Knowledge Center

KMIP

At Control Panel > Security > KMIP, you can enable Key Management Interoperability Protocol (KMIP) service for the encryption keys of encrypted volumes on your Synology NAS. KMIP service allows you to store the encrypted volumes' encryption keys to another Synology NAS.

The following terms will be used in this article:

  • Remote key client: The Synology NAS where the encrypted volume is located.
  • Remote key server: The Synology NAS where you store the encryption keys of the encrypted volumes.

Note:

Remote Key Client

In this section, you can set your Synology NAS as a remote key client, storing the encryption keys of encrypted volumes from this Synology NAS to a remote key server. After you set up a remote key client, go to Storage Manager > Storage > Global Settings and set the connected server as Encryption Key Vault.

To set your Synology NAS as a remote key client:

  1. On the Synology NAS acting as the remote key client, perform the following steps:
    1. Go to Control Panel > Security > Certificate and click Settings.
    2. From the KMIP drop-down menu, select a desired certificate and click OK.
    3. In Control Panel > Security > Certificate, select the same certificate in Step b and click Action > Export certificate.
  2. On the Synology NAS acting as the remote key server, perform the following steps:
    1. Go to Control Panel > Security > KMIP.
    2. Select Set as remote key server.
    3. Select a key store location.
    4. In the Manage Client Connection section, click Manage.
    5. Click Add and upload the certificate you exported in Step 1.
  3. Go back to the remote key client and perform the following steps:
    1. Go to Control Panel > Security > KMIP.
    2. Select Set as a remote key client.
    3. Enter the connection information of the remote key server.
    4. Click Trust to connect with the server.

Note:

  • The default Synology certificate or QuickConnect certificate cannot be selected for KMIP service.
  • After changing the certificate for the KMIP service or remote key server you have set, you will need to use the respective recovery key to unlock each encrypted volume the next time you start up Synology NAS.
  • If the key store location is an encrypted volume, make sure the volume is unlocked for the remote key client to access the encryption keys.

To edit the connection of the remote key server:

  1. On the Synology NAS acting as the remote key client, go to Control Panel > Security > KMIP.
  2. In the Remote Key Client section, click Edit.
  3. Edit the connection information.
  4. After confirming the information, click Trust.

To test the connection between the remote key client and server:

After setting up the connection, you can click Test Connection to make sure the connection between the remote key client and server is fine.

Remote Key Server

In this section, you can set your Synology NAS as a remote key server, storing the encryption keys of encrypted volumes from other remote key clients.

To set your Synology NAS as a remote key server:

  1. On the Synology NAS acting as the remote key server, perform the following steps:
    1. Go to Control Panel > Security > Certificate and click Settings.
    2. From the KMIP drop-down menu, select a desired certificate and click OK.
    3. Go to Control Panel > Security > KMIP.
    4. Select Set as remote key server.
    5. Enter the port for KMIP.
    6. Select a key store location.
    7. In the Manage Client Connection section, click Manage.
    8. Click Add and upload the certificate you exported from the remote key client. To export the certificate from the remote key client, refer to Step 1 in the To set your Synology NAS as a remote key client section.
    9. Click Save.
  2. On the Synology NAS acting as the remote key client, perform the following steps:
    1. Go to Control Panel > Security > KMIP.
    2. Select Set as a remote key client.
    3. Enter the connection information of the remote key server.
    4. Click Trust to connect with the server.

Note:

  • The default Synology certificate or QuickConnect certificate cannot be selected for KMIP service.
  • After changing the certificate for the KMIP service or remote key server you have set, you will need to use the respective recovery key to unlock each encrypted volume the next time you start up Synology NAS.
  • If the key store location is an encrypted volume, make sure the volume is unlocked for the remote key client to access the encryption keys.
  • A remote key server can protect encryption keys from multiple remote key clients. However, two Synology NAS cannot be set as the remote key server and client for each other at the same time. For example, if "NAS A" is the remote key server for "NAS B", you cannot set "NAS B" as the remote key server for "NAS A".

To manage the remote key client connections:

  1. Sign in to the Synology NAS at which you want to store the keys. Go to Control Panel > Security > KMIP.
  2. In the Remote Key Server section, click Settings.
  3. In the Manage Client Connection section, click Manage.
  4. You can add, edit, or delete the client certificates.

To delete all KMIP data in the remote key server:

You can delete all of the KMIP data in the remote key server, including the settings, connected clients' information, and stored keys. Once the data are deleted, the connected remote key clients will not be able to access the encryption keys or unlock the encrypted volumes.

  1. In the Remote Key Server section, click Settings.
  2. In the Reset section, click Erase All Data.
  3. Enter the password of your DSM account to confirm the deletion.

Note:

  • Before you delete the data, make sure you have other copies of the encryption keys or store the keys in other locations.
Remote Key Client
Remote Key Server