Is Synology immutable storage breakable?

I’ve been reading up on the new features of DSM 7.2 specifically regarding immutable storage. I understand the idea of locking the files so that you can’t just click the delete button and get rid of them. This is great for protecting against accidental deletions as well as ransomware.

However, couldn’t a malicious actor just delete the entire storage pool? Are there any other weaknesses with immutable storage?

If you have physical access, you could just yank the drives and run. In the world of what-ifs, the meteor obliterating your NAS and all your supporting infrastructure is also a possibility. If a malicious actor has admin access to the NAS, it’s game over no matter which way you look at it.

Well, I guess that’s my question about admin access. All the documentation says that in Compliance Mode, not even admins can delete the data.

So according to the documentation from Synology, it looks like compliance mode does not allow you to delete the storage pool / volume:

| Features | Enterprise mode | Compliance mode |
| --- | --- | --- |
| Data checksum can be enabled to ensure data integrity | Optional | Enabled by default and cannot be disabled |
| Append-only state can be applied to files | Yes | Yes |
| Non-locked files can be deleted by administrators | Yes | Yes |
| Locked files can be deleted by administrator regardless of the lock state | No | No |
| The WriteOnce shared folder can be renamed | No | No |
| The WriteOnce shared folder can be deleted by administrators | Yes | No |
| The volume where the WriteOnce shared folder is located can be deleted by administrators | Yes | No |
| The storage pool containing the WriteOnce shared folder can be deleted by administrators | Yes | No |
| Snapshots of WriteOnce shared folder can be taken | Yes | Yes |
| Snapshots of the WriteOnce shared folder can be replicated | Yes | Yes |
| A failover to the WriteOnce shared folder can be performed on the partner server | Yes | Yes |
| A new shared folder can be cloned from a snapshot of a WriteOnce shared folder* | Yes | Yes |
| The replication of the WriteOnce shared folder can be switched over | Yes | No |
| A re-protect operation can be performed to safeguard the WriteOnce shared folder | Yes | No |
| The WriteOnce shared folder can be restored to a specific snapshot | No | No |
| The WriteOnce feature uses the Tamper-Proof Clock mechanism | Yes | Yes |
| The WriteOnce feature requires the purchase of a license | No | No |

From this article:

Note: I have not yet had a chance to test how to break this! But I do know that the clock that they use to lock the snapshots is different than the system clock.

Ah, Ok that helps. So let’s say I am the administrator, and I was running compliance mode. I put a bunch of data on some drives, but later decide I don’t want that. To reclaim that drive space, I would have to physically remove those drives, install them in some other system (Windows or Linux I presume) and then format the drives. Then I could reuse them in Synology for another purpose. Does that sound correct?

It looks like (from the documentation at least) that that is what would be required!

You may be able to do a hard reset with the reset button on the unit to get it to as well. Not sure though.