QNAP Systems, Inc. - Network Attached Storage (NAS)



How do I encrypt the data on a QNAP NAS?

Applicable models:

  • All x86-based series
  • ARM-based series with firmware v. 4.1.1 (or newer)

The data encryption feature on QNAP NAS allows you to encrypt disk volumes on the NAS with 256-bit AES encryption. Encrypted disk volumes can only be mounted for normal read/write access by using the authorized password. Encryption protects confidential data from unauthorized access even if the hard drives or the entire NAS were stolen.

About AES encryption:

The Advanced Encryption Standard (AES) is an encryption standard adopted by the U.S. Government. This standard comprises three block ciphers, AES-128, AES-192 and AES-256. Each AES cipher has a 128-bit block size, with key sizes of 128, 192 and 256 bits, respectively. The AES ciphers have been analyzed extensively and are now used worldwide. (Source: http://en.wikipedia.org/wiki/Advanced_Encryption_Standard)

Before you start

Please beware of the followings before you start applying the data encryption feature of the Turbo NAS.

  • The encryption feature of QNAP NAS is volume-based. A volume can be a single disk, JBOD configuration, or RAID group.
  • You must decide whether or not to encrypt your data when you create a disk volume on the NAS. You will be unable to encrypt a volume after it has been created unless you initialize the disk volume and delete all of its existing content.
  • Encrypted disk volumes cannot be removed without initialization. To remove encryption from a volume, you must initialize the disk volume and delete all of its existing content.
  • Please keep the encryption password/key safe. If you forget your password or lose the encryption key, you will be unable to retrieve your data!
  • Before starting, please understand this document carefully and strictly adhere to its instructions.

Activating disk volume encryption on QNAP NAS

Encrypt the disk volume when you set up the NAS.

Please follow the “Smart Installation Guide” to initialize the QNAP NAS using the web-based interface. Check "Encrypt disk volume" in step 5 of the quick configuration.

Note: You can set disk volume encryption using the LCD panel if your NAS is equipped with one. Please refer to the Smart Installation Guide for the instructions.

Enter a password, which will be used to unlock the encrypted volume. The encryption password must be 8-16 characters long and cannot contain spaces. A long password that combines letters and numbers is recommended.

Auto Unlock Volume: Decide whether or not to save the encryption key and to automatically unlock the volume (this option can be changed later).

  • If checked: The NAS will automatically unlock the encrypted disk volume using the saved password when it starts up.
  • If not checked: The encrypted disk volume is locked when the NAS starts up. Only the administrator can then enter the encryption password to unlock the volume.

Proceed to the next step and finish the NAS installation.

Create a new encrypted disk volume with new hard drives

If your NAS has been installed and you want to create a new encrypted disk volume by installing new hard drives, please follow these steps.

1. Install new hard drives to the NAS.

2. Log into the NAS as an administrator. Go to “Control Panel” > “Storage Manager” > “Storage Space”, click “New Volume” to create a new disk volume.

3. Select a volume type, and then choose the disks you want to create as a volume. Select a RAID type and click “Next”.

4. Set the “Snapshot Protection Settings” if the volume type is between Thick Multiple Volume and Thin Multiple volume (single type does not support Snapshots).

5. Check “Encryption”, enter the encryption settings, and click “Next”.

6. Click “Finish” > “OK” to create the new encrypted volume. All of the data on the selected disks will be deleted.

Verify that disk volume is encrypted

Log into the NAS as an administrator and go to “Control Panel” > “Storage Manager” > “Storage Space”. You will see the lock icon in the “Status” column for encrypted disk volumes. If the disk is not encrypted, you will not see this icon.

Behavior of an encrypted volume after rebooting system

For example: we have two encrypted disk volumes on the NAS.

The first volume (Single Disk: Drive 1) has been created with the option "Save Encryption Key" enabled. The second volume (Single Disk: Drive 2) has been created with the option "Save Encryption Key" disabled.

After rebooting the NAS, you will see the volume status. The first drive has been unlocked and mounted but the second drive is locked because the encryption key is not saved on the second disk volume. You must enter the encryption password to unlock it.

  • If you enable the option "Save Encryption Key", it will only prevent a data breach if the hard drives have been stolen. If the entire NAS is stolen then the thief can access the data after restarting the Turbo NAS.
  • If you disable the option "Save Encryption Key", your NAS will be protected against data breach even if the entire NAS is stolen. The disadvantage is that you have to unlock the disk volume manually every time the NAS starts up.

Encryption key management

Log into the NAS as an administrator and go to “Control Panel” > “Storage Manager” > “Storage Space”. Select the disk volume and click “Manage”. A new window named “DataVol* Management” will appear.

Click “Action” > “Encryption” to perform the following actions:

Change/Download/Save the encryption key, and Lock/Unlock this Volume

Change: Enter the original and new password to change the encryption key. You can select whether or not to save the key after you change it (whenever you change the encryption key, the original one will not be available anymore. Refer to the following steps to download your new encryption key.)

Download: Enter your password to download the encryption key file. The encryption key file can be used to unlock the disk volume even if you don’t know the password (refer to the following steps to unlock manually.)

Save: If you have saved the encryption key on it, the NAS will automatically unlock the disk volume upon startup (this function only works for disk volumes that have not saved the encryption key before.)

Lock/Unlock this Volume: Click “Yes” to lock the disk volume.

For Locked volumes, select the disk volume and click “Manage” > “Unlock this Volume”. Enter the password or upload the encryption key to unlock the disk volume.

Release date: 2013-05-17
Was it helpful?
Thank you for your feedback.
Thank you for your feedback. If you have any question, please contact support@qnap.com
73% of people think it helps.