Sign in with
Sign up | Sign in


Is Data Encryption Worth Destroying Your NAS' Performance?

The NAS servers used in this test are all designed for commercial or semi-professional environments, which to some extent is reflected in their lofty prices. The Thecus N4200 is about $670, while the Synology DS1010+ and Qnap TS-459 Pro cost a bit more.

That's quite a hefty sum to pay for a diskless enclosure that you still need to populate with storage. In many cases, that raises expectations, and you naturally assume data stored on the NAS server really is safe. Similarly, you also expect that, even if a hard drive in the server's array fails, you'll still be able to rebuild the configuration and keep that data available. All three NAS servers offer a variety of RAID modes and backup capabilities that really can prevent data loss when they're applied sensibly.

Data Loss Due To Theft

Data can, however, be lost in ways other than a drive dying. How about if a disk from a RAID 1 array gets stolen? What about the entire NAS unit (these things aren't exactly heavy)? That's not a far-fetched scenario, especially if your networked storage is installed in a high-traffic environment like a retail store or doctor’s office. It's nice that all of the NAS servers in this test can be chained down using a Kensington lock. But lightweight physical security might not be much of a challenge to a prepared thief.

Thecus and Qnap also equip their products (the N4200 and TS-459 Pro) with lockable drive trays. This means that even the bravest jerk with a well-placed screwdriver should be unable to get away with a hard drive without damaging its housing. Conversely, the hard drives in Synology's DS1010+ could even be stolen on the fly, though, since it does not have any lockable drive bays.

Encryption Protects Against Prying Eyes…

If you're going to the trouble of protected the NAS device and hard drives from physical theft, the surest way of safeguarding the data from unscrupulous eyes is to encrypt disk contents. The manufacturers make use of a tool that has been known by all die-hard Linux users for years, meaning that it is already quite common out there, and has seen a lot of use in practice. Thecus and Qnap apply their encryption to the entire partition, while Synology allows its users to encrypt only specific folders.

…At the Cost of Performance

Performance-wise, the tested products are not that different. A lack of encryption acceleration means that enabling the feature absolutely destroys performance on all three units.

The default data transfer rates of the three candidates are on a similar level in many benchmarks, although the Thecus N4200 shows slightly better results than the competition. Nevertheless, it must be said that the encryption performance leaves a lot of room for improvement. The implementation of a dedicated hardware cryptography unit would affect the data transfer rates very positively. Intel’s dual-core Atom D510 offers modest performance in everyday use, but for this type of encryption task, it is simply underwhelming, in turn affecting the data transfer rates. Maybe AES-NI has value in the embedded market; hopefully Intel has something planned there.

Use and Flexibility

When it comes to using encryption, Thecus employs the most complex implementation. In order to unlock an encrypted partition, the N4200 requires an external drive to be connected, which is then removed during operation and stored in a safe place.

Qnap’s approach to handling the encrypted partitions is also solid, and there is no reason to complain. Synology offers the most flexible single-folder encryption solution. While encryption has to be configured in advance on the NAS servers from Thecus and Qnap (which then becomes a permanent change to the partition), the encrypted database on Synology's DS1010+ can grow or shrink dynamically. The advantage here is that the most sensitive folders can be selectively encrypted without much effort, while other shared files or folders remain unaffected by the performance impact caused by the encryption. Also, existing files or folders can be encrypted at a later time, and not just when they're created.

If you are concerned about security, there is one thing that you absolutely should not do with these three NAS devices, and that is to store the password string required to decrypt the partitions or files on the NAS itself. Security always comes at the cost of some effort, but you should absolutely choose to manually enter the password to gain access to the encrypted partition or file after rebooting the NAS. That shouldn't happen very often anyway.

React To This Article