GuyPaddock · May 2, 2023 03:27 · GuyPaddock · Mar 30, 2024
diff --git a/mount_encrypted_shares.sh b/mount_encrypted_shares.sh
 #!/usr/bin/env bash
 ##
 # @file
 # Mount encrypted Synology shared folders on their NAS over SSH.
 #
 # As long as key files are being stored securely on the system from which this
 # command is being run, this approach offers more security than the
 # "Key Manager" functionality native to Synology NASes since it does not store
 # the encryption keys for volumes on the NAS device itself. This is because
 # Synology uses the same cypher/passphrase on all NASes to decrypt keys stored
 # in Key Manager. An alternative is to move keys to a separate USB thumb drive
 # that has to be inserted to mount volumes, but that thumb drive could be stolen
 # and/or represent an obstacle for teams working remotely.
 #
 # Requirements:
 # - SSH must be enabled on the target Synology server.
 # - The SSH user must be in the local "administrators" group on the Synology
 #   server.
 # - The SSH user must not be subject to entering a password to use `sudo`.
 # - Each encryption key must be stored in a file with the same name as its
 #   corresponding shared folder, suffixed with ".key" (e.g., "My Share.key").
 #
 # Usage: mount_encrypted_shares.sh <SSH_HOST> <KEY_FILE_FOLDER> <SSH_USERNAME>
 #

 function print_usage {
  {
    echo "Usage: '$0' <SSH_HOST> <KEY_FILE_FOLDER> <SSH_USERNAME>"
    echo "Mount encrypted Synology shared folders over SSH."
    echo ""
    echo "Options:"
    echo "  SSH_HOST         The hostname or IP address of the Synology NAS."
    echo "  KEY_FILE_FOLDER  The path to the folder that contains keys for the shares."
    echo "  SSH_USERNAME     The username to use when connecting to the Synology NAS."
    echo ""
  } >&2
  exit 1
 }

 # Parse arguments
 if [[ $# -ne 3 ]]; then
  print_usage
 fi

 ssh_host="${1:-}"
 key_file_directory="${2:-}"
 ssh_username="${3:-}"

 # Yes, Synology uses a hardcoded passphrase for this. Yes, it's the same in all
 # NASes. See:
 # https://blog.elcomsoft.com/2019/11/synology-nas-encryption-forensic-analysis-of-synology-nas-devices/
 # shellcheck disable=SC2016
 synology_passphrase='$1$5YN01o9y'

 for arg in "$@"; do
  if [[ "$arg" == "--help" || "$arg" == "-h" ]]; then
    print_usage
  fi
 done

 if [[ ! -d "${key_file_directory}" ]]; then
  print_usage
 fi

 find "${key_file_directory}" -maxdepth 1 -name '*.key' -type f | sort | while read -r filename; do
  share_name=$(basename "${filename}" ".key")

  echo -n "  - ${share_name}: "
  base64 --wrap=0 "${filename}" |
    ssh "${ssh_username}@${ssh_host}" \
      "base64 --decode >/tmp/share.key;"`
       `"sudo /usr/syno/sbin/synoshare --enc_mount \"${share_name}\" \$("`
        `"echo '$synology_passphrase' | "`
        `"ecryptfs-unwrap-passphrase /tmp/share.key -;"`
      `") && echo \"Mounted successfully.\""

  ssh -n "${ssh_username}@${ssh_host}" "rm /tmp/share.key"
 done

 echo
 echo "Done!"
	#!/usr/bin/env bash
	##
	# @file
	# Mount encrypted Synology shared folders on their NAS over SSH.
	#
	# As long as key files are being stored securely on the system from which this
	# command is being run, this approach offers more security than the
	# "Key Manager" functionality native to Synology NASes since it does not store
	# the encryption keys for volumes on the NAS device itself. This is because
	# Synology uses the same cypher/passphrase on all NASes to decrypt keys stored
	# in Key Manager. An alternative is to move keys to a separate USB thumb drive
	# that has to be inserted to mount volumes, but that thumb drive could be stolen
	# and/or represent an obstacle for teams working remotely.
	#
	# Requirements:
	# - SSH must be enabled on the target Synology server.
	# - The SSH user must be in the local "administrators" group on the Synology
	# server.
	# - The SSH user must not be subject to entering a password to use `sudo`.
	# - Each encryption key must be stored in a file with the same name as its
	# corresponding shared folder, suffixed with ".key" (e.g., "My Share.key").
	#
	# Usage: mount_encrypted_shares.sh <SSH_HOST> <KEY_FILE_FOLDER> <SSH_USERNAME>
	#

	function print_usage {
	{
	echo "Usage: '$0' <SSH_HOST> <KEY_FILE_FOLDER> <SSH_USERNAME>"
	echo "Mount encrypted Synology shared folders over SSH."
	echo ""
	echo "Options:"
	echo " SSH_HOST The hostname or IP address of the Synology NAS."
	echo " KEY_FILE_FOLDER The path to the folder that contains keys for the shares."
	echo " SSH_USERNAME The username to use when connecting to the Synology NAS."
	echo ""
	} >&2
	exit 1
	}

	# Parse arguments
	if [[ $# -ne 3 ]]; then
	print_usage
	fi

	ssh_host="${1:-}"
	key_file_directory="${2:-}"
	ssh_username="${3:-}"

	# Yes, Synology uses a hardcoded passphrase for this. Yes, it's the same in all
	# NASes. See:
	# https://blog.elcomsoft.com/2019/11/synology-nas-encryption-forensic-analysis-of-synology-nas-devices/
	# shellcheck disable=SC2016
	synology_passphrase='$1$5YN01o9y'

	for arg in "$@"; do
	if [[ "$arg" == "--help" \|\| "$arg" == "-h" ]]; then
	print_usage
	fi
	done

	if [[ ! -d "${key_file_directory}" ]]; then
	print_usage
	fi

	find "${key_file_directory}" -maxdepth 1 -name '*.key' -type f \| sort \| while read -r filename; do
	share_name=$(basename "${filename}" ".key")

	echo -n " - ${share_name}: "
	base64 --wrap=0 "${filename}" \|
	ssh "${ssh_username}@${ssh_host}" \
	"base64 --decode >/tmp/share.key;"`
	`"sudo /usr/syno/sbin/synoshare --enc_mount \"${share_name}\" \$("`
	`"echo '$synology_passphrase' \| "`
	`"ecryptfs-unwrap-passphrase /tmp/share.key -;"`
	`") && echo \"Mounted successfully.\""

	ssh -n "${ssh_username}@${ssh_host}" "rm /tmp/share.key"
	done

	echo
	echo "Done!"