Synology DSM 7.2 introduced Full-Volume Encryption.
Encryption Key Vault can by stored locally or on a remote Synology NAS (KMIP server).
Local Encryption Key Vault is protected with a password, but it doesn't protect against
loss of an entire NAS device (by design, see [1]), because encrypted volumes are
automatically unlocked on boot. See [2] for a way to access an encrypted volume.
I don't know why Synology doesn't offer to store the Encryption Key Vault on USB drive
as it does with Key Manager/Key Store used by encrypted shared folders.

Anyway, DSM 7.2 does support Encryption Key Vault on USB drive, it's just not exposed
to the user. Maybe it's not yet ready for prime time?

The script creates an empty Encryption Key Vault on USB drive and enables it.
Then you can repair Encryption Key Vault via UI to put encryption keys of
unlocked encrypted volumes into it.

The script needs to be run a Synology NAS as a root (sudo).

[1]: https://kb.synology.com/en-global/WP/Synology_Volume_Encryption_White_Paper/4
[2]: https://forums.spacerex.co/t/bounty-first-person-to-share-how-to-break-into-dsm-7-2-encryption-keys-stored-on-box-gets-a-ds923/641/2