From 2cf9c625d9969cfba25f7fc393c0ffbc64274faa Mon Sep 17 00:00:00 2001 From: Michele Cereda Date: Sat, 25 Mar 2023 20:32:42 +0100 Subject: [PATCH] chore: added a way to encrypt data on usb devices --- .vscode/settings.json | 1 + knowledge base/synology dsm.md | 60 +++++++++++++++++++++++++++++++--- 2 files changed, 57 insertions(+), 4 deletions(-) diff --git a/.vscode/settings.json b/.vscode/settings.json index 343cea1..d3b39c1 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -14,6 +14,7 @@ "cereda", "chezmoi", "cpulimit", + "cryptsetup", "csma", "datagram", "dhclient", diff --git a/knowledge base/synology dsm.md b/knowledge base/synology dsm.md index 17d9cb8..79e5efa 100644 --- a/knowledge base/synology dsm.md +++ b/knowledge base/synology dsm.md 
@@ -1,13 +1,28 @@ # Synology DiskStation Manager +## Table of contents + +1. [System's shared folders](#systems-shared-folders) +1. [Rsync](#rsync) +1. [Snapshots](#snapshots) +1. [Encrypt data on a USB disk](#encrypt-data-on-a-usb-disk) +1. [Data deduplication](#data-deduplication) + 1. [Remove duplicated files with jdupes](#remove-duplicated-files-with-jdupes) + 1. [Deduplicate blocks in a volume with duperemove](#deduplicate-blocks-in-a-volume-with-duperemove) +1. [Use keybase](#use-keybase) + 1. [Manage git repositories with a containerized keybase instance](#manage-git-repositories-with-a-containerized-keybase-instance) +1. [Ask for a feature to be implemented](#ask-for-a-feature-to-be-implemented) +1. [Further readings](#further-readings) +1. [Sources](#sources) + ## System's shared folders Automatically created by services or packages. -Cannot be changed/removed manually if their creator is still active or installed. +Cannot be changed/removed manually if the package creating them is still active or installed. -```text -/volumeX +```txt +/volume1 ├── docker # data container for the Docker service, created by it upon installation ├── homes # all users' home directories, created by the SSH service upon activation ├── music # created by the Media Server package upon installation @@ -16,6 +31,13 @@ Cannot be changed/removed manually if their creator is still active or installed └── video # created by the Media Server package upon installation ``` +USB disks are recognized as shared folders automatically and mounted under `/volumeUSBX`: + +```txt +/volumeUSB1 +└── whatever +``` + ## Rsync Requirements: 
@@ -66,10 +88,31 @@ Gotchas: - the `#snapshot` folder is created in the shared folder's root directory - the default snapshots directory for that shared folder is mounted on it in **read only** mode: - > ```plaintext + > ```txt > /dev/mapper/cachedev_0 on /volume1/Data/#snapshot type btrfs (ro,nodev,relatime,ssd,synoacl,space_cache=v2,auto_reclaim_space,metadata_ratio=50,block_group_cache_tree,subvolid=266,subvol=/@syno/@sharesnap/Data) > ``` +## Encrypt data on a USB disk + +Synology DNS does not equip utilities like `cryptsetup` or TrueCrypt or such. Also, creating a docker container for it is at this time a little bit too much for me. But, it does include `ecryptfs`. + +I found [this solution on Reddit][encrypting an attached external usb drive?] to use the included `ecryptfs`. It has downsides (`ecryptfs`' vulnerabilities, the fact that terminal commands are logged in `/var/log/bash_history.log` and a password would be visible, etc), but hey, that is what is used internally, so... + +> Implementation: +> +> 1. Create a shared folder called "crypt" [on your normal Synology Diskstation volume] +> 1. Plug in the USB drive if you haven't already +> 1. Log into DSM manager +> 1. Go to network services, and select terminal +> 1. Enable Telnet service. (If you have been manually changing the firewall, make sure you've unblocked port 23) +> 1. Telnet into the Synology box - logging in as root +> 1. Type this command to create the directory on your USB drive: "mkdir /volumeUSB1/usbshare/@crypt@" +> 1. Update the _blahblahblah_ password below and type into your telnet session (note - it should all be on one line): "mount.ecryptfs /volumeUSB1/usbshare/@crypt@ /volume1/crypt -o \key=passphrase:passphrase_passwd=blahblahblah,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,\ecryptfs_passthrough=n,no_sig_cache,ecryptfs_enable_filename_crypto=y" +> 1. Any data you copy into "crypt" above, will now be encrypted and saved in "usbshare1/@crypt@". 
To check - create a new folder in the folder "crypt" and have a look at how it appears encrypted when you look into "usbshare1/@crypt@" from DSM manager. +> 1. From here - set up any backup jobs you wish to copy into the "crypt" shared folder you created. +> 1. When you are ready to eject the drive make sure you unmount it first by typing into your telnet session "umount /volumeUSB1/usbshare/@crypt@" and then eject it in the normal way from DSM. +> 1. Disable the telnet service if you are no longer using it + ## Data deduplication Requirements: @@ -159,15 +202,24 @@ Use the [online feature request form]. Posting a request on the community site w ## Sources +All the references in the [further readings] section, plus the following: + - [Configuring deduplication block on the Synology] +- [Encrypting an attached external USB drive?] + [cli administrator guide for synology nas]: https://global.download.synology.com/download/Document/Software/DeveloperGuide/Firmware/DSM/All/enu/Synology_DiskStation_Administration_CLI_Guide.pdf [online feature request form]: https://www.synology.com/en-us/form/inquiry/feature + +[further readings]: #further-readings + [michelecereda/keybaseio-client]: ../docker/keybaseio-client/README.md + [configuring deduplication block on the synology]: https://onedrive.live.com/?authkey=%21ACYMJq62iJaU7HY&cid=1E8D74207941B8DD&id=1E8D74207941B8DD%21243&parId=1E8D74207941B8DD%21121&o=OneUp +[encrypting an attached external usb drive?]: https://www.reddit.com/r/synology/comments/jq4aw6/encrypting_an_attached_external_usb_drive/ [making disk hibernation work on synology dsm 7]: https://www.reddit.com/r/synology/comments/10cpbqd/making_disk_hibernation_work_on_synology_dsm_7/
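Review bot: in the shared-folders hunk (`@@ -1,13 +1,28 @@` of `knowledge base/synology dsm.md`), swapping the `/volumeX` placeholder for `/volume1` drops the hint that the volume number varies, while the USB paragraph added in the next hunk keeps the `/volumeUSBX` form; pick one convention for both trees (keep `X`, or state that `volume1` is an example). The reworded sentence "if the package creating them is still active or installed" also no longer covers the service-created folders the tree itself lists (`docker` by the Docker service, `homes` by the SSH service); "the service or package creating them" matches the comments in the tree.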
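Review bot: the USB tree added in `@@ -16,6 +31,13 @@` shows `/volumeUSB1/whatever`, but the encryption section added further down relies on the folder name `usbshare` (`mkdir /volumeUSB1/usbshare/@crypt@`); showing that name in the tree instead of `whatever`, with a comment on who creates it, would make the later step self-explanatory and keep the two sections consistent.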
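Review bot: in the "Encrypt data on a USB disk" section (`@@ -66,10 +88,31 @@`), the quoted eject step runs `umount /volumeUSB1/usbshare/@crypt@`, which is the lower (ciphertext) directory and not a mount point, so `umount` reports it as not mounted; the ecryptfs overlay is mounted on `/volume1/crypt`, and that is what has to be unmounted before the disk is ejected, otherwise the USB volume stays busy. Since the block is a verbatim quote, add the correction in your own words below it rather than editing the quote. The quoted mount command also carries stray backslashes (`\key=passphrase:` and `\ecryptfs_passthrough=n`, line-continuation leftovers from the original post); typed unquoted in a shell they are stripped and harmless, but pasted inside quotes they become part of the option names and the mount fails, so a cleaned copy of the command in a fenced block would save readers a failed attempt. The paragraph above the quote says "Synology DNS", which should be "DSM". The downsides sentence already notes the passphrase ending up in `/var/log/bash_history.log`; two more caveats belong next to it: the quoted procedure has you enable Telnet and log in as root, so the root password and the passphrase cross the network in cleartext, while the SSH service this document already mentions (the `homes` folder) gives the same shell, and `mount.ecryptfs` from upstream ecryptfs-utils prompts for the passphrase when `passphrase_passwd=` is left out of the options, which keeps it out of the history log (to be verified on DSM's build). Finally, "`ecryptfs`' vulnerabilities" is too vague to act on; name the issue or link to it, or drop the claim.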