Knowledge Base

How to encrypt and decrypt shared folders on my Synology NAS

Overview

Data encryption has become an essential strategy for data security over the network. Encryption prevents sensitive data from getting hacked and misused by hackers for illegitimate purposes, and it also helps protect your computer from viruses and accompanying system vulnerabilities.

To keep your personal data secure and away from potential malicious users, DiskStation Manager (DSM) adopts an encryption technology called Advanced Encryption Standard (AES), by storing your data in an encrypted format with a set of encryption key. In addition, DSM provides share-level AES 256-bit encryption to block unauthorized access attempts.

This article will guide you through creating encrypted shared folders on your Synology NAS and remind you of important encryption issues.

What is AES?

Advanced Encryption Standard (AES) is a specification for the encryption of electronic data. AES has been adopted by the U.S. government since 2001 and is now widely used over the world. The algorithm implemented by AES is symmetric so that encrypting/decrypting requires the same encryption key. Without the key, the encrypted data is inaccessible to ensure information security.

Contents

  1. Before you start
  2. Create encrypted shared folders
  3. Arrange access privileges for users and groups
  4. Decrypt encrypted shared folders
  5. Troubleshooting

1. Before you start

This article assumes that you have done the following tasks for your Synology NAS:

  • Hardware installation for Synology NAS
  • Software installation for Synology DiskStation Manager (DSM, web-based operating system of Synology NAS)
  • Creating volumes and shared folders (See here)
  • Creating users with access privileges (See here)

Refer to Quick Installation Guide for more information about hardware and software installation. You can also see Synology NAS User's Guide (available at Synology's Download Center) for a general idea about topics related to this article.

Return to top

2. Create encrypted shared folders

As an administrator (DSM admin, or a DSM user belonging to the administrators group), you can encrypt a shared folder only when creating it.

Note:
  • You can only encrypt a shared folder when creating it. If a shared folder is created unencrypted, you cannot encrypt it afterward.
  • If a shared folder is created encrypted, you cannot reset it as an ordinary shared folder that allows key-less access.
  • We strongly suggest you export and save the encryption key for any encrypted shared folder.
  • Without the key, it is impossible to crack the encryption and access the data even if you remount the drives on other devices.
  1. Go to Control Panel > Shared Folder > Create > General, and do the following:
    • Tick Encrypt this shared folder, and enter the encryption key in the Encryption key and the Confirm key fields.
    • Tick Mount automatically on startup so that your Synology NAS will automatically mount the encrypted shared folder when it starts next time. By default, an encrypted shared folder will be unmounted automatically on startup for security reasons.
      • If you did not tick this option, next time your Synology NAS starts, you will need to click Mount (at Control Panel > Shared Folder > Encryption), and enter or import the encryption key to mount the folder for access.
      • If you ticked this option, you can select the target folder and click Unmount (at Control Panel > Shared Folder > Encryption) to unmount the folder, or Export key to save the encryption key.
      • Note:

        If an encrypted folder is unmounted, you cannot rename it, change its volume location, or choose it as a local backup destination.

  2. Click OK to confirm the settings of the newly-created shared folder.
  3. A pop-up warning message will remind you to save the encryption key. We strongly suggest you click Yes to keep the key handy.
  4. Save the encryption key by doing either of the following:
    • A pop-up dialog will ask you to open or save the encryption key after you click Yes. Click Save to save the key.
    • If you prefer to save the key later, you may go to Encryption to export the key.
Note:
  • The following system default shared folders cannot be encrypted: web, photo, music, video, surveillance, download, NetBackup.
  • Encrypted shared folders cannot be accessed via NFS, and will remove the previously set NFS rules if there is any.

3. Arrange access privileges for users and groups

To edit users' or groups' access privileges to the encrypted folder, go to Control Panel > Shared Folder, select the encrypted folder, and click Edit.

  1. Click Permissions, and select any of the following from the drop-down menu:
    • System internal user: Anonymous FTP/WebDAV users. You can allow anonymous FTP/WebDAV users access to a shared folder here. For more information about anonymous FTP/WebDAV, consult Synology NAS User's Guide (available at Synology's Download Center).
    • Local users: Synology NAS users (including guest). Consult Synology NAS User's Guide for more information.
    • Local groups: Synology NAS groups (Two groups are created by default: administrators and users). Consult Synology NAS User's Guide for more information.
  2. Arrange access privileges for the users or groups:
    • Read only: Allow the user or group to view the shared folder content.
    • Read/Write: Allow the user or group to view and change the shared folder content.
    • No access: Deny the user or group any access to the shared folder content.
    Note:
    • In case of privilege conflicts, the privilege priority is ranked as follows: No access > Read/Write > Read only.
    • When you create a new shared folder, if the access privilege of admin (or a user belonging to the administrators group) to the folder is set as No access, then admin (or the user belonging to the administrators group) will only be able to see the folder by going to Control Panel > Shared Folder.
  3. Click Advanced for the following options:
    • Disable directory browsing
    • Disable modification of existing files
    • Disable file downloading
  4. Click OK.

4. Decrypt encrypted shared folders

If the encrypted shared folder for access is unmounted, please do the following:

  1. Go to Control Panel > Shared Folder, and click the encrypted shared folder.
  2. Click Encryption > Mount to mount the folder.
  3. Enter or import the encryption key.
  4. Click OK.

Return to top

5. Troubleshooting

  • Why can't I see my encrypted shared folders after my Synology NAS starts up?
  • Go to Control Panel > Shared Folder > Create > General, and check if you ticked Mount automatically on startup. If not, encrypted shared folders will not be mounted automatically on startup to block all access. You will need to manually mount the encrypted folders by entering or importing the encryption key for access.

    You may refer to Create encrypted shared folders for more detailed instructions.

  • Why do file transfer speeds become slower when the shared folder is encrypted?
  • It is normal for encrypted shared folders to have slower file transfer speeds. Encryption can significantly increase the CPU workload and decrease the data transfer rate. For enhancement on throughput, you may desire a Synology NAS equipped with a hardware encryption engine:

    • To find an appropriate Synology NAS, visit Synology's official website and go to Home > Products > [Choose any Synology NAS model] > Specifications > Hardware Specifications.
    • To compare multiple models and their performances, visit Synology's official website and go to Home > Products > Compare Products.

  • Can I back up the encrypted shared folders on my Synology NAS and restore the data within the folders back again?
  • Yes.

    Note that these restored encrypted shared folders will be unmounted and will not be automatically mounted on startup. You will have to enter or import the encryption key to mount these folders again. Considering this backup/restore issue, we strongly suggest you export and save the key every time you create an encrypted shared folder. Otherwise, it will be impossible to access or restore the encrypted data without the key.

    You may refer to Create encrypted shared folders for more detailed instructions.

Return to top

Is this information useful for you? Yes No

Need technical support? Submit Support Form