How do I encrypt the data on a QNAP NAS? File Management - Storage | Network & Security - Security

Applicable models:

All x86-based series

ARM-based series with firmware v. 4.1.1 (or newer)

The data encryption feature on QNAP NAS allows you to encrypt disk volumes on the NAS with

256-bit AES encryption. Encrypted disk volumes can only be mounted for normal read/write

access by using the authorized password. Encryption protects confidential data from

unauthorized access even if the hard drives or the entire NAS were stolen.

About AES encryption:

The Advanced Encryption Standard (AES) is an encryption standard adopted by the U.S.

Government. This standard comprises three block ciphers, AES-128, AES-192 and AES-256.

Each AES cipher has a 128-bit block size, with key sizes of 128, 192 and 256 bits, respectively.

The AES ciphers have been analyzed extensively and are now used worldwide. (Source:

http://en.wikipedia.org/wiki/Advanced_Encryption_Standard)

Before you start

Please beware of the followings before you start applying the data encryption feature of the

Turbo NAS.

The encryption feature of QNAP NAS is volume-based. A volume can be a single disk,

JBOD configuration, or RAID group.

You must decide whether or not to encrypt your data when you create a disk volume on

the NAS. You will be unable to encrypt a volume after it has been created unless you

initialize the disk volume and delete all of its existing content.

Encrypted disk volumes cannot be removed without initialization. To remove encryption

from a volume, you must initialize the disk volume and delete all of its existing content.

Please keep the encryption password/key safe. If you forget your password or lose the

encryption key, you will be unable to retrieve your data!

Before starting, please understand this document carefully and strictly adhere to its

instructions.

Activating disk volume encryption on QNAP NAS

https://www.qnap.com/en/how-to/tutorial/storagehttps://www.qnap.com/en/how-to/tutorial/securityhttp://en.wikipedia.org/wiki/Advanced_Encryption_Standard

Encrypt the disk volume when you set up the NAS.

Please follow the “Smart Installation Guide” to initialize the QNAP NAS using the web-based

interface. Check "Encrypt disk volume" in step 5 of the quick configuration.

Note: You can set disk volume encryption using the LCD panel if your NAS is equipped with

one. Please refer to the Smart Installation Guide for the instructions.

Enter a password, which will be used to unlock the encrypted volume. The encryption password

must be 8-16 characters long and cannot contain spaces. A long password that combines letters

and numbers is recommended.

Auto Unlock Volume: Decide whether or not to save the encryption key and to automatically

unlock the volume (this option can be changed later).

If checked: The NAS will automatically unlock the encrypted disk volume using the

saved password when it starts up.

If not checked: The encrypted disk volume is locked when the NAS starts up. Only the

administrator can then enter the encryption password to unlock the volume.

Proceed to the next step and finish the NAS installation.

Create a new encrypted disk volume with new hard drives

If your NAS has been installed and you want to create a new encrypted disk volume by installing

new hard drives, please follow these steps.

1. Install new hard drives to the NAS.

2. Log into the NAS as an administrator. Go to “Control Panel” > “Storage Manager” > “Storage

Space”, click “New Volume” to create a new disk volume.

3. Select a volume type, and then choose the disks you want to create as a volume. Select a

RAID type and click “Next”.

4. Set the “Snapshot Protection Settings” if the volume type is between Thick Multiple Volume

and Thin Multiple volume (single type does not support Snapshots).

5. Check “Encryption”, enter the encryption settings, and click “Next”.

6. Click “Finish” > “OK” to create the new encrypted volume. All of the data on the selected

disks will be deleted.

Verify that disk volume is encrypted

Log into the NAS as an administrator and go to “Control Panel” > “Storage Manager” >

“Storage Space”. You will see the lock icon in the “Status” column for encrypted disk volumes.

If the disk is not encrypted, you will not see this icon.

Behavior of an encrypted volume after rebooting system

For example: we have two encrypted disk volumes on the NAS.

The first volume (Single Disk: Drive 1) has been created with the option "Save Encryption Key"

enabled. The second volume (Single Disk: Drive 2) has been created with the option "Save

Encryption Key" disabled.

After rebooting the NAS, you will see the volume status. The first drive has been unlocked and

mounted but the second drive is locked because the encryption key is not saved on the second

disk volume. You must enter the encryption password to unlock it.

If you enable the option "Save Encryption Key", it will only prevent a data breach if the

hard drives have been stolen. If the entire NAS is stolen then the thief can access the data

after restarting the Turbo NAS.

If you disable the option "Save Encryption Key", your NAS will be protected against data

breach even if the entire NAS is stolen. The disadvantage is that you have to unlock the

disk volume manually every time the NAS starts up.

Encryption key management

Log into the NAS as an administrator and go to “Control Panel” > “Storage Manager” >

“Storage Space”. Select the disk volume and click “Manage”. A new window named “DataVol*

Management” will appear.

Click “Action” > “Encryption” to perform the following actions:

Change/Download/Save the encryption key, and Lock/Unlock this Volume

Change: Enter the original and new password to change the encryption key. You can select

whether or not to save the key after you change it (whenever you change the encryption key, the

original one will not be available anymore. Refer to the following steps to download your new

encryption key.)

Download: Enter your password to download the encryption key file. The encryption key file

can be used to unlock the disk volume even if you don’t know the password (refer to the

following steps to unlock manually.)

Save: If you have saved the encryption key on it, the NAS will automatically unlock the disk

volume upon startup (this function only works for disk volumes that have not saved the

encryption key before.)

Lock/Unlock this Volume: Click “Yes” to lock the disk volume.

For Locked volumes, select the disk volume and click “Manage” > “Unlock this Volume”. Enter

the password or upload the encryption key to unlock the disk volume.

Release date: 2013-05-17

Applicable models:About AES encryption:Before you startActivating disk volume encryption on QNAP NASEncrypt the disk volume when you set up the NAS.Create a new encrypted disk volume with new hard drivesVerify that disk volume is encryptedBehavior of an encrypted volume after rebooting systemEncryption key management