DSM 2.3 folder encryption - how does it work ?

The much anticipated DSM 2.3 production release, with new features, such as easy volume management and storage with the Synology Hybrid RAID (SHR), AES-256 bit share level encryption to aid in protecting your sensitive data, backup to the cloud with Amazon S3 service, and so much more!

Re: DSM 2.3 folder encryption - how does it work ?

Postby abbe » Tue Mar 23, 2010 1:28 pm

I host a family photo album and would like to store the entire website encrypted. Thus, if the box gets stolen, a thief would not be able to watch all the personal pictures of friends and family.

This goes for both the Photo and Web system folder and the rest of the system folders as well.

I have tried to encrypt these, but it is apparently not an option. The button for encryption is greyed out. Could we please have this? I am aware I would get a performance penalty, but it would be so nice to have.

Are there any plans to develop this?

/abbe
abbe
Trainee
Posts: 15
Joined: Fri May 22, 2009 7:19 am

Re: DSM 2.3 folder encryption - how does it work ?

Postby abbe » Tue Mar 23, 2010 2:10 pm

BTW it is also needed, when users store personal data in their "home" folder.

I hope this is possible,

Cheers

/abbe
abbe
Trainee
Posts: 15
Joined: Fri May 22, 2009 7:19 am

Re: DSM 2.3 folder encryption - how does it work ?

Postby taylorhq » Tue Mar 23, 2010 2:14 pm

abbe wrote: I host a family photo album and would like to store the entire website encrypted. Thus, if the box gets stolen, a thief would not be able to watch all the personal pictures of friends and family.

This goes for both the Photo and Web system folder and the rest of the system folders as well.

I have tried to encrypt these, but it is apparently not an option. The button for encryption is greyed out. Could we please have this? I am aware I would get a performance penalty, but it would be so nice to have.

Are there any plans to develop this?

/abbe


I'm not party to Synology's plans, and agree that it would be nice to have the option to encrypt these 'special' folders.

One thing you could try, if you are comfortable with the unix command line. Create an encrypted folder called something like 'photox'. Then create a symbolic link under the 'photo' shared folder, which points to the encrypted folder. This may not be supported by Synology, and future firmware releases might break it, but it is worth a try.

Use the web interface to create a shared folder called 'photox' with encryption.
Do not automount it at startup - otherwise a potential thief will be able to read the data.
Login to the command line as root, and type the following...
Code:
cd /volume1/photo
ln -s /volume1/photox family


You will now see a folder underneath photo, called 'family'. Anything stored there will be encrypted.

I haven't tested this, as personally I don't use the photo album feature. But it's worth a try!

A nice touch is to unmount the encrypted folder, and then do 'touch /volume1/photox/this_folder_is_locked'. This creates a file in the directory which will be visible only when the encrypted folder is unmounted. That way, you'll never find the folder is empty and panic.

Please report back if this option works, as it might help others.

Steve
taylorhq
I'm New!
Posts: 5
Joined: Mon Mar 22, 2010 11:29 am
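
The lock-marker idea from the post above can be turned into a check that also catches files written into the mount point while the encrypted folder was unmounted; such files sit on disk unencrypted. This is an added example, not part of the original post: the function names and state labels are hypothetical, and it assumes the mount table has the /proc/mounts layout and that a mounted encrypted share appears there with type ecryptfs.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies an encrypted share's mount
# point using the marker file from the post and a /proc/mounts style table.
SENTINEL=this_folder_is_locked   # marker name suggested in the post

# Succeeds when DIR is listed as an ecryptfs mount point.
# Table fields: 1 = source, 2 = mount point, 3 = filesystem type.
is_unlocked() {
    awk -v d="$1" '$2 == d && $3 == "ecryptfs" { f = 1 } END { exit !f }' \
        "${2:-/proc/mounts}"
}

# Lists entries directly inside DIR other than the marker file.
stray_files() {
    find "$1" -mindepth 1 -maxdepth 1 ! -name "$SENTINEL"
}

# Prints: missing | unlocked | plaintext-leak | locked | no-marker
share_state() {
    dir=$1
    mounts=${2:-/proc/mounts}
    if [ ! -d "$dir" ]; then
        echo missing
    elif is_unlocked "$dir" "$mounts"; then
        echo unlocked            # marker is hidden underneath the mount
    elif [ -n "$(stray_files "$dir")" ]; then
        echo plaintext-leak      # files were written while nothing was mounted
    elif [ -e "$dir/$SENTINEL" ]; then
        echo locked
    else
        echo no-marker           # unmounted, and the marker was never created
    fi
}

# Usage on the NAS (path from the post): share_state /volume1/photox
```

Pass the directory without a trailing slash, since the mount table lists mount points that way.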

Re: DSM 2.3 folder encryption - how does it work ?

Postby aurelieng » Tue Mar 23, 2010 2:21 pm

To encrypt a shared folder, shouldn't you click on the "Edit" button to set the encryption, so that the encryption button becomes accessible ?
aurelieng
Trainee
Posts: 13
Joined: Mon Mar 15, 2010 10:24 am

Re: DSM 2.3 folder encryption - how does it work ?

Postby Greysoldier » Tue Mar 23, 2010 7:10 pm

@taylorhq

Thanks for the explanation - that's great :D
Greysoldier
I'm New!
Posts: 3
Joined: Wed Mar 17, 2010 10:36 am

Re: DSM 2.3 folder encryption - how does it work ?

Postby abbe » Thu Mar 25, 2010 8:18 am

@taylorhq

I tried your suggestion (great idea btw), but it doesn't work.

I created the encrypted folder webx.

I followed your procedure, and typed

cd /volume1/web
ln -s /volume1/webx webx
touch /volume1/webx/some_text_to_remind_me

It works beautifully via the command line, but I can't access the webx folder via samba or filestation. I can see the symbolic link when I try FTP, but I can't follow it. I get an error message, telling me, that webx isn't accessible.

I tried the same with the default share "photo", just to make sure, that it is not just the web folder, that gives me trouble. It is the same story with the "photo" folder.

I think the problem is, that a user accessing a system default share is chrooted to that dir to enhance security, I read about it somewhere too. The only way to get around that right now is as root via command line and I am not giving that to my web users :-)

Any other suggestions?

Cheers,

abbe
abbe
Trainee
Posts: 15
Joined: Fri May 22, 2009 7:19 am

Re: DSM 2.3 folder encryption - how does it work ?

Postby taylorhq » Thu Mar 25, 2010 5:24 pm

abbe wrote: I think the problem is, that a user accessing a system default share is chrooted to that dir to enhance security, I read about it somewhere too. The only way to get around that right now is as root via command line and I am not giving that to my web users :-)

Any other suggestions?

Cheers,

abbe


If your photo or web apps are running in a chroot jail, you'll need to mount the encrypted directory somewhere under the chrooted area, rather than via a symlink. Means doing it on the command line, rather than via the web control panel. Haven't got the command line to hand, but it will be similar to the one in my earlier post.

I'll try and run some tests and will report back if I have any luck. In the meantime, can you access the folder via the symlink through samba? I know that doesn't solve your problem, but I'd be interested to know if it works.
taylorhq
I'm New!
Posts: 5
Joined: Mon Mar 22, 2010 11:29 am

Re: DSM 2.3 folder encryption - how does it work ?

Postby abbe » Thu Mar 25, 2010 6:36 pm

Hi,

No, I can't via Samba either. The encrypted share shows up as a folder when I browse e.g. photo or web from the example above but when I try to access the folder I get a message telling me, that the resource is not available.
abbe
Trainee
Posts: 15
Joined: Fri May 22, 2009 7:19 am

Re: DSM 2.3 folder encryption - how does it work ?

Postby vm.franklin » Fri Mar 26, 2010 3:45 am

@aurelieng
You need to click on "edit" to convert a folder to have encrypted abilities

@abbe
Using symbolic links can or will result in system stability errors, or data loss, as they do not work well over SMB, AFP, or File Station. They are designed to work at the command line level only.
vm.franklin
Synology Inc
Posts: 374
Joined: Mon Oct 05, 2009 8:18 pm

Re: DSM 2.3 folder encryption - how does it work ?

Postby taylorhq » Mon Mar 29, 2010 9:41 am

vm.franklin wrote: Using symbolic links can or will result in system stability errors, or data loss, as they do not work well over SMB, AFP, or File Station. They are designed to work at the command line level only.


In theory you can tell Samba to follow symlinks. Specifying "follow symlinks=yes", "wide links=yes", "unix extensions=no" in /usr/syno/etc/smb.conf should work. But as vm.franklin says, it is not recommended. In any case, the Synology box will rebuild this file whenever you make changes to the shared folder settings, so you'd have to find a way of re-applying your changes.

In theory you can mount an encrypted folder in a subdirectory under an SMB share, by manually running the /usr/syno/sbin/mount.ecryptfs command. I managed to get this to work with a Windows client, but Mac clients give unpredictable write behaviour. The write succeeds, but reports an error. Something to do with the Synology custom extensions to Samba (SYNOEARename fails) which take care of indexing and thumbnails. Again, as vm.franklin says, it is not recommended.

So I would say, despite my suggestions earlier in this thread, that it is best to follow the Synology recipe for now. Keep your encrypted folders as separate shares and hope that Synology will add support for encrypted subdirectories in the future. For example, I'd like to be able to have a 'steve' samba share, with a 'finance' subdirectory that is encrypted. Encrypting the whole 'steve' share would put unnecessary load on the server. Having the finance directory as a separate share is a pain, but one that I can live with.

Of course, to maintain perspective here - support for the ecryptfs system is a great step forward and personally I find it much more convenient to centralise the encryption in the NAS and avoid the need for client-based solutions like Truecrypt. Well done Synology!
taylorhq
I'm New!
Posts: 5
Joined: Mon Mar 22, 2010 11:29 am
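
Because the box rebuilds smb.conf and the post above advises against the symlink settings, it helps to be able to audit which shares currently have them in effect: with wide links on, a symlink inside a share can lead clients outside that share's exported directory. This is an added example, not part of the original post or Synology's tooling: the function names are hypothetical, the sample config is constructed, and unset parameters are assumed to default to follow symlinks on, wide links off and unix extensions on, which may differ on a given DSM build.

```shell
#!/bin/sh
# Added example, not from the thread. Lists shares whose effective settings
# match the trio from the post: follow symlinks on, wide links on, and
# unix extensions off. Unset parameters fall back to assumed defaults.
risky_symlink_shares() {
    awk '
    # Samba ignores case and spaces in parameter names.
    function norm(s) { gsub(/[ \t\r]/, "", s); return tolower(s) }
    function on(v) { v = norm(v); return (v == "yes" || v == "true" || v == "1") }
    # Share value wins, then [global], then the assumed default.
    function eff(share, key, dflt) {
        if ((share, key) in val) return val[share, key]
        if (("global", key) in val) return val["global", key]
        return dflt
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    /^[ \t]*\[/ {
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*/, "", sec)
        sec = tolower(sec)
        if (sec != "global" && !seen[sec]++) shares[++n] = sec
        next
    }
    (eq = index($0, "=")) {
        val[sec, norm(substr($0, 1, eq - 1))] = on(substr($0, eq + 1))
    }
    END {
        for (i = 1; i <= n; i++) {
            s = shares[i]
            if (eff(s, "widelinks", 0) && eff(s, "followsymlinks", 1) &&
                !eff("global", "unixextensions", 1)) print s
        }
    }' "$1"
}

# Constructed sample, not a real DSM smb.conf.
constructed_conf() {
    cat <<'EOF'
[global]
    unix extensions = no
[photo]
    path = /volume1/photo
    wide links = yes
[web]
    path = /volume1/web
    Wide Links = No
EOF
}
```

On the NAS the file to check is the one named in the post, for example `risky_symlink_shares /usr/syno/etc/smb.conf`; any share name it prints is worth reviewing after each change to the shared folder settings.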

Re: DSM 2.3 folder encryption - how does it work ?

Postby abbe » Tue Mar 30, 2010 9:10 pm

I agree - this encryption feature rocks!

I am not sure if all the above applies to my initial problem - that the shares that the diskstation makes as default for the different services (web/photo) can't be encrypted right now.

I am only just familiar with linux and I don't know if my problem is connected with the sub-folder problem.

Does anyone know more about this?

@taylorhq

Thanks, you write great stuff.
abbe
Trainee
Posts: 15
Joined: Fri May 22, 2009 7:19 am

Re: DSM 2.3 folder encryption - how does it work ?

Postby drawbridge » Thu Apr 15, 2010 7:15 am

Just a comment, not a criticism, because I think the DiskStation encryption feature is great (especially with hardware encryption on some models) but it should be noted that it does not protect data from network sniffing since encryption/decryption takes place at the DiskStation. Achieving data protection both on the device, AND end-to-end through the network, requires encryption/decryption at the client-side (e.g., using TrueCrypt or other such software-based tool). Of course, a TrueCrypt file container can be used with DiskStation already, but it might be interesting if DiskStation would support a TrueCrypt disk container. Although using client-side encryption/decryption would solve the network sniffing problem (if you care about that) it also defeats the value of hardware-based encryption.
drawbridge
I'm New!
Posts: 3
Joined: Sun Mar 28, 2010 11:15 pm

Re: DSM 2.3 folder encryption - how does it work ?

Postby PolliSoft » Wed May 05, 2010 4:14 pm

Hi,

I would like to convert an unencrypted Share to an encrypted Share on one of my volumes. However, I get an "Operation failed because the available volume size is insufficient." even when the free space is almost 60% of the volume. I have only one share on the volume so far. What can I do to encrypt my Share?

/PolliSoft

Name Volume 2
Type RAID 0 (without data protection)
Status Normal
Capacity 3.58 TB
Used 1.5 TB
Available 2.08 TB
Disk Info
DS409 Disk 3 (1.82 TB), Disk 4 (1.82 TB)
PolliSoft
Trainee
Posts: 10
Joined: Wed Apr 14, 2010 5:47 pm
