Note that Synology automatically saves the encryption key in a file on the user’s computer when the user creates the encrypted share. In order to decrypt the encrypted share, experience using Linux or forensic tools supporting eCryptFS folders is required. Synology uses folder-based encryption based on eCryptFS, an open-source stacked cryptographic file system. Detailed information on eCryptFS is available here.

From the point of view of a regular consumer, Synology’s encryption implementation is very restrictive. The encryption passphrase cannot be changed without decrypting and re-encrypting all data. In addition, file names stored in encrypted folders cannot contain more than 143 Latin characters in their names.

“There is no way to change the passphrase on the fly as ecryptfs encrypts each file with that passphrase individually and all files need to be rewritten with the new passphrase. So all you can do is create a new directory, mount it with the new passphrase and copy all the files over there.” (Grumbel)

Synology DSM relies on the built-in Key Manager to store encryption keys. Stored encryption keys allow users to mount their encrypted shares automatically once the Synology NAS boots up; otherwise, the passphrase must be entered on every boot.

In Synology devices, the encryption passphrase is wrapped (encrypted with a different passphrase). If we treat the encryption passphrase as a Media Encryption Key (MEK), the wrapping passphrase becomes the Key Encryption Key (KEK). One of the goals of file system encryption is preventing the attacker from removing the hard drive(s) and decrypting the data. In Windows systems with BitLocker device encryption, this is achieved by wrapping the encryption key with a unique sequence obtained from the hardware-bound TPM module. Naturally, this was the expectation when we started researching the encryption in Synology devices. In reality, Synology does not appear to be using hardware-bound encryption. Instead, a single, pre-programmed wrapping passphrase (KEK) is used to encrypt the encryption passphrase (MEK). As a result, both the MEK and the KEK can be stored on the hard drive (if the user adds their key to the DSM Key Manager); both can be extracted from the cold device, the MEK unwrapped and used to decrypt the data.

Vulnerability 1: The stored encryption key can be intercepted and the data accessed if the user had the encryption key stored in DSM Key Manager.
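To make the MEK/KEK argument concrete, here is an added Python model written for this page; it is not Synology's code and not the eCryptFS wrapped-passphrase format (which has its own KDF and cipher). The KEK is derived from a wrapping passphrase, the salt and wrapped MEK are what ends up on the drive, and `offline_unwrap` is what can be recovered from the drive alone. The passphrases, the PBKDF2 parameters and the HMAC-based stream cipher standing in for AES are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 65536  # constructed value; the point is the KEK's origin, not the cost


def derive_kek(wrapping_passphrase: bytes, salt: bytes) -> bytes:
    """KEK from the wrapping passphrase; the salt is stored next to the wrapped MEK."""
    return hashlib.pbkdf2_hmac("sha256", wrapping_passphrase, salt, KDF_ITERATIONS, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in for the block cipher a real wrapper uses.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest())
        counter += 1
    return b"".join(blocks)[:length]


def wrap(mek: bytes, kek: bytes) -> bytes:
    """Encrypt-then-MAC the MEK under the KEK: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(mek, _keystream(kek, nonce, len(mek))))
    tag = hmac.new(kek, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unwrap(blob: bytes, kek: bytes):
    """Return the MEK, or None when the KEK is wrong (tag check fails)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


# Constructed stand-in for a single vendor-wide wrapping passphrase baked into firmware.
FIRMWARE_KEK_PASSPHRASE = b"constructed-vendor-constant"


def provision(mek: bytes, wrapping_passphrase: bytes) -> dict:
    """Everything the key store writes to the hard drive for this share."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "wrapped_mek": wrap(mek, derive_kek(wrapping_passphrase, salt))}


def offline_unwrap(disk: dict, wrapping_passphrase: bytes):
    """What the drive yields to whoever holds it plus the guessed wrapping passphrase."""
    return unwrap(disk["wrapped_mek"], derive_kek(wrapping_passphrase, disk["salt"]))
```

With a firmware constant as the wrapping passphrase, the drive plus the firmware image is sufficient to recover the MEK; with a wrapping passphrase sealed in hardware and never written to disk, the same on-disk artifacts fail the tag check and stay sealed.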