
Synology DSM 7.2: Full Volume Encryption and NVMe Storage for Select Servers


Here's some exciting news that might get you busy in a good way on a slow day. Synology has just told me that DSM 7.2, the latest version of its DiskStation Manager operating system for NAS servers, is now officially available in the US.

The new version has been available elsewhere in the world since May 22.

While not as significant as the move from DSM 6 to DSM 7, this incremental upgrade brings a few important and much-anticipated improvements in my book. Additionally, there are a host of other minor yet relevant positive changes.

The DS1821+ and DS1621+ are among many Synology servers to get all the benefits of DSM 7.2.

Synology DSM 7.2: A significant incremental update

In many ways, DSM 7.2 is much more significant than DSM 7.1, which came out a year ago. The cabinet below includes the full release notes of this version.

DSM 7.2 release notes

Synology provides these release notes.

Housekeeping

  1. After installing this update, you will not be able to downgrade to a previous DSM version.
  2. This update will restart your Synology NAS.
  3. Starting from this version, logs for drives will no longer appear in Storage Manager > HDD and will be available only in Log Center.
  4. Removed the "Automatically create port forwarding rules" option from QuickConnect advanced settings to increase network security.
  5. Users can now create a Btrfs volume of up to 1 PB on specific Synology NAS models. This update automatically converts existing volumes that use the Btrfs (Peta Volume) file system to Btrfs. However, to create a volume larger than 200 TB, a RAID 6 storage pool and at least 64 GB of system memory are still required.
  6. The maximum single volume size supported by RS2423+/RS2423RP+ has been adjusted to 200 TB (with a minimum system memory requirement of 32 GB).
  7. Starting from this version, only Windows Server 2008 R2 and above versions will be supported. After installing this update, the current Windows Server 2008 domain and earlier versions will be unavailable.
  8. For the models below, you can only download the upgrade patch from Synology Download Center because you won't receive notifications for this update on your DSM.
    • FS Series: FS3017, FS2017, FS1018
    • XS Series: RS18016xs+, RS4017xs+, RS3617xs+, RS3617xs, RS3617RPxs, RS18017xs+, DS3617xs, DS3617xsII, DS3018xs
    • Plus Series: RS2416RP+, RS2416+, DS916+, DS716+II, DS716+, DS216+II, DS216+, DS1817+, DS1517+, RS2818RP+, RS2418RP+, RS2418+, RS818RP+, RS818+, DS1618+, DS918+, DS718+, DS218+, RS1219+
    • Value Series: DS416, DS416play, DS216, DS216play, DS116, RS816, DS1817, DS1517, RS217, DS418play
    • J Series: DS416slim, DS416j, DS216j, DS418j, DS218j, DS419slim, DS119j

New features/improvements

  1. Added support for WriteOnce shared folders. This feature is based on the Write Once, Read Many (WORM) technology and can be enabled to prevent files from being modified, deleted, or renamed for a specified period.
  2. Added support for volume encryption. All volume encryption keys are stored in the Encryption Key Vault, which can be set up on a local Synology NAS or via KMIP on a remote Synology NAS.
  3. Added more Synology NAS models to support M.2 NVMe SSD storage pools.
  4. Added more Synology NAS models to support the M2D18 adapter card: RS822RP+, RS822+, RS1221RP+, and RS1221+.
  5. Added more SSD cache group management options, including changing the RAID type and replacing a drive.
  6. Added support for inline zero-block removal to increase the efficiency of data deduplication.
  7. Adjusted how drive information is presented in Storage Manager. Users can now quickly check the condition of their drives by looking at the "Drive Status" field.
  8. Users can now view the amount of used and free space for each storage pool and volume in Storage Manager.
  9. Added a warning notification for when the available shared folder quota is low.
  10. Supports deleting individual desktop notifications.
  11. Supports sending DSM notifications via additional webhook providers, including LINE and Microsoft Teams.
  12. Supports creating custom notification rules for system events, giving users greater control over what notifications to receive.
  13. Supports exporting a list of users and of groups.
  14. Added support for SAML to integrate DSM with external SSO servers.
  15. Added the option to allow non-admin users to safely eject USB devices.
  16. Users can now manually input the IP addresses or FQDNs of one or more domain controllers in the trusted domain. Synology NAS syncs domain data directly with the specified domain controllers.
  17. Users can now enable Synology's email server to send DSM notifications directly to their Synology Account.

Bug fixes

  1. Fixed an issue where adding drives to a JBOD storage pool did not expand its capacity.
  2. Updated Mbed-TLS to version 2.28.2 to fix multiple security vulnerabilities (CVE-2021-36647, CVE-2022-46392, CVE-2022-46393).
  3. Updated Libksba to version 1.6.3 to fix a security vulnerability (CVE-2022-3515).
  4. Updated SQLite to version 3.40.0 to fix a security vulnerability (CVE-2022-46908).
  5. Updated Certifi to version 2022.12.07 to fix a security vulnerability (CVE-2022-23491).
  6. Updated Node.js to version 14.21.1 to fix a security vulnerability (CVE-2022-43548).
  7. Updated cURL to version 7.86.0 to fix multiple security vulnerabilities (CVE-2022-27774, CVE-2022-27775, CVE-2022-27776, CVE-2022-27781, CVE-2022-27782, CVE-2022-32205, CVE-2022-32206, CVE-2022-32207, CVE-2022-32221, CVE-2022-35252, CVE-2022-42915, CVE-2022-42916).
  8. Updated PHP to version 8.1.9 to fix multiple security vulnerabilities (CVE-2019-11043, CVE-2021-21705, CVE-2022-31625).
  9. Updated Sysstat to version 12.7.1 to fix a security vulnerability (CVE-2022-39377).
  10. Updated OpenSSL to version 3.0.7 to fix multiple security vulnerabilities (CVE-2022-2068, CVE-2022-2097, CVE-2022-2274, CVE-2022-3358, CVE-2022-3602, CVE-2022-3786).
  11. Updated Expat to version 2.5.0 to fix a security vulnerability (CVE-2022-43680).
  12. Updated Libtirpc to version 2.87 to fix a security vulnerability (CVE-2021-46828).
  13. Updated GnuPG to version 2.2.39 to fix a security vulnerability (CVE-2022-34903).
  14. Updated OpenVPN to version 2.5.8 to fix a security vulnerability (CVE-2022-0547).
  15. Updated libxml2 to version 2.9.14 to fix a security vulnerability (CVE-2022-23308).
  16. Updated GMP to version 6.2.1 to fix a security vulnerability (CVE-2021-43618).
  17. Updated ImageMagick to version 6.9.12-61 to fix multiple security vulnerabilities (CVE-2020-25664, CVE-2020-25665, CVE-2020-25666, CVE-2020-25667, CVE-2020-25674, CVE-2020-25675, CVE-2020-25676, CVE-2020-27560, CVE-2020-27750, CVE-2020-27751, CVE-2020-27752, CVE-2020-27753, CVE-2020-27754, CVE-2020-27755, CVE-2020-27756, CVE-2020-27757, CVE-2020-27758, CVE-2020-27759, CVE-2020-27760, CVE-2020-27761, CVE-2020-27762, CVE-2020-27763, CVE-2020-27764, CVE-2020-27765, CVE-2020-27766, CVE-2020-27767, CVE-2020-27768, CVE-2020-27769, CVE-2020-27770, CVE-2020-27771, CVE-2020-27772, CVE-2020-27773, CVE-2020-27774, CVE-2020-27775, CVE-2020-27776, CVE-2020-29599, CVE-2021-20176, CVE-2021-20224, CVE-2021-20241, CVE-2021-20245, CVE-2021-20246, CVE-2021-20309, CVE-2021-3574, CVE-2021-3596, CVE-2021-39212, CVE-2021-4219, CVE-2022-1114, CVE-2022-1115, CVE-2022-28463, CVE-2022-32545, CVE-2022-32546, CVE-2022-32547).
  18. Updated FFmpeg to version 4.1.9 to fix multiple security vulnerabilities (CVE-2020-20892, CVE-2020-20902, CVE-2020-21688, CVE-2020-21697, CVE-2021-3566, CVE-2021-38114, CVE-2021-38291).
  19. Fixed a security vulnerability regarding Netatalk (CVE-2022-45188).
  20. Fixed multiple security vulnerabilities regarding Python3 (CVE-2020-10735, CVE-2021-28861, CVE-2022-45061).
  21. Fixed multiple security vulnerabilities regarding iproute2 (CVE-2022-3527, CVE-2022-3529, CVE-2022-3530).
  22. Fixed multiple security vulnerabilities regarding D-Bus (CVE-2022-42010, CVE-2022-42011, CVE-2022-42012).
  23. Fixed a security vulnerability regarding syslog-ng (CVE-2022-38725).
  24. Fixed a security vulnerability regarding inetutils (CVE-2022-39028).
  25. Fixed a security vulnerability regarding DNSmasq (CVE-2022-0934).
  26. Fixed a security vulnerability regarding BusyBox-udhcp (CVE-2019-5747).
  27. Fixed multiple security vulnerabilities regarding Linux Kernel (CVE-2021-22600, CVE-2021-38209, CVE-2021-4037, CVE-2022-0168, CVE-2022-1016, CVE-2022-1729, CVE-2022-1786, CVE-2022-20141, CVE-2022-20368, CVE-2022-2078, CVE-2022-2639, CVE-2022-2905, CVE-2022-29581, CVE-2022-32250, CVE-2022-3524, CVE-2022-3566, CVE-2022-3567, CVE-2022-36879, CVE-2022-36946, CVE-2022-42703).
  28. Fixed a security vulnerability regarding Nginx (CVE-2022-3638).
  29. Fixed a security vulnerability regarding ghostscript (CVE-2023-28879).
  30. Fixed a security vulnerability regarding curl (CVE-2023-23916).

Limitations

  1. S.M.A.R.T. testing for M.2 NVMe SSDs is no longer supported.
  2. Starting from DSM 7.2 Beta, Virtual Machine Manager will no longer support creating clusters with older DSM versions. Please update each host in the cluster to the same DSM version or above versions for the Virtual Machine Manager cluster to operate properly.
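
As an added example (not part of Synology's release notes or the original post), the Python sketch below parses bug-fix lines in the two formats used above and reports which open scanner findings this update claims to close. The sample lines are abridged from the list above; the findings list, the function names, and the CVE-2099-0001 placeholder are assumptions made for illustration.

```python
import re

# Abridged sample in the two formats the release notes use. One CVE id is
# split by a stray space, which happens when notes are copied from a web page.
SAMPLE_NOTES = """\
5. Updated Certifi to version 2022.12.07 to fix a security vulnerability (CVE-2022-23491).
7. Updated cURL to version 7.86.0 to fix multiple security vulnerabilities (CVE-2022-27774, CV E-2022-32221).
19. Fixed a security vulnerability regarding Netatalk (CVE-2022-45188).
"""

UPDATED = re.compile(r"Updated (?P<name>.+?) to version (?P<ver>\S+) to fix")
FIXED = re.compile(r"Fixed .*? regarding (?P<name>.+?) \(")
# Tolerate whitespace inside "CVE" and around the hyphens.
CVE = re.compile(r"C\s*V\s*E\s*-\s*(\d{4})\s*-\s*(\d{4,})")


def parse_notes(text):
    """Return one record per bug-fix line: component, fixed version, CVE ids."""
    records = []
    for line in text.splitlines():
        cves = [f"CVE-{year}-{num}" for year, num in CVE.findall(line)]
        if not cves:
            continue  # functional fix with no CVE attached
        match = UPDATED.search(line)
        if match:
            name, version = match.group("name"), match.group("ver")
        else:
            match = FIXED.search(line)
            if not match:
                continue  # CVE mentioned in a format we do not recognise
            name, version = match.group("name"), None  # no version stated
        records.append({"component": name, "version": version, "cves": cves})
    return records


def triage(findings, records):
    """Split scanner findings into those the notes list as fixed and the rest."""
    index = {cve: rec for rec in records for cve in rec["cves"]}
    closed, still_open = {}, []
    for finding in findings:
        cve = finding.strip().upper()
        if cve in index:
            closed[cve] = index[cve]["component"]
        else:
            still_open.append(cve)
    return closed, still_open


if __name__ == "__main__":
    notes = parse_notes(SAMPLE_NOTES)
    # Hypothetical open findings from a vulnerability scanner.
    fixed, remaining = triage(["cve-2022-32221", "CVE-2099-0001"], notes)
    print("closed by update:", fixed)
    print("still open:", remaining)
```

A finding in the closed set means only that the vendor lists the CVE as fixed; rescan after the upgrade to confirm the scanner agrees.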

Traditionally, you're supposed to learn the release notes by heart before upgrading, so take your time. But if you ask me, there are three things to keep in mind:

  1. Full Volume Encryption
  2. Immutable Snapshot
  3. NVMe SSD storage pool for additional select servers

Let's check them out one by one.

Full volume encryption: Safeguarding data against loss or theft

Generally, when you encrypt the data, no unauthorized third party can read it without the encryption key.

In the case of a NAS server, when your hardware is stolen or sent to e-waste with the data in it, nobody can read the files. They can format the storage devices (and hence destroy the data) and use the hardware anew, but the encrypted information remains a secret. And often, that's more important than the value of the server itself.

Data encryption has been available on Synology NAS servers. However, up to DSM 7.1, it was only available at the shared folder level.

The inconvenience aside, encrypting individual shared folders significantly hurts the server's overall performance. Plus, a volume holds other content besides shared folders, such as LUNs and app data, which remains unprotected and susceptible to prying eyes.

On the other hand, volume encryption encrypts the entire volume, so all data on it is protected. Synology says volume encryption is 48% faster than shared folder encryption in performance.

It's worth noting that volume encryption must be applied at creation. Specifically, you can't turn an existing non-encrypted volume into an encrypted one. You first need to remove it, along with all its data, and re-create it from scratch.

Also, though faster than shared-folder-level encryption, an encrypted volume is generally slower than a non-encrypted one. The system has to spend time and resources to encrypt and decrypt it in real time.

The trick is to use multiple volumes in a server. You only need to encrypt the one that stores important or private data.

The table below includes all NAS models that will get Full Volume Encryption (and Immutable Snapshots) when upgraded to DSM 7.2. Generally, you're in luck if you have a Plus (or higher-end) server of the model year 2020 or newer.

| Series | Models |
|---|---|
| FS-series | FS6400, FS3600, FS3410, FS3400, FS2500, FS2017, FS1018 |
| HD-series | HD6500 |
| SA-series | SA6400, SA3610, SA3600, SA3410, SA3400, SA3400D, SA3200D |
| 23-series | RS2423RP+, RS2423+, DS1823xs+, DS923+, DS723+, DS423+ |
| 22-series | RS822RP+, RS822+, RS422+, DS3622xs+, DS2422+, DS1522+ |
| 21-series | RS4021xs+, RS3621xs+, RS3621RPxs, RS2821RP+, RS2421RP+, RS2421+, RS1221RP+, RS1221+, DS1821+, DS1621xs+, DS1621+ |
| 20-series | RS820RP+, RS820+, DS1520+, DS920+, DS720+, DS620slim, DS420+, DS220+ |

Synology NAS servers to support Full Volume Encryption and Immutable Snapshots when upgraded to DSM 7.2.

Immutable Snapshots: Keeping data safe against accidental or malicious alteration

DSM 7.2 also adds a new feature called WriteOnce, part of the Write Once, Read Many (WORM) technology.

In a nutshell, WORM allows for creating shared folders that users can write to once but whose content they can't change afterward. This type of access is mostly used in enterprise environments where certain types of documents, such as contracts or sale receipts, need to remain intact.

However, WORM can also be applied to other applications, including Synology's Snapshots and Replication app, which keeps shadow copies (versions) of data for restoration in case of an accidental or malicious alteration, such as ransomware.

Snapshots have always been read-only, but with WriteOnce, they'll become Immutable Snapshots that are even less susceptible to being changed by sophisticated parties.

NVMe SSD storage pool now available to more servers

The NVMe SSD storage pool was first introduced with the DS923+ and has since spread to other 2023 servers, including the DS1823xs+, DS723+, and DS423+.

DSM 7.2 continues that trend by adding it to a few existing 2022 and 2021 servers, including the DS1522+, DS1621xs, DS1821+, and DS1621+.

Synology's NVMe SSD storage volume is not without caveats. If you want to use one, keep the following in mind:

  • Only Synology NVMe SSDs are supported: Currently, there's only one pricey option, the SNV3410 (available in 400GB and 800GB).
  • NVMe SSDs can't work as the server's boot volume: The server must first have an existing volume of internal hard drives or SATA SSDs.
  • No hot-swapping: You must turn the server off before servicing the NVMe SSDs.

Still, this is great news for advanced users who have upgraded their server to a 10Gbps network and want to get the best performance out of the system.

Here's my DS1821+ rocking DSM 7.2 and an NVMe encrypted volume. The upgrade process was painless.

Upgrade today!

Synology says most servers will get in-place upgrade notifications starting June 13. However, a manual upgrade is immediately possible and is the only way for select servers.

DSM 7.2 is generally supported by servers of the model year 2016 and newer.

Specifically, you can download the image and load it on your supported server right now via the Upgrade and Restore section of the Control Panel.

I put the new OS version on my DS1821+, which took less than ten minutes. Subsequently, other than Virtual Machine Manager, which needed an app update, other apps remained the same. But this varies case by case.

For my needs, the RAID 0 NVMe SSD volume alone proved DSM 7.2 worth the effort (and the wait). Among other things, now I know the server is not the bottleneck regarding throughput testing.

Having a slow day and a server that's dying to be upgraded? Give DSM 7.2 a try! But before that, be aware that, as with all versions, you generally can't downgrade. Not that there are reasons for going back to DSM 7.1.


9 thoughts on “Synology DSM 7.2: Full Volume Encryption and NVMe Storage for Select Servers”

  1. Hi Dong,

    Can I make back-ups to an encrypted external USB drive (for the purpose of taking the drive with me and accessing the encrypted data without a Synology device)?

    Kind regards,
    Rob

    • You can make backups to an encrypted or non-encrypted drive, Rob. The encryption stays with the hardware, not the data. It only plays a role when the data is protected by a mechanism supported by the hardware, such as user accounts or passwords.

  2. Have a PC and Synology NAS with gigabit connectivity. Buying a Mac Studio which comes with 10G ethernet and looking at new NAS options.

    1. DS1522+ with 10G link and SSD cache. – Know Synology well and can easily set this up.

    2. Flashstor 6 all-flash storage with dual 2.5G links. Drives are very fast but limited by the network connections.

    Couple of questions.
    1. With a switch like the Qnap QSW-2104-2T-US, can SMB multichannel connect both 2.5G links into a switch and use a 10G port on the switch into the Mac? Would that act like a 5G ethernet link with transfer speeds to the NAS at about 550 MB/s?

    2. Would it be faster if I connect the SS USB port to a Thunderbolt on the Mac?

    3. Would the Synology with 10G link and spinning HDD outperform the all-flash with faster drives but slower connectivity?

    Mostly used for photo/video editing.

    • Hi Mike,

      1. I’d skip the caching and use SSD storage — NVMe is available to this server with DSM 7.2. You’d get MUCH faster performance.
      2. I’d go with the 10Gbps port; 2.5Gbps link aggregation, which is clunky, gives you 5Gbps at best.
      1. See #2 above.
      2. Nope, via network you get 10Gbps as the maximum.
      3. This depends on the RAID, but generally HDDs can’t compete with SSDs. Considering the 10Gbps ceiling (the network connection), generally RAID 0 with hard drives will do, but you need SSDs for a RAID with redundancy.

      For your need, I’d recommend using 10Gbps switch, ports, and SSD. You can have a separate volume for video editing, and it’ll work well. Good luck!

      • Much appreciated Dong, thank you.

        I think I’ll skip the caching too as you have no control over what files are in cache. Most cost effective for me would be to just transfer my 5x6TB WD Red drives to a 1522+. I’ll get the 10G NIC and add RAM.

        You said “use SSD storage”, are you saying to use SSDs in the 5 bays of the NAS? The M.2 slots on the NAS only support the very expensive and very small capacity Synology branded NVMe drives which seem near useless unless you just need an 800GB mirrored volume for a very high cost/gig.

        • Yes, SATA SSDs will work fine. You can even create a RAID 0 SSD volume for hot data and Replicate it to another volume as backup.

          • Thanks so much. That sounds like a good idea then, maybe 3x12TB drives in RAID-5 for backups and 2x4TB in RAID-0 for hot data and speed. I’ll do some research, thanks for your help.

          • This may be a good option, little ‘best of both’.
            DS1522+
            8GB memory upgrade (16GB total)
            10G network upgrade
            2x18TB HDD – mirrored for backup volume
            3x2TB SSD – striped for performance volume
