Volume Encryption + Memory Encryption

5
0
NAS
DS920+ planned
Operating system
  1. Windows
Mobile operating system
  1. Android
I'm glad to see that Synology will release volume encryption in DSM 7.2. The one large weakness volume encryption has, both on NAS and on computers, is that the encryption keys remain unencrypted in live memory and this can be extracted by a potential attacker.

To mitigate this, some systems have implemented memory encryption, or sometimes encryption of keys in memory. I know the DS923+ and the DS1522+ come with the AMD Ryzen R1600 embedded processor. This processor supports full memory encryption, but usually it has to be enabled in BIOS as it's deactivated by default.

Do any of you know if memory encryption can be enabled on the 1522+ or the 923+?

I think the memory is soldered to the DS920+, so memory encryption won't be needed on that device, even if the processor doesn't support memory encryption.

I asked Synology, but I got a response in an email that the Synology has an AES processor, so it's safe. And that was not what I was asking.

PS! If you're here to post the "hit him with the wrench" comic or talk about an unrealistic threat model, please refrain from commenting. It's not relevant to the question.
 
The one large weakness volume encryption has, both on NAS and on computers, is that the encryption keys remain unencrypted in live memory
Another serious gap is encryption of the OS and swap partitions where both personal data and metadata exist. I suspect that the coming "volume encryption" feature will not extend beyond the volume partition.

I wonder too if the performance hit, limitation on file names, as well as the impaired functionality of packages such as Snapshot Replication, will be overcome with "volume encryption". The history of Synology package development suggests that this feature will be highly touted, yet fall short of a true encryption solution for many... serviceable, but incomplete.
 
Another serious gap is encryption of the OS and swap partitions where both personal data and metadata exist. I suspect that the coming "volume encryption" feature will not extend beyond the volume partition.

I wonder too if the performance hit, limitation on file names, as well as the impaired functionality of packages such as Snapshot Replication, will be overcome with "volume encryption". The history of Synology package development suggests that this feature will be highly touted, yet fall short of a true encryption solution for many... serviceable, but incomplete.
As far as I have understood, they'll go for LUKS, which works very well on other NAS devices, like QNAP. LUKS has no restrictions on file name length and the performance loss is non-existent compared to folder-based encryption. You can still use folder-based encryption on a volume that is LUKS encrypted. This will be like a computer that has its volumes encrypted with BitLocker or VeraCrypt. Unless you restart it, it won't really affect you. Snapshots might be an issue though.
 
