Knowledge Base

How to encrypt shared folders on Synology NAS

Overview

In today's world, where much of our personal information and many of our financial transactions are processed over the Internet, data encryption is an essential element of any computer security system. One reason encryption matters is that data sent over the Internet has a high chance of being hacked. If the hacked data happens to contain personal information, hackers can misuse it to commit crimes, and you will become a criminal without having done anything wrong. Another reason is that data encryption helps protect your computer from viruses. If your computer becomes infected with a virus, any other computer in your office or home can easily be infected as well.

To guard yourself against things like identity theft and virus attacks, it is important to keep your personal data secure and make it inaccessible to anyone who would like to take advantage of it for illegitimate purposes. In this regard, Synology NAS offers you a security solution for data protection. DiskStation Manager (DSM) adopts an encryption technique called Advanced Encryption Standard (AES) to ensure the security of your information by storing it in an encrypted format with an encryption key. Among the different encryption key sizes, DSM provides share-level AES 256-bit encryption to block off unauthorized access attempts.

This article will guide you through the steps to create and encrypt shared folders on your Synology NAS.

What is AES?

Advanced Encryption Standard (AES) is a specification for the encryption of electronic data. It was adopted by the U.S. government in 2001 and is now widely used around the world. AES is a symmetric algorithm, which means that the same encryption key is used both to encrypt and to decrypt a set of data. Without the key, the encrypted data is inaccessible, which helps enhance the level of information protection.

Contents

  1. Before you start
  2. Encrypt shared folders
  3. Troubleshooting

1. Before you start

This article assumes that you have done the following tasks for your DiskStation:

  • Hardware installation for Synology DiskStation
  • Software installation for Synology DiskStation Manager (DSM, web-based operating system of DiskStation)
  • Creating volumes and shared folders (See here)
  • Creating users with access privileges (See here)

Refer to the Quick Installation Guide for more information about hardware and software installation. You can also see the Synology DiskStation User's Guide (available at Synology's Download Center) for a general idea about topics related to this article.


2. Encrypt shared folders

Encryption is a way to enhance the security of a folder or file by scrambling the contents so that it can be read only by someone who has the right encryption key to unscramble it. After creating shared folders on DiskStation, you as an administrator (DSM admin, or a DSM user belonging to the administrators group) may want to encrypt some folders to prevent them from being accessed for security reasons.

AES 256-bit encryption can block off all unauthorized access attempts. Without the encryption key, other people will not be able to use the encrypted data even if they remove the hard drives from your Synology DiskStation and mount them on their own device.

This section explains how to encrypt shared folders and then assign access privileges to users for the data within the shared folders.

To encrypt shared folders and assign access privileges on your DiskStation:

  1. At Main Menu > Control Panel > Shared Folder, once you have filled in the name and description for the new shared folder and selected the volume where the folder will be created, do the following:
    • Tick Encrypt this shared folder in the window that appears, enter the encryption key in the Encryption key field, and enter the same key again in the Confirm key field.
    • Tick Mount automatically on startup to mount the encrypted folder automatically the next time Synology DiskStation starts up. By default, encrypted shared folders are unmounted automatically on startup for security reasons.
      • If you did not tick Mount automatically on startup, next time your DiskStation starts, you will need to choose Mount from the Encryption drop-down menu, and then enter or import the encryption key to mount the folder for access.
      • If you ticked Mount automatically on startup, you can choose Unmount from the Encryption drop-down menu to unmount the folder, or Export key to save the encryption key.
      • Note: If an encrypted folder is unmounted, you cannot rename it, change its volume location, or choose it as local backup destination.
  2. Click OK to confirm the settings of the newly-created shared folder.
     Note:
    • The following built-in shared folders are not allowed for encryption since they are associated with system services: web, photo, music, video, surveillance, download, NetBackup.
    • Encrypted shared folders cannot be accessed via NFS. If you encrypt a shared folder containing NFS rules, they will be removed.
  3. A warning message will appear to notify you of the importance of saving the encryption key. Click Yes to continue with the encryption process.
     Note: It is strongly suggested you export and save the key. Otherwise, you will never be able to access your encrypted data if you lose or forget the key.
  4. Save the encryption key by doing one of the following:
    • A dialog will pop up asking you to open or save the encryption key after you click Yes to agree to the encryption process. Click Save to save the key.
    • If you prefer to save the key later, you may go to the Encryption drop-down menu to export the key.
  5. Edit users' or groups' access privileges to the encrypted folder in the Edit window that appears along with the dialog bar. You can also allow or deny users' or groups' access to the other folders by clicking Privileges Setup at Main Menu > Control Panel > Shared Folder.
    • Click the Privilege Setup tab, and select any of the following from the drop-down menu:
      • System Internal user: Anonymous FTP user. Before allowing anonymous FTP users to connect to a shared folder, you need to allow their access to the folder first. For more information about anonymous FTP, see "Manage FTP Security Settings" on Page 68 of Synology DiskStation User's Guide (available at Synology's Download Center).
      • Local users: Synology DiskStation users (including guest). See "Create and Edit Users" on Page 53 of Synology DiskStation User's Guide for more information
      • Local groups: Synology DiskStation groups (Two groups are created by default: administrators and users.). See "Create and Edit Groups" on Page 56 of Synology DiskStation User's Guide for more information.
    • Tick or uncheck the following privileges to assign access privileges for the users or groups:
      • Read only: The user or group can access the files and subfolders in the shared folder, but cannot make changes to them.
      • Read/Write: The user or group can access and make changes to the files and subfolders in the shared folder.
      • No access: The user or group cannot access the files and subfolders in the shared folder.
      • Note:
        • When you encounter privilege conflicts, the privilege priority is as follows: No access > Read/Write > Read only.
        • When you create a new shared folder, if the access privilege of admin (or a user belonging to the administrators group) to the folder is set as No access, then admin (or the user belonging to the administrators group) will only be able to see the folder by going to Main Menu > Control Panel > Shared Folder.
    • Click the Advanced privileges tab if you want to do any of the following:
      • Disable directory browsing
      • Disable modification of existing files
      • Disable file downloading
    • Click OK.
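
The privilege priority in the note above (No access > Read/Write > Read only) can be checked before you assign privileges to an encrypted folder. The following Python is an added example, not Synology code: it assumes conflicts arise between a user's own entry and the entries of groups the user belongs to, and every function name, user, group and assignment in it is constructed for illustration.

```python
# Added example (not Synology code): effective shared-folder privilege under
# the priority rule No access > Read/Write > Read only.
PRIORITY = {"No access": 3, "Read/Write": 2, "Read only": 1}

def effective_privilege(user, groups, acl):
    """Return (privilege, deciding_principal) for `user` on one shared folder.

    `acl` maps a principal ("user:alice", "group:users") to a privilege.
    Returns (None, None) when nothing is assigned (assumption: the article
    does not say what an unassigned user or group gets).
    """
    principals = [f"user:{user}"] + [f"group:{g}" for g in groups]
    matches = [(acl[p], p) for p in principals if p in acl]
    if not matches:
        return None, None
    # The highest-priority entry wins, whether it came from the user's own
    # entry or from one of the user's groups.
    return max(matches, key=lambda m: PRIORITY[m[0]])

def audit(acl, memberships):
    """List users whose own entry differs from their effective privilege."""
    findings = []
    for user, groups in sorted(memberships.items()):
        priv, source = effective_privilege(user, groups, acl)
        direct = acl.get(f"user:{user}")
        if direct is not None and direct != priv:
            findings.append((user, direct, priv, source))
    return findings

# Constructed sample data for one encrypted shared folder.
SAMPLE_ACL = {
    "group:users": "Read/Write",
    "group:contractors": "No access",
    "user:alice": "Read only",
    "user:bob": "Read/Write",
    "user:carol": "Read only",
}
SAMPLE_MEMBERS = {
    "alice": ["users"],                # Read only entry, but group grants Read/Write
    "bob": ["users", "contractors"],   # any No access entry overrides the rest
    "carol": [],
    "dave": ["guests"],                # no matching entry at all
}

if __name__ == "__main__":
    for user, direct, priv, source in audit(SAMPLE_ACL, SAMPLE_MEMBERS):
        print(f"{user}: own entry={direct!r}, effective={priv!r} via {source}")
```

Because Read/Write outranks Read only, giving a user a Read only entry does not restrict them if one of their groups has Read/Write; only No access does.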


3. Troubleshooting

  • Why can't I see my encrypted shared folders after my Synology NAS starts up?
  • Check whether you ticked Mount automatically on startup at Main Menu > Control Panel > Shared Folder > Create > Shared Folder Info when you last logged in to your DiskStation to create an encrypted shared folder. By default, encrypted shared folders are unmounted automatically on startup to block access over all protocols. Therefore, if you did not tick Mount automatically on startup, you will need to mount the encrypted folder(s) manually by entering or importing the encryption key for access.

    You may refer to Encrypt shared folders for more detailed instructions.

  • Why do file transfer speeds become slower when the shared folder is encrypted?
  • It is normal for file transfer speeds of encrypted shared folders to be slower because encryption can significantly increase the load on the CPU and decrease the data transfer rate of the encrypted folder. If you are looking for better performance, you may want to look for a DiskStation equipped with a hardware encryption engine, which considerably improves throughput. You may visit Synology's official website, go to Home > Products > [Choose any DiskStation model] > Specifications > Hardware to check which DiskStation models support a hardware encryption engine, and then go to Home > Products > Performance to compare the performance figures of the various model series.

  • Can I back up the encrypted shared folders on my Synology NAS and restore the data within the folders back again?
  • Yes, but after restoring the encrypted shared folder(s) back to your DiskStation, the folder(s) will become unmounted and will not be automatically mounted on startup. You will be required to enter or import the encryption key to have the encrypted shared folder(s) mounted. Therefore, it is imperative that you export and save the key every time you create an encrypted shared folder. Otherwise, you will never be able to access your encrypted data, let alone restore it, if you lose or forget the key.

    You may refer to Encrypt shared folders for more detailed instructions.
