Synology NAS Encryption Performance

From my last post, you already know I have a Synology NAS I’m trying to set up just right for all of my home office needs. One question is, “what about full disk encryption?” I’d like to be able to leave the house knowing, if my home is broken into and the NAS stolen, the data itself isn’t at risk.

This is a little trickier than with, say, a laptop, because the laptop is protected by a password every time you stop using it for a few minutes. There’s such ample opportunity for automatic lockout that only under the most surprise-FBI-raid circumstances would your data get captured in an unencrypted state, and even then, retrieving it is still difficult. In contrast, the NAS has to be plugged in and operational all the time, with disks mounted and unencrypted.

One way to make this scenario secure is to encrypt the data at rest using client-side encryption from the likes of Resilio Sync or True Image – just make sure unencrypted data never even hits the NAS. For some use-cases, this simply isn’t an option though, like if you use Synology Drive or have to access data via an unencrypted network share.

For these cases, you can use the built-in shared folder encryption, where the NAS encrypts all data written to disk and decrypts all data retrieved from it at the system level. This doesn’t come for free, though, as all the work of encrypting and decrypting that data costs compute power. How bad is it?

The answer is, of course, “it depends”. For devices that don’t support hardware AES, it’s bad enough that you probably shouldn’t bother unless you ABSOLUTELY must. My DS1019+ DOES support hardware encryption, though, in the form of an AES instruction on the CPU. In this case, that instruction isn’t FREE, and enabling encryption DOES result in higher CPU usage and a slight performance hit. SpaceRex on YouTube did a video with his DS1918+ where the overhead wasn’t terrible, but WAS certainly noticeable. However, because the DS1019+ is limited to GbE and doesn’t have any faster connection option, this overhead works out to be irrelevant. In other words, if your NAS supports hardware encryption and only gigabit ethernet, you won’t suffer a performance hit enabling encryption.
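
The reasoning above can be checked from a shell on the NAS. This is an added example, not part of the original post: it looks for the `aes` CPU feature in /proc/cpuinfo-style text and compares a link's raw ceiling with an AES throughput figure you supply. It assumes a Linux-style /proc/cpuinfo; the sample lines and the 400 MB/s figure are constructed.

```shell
#!/bin/sh
# Read cpuinfo-style text on stdin; succeed if "aes" is listed as a CPU feature.
# x86 kernels name the line "flags", ARM kernels name it "Features".
cpu_has_aes() {
    awk -F: '
        $1 ~ /^(flags|Features)[ \t]*$/ {
            n = split($2, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "aes") found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Raw ceiling of a link in MB/s (decimal), before any protocol overhead.
# $1 = link speed in Mbit/s
link_ceiling_mbs() {
    awk -v mbit="$1" 'BEGIN { printf "%.1f\n", mbit / 8 }'
}

# Print the slower stage: "network" or "cipher".
# $1 = link speed in Mbit/s, $2 = AES throughput in MB/s (your own measurement)
bottleneck() {
    awk -v mbit="$1" -v aes="$2" \
        'BEGIN { r = (aes > mbit / 8) ? "network" : "cipher"; print r }'
}

# Constructed sample lines, not captured from a real device.
sample_x86='flags : fpu sse2 ssse3 aes xsave'
sample_arm='Features : fp asimd evtstrm crc32'

for s in "$sample_x86" "$sample_arm"; do
    if printf '%s\n' "$s" | cpu_has_aes; then
        echo "hardware AES: yes"
    else
        echo "hardware AES: no"
    fi
done
# On the device itself: cpu_has_aes < /proc/cpuinfo

echo "GbE ceiling: $(link_ceiling_mbs 1000) MB/s"
# 400 MB/s is a constructed AES throughput figure for illustration.
echo "slower stage on 1000 Mbit/s: $(bottleneck 1000 400)"
echo "slower stage on 10000 Mbit/s: $(bottleneck 10000 400)"
```

As long as the cipher figure stays above the link ceiling, the network is the limiting stage, which is the situation the GbE-only case describes.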

To demonstrate this, I did some tests:

Blackmagic Disk Speed Test writing to an UNENCRYPTED SMB share: 107.4MB/s write and 104.6MB/s read.

Blackmagic Disk Speed Test writing to an identical but ENCRYPTED SMB share: 105.3MB/s write and 104.1MB/s read.

So in my case, on a wired connection, no major performance impact. I was also curious about the impact on CPU usage, so I ran the same tests back to back with Resource Monitor open. We can see that a 2×2 speed test to encrypted storage taxes the CPU at maybe 20% average, where the same test to unencrypted storage is more like 15% or 18% average. No major difference here, as far as I’m concerned.

Screenshot showing Synology Resource Monitor CPU and network usage.
