Every conversation on DSM encryption gets derailed by the response “well if someone has physical access to your NAS then they can do anything”. I know that, my threat model is not someone running off with my NAS.
The specific issue is RMA of failed drives within warranty and not having my data exposed to the next person who buys the refurbished disk or a hardware recycler.
If the hard drives are fully encrypted then the contents should be as good as random noise.
Where does DSM 7.2 store the encryption key? I don’t think the AMD cpu has a TPU?
Synology DS has its own internal flash for the init and graphical setup - are the keys stored there? If they are: that’s perfect.
So the official documentation on this is shaky at best (at least for share folder encryption)
I have seen people claim that the machine key is the same for each unit. But have not been able to validate that. I also have never seen an example of someone actually breaking it.
TL;DR I am not the expert on this, but probably good enough to stand up to your smash and grab thief, but probably not good enough to stand up to the NSA
So as long as you are in RAID5 (or SHR1 with 3 drives or more) it is impossible to recover data from any one drive as every chunk of data is striped across every drive.
DSM does create a RAID1 volume that is mirrored on every single drive in your RAID, so you could have some private information stored there that could be recovered, but for the most part its just mundane things.