The Synology End Game

(lowendbox.com)
452 points amacbride | 2 comments
tecleandor ◴[] No.45061701[source]
Not only that, but their security situation is terrible. Their OS is full of EOL'ed stuff.

On products you can buy TODAY, you find:

  - Their Btrfs filesystem is a fork of a very old branch and doesn't have modern patches
  - A custom, non-standard, self-built ACL system for the filesystem
  - Kernel 4.4
  - PHP 7.4 (requirement for their Hyperbackup app)
  - smbd 4.15
  - PostgreSQL 11.11
  - smbd 8.2p1
  - Redis 6.2.8
  - ...

They claim it's OK because they've backported all security fixes to their versions. I don't believe them. The (theoretical) huge effort needed for doing that would allow them to grow a way better product.

And it's not only about security, but about features (well, some are security features too). We're missing new kernel features (network hardware offload, security, WireGuard...), filesystem (btrfs features, performance and error patches...), file servers (new features and compatibility, such as Parallel NFS or Multichannel CIFS/SMB), and so on...

I think they got stuck on 4.4 because of their btrfs fork, and now they're too deep in their own hole.

Also, their backend is a mess. A bunch of different apps developed in different ways that mostly don't talk to each other. They sometimes overlap with each other and have very essential features that don't work and that they don't plan to fix. Meanwhile, they're busy releasing AI stuff features for the "Office" app.

Edit note: For myself and some business stuff, I have a bunch of TrueNAS deployments, from a small Jonsbo box for my home, to a +16 disk rack server. This was for a client that wanted to migrate from another Synology they had on loan, and I didn't want to push a server on them, as they're a bit far away from me, and I wanted it to be serviceable by anyone. I regret it.

replies(9): >>45061875 #>>45061915 #>>45061964 #>>45062039 #>>45062320 #>>45062512 #>>45067692 #>>45069567 #>>45075740 #
Shank ◴[] No.45061875[source]
The encryption is also broken. If you use encrypted shared folders, you have an arbitrary filename limit (https://kb.synology.com/en-ro/DSM/tutorial/File_folder_path_...). If you use volume encryption, your encryption key is stored on the NAS itself, which is capable of decrypting the data, unless you buy a second Synology NAS (https://blog.elcomsoft.com/2023/06/volume-encryption-in-syno...) to act as a key vault. Synology claims that volume encryption protects you if the storage drives are stolen, but in what world would the drives, and not the NAS itself, be stolen?
replies(6): >>45061890 #>>45062238 #>>45062529 #>>45066073 #>>45072856 #>>45088929 #
8fingerlouie ◴[] No.45062529[source]
The filename limit comes from ecryptfs (https://www.ecryptfs.org/) which is what Synology uses for encrypted shared folders.

As for full disk encryption, you can select where to store the key, which may be on the NAS itself (rendering FDE more or less useless) or on a USB key or similar.

replies(3): >>45063921 #>>45067986 #>>45070766 #
tecleandor ◴[] No.45063921[source]
For full disk encryption you need DSM >= 7.2 and you can either store it locally (useless) or in a KMIP server. [0]

As a KMIP server you use:

  - Another Synology NAS with DSM >= 7.2
  - A KMIP-compatible key server

Except for the demo implementation that Synology uses (PyKMIP), all the KMIP-compatible servers I've found have licenses in the tens of thousands a year. So if anybody has any suggestions to substitute PyKMIP...

--

  0: https://kb.synology.com/en-global/DSM/tutorial/Which_models_support_encrypted_volumes
replies(1): >>45066209 #
1. 8fingerlouie ◴[] No.45066209[source]
I remembered wrong. I’m fairly certain that Synology, at some point, allowed you to store the encryption vault on an external (USB) drive, but apparently not anymore.
replies(1): >>45067847 #
2. MobileVet ◴[] No.45067847[source]
You didn't remember wrong, I have mine stored on an external drive. I am using DS 6.x though