SED password

peteb

Cadet
Joined
Jan 24, 2019
Messages
6
I have a system with all SED drives (TCG Enterprise) and just discovered the Global and Disk password options and found out that currently they are not locked. From the guide:
"By default, SED devices are not locked until the administrator explicitly configures a global or per-device password and initializes the devices."
https://www.ixsystems.com/documentation/freenas/11.1/system.html#self-encrypting-drives

Does anyone know if this is destructive to the data on the devices?

When I see "initialize the devices", I think of a destructive operation, however the wording in the documentation sounds as though it may not be and also there are no warnings. I have 8TB of data that I cannot lose, so I need to be certain before I enable this.

Thank you,
Peter
 

HoneyBadger

actually does care
Administrator
Moderator
iXsystems
Joined
Feb 6, 2014
Messages
5,112
I would have to imagine that "initializes the devices" in this case would imply "erases them to a clean slate after activating encryption on the entire LBA range" so that would be a destructive operation.

Given the 8TB of data at risk here, I would wait for an official answer from an iXsystems employee who has tested this.
 

peteb

Cadet
Joined
Jan 24, 2019
Messages
6
> I would have to imagine that "initializes the devices" in this case would imply "erases them to a clean slate after activating encryption on the entire LBA range" so that would be a destructive operation.
>
> Given the 8TB of data at risk here, I would wait for an official answer from an iXsystems employee who has tested this.

Thanks for the reply. Glad I'm not the only one feeling that way, as that is what I thought too when I read "initialize the device", but the more I read (I'm still researching this like crazy) the less I think that it is destructive. The documentation is not clear and the word "initialize" scares me. I agree that I need an answer from someone who has worked with this before risking it, otherwise I'll have to make an off-system copy of the data before attempting.

Apparently the authentication key (AK) (which would be this password) can be changed without wiping the data: https://wiki.archlinux.org/index.php/Self-Encrypting_Drives but even this is not clear about first turning it on. Some other blogs/forums lead me to believe that the initialize is safe, but I'll wait to see if anyone else has experience.
 

peteb

Cadet
Joined
Jan 24, 2019
Messages
6
Update!
For anyone wanting to know, this is NOT destructive.
I bit the bullet and went for it and thankfully all is well.
Steps:
In System / Advanced menu, I set the SED Password and saved.
Then, from an SSH session to the CLI, I ran the sedhelper setup password command (replace password with actual password used).
Wait for it to run through each disk where you will see something like "da31[OK]" per line for each disk.
Not sure it was needed but I rebooted then I verified access to data.

Hope this helps anyone else venturing down this path.
 

MrT_134

Super Moderator
Moderator
iXsystems
Joined
Aug 25, 2016
Messages
14
I discussed this with one of the iX FreeNAS developers who confirmed this is not a destructive procedure. PR 674 adjusts that statement in the FreeNAS guide to hopefully prevent further confusion. Thanks!
 

glauco

Guru
Joined
Jan 30, 2017
Messages
526
> then I verified access to data.
Thank you for sharing this!
I've done the same things you did but I'm still wondering how do I verify that the data on that SED is actually encrypted now?
And finally, after one year, would you recommend going SED?
Thanks.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
> I've done the same things you did but I'm still wondering how do I verify that the data on that SED is actually encrypted now?
Pull the drives and put them in a system where you have not entered the SED password.
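
Added example, not part of any post in this thread and not iXsystems code: a shell check that reads the Locking feature flags from `sedutil-cli --query` output and classifies a drive as not configured (the state the first post describes), unlocked, or locked (what a system without the SED password should report after a power cycle). It assumes `sedutil-cli` is available and prints flags in the `Name = Y/N` form shown; the sample text and the function names `sed_flag` and `sed_state` are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a self-encrypting drive's lock state from the
# Locking feature line of `sedutil-cli --query` output.

# Constructed sample of the relevant query excerpt after a password was set
# and the drive was unlocked by the host (not captured from a real drive).
SAMPLE_QUERY='Locking function (0x0002)
    Locked = N, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y'

# sed_flag NAME: read query text on stdin, print Y or N for that flag.
# A space is prepended to each line so a flag at column 0 still matches,
# and the [ ,] guard keeps "Locked" from matching inside a longer name.
sed_flag() {
    sed -n -e 's/^/ /' -e "s/.*[ ,]$1 = \([YN]\).*/\1/p" | head -n 1
}

# sed_state: read query text on stdin and print one of:
#   unsupported     no Locking feature reported
#   not-configured  locking supported but never enabled (no password set)
#   unlocked        locking enabled, drive currently unlocked
#   locked          locking enabled, drive refuses access until unlocked
sed_state() {
    text=$(cat)
    supported=$(printf '%s\n' "$text" | sed_flag LockingSupported)
    enabled=$(printf '%s\n' "$text" | sed_flag LockingEnabled)
    locked=$(printf '%s\n' "$text" | sed_flag Locked)
    if [ "$supported" != Y ]; then
        echo unsupported
    elif [ "$enabled" != Y ]; then
        echo not-configured
    elif [ "$locked" = Y ]; then
        echo locked
    else
        echo unlocked
    fi
}

# On a real system (device name is a placeholder):
#   sedutil-cli --query /dev/da0 | sed_state
printf '%s\n' "$SAMPLE_QUERY" | sed_state
```

A drive that reports `unlocked` on the NAS only shows that locking is enabled and the password was accepted; the `locked` result is the one to look for after moving the drive to a host that has not been given the password.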
 
