How can I encrypt or decrypt shared folders on my Synology NAS?

Purpose

This article explains how to encrypt and decrypt shared folders on your Synology NAS.

Resolution

Encrypt shared folders

Any user belonging to the administrators group can encrypt existing shared folders or new shared folders during folder creation. When you encrypt a shared folder, a key is generated and automatically downloaded. This key is required for mounting the encrypted shared folder in the future. It is impossible to crack the encryption and access the data without the key, even if you remount the drives on other devices. Therefore, it is critical to save the key in a safe place.

To create a new encrypted shared folder:

  1. Follow the instructions in the respective help articles for DSM 7.0 and DSM 6.2 to create a new shared folder.
  2. On the Encryption page, tick Encrypt this shared folder and enter the encryption key in the Encryption key and Confirmation key fields.
  3. You may choose to tick Add encryption key to Key Manager. This is optional. If this is left unticked, you need to click Mount (at Control Panel > Shared Folder > Encryption) the next time your NAS starts up and enter/import the encryption key to mount the folder for access. Click Next.
  4. Follow the wizard instructions to finish creating the folder.

To encrypt an existing shared folder (see Notes 1 and 2):

  1. Go to Control Panel > Shared Folder.
  2. Select a shared folder you want to encrypt and click Edit > Encryption.
  3. Follow step 2 in the previous section to encrypt the shared folder (see Note 3).

Although an encryption key is automatically downloaded during the encryption process, you can also do either of the following to export it again:

  • Right-click on an encrypted shared folder, click Encryption, and click Export key.
  • Go to Control Panel > Shared Folder, click the Encryption drop-down menu, and click Export key.

Manage keys of encrypted shared folders

It is a good idea to keep your encryption keys in a safe place. You can also add encryption keys to Key Manager once it is initialized. Once initialized, Key Manager can be used for the following purposes:

  • Manage keys of shared folders.
  • Decrypt multiple encrypted shared folders at the same time.
  • Enable encrypted shared folders to be mounted automatically on startup.

To learn how to initialize Key Manager, add keys to the Key Manager, or decrypt shared folders with Key Manager, refer to the respective help articles for DSM 7.0 and DSM 6.2.

Mount encrypted shared folders

Once a shared folder is encrypted, it needs to be mounted on a NAS to be accessible. You can manually mount an encrypted shared folder or set the system to automatically mount it.

To learn how to mount encrypted shared folders either manually or automatically, refer to the respective help articles for DSM 7.0 and DSM 6.2.

Decrypt encrypted shared folders

Decrypting encrypted shared folders makes them available to all users who have the privilege to access them. Please note that only mounted encrypted shared folders can be decrypted.

To decrypt encrypted shared folders, go to Control Panel > Shared Folder, select the folder, click Edit, go to the Encryption tab, and untick Encrypt this shared folder.

Notes:

  1. The following system default shared folders cannot be encrypted: ActiveBackupforBusiness, docker, MailPlus, NetBackup, usbshare, web, and web_packages.
  2. For DSM 6.2 and earlier versions, encrypted shared folders cannot be accessed via NFS. If there are any previously set NFS rules, they will be removed during the encryption process. For DSM 7.0 and above, encrypted shared folders can still be accessed via NFS and previously set NFS rules will not be removed during the encryption process.
  3. The file compression function cannot be used in conjunction with the file encryption function.