[chris (OP)]

I am posting this here as a "how to" to help others.

Synology NAS DSM comes with an option to encrypt shared drives; this means that if someone removes the drives they cannot decode what is on them. It also means that if you make a remote backup of the drive content, using the built-in backup facility, what is written to the backup drive is also encrypted.

Unfortunately, Synology are pretty hopeless at actually telling you how to unencrypt you content should you need to. The interface gives you an option to export the key, but this dumps on your desktop a file of what looks, at first glance, like gibberish. No instructions are given on how to use it or how to rescue data if you've lost your NAS and need to resort to a backup.

Before I ended up in the above situation, I thought I'd solve the problem in advance to work out how to do it.

So here is what Synology don't, or won't tell you:

INSTRUCTIONS ON HOW TO DECRYPT AN ENCRYPTED SHARE ON SYNOLOGY NAS SYSTEMS USING A LINUX PLATFORM

1) Create a mount point on your linux platform e.g. /mnt/synology - sudo mkdir /mnt/synology

2) Mount the encrypted drive or directory at this mount point; here's how if it's a synology network share: mount -t cifs -o username=TYPE THE USER LOGIN NAME FOR THE SHARE HERE,password=TYPE THE LOGIN PASSWORD HERE //NAS_SERVER_IP/ENCRYPTED VOLUME /mnt/synology

This will mount the encrypted share to /mnt/synology; check you can see the content by typing ls -l /mnt/synology.

3) Now make another mount point, this time it's for the decrypted content - sudo mkdir /mnt/synology_decrypt

4) Install ecryptfs-utils on your linux platform (sudo apt-get install ecryptfs-utils).

5) Now mount the encrypted volume at the new mount point using this command:

mount -t ecryptfs /mnt/synology_decrypt

6) At the prompt, enter the passphrase or password (not the exported key) you used to encrypt the volume on synology originally.

7) Choose AES as the cipher.

Select 32bit.

9) Choose no for plain text passthrough.

10) Choose yes for filename encryption.

11) Your decrypted content will be accessible at the new mount point: cd /mnt/synology_decrypt/

If I have missed anything, please comment below.

This is pretty simple, so I have no idea why Synology have not made more effort to make this clearer on their website and in their supporting documentation. Perhaps they want everyone to buy a new disk station to decrypt their files...

Chris

[[KitFox]]

Synology are pretty hopeless at actually telling you how to unencrypt you content should you need to

Looks like i am doing the exact same thing as you did.

Before I ended up in the above situation, I thought I'd solve the problem in advance to work out how to do it.

Lol thats exactly what i want to do. Test a recovery process before using it.

So, my question, have you actually been able to recover it?
Do you think you can perform all this with Ubuntu Live CD?
At 2) this process is actually to restore from a working NAS. Did you try to mount, lets say... only one of the RAID1 disk plugged inside your computer? How would you mount it if its inside? the -t cifs : does it works with btrfs?

Lot of questions sorry, but nice nice post! The only one i found after 2 hours searching.

[chris (OP)]

Sorry for the slow reply, I've been away.

The how-to I have described above will allow you to decrypt a copy of the encrypted drive data, for instance from a backup source.

In my case, I have an external HDD plugged into the Synology box taking a nightly incremental impression of mission-critical files. The point is that if the Synology box, which has got 4 drives in a RAID 5 array, keels over, I can still access my most precious data.

But, I think you are asking something slightly different, which is what happens to the individual drives inside the Synology box if the box itself dies?

Under these circumstances the answer to this question will depend upon how your box is configured. If you have used a RAID array then, to access the data you will need to at least partially rebuild that array by using a new linux box and connecting the discs to it. The Synology format used is ext3 or ext4, depending upon the vintage of the synology box. To meaningfully access the data, you'll need to set up an appropriate RAID config on the system that you are using to read / restore the discs, and then mount them accordingly, using the decrypt steps above.

[[KitFox]]

Hey no problem.

Well im in Raid 1. (Mirror)

All i say is theory, only in the case the Synology DS218+ explode, and 1 of the disk goes with it.

I selected BTRFS file system.

I will just test it right away using your method, it will be long but definatelly usefull.

Ill use Ubuntu LiveCD with RMPrepUSB and Easy2Boot.

Edit: Little detail i forgot. I have a 6TB raid1, so i did 3 Volumes: 1Tb (shared unencrypted) 2.5Tb 2.5Tb (Crypted)

[chris (OP)]

Good luck! Let me know how you get on.

[[KitFox]]

I have finally been able to take only one drive off a raid 1, and mount an encrypted volume with Ubuntu LiveCD loaded on Easy2Boot stick.

After my test, sadly, i could not put my disk back in Synology, it appeared "Degraded" wich i wonder why since i never written anything on HD. I forgot to mount read-only. Maybe thats why.

Some doc taken left and right sadly i cannot post my solution as it always say im not allowed to post extrernal links

Even if i had non in my post. 

Its in the PDF

EDIT:

I modified the PDF there was some errors. If i redo it, ill take screenshots. But if my disk go degraded again rebuilding 6TB Raid takes 12 hours... its long.

[chris (OP)]

Thanks for updating us and thanks also for the useful how-to that you attached. (You will be able to post external links once you become more senior on the forum.)

I'm a bit surprised that your raid disk ended up "degraded"; something must have been written to it to corrupt it; or the array was not shut down properly to start with or afterwards.

Maybe someone else who is more expert on RAID can advise us on how to avoid this?

[foxescross]

Hi Chris (and followers),

I've have been hunting for 4 days and finally found a post that I thought would get me out of my hole. I'm a linux noob so have struggled somewhat, but have managed to install Ubuntu onto my windows 10 PC, I've created the mount /mnt/synology, however, when I try to mount it from my NAS I get the following error:

mount: /mnt/synology: unknown filesystem type 'cifs'.

Are you able to assist please?

Thanks.

[[KitFox]]

when I try to mount it from my NAS I get the following error

My how-to is only when you plug your disk in your PC. Its to recover from a crashed NAS

[foxescross]

Oh, I don't understand why the IP of the NAS goes into that mount command....

Would this guide take much modification if I plugged the drive into my windows PC and wanted to access it from Ubuntu installed inside Windows10?

[[KitFox]]

No idea. When i did it, it was a Native Ubuntu running on a Bootable USB3 stick.

[chris (OP)]

@foxescross I'm sorry to hear that you are struggling with this.

The solution I gave above mounts a drive that is available on the lan as a network share using CIFS.

Thus you need CIFS running on the linux platform. Did you install the samba and CIFS packages on your Ubuntu dual-boot machine?