[6.8.1] SED (self-encrypting drives) in the array


Hi all,
I am in the process of buying new hard drives for my Unraid system.


I had problems with SAS drives (no spin down) and thus would like to switch to SATA.

 

I was thinking about using the Seagate Exos X16 16TB drives. At the moment, the SATA models with SED (self-encryption) are much cheaper than without the feature, so I was thinking to just use the "transparent SED" mode without BIOS key management, and basically ignore the encryption happening on the disk.

Are there any resources I can read, any experiences with SED in Unraid? I found this thread, but it is from 2017:
https://forums.unraid.net/topic/54440-sed-disks-in-array/

 

Thanks in advance,

BR Andreas

  • 6 months later...

Did you resolve this?

  • Author

The normal drive functionality works fine out of the box with Seagate Exos X16 16TB SATA SED drives. I did not test the key management and unlock-on-boot since I only really care about the quick erase functionality when decommissioning the drives.
Hope that helps.

 

So all of the SED functions are off by default? SED drives are cheaper than the standard drives.

  • Author

Yes and no. The data that is physically stored on the platter is encrypted transparently with the key that was flashed at the factory. When you read it back, the drive decrypts it on the fly. This is what allows you to "wipe" the drive instantly during decommissioning - change the key and the encrypted data becomes a garbled mess.

 

What is not active by default is that you need to enter a password during boot which unlocks the key, which in turn allows access to the data.

 

Here be dragons: this does NOT protect your drive while the PC is in standby, it only helps when power is physically removed from the drive (e.g. somebody disconnects and steals your drive).

 

PS: if my info helped you, please leave a thanks by clicking the heart in the bottom right corner so I can track how many people have similar problems.

Edited by stereobastler

  • 6 months later...

Did you take SED any further, @stereobastler? I'm hoping to investigate the possibility of using hdparm to set the password on SED drives, rather than using the BIOS. There's an hdparm parameter, --sanitize-crypto-scramble, that I believe might do the trick. Do you, or anybody else here, know anything about this?

 

-- 

Chris

  • Author

Not really, sorry to disappoint. There was a distinct lack of both technical information and interest from the community, so I did not investigate further. Also, it is not really a threat scenario for me since my server is located at home.

 

I find the idea of SED drives quite charming, since you get the benefits of encryption without the performance loss that comes along with encrypting your array, so if you find a solution please do let me know. I cannot test this myself at the moment, since I have exactly 2 SED drives which are my data and parity drive.

 

Andreas

  • 2 years later...

I would like to use this quick erase functionality on an IronWolf Pro HDD. 

 

I downloaded the SeaChest utilities as described in this thread:

 

But I get "RevertSP is not supported on this device" when using that option with Seagate's SeaChest_Erase tool. 

 

The SeaChest Erase readme has a section "Enabling TCG Commands In Linux" and the below thread describes how to set libata.allow_tpm to 1 on unRAID, which I did and rebooted. 

 

Still "RevertSP is not supported on this device."

 

 

Then I tried connecting the HDD to a SATA port on the motherboard instead of LSI 9300-8i LBA to see if that made a difference with the libata change. 

 

Still "RevertSP is not supported on this device."

 

I don't see anything on Seagate's website saying this model (ST16000NE000-2RW103) is *not* SED.  Seagate chat support claimed it is SED and after more questions ended the chat with "The recommendation we could provide is to contact with unRAID to further support."  There's a PSID on the label.  Why would there be a PSID on the label if it wasn't SED capable?

 
