Mittwoch, 29. Februar 2012

Encryption of the Synology DiskStation (how to decrypt)

To make things easier for me and saving time, I have bought a Synology DiskStation DS212 which should handle all backups jobs and also all of the network shares over smb, nfs, iscsci...

But because I'm a carefulness person I want to try the encryption more in detail before I store my Information and see that I will not able to uncrypt the content.

How the DiskStation handling encryption

The original content will be encrypted 1:1 which means for each file you will have a encrypted file.
But the filename is encrypted as well, so you will not be able to see which encrypted file has the content which you are looking for.

Original Content:

Encrypted Content:


As you can see on the file names it used the eCryptfs to encrypt the content on the Synology DiskStation.
Which also means, if you configure a external backup (e.g. HiDrive, rsync) for your files only the encrypted files will be transfered not the decrypted files.

How to decrypted the eCryptfs files ?

eCryptfs is a encrypted file system, at the moment there is no port for windows avalible.
So you need a linux machine, server, vserver or live CD to be able to decrypted the content.

After you have the files on a linux machine you need to install the package for e.g.
...
$ sudo aptitude install ecryptfs-utils
...

Create a new folder which is later needed as mountpoint for the Data for e.g.
...
$ mkdir decryted_content
...

Inilaize the filename decryption
...
$ ecryptfs-add-passphrase --fnek
...

Start the real decrypt process
...
$ sudo mount -t ecryptfs ECRYPTFS_FNEK_ENCRYPTED.FWbZV8QaPSicykbGpS4YE-rkkmvurJEHl21deUmV8nep5Fh2sqpTvpXto---/ decryted_content/
...

It will asked you some questions which you need to answer in the following way for the Synology DS212 with DSM 3.2.
...
Passphrase : Your Passphrase from the DS212
Select cipher : aes
Select key bytes : 32
Enable plaintext passthrough : n
Enable filename encryption : y
Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [xxx] to [/xxx/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : no
...

After this you will get a message if all is working fine:
...
Mounted eCryptfs
...

Now you can access the content over the decryted_content/ folder.

e.g.
...
ls -l decryted_content/*
insgesamt 5872
-rwxrwxrwx 1 ... 879394 29. Feb 14:33 Chrysanthemum.jpg
-rwxrwxrwx 1 ... 845941 29. Feb 14:33 Desert.jpg
drwxrwxrwx 2 ... 0 29. Feb 14:33 @eaDir
-rwxrwxrwx 1 ... 595284 29. Feb 14:33 Hydrangeas.jpg
-rwxrwxrwx 1 ... 775702 29. Feb 14:33 Jellyfish.jpg
-rwxrwxrwx 1 ... 780831 29. Feb 14:33 Koala.jpg
-rwxrwxrwx 1 ... 561276 29. Feb 14:33 Lighthouse.jpg
-rwxrwxrwx 1 ... 777835 29. Feb 14:33 Penguins.jpg
-rwxrwxrwx 1 ... 84480 29. Feb 14:33 Thumbs.db
-rwxrwxrwx 1 ... 620888 29. Feb 14:33 Tulips.jpg
...

Please make sure to unmount the folder if you don't need it any more, because the mount will not be unmounted if you logout of the linux system. (live systems are something else)

So from this side all is looking fine, as you can see on the screenshot below.



Some security advices
  • Even if you have an encrypted file system you should not auto mount the device on your DiskStation. Because if someone get the DiskStation or have pysical access over ssh or so he can read out the encryption key. ;)
  • Use a real Passphrase (a sentence which you can rember) not a Password (some weird characters) as encryption key
  • Make sure that if you share your encrypted folder that you use a strong Password for the access to this share
  • Try to limit the access to such a share over a firewall and a restricted access list

1 Kommentar:

  1. Hi Markus - apologies i found the answer here.

    http://robertcastle.com/2012/10/howto-recover-synology-encrypted-folders-in-linux/

    AntwortenLöschen