I have installed my Synology 1522+ with 4 HDDs and enabled volume encryption. At that point I got the rkey file. Later, when I performed a soft reset (synodsdefault --reset-config) the system required me to re-enter the volume encryption key (this is the behavior I expected). Unfortunately, this procedure changes other configs that you have to change back manually later.
I have tried to disable the Encryption vault (Storage manager → Storage → Global settings → Encryption key vault → Enable Encryption Key Vault - uncheck) and to reboot to force the re-entering of the volume encryption key but the system boots without problems and the encrypted volume is visible.
Is this a bug?
Is there a way to force the Synology to ask for the encryption key without doing a soft reset?
First, thank you for bringing the command ‘synodsdefault’ to my attention. I always looked for an equivalent for the different reset modes in a command, and it seems this command does the trick or comes close.
Regarding your question about the volume encryption key, I’d like to share how I think it works—for what it is worth.
First, the whole idea of volume encryption is that on system boot, the volume automatically gets decrypted with the volume encryption key stored in the Encryption Key Vault (EKV). No user interaction is required.
You can reset the EKV, which seems different from disabling it. An EKV reset deletes any volume encryption key in the vault.
That is the moment you need your Recovery Key to manually unlock the encrypted volume.
I have already looked at the option to reset the EKV, but the note below states that “Resetting the EKV also resets all the volume keys. The system will generate new keys to replace existing ones.” This implies that I will not re-enter the key, but download a new one, which is not the desired behavior. I haven’t tried this yet, and I am a little skeptical that it would not work as written, and even afraid I might lose access to the data on the volume.
Also, if disabling the EKV does nothing, why is this option even available?
It seems to me that this feature is not fully polished and well documented.
Hi Marin,
I ran some tests and worked with the Encryption Key Vault (EKV) and the Recovery Key (RK) to unlock an encrypted volume after boot up. I was able to force-enter the key to unlock and prevent auto-unlock. It is not the recommended method, in my opinion, but YMMV.
The process is simple. Do a mode 1 reset. I did it with the reset button at the back. I have not tested it yet with the synodsdefault command you mentioned. This clears the EKV.
Next, perform two of the three steps to recover the mode 1 reset.
enable the EKV
unlock the encrypted volume with the Recovery Key (RK).
The third step, to repair the EKV, which will enable auto-unlock, I did not do.
After a reboot, I have to enter the RK again. There is no auto-unlock. Notice that as long as there is no auto-unlock, the storage pool will remain in Warning state and the Volume in Critical state. You are entirely dependent on the RK to unlock the volume.
It’s incredibly frustrating that Synology still hasn’t implemented the option to not store encryption keys on disk. Their current approach—forcing users to save the keys on the drive—completely undermines the purpose of volume encryption. In contrast, QNAP allows users to choose whether or not to store keys on the drive, and Synology itself provides this flexibility for encrypted folders. Why can’t the same logic apply to volume encryption? If I’m willing to enter the key every time the NAS reboots, that should be my choice. It’s astonishing that Synology doesn’t let users make this decision for themselves.