A new customer asked us about the encryption capabilities of our NAS appliances which we use for our managed storage for SMB solution. Our 2015 appliances offer AES-256 encryption on shares. The files are encrypted using a key or key file which should be as long as possible. For customers interested in encrypting their data, please give some thought as to why you are encrypting it as there may be some unintended consequences.
Gotchas:
- Our 2015 appliances do not have the capability to encrypt an existing share: Encryption can only be added to a new share.
- Do not automount an encrypted share. It sort of defeats the point. This introduces another pain though: Whenever your appliance is rebooted (power outage, security update, etc) you must enter the encryption key to mount the share.
- Get a UPS (battery backup)
- Keep your encryption key file on a thumbdrive
- If Radish Networks has a copy of your encryption key then do planned outages during business hours
- Write speeds on encrypted shares is significantly slower than on non-encrypted shares. This is a NAS appliance and the CPU on it isn’t nearly as powerful as a server’s. I recommend having both encrypted and unencrypted shares and splitting your data over the two
- Files copied through our offsite backup service are still encrypted. That’s good news for security, but makes restoring files difficult. All restores must be initiated from the NAS appliance – we can not decrypt the files on our side
- DO NOT LOSE THE ENCRYPTION KEY!