Sign in with
Sign up | Sign in

Synology DS1010+

Is Data Encryption Worth Destroying Your NAS' Performance?
By

The Synology DS1010+ also comes with a dual-core Intel Atom D510 and 1 GB of DDR2 RAM. But unlike the devices from Qnap and Thecus, it encrypts data at a file level, instead of at a partition level. This is implemented via eCryptfs, which is rather similar to the popular TrueCrypt software. It creates a container that can grow or shrink in size dynamically as needed. The data stored in these container files is individually encrypted, while the information used to decrypt the files is stored in the unencrypted file header. In the following screenshots, we can see just how such a container is created, and what information from the encrypted file in it can be displayed directly in the Linux console.

Since Synology uses eCryptfs, the RAID arrays have to be configured and ready to go before enabling encryption. Setting up the encryption can be done when configuring file or folder sharing.

When sharing a folder there is a menu item in the Web interface called “Encrypt this shared folder.” This also requires the user to enter a password string that the encryption is based upon, and it has to be at least eight characters long.

If the menu item “Mount automatically on startup” is selected, the password is saved on the NAS device. This option allows you to automatically mount the encrypted folder after rebooting the device. But just like with the Qnap NAS, you should not use this feature if you are concerned about security (and if you're enabling encryption, there's a fair chance that you are).

Again, we receive a dialog box warning the user to store the key in a safe place, as the data cannot be decrypted without it. It also says that there might be a performance impact as a result of the encryption, and that the folder will not be available via NFS.

After confirming the operation, the encrypted folder is available just a few seconds later and the download of the key file that was generated from the password you entered is automatically accessed.

If you choose not to store the encryption password on the NAS, you can still access the encrypted folders after rebooting. This can be done either by entering the password via the Web interface or by using the downloaded key file.

If the encrypted folders are not mounted via eCryptfs, you just see a list of unintelligible letters and numbers when displaying the drive contents in the Linux console. After mounting them using the password, they are displayed as usual.

Ask a Category Expert

Create a new thread in the Reviews comments forum about this subject

Example: Notebook, Android, SSD hard drive

Display all 26 comments.
This thread is closed for comments
  • 0 Hide
    und3rsc0re , May 18, 2011 4:46 AM
    You guys should do this test using a few solid state drives, im interested to know the results if encryption affects the performance of them much.
  • 1 Hide
    compton , May 18, 2011 4:48 AM
    What about a Core i5 or better based server? You could turn an i5 with aes-ni into a cheap server for the same price as these diskless enclosures. Couldn't it be turned into a Linux based NAS with hardware encryption? I'm not hip to all of the issues, but that was my first thought.
  • 5 Hide
    rhangman , May 18, 2011 6:30 AM
    What about a VIA based solution? Low power like an Atom, cheap and has the padlock hardware encryption engine.

    http://www.via.com.tw/en/initiatives/padlock/hardware.jsp
  • 0 Hide
    Anonymous , May 18, 2011 7:51 AM
    maybe you could test the other nas´too

    http://www.tomshardware.com/charts/multi-bay-nas-charts-2011/benchmarks,121.html
    already has a performance overview so just add encryption test
  • 2 Hide
    huron , May 18, 2011 3:33 PM
    I like what you guys are doing here at Toms...very interesting article. Any chance you guys can get your hands on a better processor to see what the results would be - I know how resource heavy encryption/decryption can be, and worry these don't really have enough horsepower to handle the job well.

    Continue this as a series with better CPUs?
  • 0 Hide
    bwcbwc , May 18, 2011 4:02 PM
    The implication for all of these devices is that the data is encrypted/decrypted within the device, which in turn means that the data is transmitted over the network in unencrypted form.

    The risk of a packet sniffer on the LAN seems a lot higher than someone walking out the door with your NAS array (or a piece of it), so I think you need to weigh your priorities when you choose this type of solution. If you are ready to address the physical security of data on a network attached drive, you should already have taken steps to ensure the security of the data during transmission.
  • -1 Hide
    freggo , May 18, 2011 4:06 PM
    What if one where to use TrueCrypt partitions on these servers instead ?
    I tested it extensively first and use it now for 2 years on my regular drives, hardly a 'noticable' performance hit compared to the unencrypted drives in the PC and 'zero' errors or problems so far.

  • -1 Hide
    Prey , May 18, 2011 4:33 PM
    In a commercial environment, especially medical, hell yes! Go to the HITECH Act and see the breach list over 500 due to unencrypted files that are stolen or lost.

    It shouldn't be a performance issue, but more a, is it worth the risk issue.
  • 0 Hide
    Niva , May 18, 2011 6:20 PM
    Definitely a good article, I'd been thinking about buying the Thecus. Tests with TrueCrypt would be appreciated since that's my tool of choice.
  • 1 Hide
    tacoslave , May 18, 2011 10:34 PM
    was i the only one thinking of sony?
  • 0 Hide
    dangolo , May 18, 2011 11:21 PM
    Bought the Thecus N4200 last year to compliment my system drive, a truecrypted C300 SSD. Windows 7 iSCSI interface makes it cake to use, and I admit, I LOVE this combo. Encryption "slowness" is not noticeable except in the most hurried of situations.
    I have no enemies, but the value of knowing my data is private as often as possible, is a battle worth fighting.
    BTW, the Thecus has a built in battery backup power supply, an eSata, and 2x10Gb ports. Very pricey, but worth it to me, thanks TH, brilliant concept and review =D
  • 1 Hide
    palladin9479 , May 19, 2011 12:58 AM
    rhangmanWhat about a VIA based solution? Low power like an Atom, cheap and has the padlock hardware encryption engine.http://www.via.com.tw/en/initiativ [...] rdware.jsp


    Any Via based solution would stomp the Atom into the ground when it comes to encrypted data. Heck you can throw together your own NAS with all the options you could possible want by building your own Mini-ITX server.

    Anyhow Toms has demonstrated in the past that its writers / editors are journalists before their technicians. They go for the shock story rather then get technical and actually test things like a Via platform. Having done my own test with openssl, going from -engine dynamic to -engine padlock yielding over 1000% increase (yes more then 10x) in performance. I'm capable of reading / writing to an encrypted disk at full speed without the CPU taking a hit. For those of you who want to use SSD's Via is the ~only~ option as any other CPU would drag when trying to do the encryption at that speed.
  • 1 Hide
    palladin9479 , May 19, 2011 1:34 AM
    After looking back over the article I noticed the prices on these items. Guys these things are rip offs. For the same amount you can build your own Via based Mini-ITX server and run whatever features you want on it.

    Via Nano L2200 1.6Ghz (or the newer dual core ones)
    1~2GB of DDR2 RAM (4 if you want to be adventurous)
    JetWay motherboard, or the Via reference one (I prefer Jetway)
    80GB SATA HDD (for OS)

    Then purchase a MediaSonic four bay eSATA / USB 3.0 external raid enclosure. Connect the enclosure to your server using eSATA and share out whatever drive setup you want. The bonus is you can do RAID-5 and the enclosure has its own circuitry to do the XOR calculations, thus relieving your CPU from having to do this. Use Linux as your OS, or MS SBS with DiskCryptor (Truecrypt refuse's to support Via CPU's, DiskCryptor is a fork from the original TrueCrypt and supports all current HW encryptors). Now you get whatever you want out of this package, use it just for network resource sharing like printers and file shares. If you want you can add OpenVPN style support, OpenSSL now supports the padlock encryption engine and you can specify that inside the OpenVPN configuration. You can add your own DNS server, web server or whatever project you can dream up.

    NAS devices like those above are for home "professionals" who don't know how to manage their own server, basically the iApple drones.
  • 0 Hide
    house70 , May 19, 2011 10:40 AM
    Nobody's asking you to buy one. People that can build their own NAS are NOT interested in this article, hence it was not for them. There are a lot of PC users not familiar with the requirements of building a NAS, especially running Linux. Do not look down on people that do not have the same knowledge about servers as you; they might have a LOT of knowledge about other things that you are clueless. Yo' mama didn't teach you that?
    Also, your point makes no sense: if for the same amount of money you can build your own, then you are not saving a dime by doing so.
    Finally, if you have built one, why don't you publish your own benchmarks, to put some weight behind your statements? Although, seeing how biased you are, I would not necessarily believe the numbers you put out. You have just shot your credibility in the foot (or rather, in the face) with your comment.
  • 1 Hide
    palladin9479 , May 20, 2011 1:56 AM
    A "NAS" is just a mini-itx system running a customized linux OS with a managed web front end. You are limited by the "features" the HW manufacturer provided. Build your own (Linux or Windows Server) and not only do you get the exact same thing, but you can then add features or expand it in any way you desire.

    I point at encryption as a prime example. These NAS's are all using under powered Atom CPU's and therefor can not handle disk encryption at full speed. If you had built your own then it would of had padlock support and would be able to handle full speed disk encryption.

    Quote:
    There are a lot of PC users not familiar with the requirements of building a NAS, especially running Linux.


    This makes no sense. The one's who would be spending $600+ for a "NAS" are either professional IT guys and thus would be capable of running their own system, or are iLife heads who think its "cool" to have something like this. These are not some $200 USD grandmother devices, nor are they set-top devices like a WDTV Live, their full up servers hosting an exported file system. Who in the world would be buying these that wouldn't be better served on their own? A power user would be better off building their own feature rich device, especially when it comes to backups and security. A home user wouldn't be using this and would instead use a large USB drive. An enterprise user would be laughing at all of you and using their own solution.
  • 0 Hide
    x3style , May 20, 2011 11:31 AM
    und3rsc0reYou guys should do this test using a few solid state drives, im interested to know the results if encryption affects the performance of them much.

    A little more in-depth knowledge about encryption would let you know that encrypting uses CPU power hence why accelerating the storage trough-put would change nothing in the processing bottleneck.
    Your car doesn't get more HP by putting bigger tires, for that you need some engine tweaking.
  • 0 Hide
    Anonymous , May 21, 2011 10:07 AM
    I use DNLA to stream media to my Samsung tv. What if I was to use a NAS with encryption. Would that work?.
  • 0 Hide
    Anonymous , May 22, 2011 7:31 PM
    I think it will resolve itself by a market -- this "NAS" are just overpriced, otherwise it's normal low-end solution for lazy user. I am also quit lazy, but after one experience with Buffalo Terastation I prefer to use MediaSonic enclosure connected to my server, similarly as other user adviced...
    When it will be 800$ including 4x 3TB HDDs, than it will make a bit sense. Now it's a normal rip-off, which is actually quit normal and respected business nowadays.
    If you look on a typical supemarket shelves, you can easy see that most products are even not intended to be usefull not for consumer but just designed to make a money for seller. Normally cinsumer doesn't like to buy this goods and that is why there exist multi-billion dollar marketing industry, to make you buy different "brand" trash...
    In IT you can at least test yourself...
    So just decide yourself, not trust ads at all and make some research before buying -- and you will be reasonably safe to get what you need, not what is marketed...
  • 0 Hide
    palladin9479 , May 23, 2011 3:58 AM
    Quote:
    I think it will resolve itself by a market -- this "NAS" are just overpriced, otherwise it's normal low-end solution for lazy user. I am also quit lazy, but after one experience with Buffalo Terastation I prefer to use MediaSonic enclosure connected to my server, similarly as other user adviced...
    When it will be 800$ including 4x 3TB HDDs, than it will make a bit sense. Now it's a normal rip-off, which is actually quit normal and respected business nowadays.
    If you look on a typical supemarket shelves, you can easy see that most products are even not intended to be usefull not for consumer but just designed to make a money for seller. Normally cinsumer doesn't like to buy this goods and that is why there exist multi-billion dollar marketing industry, to make you buy different "brand" trash...
    In IT you can at least test yourself...
    So just decide yourself, not trust ads at all and make some research before buying -- and you will be reasonably safe to get what you need, not what is marketed...



    Well if they could offer the NAS solution at $200~$250 without drives then that would be acceptable I think. You can get a home SOHO router device that supports USB "file share" for under $100 USD, and honestly this is ~all~ you need for a NAS device. Take the system board, remove the wireless components / routing interfaces, put in a SATA system with an eSATA / USB connector and 2~4 bays for drives. That would be marketable and be within the range of the average home user that doesn't have time / ability to manage their own server. This $600+ cost of drives for what is a non-managed file server ... its just too much for the SOHO world.
  • 0 Hide
    g00ey , May 23, 2011 11:14 AM
    But what if you use a proper quad-core computer with lots of RAM as a NAS running Solaris/OpenIndiana? Then the encryption shouldn't be much of a performance issue.
Display more comments