Force re-entering of volume encryption key

Hi,

I have installed my Synology 1522+ with 4 HDD-s and enabled volume encryption. At that point I got the rkey file. Later, when I performed a soft reset (synodsdefault --reset-config) the system required me to reenter the volume encryption key (this is the behavior I have expected). Unfortunately, this procedure changes other configs that you have to change back manually later.
I have tried to disable the Encryption vault (Storage manager → Storage → Global settings → Encryption key vault → Enable Encryption Key Vault - uncheck) and to reboot to force the re-entering of the volume encryption key but the system boots without problems and the encrypted volume is visible.
Is this a bug?
Is there a way to force the Synology to ask for the encryption key without doing a soft reset?

Thanks in advance.

Hi,

First, thank you for bringing the command ‘synodsdefault’ to my attention. I always looked for an equivalent for the different reset modes in a command, and it seems this command does the trick or comes close.

Regarding your question about the volume encryption key, I’d like to share how I think it works—for what it is worth.

First, the whole idea of volume encryption is that on system boot, the volume automatically gets decrypted with the volume encryption key stored in the Encryption Key Vault (EKV). No user interaction is required.

You can reset the EKV, which seems different from disabling it. An EKV reset deletes any volume encryption key in the vault.

That is the moment you need your Recovery Key to manually unlock the encrypted volume.

Hi,

I have already looked at the option to reset the EKV, but the note below states that “Resetting the EKV also resets all the volume keys. The system will generate new keys to replace existing ones.” This implies that I will not re-enter the key, but download a new one. Which is not the desired behavior. I haven’t tried this yet, and I am a little skeptic that it would not work like it is written, and even afraid I might loose access to the data on the volume.

Also, if disabling the EKV does nothing, why is this option even available?

It seems to me that this feature is not fully polished and well documented.

There indeed seem to be some questions to be answered. I plan to look into this soon. I have the luxury of a test server without data.

Hi Marin,
I ran some tests and worked with the Encryption Key Vault (EKV) and the Recovery Key (RK) to unlock an encrypted volume after boot up. I was able to force-enter the key to unlock and prevent auto-unlock. It is not the recommended method, in my opinion, but YMMV.

The process is simple. Do a mode 1 reset. I did it with the reset button at the back. I have not tested it yet with the synodsdefault command you mentioned. This clears the EKV.

Next, perform two of the three steps to recover the mode 1 reset.

  • enable the EKV
  • unlock the encrypted volume with the Recovery Key (RK).
    The third step, to repair the EKV, which will enable auto-unlock, I did not do.

After a reboot, I have to enter the RK again. There is no auto-unlock. Notice that as long as there is no auto-unlock, the storage pool will remain in Warning state and the Volume in Critical state. You are entirely dependent on the RK to unlock the volume.