will be electronic in nature then ensuring that strong mechanisms are used to for authenticating access requests, limiting access anc controlling what is accessible, and strongly encrypting connections should be the first concern. This means:
- Setting up remote access (SSL-VPN and OpenVPN, then L2TP/IPsec) with strong passwords and 2 factor authentication (DSM supports this for user accounts).
- Limiting who can connect using remote access.
- For any Internet accessible services, including remote access, if possible, limit regional accessibility
- Limit the accessible services that are available from the Internet.
- Only permit secure connections to these services.
- Don't permit direct access to the main DSM/SRM web portal, these can used by remote access.
- At least, limit admin accounts access from LAN side IPs.
Personally, I encrypt stored data that I need secured and not, say, the iTunes media library. I've three WD MyBook Studio drives that encrypt their data and their internal disks cannot be moved to another enclosure in the event of a MyBook power brick dying. The MyBook encryption key is hardware stored and not extractable, unlike on DSM ... so be very careful to keep any encryption keys safe when doing a full disk encryption.
Never, ever use a home Internet router/firewall's DMZ feature: if they have one, it usually punches a hole straight through from the Internet to a target device and most home users will not be capable of configuring that device to withstand probes and attacks.