I have the same question - a long-awaited feature for many people but the user documentation hasn't been updated to explain how to use this?
We've been paying out for external backup drives in encryption caddies with keypad which work great, but this feature might mean we can just use plain USB drives in future. It depends how they are utilised and read from other locations. Please post instructions Netgear?
It is a new feature on the ReadyNAS system where you can get your USB external devices encrypted for data inside it to be secured.
If you do get your USB Encrypted using this feature then from that point on, you can access your data from your ReadyNAS system only when the encryption key is available. Connecting it to a PC or Mac it will be not recognized and will prompt you to reformat the drive.
This feature would be best for users who needs to backup their NAS data and get it secured and to be used for recovery or backtracking and also to protect it in case of theft or other malicious activities.
Using it however on other systems is not possible you might be able to mount it on linux. This might be a good Idea to post it on the Ideas Exchange board.
If you do get your USB Encrypted using this feature then from that point on, you can access your data from your ReadyNAS system only when the encryption key is available. Connecting it to a PC or Mac it will be not recognized and will prompt you to reformat the drive.
This really needs a KB article (and should be in the user manual).
FWIW, I think that for most people this is a useless feature. Not much point in having a backup that can't be read without a working ReadyNAS.
There should be some off-line way of mounting the USB volume - at least from a linux system.
It is a new feature on the ReadyNAS system where you can get your USB external devices encrypted for data inside it to be secured.
If you do get your USB Encrypted using this feature then from that point on, you can access your data from your ReadyNAS system only when the encryption key is available. Connecting it to a PC or Mac it will be not recognized and will prompt you to reformat the drive.
This feature would be best for users who needs to backup their NAS data and get it secured and to be used for recovery or backtracking and also to protect it in case of theft or other malicious activities.
Using it however on other systems is not possible you might be able to mount it on linux. This might be a good Idea to post it on the Ideas Exchange board.
HTH
Thanks for the clarification Marc. I have been wishing for the NAS to be able to encrypt a connected USB for a long time but sadly this is not flexible enough. If we do our nighty backup to an external USB HDD encrypted in this way and the NAS goes down, it means we can't get to ANY of our data until we order a new NAS, get it installed and commissioned > the business stops = not compatible with our business continuity plan!
Presently we use external drives with hardware encryption via a disk caddy with keypad - if the NAS goes down then we can plug it into a PC and get essential data off it temporarily so we can keep working until the new NAS arrives.
Also, it would be nice if the new feature allowed us to encrypt a USB flash drive and put data on it to give give/mail to someone outside the company.
One other scenario: we have a new RR2304 as our "working" NAS (connected to the internet) and have an older RN2120 as an "offline" (air-gapped) device to be used for archiving older data (and sensitive data). Is it possible to transfer a copy of the encryption key for the USB device to the RN2120 aswell so data can be transferred from one NAS to the other using the encrypted device? (This will likely be moot as we need to check the device intermediately using a standalone 'sheepdip' PC, but it could be useful to know.)
It looks like this is a big step in the right direction but I think to be useful it really needs to be readable on a PC by someone who has a copy of the the key.
While documentation is lacking, I believe the USB key for USB drive encryption works the same as for the main volume (when it is encrypted), so it can be duplicated for your other NAS in the same manner. They certainly have to have made provisions for replacing a lost/broken key, which means you can have a duplicate
Instead of air gapping your backup NAS, you may want to consider what I and @StephenB do, which is to use RSYNC backup and disable the other protocols (except HTTP, which needs to be on for Admin access, but does not need to be enabled for any shares). Converting this to an online NAS if the primary goes down is pretty easy, especially if you use Active Directory or keep the user list up to date. Just be sure to use strong passwords for the admin and rsync passwords.
Instead of air gapping your backup NAS, you may want to consider what I and @StephenB do, which is to use RSYNC backup and disable the other protocols (except HTTP, which needs to be on for Admin access, but does not need to be enabled for any shares).
Also, mine is on a power schedule, so it is off when it is not backing up (or performing a maintenance task).
Instead of air gapping your backup NAS, you may want to consider what I and @StephenB do, which is to use RSYNC backup and disable the other protocols (except HTTP, which needs to be on for Admin access, but does not need to be enabled for any shares).
Also, mine is on a power schedule, so it is off when it is not backing up (or performing a maintenance task).
Thanks for the suggestions - unfortunately the second NAS MUST be air-gapped - no option. We have certain new security requirements put upon us by our primary customer at a recent security audit - that's why we bought the RR2304 and moved our old RN2120 to create the offline storage. Also there is no possibility for it to be connected online if the main one fails.
We don't use AD but only have 5 users. On the main NAS some work remotely using ReadyCloud until late at night and weekends, but we do a scheduled shut down for a few hours each night after backup has finished until early morning.
OK. I understand that your hand is being forced. But keeping a backup offline means it's not going to be kept up to date as well. What are you doing, "sneeker net" with a USB drive?
Being locally online does not mean the NAS has to be available via the Internet. You can have a separate router (or just a switch or direct wiring if you use static IPs) for the second port of your main NAS that connects to the backup and has no internet access. Of course, VLANs can do much the same thing, but many IT security people know security but very little about IT or don't think paractically. Like arcane pasword requirements that pretty much force you to write them down -- is that really more secure?
I agree, that's an obvious need. If it can't be done natively, there should at least be a VM that can be used to access the data.
I've never tried to use encryption with the ReadyNAS VM, or even assign a USB port to it. I've never tried USB drive encryp[tion on a real RedayNAS, either, since it's new and I don't have a need for it. I use Veracrypt for all my encryption needs, which I run on a PC and have the target file on the NAS. But I just keep a few thigs like tax files and such in it.
This sounds like a worthwhile experiment for somebody to run. I'm afraid I may not get to it before the OP needs to make a decision, though I'll put it on my list.
The ReadyNAS VM does not recognize when a USB drive is connected to it, so that's apparently not an option. It's there and can be manually mounted, but it doesn't show up anywhere in the GUI. If there is a way to trigger the OS to see it like it does a newly inserted one on a real NAS, then maybe it would work.
Digging a bit more, I note that LUKS is installed on a ReadyNAS, so i rather expect it's being used for the encryption. If it is, then perhaps LibreCrypt could access it.
Digging a bit more, I note that LUKS is installed on a ReadyNAS, so i rather expect it's being used for the encryption.
Yes, I believe it is. But there are a couple of ways that can be set up - it would be helpful if Netgear published a procedure for manually mounting an encrypted volume.
