The data encryption feature on the Turbo NAS allows you to encrypt the disk volumes on the NAS with 256-bit AES encryption for data breach protection. The encrypted disk volumes can only be mounted for normal read/ write access with the authorized password. The encryption protects the confidential data from unauthorized access even if the hard drives or the entire server were stolen.
About AES encryption:
“In cryptography, the Advanced Encryption Standard (AES) is an encryption standard adopted by the U.S. government. The standard comprises three block ciphers, AES-128, AES-192 and AES-256 […]. Each AES cipher has a 128-bit block size, with key sizes of 128, 192 and 256 bits, respectively. The AES ciphers have been analyzed extensively and are now used worldwide” . (Source: http://en.wikipedia.org/wiki/Advanced_Encryption_Standard)
The AES volume-based encryption is applicable only to specific QNAP NAS models.
Please refer to the comparison table at:
http://www.qnap.com/images/products/comparison/Comparison_NAS.html.
Before you start
Please beware of the following before you start to use the data encryption feature of the Turbo NAS.
- The encryption feature of the Turbo NAS is volume-based. A volume can be a single disk, a JBOD configuration, or a RAID array.
- You have to select whether or not to encrypt your data when you create a disk volume on the NAS. In other words, you will not be able to encrypt a volume after it has been created unless you initialize the disk volume. Note that initializing a disk volume will clear all the existing disk data on it.
- The encryption on the disk volume cannot be removed without initialization. To remove the encryption on the disk volume, you have to initialize the disk volume and all the data will be cleared.
- Please keep the encryption password or key safe. If you forget your password or lose your encryption key, you will not be able to retrieve your data!
- Before you start, please read this document carefully and strictly adhere to the instructions.
Activating disk volume encryption on the Turbo NAS
Encrypt the disk volume during the NAS installation
Follow the instructions of the Quick Installation Guide (QIG) to initialize the NAS by the web-based interface. In the Step 6 of the quick configuration, select “Yes” for the “Encrypt disk volume” option.
Note: You can execute disk volume encryption by the LCD panel if your NAS is equipped with one. Please refer to the QIG for the instructions.
Once you have selected to encrypt the disk volume, the encryption settings will appear.
Enter an encryption password, which will be used to unlock the encrypted volume. The encryption password must be 8-16 characters long and cannot contain spaces ( ). Try to select a long password which combines letters and numbers.
- Use Default Value: Select to use the default encryption password “admin”.
- Save Encryption Key: Select to save the encryption key on the NAS (this option can be changed later).
- If checked: The NAS will unlock the encrypted disk volume automatically using the saved password when it starts up.
- If not checked: The encrypted disk volume is locked when the NAS starts up. You have to login the NAS as an administrator and enter the encryption password to unlock the disk volume.
Then proceed to the next step and finish the NAS installation.
Create a new encrypted disk volume with new hard drives
If your NAS has been installed and you want to create a new encrypted disk volume by installing new hard drives on the server, follow the steps below.
1.Install the new hard drive(s) to the NAS.
2.Login the NAS as an administrator. Go to “Disk Management” > “Volume Management”.
3.Select the disk volume you want to configure according to the number of new hard drives installed.
4.Select the hard drive(s) for creating the disk volume. In this example, we select to create a single drive. The procedure applies also to a RAID configuration.
5.Select “Yes” for the “Encryption” option and enter the encryption settings.
Then click “CREATE” to create the new encrypted volume.Note that all the data on the selected drives will be DELETED! Please back up your data before creating the encrypted volume.
You have created a new encrypted disk volume on the NAS.
Verify that disk volume is encrypted
To verify the disk volume is encrypted, login the NAS as an administrator. Go to “Disk Management” > “Volume Management”.
You will be able to see the encrypted disk volume, with a lock icon in the Status column.
The lock will be open if the encrypted volume has been unlocked. A disk volume without the lock icon in the Status column is not encrypted.
Behavior of an encrypted volume upon system reboot
In this example, we have two encrypted disk volumes on the NAS.
The first volume (Single Disk Drive 2) has been created with the option “Save Encryption Key” enabled.
The second volume (Single Disk Drive 5) has been created with the option “Save Encryption Key” disabled.
After restarting the NAS, check the volume status. The first drive has been unlocked and mounted but the second drive is locked. Since the encryption key is not saved on the second disk volume, you have to manually enter the encryption password to unlock it.
- Saving the key on the NAS will protect you only if your hard drives are stolen. However, there is a risk of data breach if the entire NAS is stolen as the data is accessible after restarting the NAS.
- If you select not to save the encryption key on the NAS, your NAS will be protected against data breach even if the entire server is stolen. The disadvantage is that you have to unlock the disk volume manually on each system restart.
Encryption key management: new password/ save encryption key/ export encryption key
To manage the encryption key settings, login the NAS as an administrator and go to “Disk Management” > “Encrypted File System”.
Click “ENCRYPTION KEY MANAGEMENT” on the “Action” column of an unlocked disk volume.
You can perform the following actions:
- Change the encryption key
- Save the encryption key on the NAS
- Download the encryption key file
-
Change the encryption key:
Input your old encryption password and input the new password. (Note that after the password is changed, any previously exported keys will not be working anymore. You have to download the new encryption key if necessary, see below).
-
Save Encryption Key:
Save the encryption key on the NAS for automatic unlocking and mounting the encrypted disk volume when the NAS restarts.
-
Download Encryption Key File:
Input the encryption password to download the encryption key file. Downloading the encryption key file will allow you to save the encryption key in a file. The file is also encrypted and can be used to unlock a volume, without knowing the real password (see “unlock a disk volume manually” below). Please save the encryption key file in a secure place!
Unlock a disk volume manually
To unlock a volume, login the NAS as an administrator. Go to “Disk Management” > “Encrypted File System”.
You will be able to see your encrypted volumes and their status: locked or unlocked.
To unlock your volume, you can either input the encryption password, or use the encryption key file that has been exported previously.
If the encryption password or the key file is correct, the volume will be unlocked and become available.