Synology DiskStation Manager (DSM) 7.x supports delegating NAS volume encryption key management to an external KMIP-compliant Key Management Server. By connecting a Synology NAS to Eviden KMS, you ensure that volume encryption keys are never stored on the NAS itself: they live in a centrally managed, audited, and optionally HSM-backed key store.
| Item | Details |
|---|---|
| Protocol | KMIP 1.2 over TCP/TLS with mutual certificate authentication |
| Port | 5696 (IANA-registered KMIP port) |
| Key type | AES-256 symmetric key |
| DSM version | DSM 7.1 and above |
| Eviden KMS feature | Requires non-FIPS build (PKCS#12 TLS + AES-CBC key wrapping) |
When you configure an external KMS in DSM, the NAS performs the following KMIP operations on every volume creation and every subsequent volume mount:
| Step | KMIP Operation | Purpose |
|---|---|---|
| 1 | DiscoverVersions |
Negotiate KMIP protocol version |
| 2 | Query |
Enumerate server capabilities (6 query functions) |
| 3 | Locate |
Check whether the volume key already exists |
| 4 | Register |
Register a SecretData object (opaque 32-byte key material, KMIP 1.x OperationPolicyName="default" attribute included) |
| 5 | Activate |
Transition the key from PreActive to Active state |
| 6 | ModifyAttribute |
Rename the key to the volume UUID |
| 7 | GetAttributes |
Verify key attributes (state, object type) |
| 8 | Get |
Retrieve key material to mount the encrypted volume |
| 9 | Locate |
Find the key by name after a NAS reboot |
| 10 | Revoke |
Revoke the key during volume deletion or key rotation |
| 11 | Destroy |
Delete the key from the KMS |
!!! note "Compatibility fixes" Two fixes were required for full Synology DSM 7.2.2 compatibility:
- **`OperationPolicyName` (issue #796)**: DSM includes this KMIP 1.x attribute
(deprecated in 1.3, removed in 2.0) in every `Register` request. The server
now silently ignores it instead of emitting a confusing `WARN` log entry.
- **`ModifyAttribute` (issue #760)**: DSM calls `ModifyAttribute` immediately after
`Register` to rename the key to the volume UUID. This operation was not fully
implemented and caused DSM to report "cannot create keys". It is now fully
supported.
- Eviden KMS server running in non-FIPS mode
- TLS enabled on the KMS server with a valid PKCS#12 certificate
- Client certificate and CA certificate for mutual TLS authentication
- DSM 7.1 or later with the Encryption Key Manager feature enabled (see Control Panel → Security → Encryption Key Manager)
Synology DSM requires mutual certificate authentication over TLS. Edit your
kms.toml:
[tls]
tls_p12_file = "/etc/cosmian/kms/server.p12"
tls_p12_password = "your-p12-password"
clients_ca_cert_file = "/etc/cosmian/kms/clients-ca.crt"
[socket_server]
socket_server_start = true
socket_server_port = 5696 # standard KMIP port
socket_server_hostname = "0.0.0.0"The NAS identifies itself to the KMS using a client TLS certificate signed by
the clients_ca_cert_file CA. Use OpenSSL or the cosmian CLI to generate
the certificate:
# Generate a CA and a client certificate (example using OpenSSL)
openssl genrsa -out clients-ca.key 4096
openssl req -new -x509 -days 3650 -key clients-ca.key \
-subj "/CN=KMS Clients CA" -out clients-ca.crt
openssl genrsa -out synology-nas.key 2048
openssl req -new -key synology-nas.key \
-subj "/CN=synology-nas-01" -out synology-nas.csr
openssl x509 -req -days 3650 -in synology-nas.csr \
-CA clients-ca.crt -CAkey clients-ca.key -CAcreateserial \
-out synology-nas.crtcosmian_kms --config /etc/cosmian/kms/kms.tomlOr via Docker:
docker run -p 9998:9998 -p 5696:5696 \
-v /etc/cosmian/kms:/etc/cosmian/kms:ro \
-e COSMIAN_KMS_CONF=/etc/cosmian/kms/kms.toml \
ghcr.io/cosmian/kms:latest- Log in to Synology DSM as an administrator.
- Go to Control Panel → Security → Encryption Key Manager.
- Click Add KMS Server.
- Fill in the connection details:
| Field | Value |
|---|---|
| KMS Server Address | IP or hostname of the Eviden KMS host |
| Port | 5696 |
| Client Certificate | PEM or PKCS#12 file you issued for the NAS |
| Private Key | Matching private key (if not bundled in PKCS#12) |
| CA Certificate | clients-ca.crt (the CA that signed the KMS server cert) |
- Click Test Connection — DSM will run a
DiscoverVersions+Queryprobe. - Click Save.
- Open Storage Manager.
- Select the volume you want to encrypt.
- Click Encrypt and choose the KMS server you just configured.
- DSM will call
Create → Activate → Get → GetAttributesand mount the encrypted volume.
Because Synology DSM is proprietary hardware/software, there is no official
Docker image available for automated testing. Instead, the Eviden KMS test
suite includes a Python simulation client (scripts/synology_dsm_client.py)
that replays the exact KMIP operation sequence performed by DSM.
# Build KMS server (non-FIPS required)
cargo build --bin cosmian_kms --features non-fips
# Start the KMS server with KMIP socket enabled (uses scripts/kms.toml)
COSMIAN_KMS_CONF=scripts/kms.toml \
cargo run --bin cosmian_kms --features non-fips &
# Wait until both ports are ready (HTTP: 9998, KMIP: 15696)
# Then run the DSM simulation
python3.11 scripts/synology_dsm_client.py \
--configuration scripts/pykmip.conf \
--verboseOr use the convenience test runner:
bash scripts/test_synology_dsm.sh simulatebash .github/scripts/nix.sh --variant non-fips test synology_dsmThe Synology DSM simulation is included in the CI matrix in
.github/workflows/test_all.yml under the synology_dsm job (non-FIPS only):
matrix:
type:
- ...
- synology_dsm
features: [fips, non-fips]
exclude:
- type: synology_dsm
features: fipsThe CI job:
- Builds Eviden KMS with
--features non-fips. - Starts the server with TLS and the KMIP socket enabled.
- Runs
scripts/synology_dsm_client.pyagainst it. - Asserts that all 10 steps (DiscoverVersions → Destroy) succeed.
| Script | Purpose |
|---|---|
scripts/synology_dsm_client.py |
Python KMIP client replicating DSM's operation sequence |
scripts/test_synology_dsm.sh |
Local test runner (prereq checks + venv activation) |
.github/scripts/test_synology_dsm.sh |
CI entry point (builds server, starts it, runs test) |
scripts/pykmip.conf |
Shared PyKMIP TLS configuration (host, port, certs) |
scripts/kms.toml |
KMS server configuration used by KMIP tests |
- Verify that port 5696 is reachable from the NAS (firewall rules).
- Confirm
socket_server_start = trueandtls_p12_fileis set inkms.toml. - Check KMS logs:
RUST_LOG=cosmian_kms_server=debug cargo run …
- The NAS client certificate must be signed by the CA listed in
clients_ca_cert_fileinkms.toml. - The KMS server certificate must be trusted by the NAS. Upload the server's CA certificate to DSM under Control Panel → Security → Certificate.
- Ensure you are running Eviden KMS ≥ 5.17 which includes the
ModifyAttributefix for Synology DSM compatibility (issue #760). - The operation requires the key to be in Active state. Call
ActivatebeforeModifyAttribute.
- DSM uses
Locatewith the key name to reconnect. Ensure the key name is unique and consistent across reboots. - Check that the client certificate presented on reconnect is the same one used at creation time (or that both have access rights granted in the KMS access policy).
Older DSM versions (using the KMIP 1.0 protocol) include an OperationPolicyName
attribute in their Register/Create requests. This attribute was deprecated in
KMIP 1.3 and removed in KMIP 2.0+. Eviden KMS ≥ 5.18 silently ignores it
(issue #796). Earlier versions log
a harmless WARN entry; the key operation still succeeds.
- Mutual TLS: Always require client certificate authentication
(
clients_ca_cert_fileset inkms.toml) so that only authorised NAS devices can access keys. - Key access policy: Use the Eviden KMS policy to restrict each NAS to its own keys.
- Key rotation: Revoke and re-create keys periodically. DSM will re-encrypt the volume DEK with the new KMS key on the next mount.
- Audit logging: Enable KMS access logs (
RUST_LOG=info) and forward them to a SIEM for compliance.