Synology shares and FreeBSD: All the methods

I have a Synology NAS and I've been working on getting the Shared Folders (which are encrypted) mounted under FreeBSD 13.

Below are the various methods I've tried and their outcomes:

NFS: Synology doesn't allow NFS to export encrypted shared folders. I have no further information but it appears to be a widespread frustration.

SMB1: Synology can set the min smb version to 1. I can mount it with `mount -t smbfs` but I'm uncomfortable with running SMB1 in the long term due to security problems.

SMB2/3 via fusefs-smbnetfs: Similar problems as fusefs-sshfs. The mounting process appears to work, and returns without errors or logs, but there's nothing in `df` or under the mountpoint.

FTP via fusefs-curlftpfs `sudo curlftpfs -o allow_other -o user=myuser ftp://myserver/ ~/mountpoint` This works the best of all the options, except the file creation operation doesn't seem to be supported, which is a dealbreaker.

SSHFS via fusefs-sshfs: `sshfs -d -o idmap=file -o uidfile=/home/myuser/uidfile -o gidfile=/home/myuser/gidfile myuser@myserver: ~/mountpoint` this returns successfully, but I don't see the fs mounted with `df` and the mountpount is empty. I have been able to mount it with idmap=user, but the group mappings don't work right, and one of the effects is that I can't `rm` any file, which is a dealbreaker.

Side note for the fusefs methods: It's very weird, but some of the times I am required to be root (I get operation not permitted) and sometimes not, even when my user owns the mountpoint.

I'd appreciate any input or experiences other people have on this topic. I'll also post more in this thread if I think of anything new to try.
 
Technically that will work. But, I consider encrypted shared folder to be part of my requirements for this project.

From a quick glance at the synology specs, the de/encryption seems to be handled purely on the NAS, so what's the point of this? Is there any risk of someone stealing drives? What if he steals the complete NAS? then he would have access to the encrypted data anyways...
Except for this *very special* case where someone would be able to steal your drives, I've never seen any use case for server-side encrypted file storage. Either the client side has to handle de/encryption (at filesystem- or file-level), or it is IMHO technically useless and only snakeoil that sounds good in front of your boss.
So I'd just disable the mainly useless "encryption at rest" (read: "unencrypted for anyone at runtime") and just use proper NFS(v4). This also spares a lot of trouble with incompatible file permissions between SMB/windows and the rest of the world...


As for SMB2/3: unsucessfull mounts are mostly caused by a failed login (if local requirements are met! i.e. vfs.usermount=1) - the crappy syntax of mount_smbfs / smbnetfs (and the second one not even providing a manpage...) doesn't help here... I remember nearly loosing my mind with the second one and reverting to using 'doas mount_smbfs' on a laptop once...
Also keep in mind you need samba and the full pile of its dependencies installed for smb2/3 mounts to work! That's another reason I usually avoid SMB like the plague wherever possible (apart from constantly broken file permissions and much worse performance than NFS)
 
From a quick glance at the synology specs, the de/encryption seems to be handled purely on the NAS, so what's the point of this? Is there any risk of someone stealing drives? What if he steals the complete NAS? then he would have access to the encrypted data anyways...
But he wouldn't have the passphrase needed to mount the encrypted shared folder after booting the NAS.
 
Correct - not sure the solution here. Sko makes a good point: drive encryption only prevents against physical theft. If that is a concern, perhaps look into doing it at the NAS and not with FreeBSD. I have never used the encryption at the NAS level with Synology (I have a 718+) but having read this, I'll look into it.
 
Back
Top