Synology Inc. Online Community Forum

[szczetyk]

Hello,
web gui after factory reset (installing same FW with same assistant) and bringing back saved settings to DS 2.3 beta cannot see previous shared folder as encrypted....
So the question is, how to mount encrypted folder from /volume1 to be usable in synology from bash (CLI)...
As far as I "investigated" encrypted folder source is always in /volume1 between "@something@", for exmaple /volume1/@torrent@ which is mounted to volume1/torrent when gui of DS works properly....
According to what "ps" command under shell shows, to mount is used /usr/syno/sbin/mount.ecryptfs and /usr/syno/sbin/ecryptfs-unwrap-passphrase which is used when there's a need to change login pass to passphrase to mount encrypted folder.... (if I understand it properly - please correct me when I'm wrong)
So, i tried many different things to do it under bussy box.... without success. I managed to mount to "proper" folder (without @ @) encrypted files after going through interactive procedure of mount.encryptfs. "mount -t ecryptfs...." doesn't work....
How to mount it manually (step by step) please... I have the passphrase and encrypted data untouched....

And showing the way how to un mount encrypted folder would also be interesting
Cheers.

Thank You very much.... for any answer.... problem solved by myself.....
Maybe it was placed in bad topic, but anyway ;/ not even a word of help ;>

[mrlb]

Hi Franklin,

I cannot seem to find a wiki or howto guide on the procedure to convert shared folders into encrypted ones.

I saw that one users has been doing it by CLI, but I am assuming that this could also be done in the GUI?

You you please advise how to perform this?

Thanks!

[mrlb]

Hi Franklin,

I cannot seem to find a wiki or howto guide on the procedure to convert shared folders into encrypted ones.

I saw that one users has been doing it by CLI, but I am assuming that this could also be done in the GUI?

You you please advise how to perform this?

Thanks!

I see from the synology 209+ demo that encryption features are in the shared folder module. My 207+ running DSM 2.3-1118 does not seem to have this functionality? Do I need to enable this somewhere?

[HarryPotter]

I see from the synology 209+ demo that encryption features are in the shared folder module. My 207+ running DSM 2.3-1118 does not seem to have this functionality? Do I need to enable this somewhere?

(2) Shared folder encryption is supported only on specific models: DS1010+, RS409+, RS409RP+, RS409, DS509+, DS409+, DS409, DS209+II, DS209+, DS209, DS109+, DS109, DS409slim, RS408, RS408-RP, DS508, and DS408.

[mrlb]

Thanks I must of overlooked this. Its a real shame Synology has left this feature out of the x07 but i suppose it doesn't have the CPU power encrypt/decrypt compared to the higher models *sigh*...

[enderzero]

Can you please confirm - does the 2.3's share level AES encryption NOT work on the 110j/210j?

Those models are not on that list above but I cannot find that info anywhere else on the site.

I was planning on buying a 210j today but might go with something else without this feature. Thanks.

[vm.franklin]

Greetings enderzero

Yes, encryption is supported on the DS210j, provided that you use firmware DSM 2.3-1139, as noted here.

[enderzero]

Thanks Franklin, Looking forward to my 210j's arrival.

[synologyey]

Scenario.

Currently, if a hard drive is removed from the diskstation, it can be read on a windows pc using ext3 drivers and data retrieved. This would be useful in case the synology diskstation breaks down although data is not secure.

With encrypted shared folders, is there anyway to mount a encrypted folder outside of the diskstation via direct connect to a windows PC similar to above. This would then still allow retrieval of encrypted data if the diskstation were to break down.

Truecrypt has the advantage that containers can be mounted and data retrieved outside of the diskstation.

thx

[Boing]

My question is..

Could you guarantee that you have not implemented master-keys which would/could give investigation services access to encrypted drives?

.. Is the encryption system absolutely secure.. also against investigation services worldwide?

[vm.franklin]

@synologyey
Let me see if the data can be viewed from a Linux Machine - the probability of a Windows viewing ability is very limited or none.

@Boing
Encryption is not absolute - if you are being investigated by a legal state authority that was a warrant to look at your data - then they will deploy as much resources as necessary to break the encryption. The use of encryption is meant to deter/delay someone to look at your data - however, if they have the time and the resources to do so, encryption can be broken. While I'm not a legal expert - I believe if you're with holding a encrypted password to your data in front of a warrant - that can be construed as obstruction of justice...

Another thought is not to perform actions which could potentially attract the attention of the legal authorities...

[jlv]

Is this also valid for backup of encrypted share to Amazon S3?

Yes, files encrypted with the share-folder encryption will remain encrypted when sent to Amazon S3.

Hope this helps

I am unable to send to Amazon S3 any mounted encrypted share nor any file from a mounted encrypted share (of course I can send anything else)
The backup does not complete and yet triggers no error message as if the share was empty.
Any explanation?
The goal would be to store into Amazon S3 encrypted files with the capacity to read them only when restored inside the Synology encrypted share.
Any way to do it?

[vm.franklin]

@synologyey
Yes, encrypted data can be retrieved/decrypted on a traditional Linux (2.6.30/31/32) machine if you have your encryption key.

@jlv
You may wish to contact online support (and submit your kernel log) for further assistance, the links to do so are in my signature - a couple of suggestions for you
1. Make sure that your DiskStation has the time synced with a NTP server
2. Select the AWS server closest to your location
3. Please try generating new AWS keys to see if that resolves your error.

Hope this helps.

[Greysoldier]

...
Yes, encrypted data can be retrieved/decrypted on a traditional Linux (2.6.30/31/32) machine if you have your encryption key.
...

Hello franklin,

could you tell me please, what I need to do to decrypt the data on a Linux Machine?
Do I need a special program for the decryption?

Excuse me, but unfortunately I'm not a Linux specialist


Thank you!

[taylorhq]

could you tell me please, what I need to do to decrypt the data on a Linux Machine?
Do I need a special program for the decryption?

I was glad to see that encryption was supported in the recent synology firmware. But as I perform offsite backups to a non-synology server via rsync, I wanted to be sure that I could unencrypt my data, in case my synology box failed.

Synology shared folder encryption is based on ecryptfs. This provides an encryption layer over the existing file system. Recent linux kernels have support built-in. These are the steps I used to confirm that I could unencrypt data on a linux machine.

1) Prepare a linux machine, running a kernel that supports ecryptfs. I used Ubuntu 9.10.

2) Install support for ecryptfs. Default ubuntu install did not have it.

Code: Select all

apt-get install ecryptfs-utils

3) Copy the encrypted data from the synology box (synobox) to the linux machine...

Code: Select all

cd /home/steve
rsync -a synobox:/volume1/@crypttest@ .

4) Create a directory to act as a mount point for the decrypted data...

Code: Select all

mkdir /home/steve/crypttest

5) Mount the encrypted data...

Code: Select all

sudo mount -t ecryptfs /home/steve/@crypttest@ /home/steve/crypttest

(enter your passphrase - the one you entered when creating the shared folder on the synology box)
(select cipher 1=aes)
(select key bytes 2=32)
(select enable plaintext passthrough = n)
(select enable filename encryption = y)
(accept default FNEK Signature by pressing ENTER at prompt)
(choose 'yes' when asked if you would like to proceed with the mount)
(choose 'no' when asked if you would like to append signature to the cache file)

6) Change to your decrypted mount point to access your data...

Code: Select all

cd /home/steve/crypttest
ls -l

You can automate the mount by supplying the interactive choices as command line options, e.g.

Code: Select all

sudo mount -t ecryptfs /home/steve/@crypttest@ /home/steve/crypttest -o \
key=passphrase:passphrase_passwd=blahblah,ecryptfs_sig=6c6e2b8b7d94ce23, \
ecryptfs_fnek_sig=6c6e2b8b7d94ce23,ecryptfs_cipher=aes,ecryptfs_key_bytes=32, \
ecryptfs_passthrough=n,no_sig_cache,ecryptfs_enable_filename_crypto=y

(Put in all on one line without the \ characters if you like. I found that this forum system truncated the line, so I've split it up here.)

This is assuming a passphrase of 'blahblah'. The signature values for your mount command can be found by typing 'mount' at the command line after your first successful interactive mount. Look for the relevant entry and copy the signature strings from there. You will only have the same signature strings as me (6c6e2b8b7d94ce23) if you choose 'blahblah' as your passphrase!

Hope this helps someone.

I spent ages trying to get this working on older versions of linux. It's not worth the pain, in my opinion. But you will need CONFIG_KEYS enabled in your kernel build if you go down that route.

Steve