Ensuring Your Synology NAS Encryption Keys are Valid on DSM 7.2

I have been using encrypted volumes on my Synology NAS since they were introduced in DSM 7.2. Despite understanding the limitations and security risks, I decided to adopt them early on, with the intention of eventually moving the keys to an external KMIP server when I have the time.

One feature that I felt was missing from the “encrypted volumes” implementation was the ability to verify the validity of the encryption keys. After spending some time figuring out how to do this, I decided to document the process to help others who might be facing the same challenge.

Key Validity Check

To verify the validity of an encryption key, follow these steps:

  1. Create a Temporary Encrypted Shared Folder: This folder will be deleted after the verification process to ensure no encryption keys remain accessible on the NAS.
  2. Upload the Encryption Keys: Place the .rkey files in the new shared folder.
  3. Connect to the NAS via SSH: Navigate (cd) to the shared folder.
  4. Decode the Key Files: The key files are base64 encoded. Use the following command to decode them:

     find . -name "*.rkey" -exec sh -c 'base64 --decode "$1" > "${1%.*}_decoded.rkey"' sh {} \;

  5. Check the Validity of Each Key: Use this command to verify each key:

     sudo cryptsetup open --test-passphrase /dev/vgX/volume_X -S 1 -d /volumeY/temp_key_check/XXXX_VolumeX_decoded.rkey -v

    Where X is the volume number of the volume you need to check, and /volumeY/temp_key_check/XXXX_VolumeX_decoded.rkey is the path to the decoded key. Synology stores the encryption key in slot 1, which is why we specify -S 1 (this is not strictly necessary; without this argument the command would try all slots, if I’m not mistaken).

    • If the key is valid, you will see this in the command output: Key slot 1 unlocked.
    • If the key is incorrect, you will see this instead: No key available with this passphrase.

    In both cases, you will see No usable token is available in the output: this is normal.

    IMPORTANT: This command is non-destructive, and it can safely be used on a mounted volume.
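Steps 4 and 5 wrapped into a small POSIX shell script, as an added example that is not from the original post: it decodes every .rkey in the temporary folder, runs the same non-destructive cryptsetup test against the volume, and turns the two output messages quoted above into a per-file verdict. The device path and folder name are placeholders taken from the steps above.

```shell
#!/bin/sh
# Added example (not Synology's or the post's own code). Batch-checks the .rkey
# files in the temporary shared folder against one LUKS volume.

# Decode one base64 .rkey file next to itself as <name>_decoded.rkey and print the path.
decode_rkey() {
    src="$1"
    dst="${src%.*}_decoded.rkey"
    base64 --decode "$src" > "$dst" || return 1
    printf '%s\n' "$dst"
}

# Map cryptsetup's verbose output to a one-word verdict, using the messages the post reports.
# "No usable token is available" appears in both cases and is deliberately ignored.
classify_cryptsetup_output() {
    case "$1" in
        *"Key slot 1 unlocked"*)                  echo valid ;;
        *"No key available with this passphrase"*) echo invalid ;;
        *)                                         echo unknown ;;
    esac
}

# --test-passphrase only checks the key against the LUKS header; it does not map the
# device, so this is safe on a mounted volume. Slot 1 is where Synology keeps the key.
check_key() {
    dev="$1"; keyfile="$2"
    out=$(sudo cryptsetup open --test-passphrase "$dev" -S 1 -d "$keyfile" -v 2>&1)
    classify_cryptsetup_output "$out"
}

# Decode and test every .rkey in a folder, skipping files already decoded by a previous run.
check_all_keys() {
    dev="$1"; dir="${2:-.}"
    for f in "$dir"/*.rkey; do
        [ -e "$f" ] || continue
        case "$f" in *_decoded.rkey) continue ;; esac
        decoded=$(decode_rkey "$f") || { echo "$f: decode failed"; continue; }
        echo "$f: $(check_key "$dev" "$decoded")"
    done
}

# Usage on the NAS over SSH (placeholders as in the steps above):
# check_all_keys /dev/vgX/volume_X /volumeY/temp_key_check
```

Delete the temporary shared folder afterwards so neither the encoded nor the decoded key files remain on the NAS.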

I perform this check quarterly to ensure that I can access my files, even if I need to reset the NAS or move the HDDs to a different unit.