For example could I choose to save certain folder to the encrypted SDD drive and not on the ReadyNAS drives or would I have to save them there first then back them up onto the encrypted SSD drive?
if this is not possible can I encrypted a part of my ReadyNAS HDD or create an encrypted partition within my ReadyNAS?
Trying to find a solution to keeping some data encrypted as per the new GDPR laws in the UK.
Many thanks,
Kate
Model: RN10200|ReadyNAS 100 Series 2-Bay (Diskless)
Trying to find a solution to keeping some data encrypted as per the new GDPR laws in the UK.
I think we'll see lots of other folks enquiring about this over the next month.
On the network side, you can force SMB to require encryption.
The drive enclosure you reference should keep the backup encrypted - it is intended to provide hardware encryption on the drive itself, requiring entry of the correct passcode on the enclosure keypad. Data sent to the drive would be unencrypted, but the enclosure encrypts it, and retreiving the data also requires that the correct passcode be entered.
However, it might still be possible for someone to back up the data to an unencrypted USB drive - particularly if you connect a backup job for the sensitive information to the backup button on the front of the NAS. That is, someone could connect their own SSD to the USB port, press that backup button, and potentially get the data off the NAS. Encrypting the NAS data volume wouldn't prevent that threat.
Also, if I understand you correctly, you might be wanting to create a network share on the encrypted drive (rather then using the drive to for encrypted backup). That should also work, but you do need to make sure that network access to that share is properly protected (and the transfer over the network is encrypted). The NAS does give you enough tools to do that.
One solution to the backup challenge is to make sure you have adequate physical security in place for the NAS chassis (physically preventing access by unauthorized personnel).
Encrypting the main data volume is also possible, but doesn't fully solve the problem since the files are always decrypted as the NAS reads them. It also will hurt performance. Another aspect is that the volume encryption key is on a flash drive that needs to be inserted into the NAS when it is booted - which is operationally awkward since in this case you'd need to keep that flash drive securely stored.
If the sensitive data is only used by one or two people (or is only backed up to the NAS), then there is another option. You can create an encrypted virtual disk, which can be stored on the NAS. You can do that with a Microsoft VHD container for instance, or an iSCSI LUN. The main restriction is that such virtual disks can only be accessed by one user at a time (and they would all need to share the same password). With this approach, the NAS doesn't know the virtual disk's password, because the encryption and decryption are done in the PC client. So the virtual disk on the NAS is encrypted, any NAS backups preserve that encryption (no matter how they are done), and the data transferred across the network is also encrypted. If the number of users (or the number of client PCs) that need access is small, and if they don't need simultaneous access, then this approach is a good option.
