Using Third-Party KMIP with Synology DSM 7.2 Encrypted Volumes

I’m exploring the possibility of integrating a third-party KMIP, specifically the project available on GitHub, rnurgaliyev/kmip-server-dsm (KMIP Server for Synology DSM), with Synology DSM 7.2 encrypted volumes. Have any of you had any experience or experimented with this setup?

The idea would be to store the keys on a LUKS partition on the Raspberry Pi, which would be unlocked manually when needed.

On a related note, do you know what would happen if the Synology were to restart while the KMIP server is offline? I anticipate that the system would simply reboot as usual, but the encrypted volumes would remain unmounted—and the packages on those volumes not started—until the necessary key is manually supplied. In particular, I would expect the network configuration to be intact.

I appreciate any input or advice. Thank you!

It seems that third-party KMIP support, available in the 7.2 beta, is not available in the 7.2 release. This may return in a later update, but I have no information about that.

With regard to what happens when the KMIP server is not available on boot of the NAS with the encrypted volume, I have similar expectations to yours. I would love to test this but only have one KMIP-supporting NAS in the house.

Do you perhaps know whether the KMIP server can be reached over the internet or must it be available on the local network?

Thank you for the information. I did not get around to testing with a generic Linux server acting as KMIP. I hope they will add it back in the future.

I could not find anything in the documentation about the KMIP client and server having to be on the same network. I guess the only way to be sure would be to test with a remote NAS accessible on the Internet (or maybe in the same mesh VPN).

