So I’ve searched through the forums (as well as Synology’s) and can’t find a definitive explanation or solution to this situation. Being that full volume encryption is relatively new for Synology following DSM 7.2, my plan is as follows to get this running on a DS1621+ and stop dealing with the headache of Shared-folder based encryption and move off to more of a permissions based strategy.
Edit: Forgot to mention the system is already running DSM 7.2 Update 3.
Edit: Removed Step 2. Remove the SHA Pool with 2 drive fault tolerance & the only volume (Volume 1)
Step 3: Implies adding full volume encryption.
My plan is to
HyperBackup everything (Encrypted and non-encrypted Shared Folders & Apps) using using C2 Storage.
Factory Reset
Replace the SHA Pool config. as previously removed & volume 1
Restore from HyperBackup via C2 Storage. (Concerned around the restored files having to be decrypted.)
Hope the files and apps don’t break do to some bug or misguided thought process. (Synology has really been testing my confidence this past year.)
I would really love to hear all of your thoughts on this, attention to detail is appreciated. (I.E.) Am I missing or forgetting something, wouldn’t this break HyperBackup restoration, wouldn’t this affect the snapshots, current permissions layout, and date’s and time of current folders? Should I perform the factory reset?. How would you approach this? What would you do differently? Why would you do something different?
What I am missing in your plan is creating an encrypted volume, as per the title of your thread.
Also, what is the purpose of a factory reset? In case of such a reset, in step 3, you can skip step 2. I would skip the reset and leave the pool as is; remove and recreate the volume as an encrypted volume.
Do you have one backup only? I would not even consider this scenario without testing on a different system or use the experience of someone who has done something very similar.
Would it make sense to unencrypt the encrypted shared folder first as I assume you do not want to use them after the change.
Adding volume encryption would come in at step 3. As for step 2, I usually prefer to start from a clean slate when restoring from backups, but you’re right about step 2. Some of the tid-bits of information I have found suggest wiping out the pool instead of just the volume, and I’m not aware of the rational behind that. I have restored from hyperbackups prior but not to a encrypted volume with Synology. As far as encryption goes, shares and backups are client side encrypted before ever leaving the NAS with C2 Storage and I prefer to keep it that way due to some PII and common security practice standards. The goal is to create a simple solution, then hopefully a simple but detailed guide for this process. I suspect many others either have or are going to run into this scenario.
Apart from the details, you are after an overall process of migrating from a setup with encrypted shared folders to an encrypted volume.
Or is it the process of replacing a non-encrypted volume with an encrypted volume, where the current situation might have some encrypted shared folders, which may or may not get decrypted after the encrypted volume is established?
I am just trying to define the case, which I might give a run on a test-NAS that I have here. I even have C2 Storage space available to include in the test.
I did a small test where I backed up a shared folder to C2. Next, I removed the volume and created an encrypted volume. Last, I restored the backup. Result: successful.
Second test, where the second step was a factory reset. Created pool and encrypted volume and did a restore. Result: successful.
I dived more into the matter of volume encryption and shared folder encryption and found that key management for volume encryption is weak unless you have a KMIP server. You need another Synology NAS for that, which must also support volume encryption (not every model support KMIP).
I found a good blog post that covers the issues quite well: Volume Encryption in Synology DSM 7.2: LUKS with Questionable Key Management | ElcomSoft blog
I apologize for the late response, as I’ve been under the weather.
“Or is it the process of replacing a non-encrypted volume with an encrypted volume, where the current situation might have some encrypted shared folders, which may or may not get decrypted after the encrypted volume is established?”
This right here.
"I did a small test where I backed up a shared folder to C2. Next, I removed the volume and created an encrypted volume. Last, I restored the backup. Result: successful.
Second test, where the second step was a factory reset. Created pool and encrypted volume and did a restore. Result: successful."
Well that’s great! I’m glad to hear this came out successful. I’m about to perform a similar scenario with more test shares, apps, ext. and will report back with the results.