iX Information Library

Using Self-Encrypting Drives

Version 11.1-U5 of FreeNAS and TrueNAS introduced Self-Encrypting Drive (SED) support. This article provides an overview of the SED implementation and how to manage these devices on a FreeNAS or TrueNAS system.

SED Overview

Three types of SED devices are supported:

  • Legacy interface for older ATA devices (not recommended for security-critical environments)
  • TCG OPAL 2 standard for newer consumer-grade devices (HDD or SSD over PCIe or SATA)
  • TCG Enterprise standard for newer enterprise-grade SAS devices

The FreeNAS and TrueNAS middleware implements the security capabilities of camcontrol (for legacy devices) and sedutil-cli (for TCG devices). When managing SED devices from the command line, use sedutil-cli rather than camcontrol so that the full capabilities of the device are available. FreeNAS provides the sedhelper wrapper script to ease SED device administration from the command line.

By default, SED devices are not locked until the administrator takes ownership of them. This is done by explicitly configuring a global or per-device password and adding the password to the SED devices.

Once configured, the system automatically unlocks all SEDs during the boot process, without requiring manual intervention. This allows a pool to contain a mix of SED and non-SED devices.

A password-protected SED device protects the data stored on the device when the device is physically removed from the FreeNAS system. This allows secure disposal of the device without having to first wipe its contents. If the device is instead removed to be repurposed on another system, it can only be unlocked if the password is known. This means it is important to remember the password! Without it, the device cannot be unlocked and its data remains unavailable. While it is possible to pass the PSID number printed on the label of the device to the sedutil-cli command, doing so erases the contents of the device rather than unlocking it. Always record SED passwords whenever they are configured or modified and store them in a safe place!

Managing SED Devices

When SED devices are detected during system boot, the middleware checks for global and device-specific passwords. Devices with a device-specific password are unlocked with that password; all remaining devices are unlocked using the global password.

To configure a global password, go to System → Advanced → SED Password and input the password. Be sure to record the password and store it in a safe place!

To determine which devices support SED and their device names, type:

sedutil-cli --scan

In the results:

  • no indicates a non-SED device
  • 1 indicates a legacy TCG OPAL 1 device
  • 2 indicates a modern TCG OPAL 2 device
  • E indicates a TCG Enterprise device
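As an added example (not from the FreeNAS/TrueNAS documentation or the sedhelper script), this POSIX shell script turns scan output into an inventory using the codes listed above, so the administrator can see which drives a global or per-device password will cover and which are legacy devices. It assumes each device line reads "<device> <code> <description>" and uses a constructed sample rather than output captured from a real system.

```shell
#!/bin/sh
# Added example, not part of the FreeNAS/TrueNAS documentation or sedhelper.
# Classifies drives from "sedutil-cli --scan" style output using the codes
# the article lists (no, 1, 2, E).
# Assumption: each device line reads "<device> <code> <description>"; the
# sample below is constructed, not captured from a real system.

SAMPLE_SCAN='Scanning for Opal compliant disks
/dev/ada0    2  CONSTRUCTED-SATA-SSD-1TB   FW1.0
/dev/ada1   no  CONSTRUCTED-SATA-HDD-4TB   FW2.3
/dev/da0     E  CONSTRUCTED-SAS-SSD-800GB  FW0.9
/dev/da1     1  CONSTRUCTED-OPAL1-DRIVE    FW0.1
No more disks present ending scan'

# Map one scan code to the device class described in the article.
sed_class() {
  case "$1" in
    [Nn][Oo]) echo "non-SED" ;;
    1) echo "legacy-OPAL1" ;;
    2) echo "OPAL2" ;;
    E) echo "Enterprise" ;;
    *) echo "unknown" ;;
  esac
}

# Print "<device> <class>" for every device line in the scan text on stdin.
sed_inventory() {
  while read -r dev code _rest; do
    case "$dev" in
      /dev/*) echo "$dev $(sed_class "$code")" ;;
      *) : ;;   # banner and trailer lines carry no device
    esac
  done
}

# List the devices in one class, e.g. the legacy drives to review before
# trusting them in a security-critical pool.
sed_devices_in_class() {
  printf '%s\n' "$SAMPLE_SCAN" | sed_inventory | while read -r dev class; do
    if [ "$class" = "$1" ]; then echo "$dev"; fi
  done
}

# Stand-alone run: full inventory, then the legacy drives to review.
printf '%s\n' "$SAMPLE_SCAN" | sed_inventory
echo "legacy drives: $(sed_devices_in_class legacy-OPAL1)"
```

On a live system, replace SAMPLE_SCAN with the real output of sedutil-cli --scan and compare the inventory against the Password for SED column in Storage → View Disks.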

To specify a password for a device, go to Storage → View Disks. Highlight the device name for the confirmed SED device and click Edit. Input and confirm the password in the Password for SED and Confirm SED Password fields. Disks that have a configured password will show bullets in their row of the Password for SED column of Storage → View Disks. Conversely, the rows in that column will be empty for disks that do not support SED or which will be unlocked using the global password.

Remember to take ownership of the devices:

sedhelper setup password

This command ensures that all detected SED disks are properly set up using the specified password.

Note: Rerun that command every time a new SED disk is placed in the system.

This command can be used to unlock all available SED disks:

sedhelper unlock