[6.8.1] SED (self-encrypting drives) in the array



Hi all,
I am in the process of buying new hard drives for my Unraid system.


I had problems with SAS drives (no spin down) and thus would like to switch to SATA.

 

I was thinking about using the Seagate Exos X16 16TB drives. At the moment, the SATA models with SED (self-encryption) are much cheaper than without the feature, so I was thinking to just use the "transparent SED" mode without BIOS key management, and basically ignore the encryption happening on the disk.

Are there any resources I can read, any experiences with SED in Unraid? I found this thread, but it is from 2017:
https://forums.unraid.net/topic/54440-sed-disks-in-array/

 

Thanks in advance,

BR Andreas

Link to comment
  • 6 months later...

Yes and no. The data that is physically stored on the platter is encrypted transparently with the key that was flashed at the factory. When you read it back, the drive decrypts it on the fly. This is what allows you to "wipe" the drive instantly during decommissioning - change the key and the encrypted data becomes a garbled mess.

 

What is not active by default is that you need to enter a password during boot which unlocks the key, which in turn allows access to the data.

 

Here be dragons: this does NOT protect your drive while the PC is in standby, it only helps when power is physically removed from the drive (e.g. somebody disconnects and steals your drive).

 

PS: if my info helped you, please leave a thanks by clicking the heart in the bottom right corner so I can track how many people have similar problems.

Edited by stereobastler
Link to comment
  • 6 months later...

Not really, sorry to disappoint. There was a distinct lack of both technical information and interest from the community, so I did not investigate further. Also, it is not really a threat scenario for me since my server is located at home.

 

I find the idea of SED drives quite charming, since you get the benefits of encryption without the performance loss that comes along with encrypting your array, so if you find a solution please do let me know. I cannot test this myself at the moment, since I have exactly 2 SED drives which are my data and parity drive.

 

Andreas

Link to comment
  • 2 years later...

I would like to use this quick erase functionality on an IronWolf Pro HDD. 

 

I downloaded the SeaChest utilities as described in this thread:

 

But I get "RevertSP is not supported on this device" when using that option with Seagate's SeaChest_Erase tool. 

 

The SeaChest Erase readme has a section "Enabling TCG Commands In Linux" and the below thread describes how to set libata.allow_tpm to 1 on unRAID, which I did and rebooted. 

 

Still "RevertSP is not supported on this device."

 

 

Then I tried connecting the HDD to a SATA port on the motherboard instead of LSI 9300-8i LBA to see if that made a difference with the libata change. 

 

Still "RevertSP is not supported on this device."

 

I don't see anything on Seagate's website saying this model (ST16000NE000-2RW103) is *not* SED.  Seagate chat support claimed it is SED and after more questions ended the chat with "The recommendation we could provide is to contact with unRAID to further support."  There's a PSID on the label.  Why would there be a PSID on the label if it wasn't SED capable?

 

Link to comment
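
Added example, not part of any post in this thread: a small shell check that the `libata.allow_tpm=1` setting mentioned in the last post actually took effect after the reboot, by comparing the kernel command line with the live value libata exposes in sysfs. The function names and status strings are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): confirm libata.allow_tpm is active.

# Print the libata.allow_tpm value found in a kernel command line string.
# Later settings override earlier ones, so the last occurrence is reported.
# Runs in a subshell so "set -f" (no globbing) does not leak to the caller.
cmdline_allow_tpm() (
    set -f
    val=""
    for tok in $1; do
        case "$tok" in
            libata.allow_tpm=*) val="${tok#libata.allow_tpm=}" ;;
        esac
    done
    printf '%s' "$val"
)

# Classify the state.
#   $1 = contents of /proc/cmdline
#   $2 = contents of /sys/module/libata/parameters/allow_tpm ("" if unreadable)
allow_tpm_status() (
    requested=$(cmdline_allow_tpm "$1")
    live=$2
    if [ "$live" = "1" ]; then
        echo "enabled"                    # libata passes TCG commands through
    elif [ "$requested" = "1" ]; then
        echo "requested-but-not-active"   # on the command line, not in effect
    elif [ -n "$requested" ]; then
        echo "disabled-on-cmdline"
    else
        echo "not-set"                    # boot config was never changed
    fi
)

# Live check on the running system; missing files are treated as empty.
cmdline=$(cat /proc/cmdline 2>/dev/null || true)
live=$(cat /sys/module/libata/parameters/allow_tpm 2>/dev/null || true)
echo "libata.allow_tpm: $(allow_tpm_status "$cmdline" "$live")"
```

A result of `enabled` only rules out the kernel-side filter on TCG commands; it says nothing about whether the drive itself implements RevertSP.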
