A Guide for Upgrade to DSM 7.2 Full Volume Encryption

by Rian

Synology introduced full volume encryptions (FVE) as of DSM 7.2. There were some testings in the community surrounding the performance, and the actual effectiveness of the security itself. The real fun part, and frankly the part that matters for many users, of the Synology’s new implementation is its innate capability to support 255 bytes in file name length, compared to the encrypted shared folder (ESF), which had only 143 bytes or 47 characters for CJK languages.

If only DSM can easily switch to, or toggle ESF off, then FVE on, there wouldn’t be much of problems. But that is not possible. I wanted to make a record of what I’ve tried and what I found personally to be useful. One of the rather frequently recommended solution was to simply buy another NAS unit. While I understand why that practice may have come into place in the industry, I don’t think it’s practical for most home or small office users. For that reason, I won’t be discussing simply buying another unit.

As for the security aspect of FVE, technically, FVE does not replace the role of ESF. DSM still offers ESF. FVEs are most useful in the context of crypto-shredding. When a hard drive is inevitably damaged, one can safely assume no-one without the key can make use of datas on the damaged drive. In a sense, FVE replaces shredding or secure erase practice.

DSM requires extra space, same amount as ESF, to decrypt the folder. And the user cannot select another volume, (e.g. new FVE volumes) as destination. This, in practice, means for 1TB ESF, you’d need an extra 1TB space in the current working volume. Only after it is done, the contents can be moved over to new FVE volumes. In my case, I ended up using an external drive connected via USB to make some extra room. I can’t speak for all the use cases, but if you wouldn’t mind copying the contents of the folder over manually, any external drive might be of help.

On an unrelated note, DSM can take several hours to reclaim the space from the old unencrypted volumes and expand the new FVE volumes. I was moving multiple folders over to FVE volumes side-by-side, so I had to eyeball how much breathing room DSM would leave me as the new FVE volumes were expanding. If I were to do it again, I would rather do it one at a time.

Password management is another bit that has changed. Unlike ESF, with FVE, DSM generates key per volume, and the keys are managed much like a password manager. That is to say, if you were using the same password across multiple ESF, that won’t be possible —and not recommended security-wise— with FVE. Keys are also not memorable. Instead, the process makes sure the user has downloaded a copy of key file on a local machine. If you are worried about the security risks of key locations, it is possible to use KMIP server or mount the volumes manually using the key files.

Last but not least, it might be possible to simply move ESFs into FVE enabled volumes. But I decided against it, as expanded volume spaces cannot be reverted back. So the FVE volumes would be the twice the normal size of each ESF. That wasn’t ideal solution for me, so I went through more laborious routes.