Kubernetes AppOps Security Series

In 2019 I wrote a series of six articles on Kubernetes AppOps Security (Network Policies, Security Context and PodSecurityPolicies) that was published successively in the German magazine JavaSPEKTRUM, starting with its 05/2019 issue.

I’m pleased to announce that the series is now completely published and available in English and German on the Cloudogu Blog:

  1. Network Policies – Part 1 – Good Practices | 🖺 original article PDF (German)
  2. Network Policies – Part 2 – Advanced Topics and Tips | 🖺 original article PDF (German)
  3. Security Context – Part 1: Good Practices | 🖺 original article PDF (German)
  4. Security Context – Part 2: Background | 🖺 original article PDF (German)
  5. Pod Security Policies – Part 1: Good Practices | 🖺 original article PDF (German)
  6. Pod Security Policies – Part 2: Exceptions and Troubleshooting | 🖺 original article PDF (German)

Accompanying the articles are some open source demos showcasing the AppOps security features: cloudogu/k8s-security-demos.

In addition, I had the honor of presenting the topic at several conferences.

Finally, we created a “Cloud Native Application Security” training at Cloudogu where you can get hands-on with these topics, among others.

It has been a most interesting journey on which I learned a lot and experienced lots of support from my dear colleagues at Cloudogu. Thank you so much!

Automatic checks for vulnerabilities in Java project dependencies

Java aktuell published an article I wrote on a topic from my work at TRIOLOGY GmbH.

You can find an English version on the TRIOLOGY Blog: Automatic checks for vulnerabilities in Java project dependencies. The article shows an approach to keeping your Java project dependencies free of known vulnerabilities (e.g. CVEs) using OWASP Dependency-Check with Jenkins and Maven. There is also an example project on GitHub.

The original article PDF (in German) is available for download here: Automatisierte Überprüfung von Sicherheitslücken in Abhängigkeiten von Java-Projekten.

TRIOLOGY also published a short Q&A on the article, which can be found here.

Synology: Backup and restore encrypted folders

This post briefly introduces encrypted folders and backing them up on a Synology NAS. It focuses on how to restore those backups, as this is not straightforward.

Encrypting shared folders

Creating an encrypted folder on a Synology NAS can be done easily, as described in detail by Synology here. Note: Don’t store your password on the NAS (the “Mount automatically on startup” option), because this renders the encryption useless! You wouldn’t stick your computer’s password to its display either, would you?

Versioned backups – only for unencrypted folders!

Synology offers the Time Machine package that can be used to keep different versions of stored files. However, this still does not work with encrypted folders (as of version 1.2-2300). Why, Synology, why?

A simple backup solution for encrypted folders

Fortunately, there is an alternative that provides at least rudimentary means of backing up data: the Backup and Restore package.


Once the encrypted folder is mounted, Backup and Restore can be used to create a local backup of all or some of the folders contained within the encrypted folder. Backups can be created, for example, on a daily, weekly or monthly basis. Unfortunately, it’s not possible to keep several versions of a backup – that’s what Time Machine would be for 😦

Note: The “Maximum number of kept versions” setting only relates to the NAS configuration, not to the data!

Restoring encrypted backups – almost impossible?

By now, our data gets backed up regularly by the NAS. But how do we restore a file in case of emergency? There is the Restore tab within the Backup and Restore package. For encrypted backups, you can only use it to restore all or nothing. You can’t even choose where to restore the data to. That is, if you want to restore a single file, your only option is to overwrite all of your production data. In other words: this is useless.

Restoring encrypted backups – a comfortable workaround

There is a workaround, however, that will make the backups accessible like any other shared folder:

  1. On the web interface of your NAS: Create a new encrypted shared folder, using the same password as for the encrypted folder that is being backed up. Let’s call it myBackup.
    Use the Read only permission within the Privileges setup in order to protect your backups.
  2. Unmount the new folder
  3. SSH to your NAS
  4. Delete the container you just created. For example:
    rm -r /volume1/@myBackup@
  5. Create a link to the backup that is named just like the container. For example:
    ln -s /volume1/backup/folder/@folder@ /volume1/@myBackup@

    Here backup is the shared folder that the Backup and Restore package wrote the backup to, and folder is the name of the folder within backup that was set up in Backup and Restore.

  6. Go back to the web interface and mount the folder using the password of the encrypted container.

That’s it. You can now access the backup like any other folder (SMB/CIFS, NFS, FTP, …).
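
As an added example (not part of the original post), the following POSIX shell function performs steps 4 and 5 with the checks worth having before running rm -r on a NAS volume: the backup container must exist, the new container must be an empty directory whose name follows DSM’s @name@ convention, and a link that is already correct is left alone. The paths are parameters so it can be tried on a scratch directory first; the paths in the comments mirror the post’s /volume1/@myBackup@ and /volume1/backup/folder/@folder@.

```shell
#!/bin/sh
# Added example: replace a freshly created (and unmounted) DSM container
# directory with a symlink to the Backup and Restore container, safely.
#
# Usage: link_backup_container <backup_container> <new_container>
#   backup_container: e.g. /volume1/backup/folder/@folder@
#   new_container:    e.g. /volume1/@myBackup@
link_backup_container() {
    backup="$1"
    target="$2"

    # The backup container must be a real directory written by Backup and
    # Restore, not a symlink left over from an earlier run of this script.
    if [ ! -d "$backup" ] || [ -L "$backup" ]; then
        echo "error: $backup is not a directory" >&2
        return 1
    fi

    # DSM wraps encrypted container names in '@'. Refuse anything else so a
    # typo cannot point the removal step at an unrelated path.
    case "$(basename "$target")" in
        @*@) ;;
        *) echo "error: $target does not look like a DSM container (@name@)" >&2
           return 1 ;;
    esac

    # Already linked to the right place: nothing to do (idempotent).
    if [ -L "$target" ] && [ "$(readlink "$target")" = "$backup" ]; then
        return 0
    fi

    # Only remove the new container if it is still empty, which is what
    # "create shared folder, then unmount" leaves behind. Content in it
    # means the wrong path was given or the folder is still mounted.
    # Because emptiness is verified, rmdir replaces the post's rm -r.
    if [ -d "$target" ]; then
        if [ -n "$(ls -A "$target")" ]; then
            echo "error: $target is not empty; is the folder still mounted?" >&2
            return 1
        fi
        rmdir "$target" || return 1
    elif [ -e "$target" ]; then
        echo "error: $target exists and is not a directory" >&2
        return 1
    fi

    ln -s "$backup" "$target" || return 1
    echo "linked $target -> $backup"
}
```

After the function succeeds, continue with step 6 (mount myBackup with the encrypted folder’s password in the web interface).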

Restoring encrypted backups – mount backup on separate system

As an alternative, you could also mount the encrypted folder on any other Linux system.

Synology uses eCryptfs to encrypt shared folders. Those can be mounted on a separate Linux system, as described here.

This is useful for remote backups, or in case your Synology DiskStation is damaged but the hard disks still work.

NAS: DS213+ & WD20NPVT – 3. Performance and Encryption

As announced in the first and second post about the Synology DS213+ and the Western Digital WD20NPVT, this post is about the effective data rates achieved by the NAS and the hard drives. It contains the data rates measured when reading files from the DS213+ (download), as well as the ones measured when writing to it (upload), for both unencrypted and encrypted folders on the NAS. For the measurement, both one large file (1 x 50GB) and many small files (100,000 x 10KB) were transferred to/from the NAS.

Measured Values

The following tables compare the measured data rates to the ones published by Synology.

Large file

Note that for the measurement in this post a 50GB file was used, whereas Synology transferred a 5GB file, which should not make much of a difference.

Operation              Data rate (measured)   Data rate (Synology)
Upload                 51.87 MB/s             84.31 MB/s
Upload (encrypted)     21.32 MB/s             24.65 MB/s
Download               40.89 MB/s             110.36 MB/s
Download (encrypted)   37.21 MB/s             49.58 MB/s
Client (internal)      111.55 MB/s

Small files

Note that for the measurement in this post 100,000 files of 10KB each were used, whereas Synology transferred 1,000 files of 5MB each. So the rates here cannot really be compared, as transferring more, smaller files results in a bigger overhead and therefore in a lower transfer rate.

Still, it is remarkable that Synology only measured the performance when transferring small files to unencrypted folders. Maybe the data rates measured for encrypted folders didn’t look too good?

Operation              Data rate (measured)   Data rate (Synology)
Upload                 0.44 MB/s              43.82 MB/s
Upload (encrypted)     0.05 MB/s              (not measured)
Download               0.75 MB/s              58.15 MB/s
Download (encrypted)   0.49 MB/s              (not measured)
Client (internal)      4.52 MB/s


All data rates were measured from the same client PC using Microsoft Robocopy, connecting to the NAS via the SMB protocol.

The client and the NAS are connected via a Linksys SE2800 switch, using Gigabit Ethernet.

The following table lists the NAS details, as well as the client PC used for the measurements in this post. In addition, the details of the client PC used by Synology are listed.

            Synology DS213+                              Client PC                  Client PC (Synology)
OS          DSM 4.1-2657                                 Windows 8 x64              Windows 7
CPU         Freescale MPC8544E 2x 1.067GHz               Intel T7250 2x 2.0GHz      Intel Core i5 750 2.67GHz
SSD/HDD     Western Digital Green WD20NPVT x2, RAID 1    Samsung 840 Pro (256GB)    SVP200S3 (60GB) SSD x2, RAID 0

Conclusion / Differences

There obviously are differences between the values measured here and the ones published by Synology. What are the reasons for this?

For the small files, the main reason for the difference is surely the smaller size of the files copied, as mentioned above. Why did I choose this smaller size and bigger number? It was not my main objective to compare the values to the ones measured by Synology. Rather, I was interested in the rate at which small files are actually copied. For me, small files are less than 1MB. Have you ever tried to copy a directory with a large quantity of small files (several KB each), such as an Eclipse workspace or an SVN repo? It takes ages. I never thought, though, that they are copied at a data rate of less than a MB per second.

For the large file, I presume the difference between the measured values and the ones by Synology lies in the different measurement set-ups. Synology used a faster CPU, faster RAM, a RAID 0 array and a direct connection between client PC and NAS.

Moreover, I don’t know what software and protocol Synology used for the transfer. Maybe they used FTP, which might perform better than SMB. In addition, it might be even faster for small files, because they can be transferred over several concurrent connections rather than sequentially, as Robocopy does.

Anyway, Synology’s download rate of 110 MB/s is still somewhat of a miracle to me, as this is almost as fast as writing to my local SSD with Robocopy…

Finally, I must say that it is astonishing that uploading (that is, writing) a large file is faster than downloading it (for unencrypted files). I repeated the measurement of all four large-file operations several times, but I got nearly the same results every time (± 1 MB/s). This seems to have something to do with Robocopy or SMB, because downloading the exact same file via FTP (FileZilla) yields a data rate of about 65 MB/s.

Maybe I should write another post comparing FTP and SMB, when I have time 🙂

NAS: DS213+ & WD20NPVT – 1. Conclusion


I have been looking for a Network Attached Storage device with sufficient performance but rather low power consumption.

As a NAS needs to be running 24/7, the power consumption is of particular importance. On the other hand, whenever the NAS is in active use, the faster it can deliver data, the better.

The crucial component for both the power consumption and the data rate is the processor.

The best compromise I could find in October 2012 was the DS213+ NAS. It features a Freescale dual-core CPU with 2x 1.067GHz, which should provide more performance than the single-core CPUs used in most other NAS devices in the medium price range, but consumes less power than the Intel Atom dual cores used in NAS devices in higher price ranges.

As storage devices, I decided to purchase two Western Digital Scorpio Green (WD20NPVT), a 2.5″ drive which seems to be designed exactly for this use case: it has low power consumption, but still provides enough space (2 TB). From an economical point of view, it would probably have made more sense to purchase a 3.5″ drive such as the Western Digital Red (WD20EFRX), which has a higher power consumption (4.4 W compared to 1.4 W), but is cheaper (about 65 Euros in Germany, as of January 2013).

Still, I thought of it as a kind of statement that we (the consumers) are interested in energy-efficient devices, and not only in as many GB per quid as possible.

Or maybe I’m just an idealist 🙂


So, after having used the NAS for over two months now, it’s time for a short recap. Just for a change, I’m going to start with the conclusion. My first post (the one you’re reading at the moment) contains the benefits and drawbacks of the device: what I like about my DS213+ and what problems I encountered.

In addition, I measured the power consumption of the DS213+ and the two WD20NPVT, which I will publish in a second post.

I also measured data rates and encryption performance of the DS213+, which will be published in further upcoming posts.


Synology’s operating system, DiskStation Manager (DSM), which is shipped with the DS213+, provides a great many features. In this post I’m only going to mention the ones most important to me. For more details see Synology.

The device can be set up via an Ajax-driven web interface. In fact, it’s one of the best web interfaces I have seen recently. Synology provides a demo here. As an alternative, you can configure it via SSH. Synology also included a plugin system which allows you to extend DSM with different packages to be used in your LAN (such as a web interface to the stored files, photographs, music, movies, etc.), but also tools intended to be used on the Internet (like Drupal, WordPress, etc.). In addition, Synology provides several free mobile apps for Android, iOS and Windows Phone that provide those features using interfaces optimized for mobile devices.

Another feature which is important to me is encryption. You can set up different folders on the hard drive which are encrypted with different keys and can be accessed by different users. According to the DS213+ spec, the encryption is done in a dedicated hardware module, so the NAS performs well even when encrypting. At least better than ordinary TrueCrypt on my PC 😉

In addition, you can encrypt all communication via HTTPS.

Another neat feature is that images stored on the device are not only indexed so they are quickly accessible via DLNA, but the device also creates thumbnails. This allows for viewing images very smoothly, for example on mobile devices via WiFi. It almost feels like viewing local pictures on my mobile. However, it takes what feels like ages to create the thumbnails. More precisely, it took about three days to create them for the 30k images on my NAS. That’s just a one-time expense, though.

As low power consumption was one of my main objectives, I very much appreciate the hibernation mode offered by the DS213+. The disks are spun down after a configurable time period. In addition, you can set up the NAS to hibernate the whole system 60 seconds after the disks are down. For this hibernation mode, you can configure whether the system can be switched on again via the network (Wake On LAN, WOL). This results in slightly higher power consumption but is a lot more comfortable. Of course, it would be even more comfortable to have the NAS running 24/7, but at the cost of higher power consumption. As mentioned, I’m going to publish the actual power consumption I measured in the next post.


Enough words of praise. I have some issues with the DS213+.

Most of them seem to be connected to the encryption functionality. The DS offers versioning functionality, which is one of the features I am particularly interested in, to use as part of my backup strategy. This feature can be used via a comfortable web interface. The only problem is that the feature cannot be used with encrypted folders, while all my important folders are encrypted. That is, I can’t use this feature at all. The same applies to the pictures web interface: even though you can view pictures stored in encrypted folders via DLNA, they cannot be found via the web interface or the picture app. However, encrypted music can be played via the web interface. Not really consistent behaviour, is it?

In addition, I wasted almost a whole precious day off trying to figure out why I could not access encrypted sub-folders via SMB. After trying about every possible configuration of the DS’s Samba server, I found out that it was a bug in DSM relating to case-sensitive file names. Fortunately, it had been fixed just a couple of days before (version 4.1-2647). So I upgraded to the next DSM version and the problem was gone. The good news is that Synology keeps improving the DSM software and provides the new versions to customers for free. Still, it seems as if DSM is a bit of “banana software” (it “ripens” at the customer) – at least where encryption is concerned.

22 January, 2013: After updating to DSM 4.1-2668 the bug reappeared! I filed a bug with Synology and received the following answer one day later:

The developer confirmed that this is a known issue that our developer is currently working on. The issue will be improved in our future official update in the future.

Let’s hope so! If you haven’t updated yet, better wait for the next version.

Another issue that seems to occur every now and then with Synology devices is hibernation. See for example here and there. I’m experiencing unexpected behavior myself. Every now and then I’m surprised that the device is not in hibernation, even though there should be no reason for it not to be. For example, I was wondering why it was switched on every now and then when I left for work early in the morning. On the other hand, it seems to ignore some of the WOL packets sent from my PC or my phone. I started debugging, but haven’t quite figured out why it behaves like this.

There’s one more thing (though less important): the DS sparkles like a Christmas tree. There are five LEDs in different sizes and colours that twinkle at different frequencies. Unfortunately, they cannot be deactivated via the web interface. Some of them can be switched off via the command line, but the device keeps switching them back on. I’m still looking for a solution to permanently switch them off.


Despite the issues pointed out above, I don’t regret buying the DS213+. It meets most of my expectations, but still, some things could be more elaborate, especially when it comes to encryption. There are also a lot of features that I’m not using yet but that might be of good use in the future (like rsync).

So, wrapping things up, the DS213+ is a really good NAS device with lots of features and rather low energy consumption. If you’re interested in using the encryption features, you might want to have a look at different devices. I can’t say, however, whether there are better ones.