Volume Encryption + Memory Encryption

[Laddmeister]

I'm glad to see that Synology will release volume encryption in DSM 7.2. The one large weakness volume encryption has, both on NAS and on computers, is that the encryption keys remain unencrypted in live memory and this can be extracted by an potential attacker.

To mitigate this some systems have implemented memory encryption, or some times encryption of keys in memory. I know the DS923+ and the DS1522+ comes with the AMD Ryzen R1600 embedded processor. This processor supports full memory encryption, but usually it has to be enabled in BIOS as its deactivated by default.

Do any of you know if memory encryption can be enabled on the 1522+ or the 923+?

I think the memory is solded to the DS920+, so memory enryption wont be needed on that device, even if the processor doesnt support memory encryption.

I asked Synology, but I got in an email a response that the Synology has AES-processor, so its safe. And that was not what I was asking.

PS! If you're here to post the "hit him with the wrench" comic or talk about unrealistic threat model, please refrain from commenting. Its not relevant to the question.

 

[Telos]

The one large weakness volume encryption has, both on NAS and on computers, is that the encryption keys remain unencrypted in live memory

Another serious gap is encryption of the OS and swap partitions where both personal data and metadata exist. I suspect that the coming "volume encryption" feature will not extend beyond the volume partition.

I wonder too if the performance hit, limitation on file names, as well as the impaired functionality of packages such as Snapshot Replication, will be overcome with "volume encryption". The history of Synology package development suggests that this feature will be highly touted, yet fall short of a true encryption solution for many... serviceable, but incomplete.

 

[Laddmeister]

Another serious gap is encryption of the OS and swap partitions where both personal data and metadata exist. I suspect that the coming "volume encryption" feature will not extend beyond the volume partition.

I wonder too if the performance hit, limitation on file names, as well as the impaired functionality of packages such as Snapshot Replication, will be overcome with "volume encryption". The history of Synology package development suggests that this feature will be highly touted, yet fall short of a true encryption solution for manu... serviceable, but incomplete.

As far as I have understood they'll go for LUKS which works very well on other NAS devices, like QNAP. LUKS has no restrictions on file name length and the performance loss is non-existing compared to folder based encryption. You can still use folder based encryption on a volume that is LUKS encrypted. This will be like a computer that has it's volumes encrypted with bitlocker or veracrypt. Unless you restart it, it wont really affect you. Snapshots might be an issue though.