TrueNAS Nightly Development Documentation
This content follows experimental nightly development software. Pre-release software is intended for testing purposes only.

Managing Self-Encrypting Drives (SED)

TrueNAS Enterprise

UI management of Self-Encrypting Drives (SED) is an Enterprise-licensed feature in TrueNAS 25.04 (and later). SED configuration options are not visible in the TrueNAS Community Edition. Community users wishing to implement SEDs can continue to do so using the command line sedutil-cli utility.

Note: Additional changes to SED management options in the TrueNAS UI are expected ahead of the 25.04.0 release version, with documentation updates to follow.

Supported Specifications

  • Legacy interface for older ATA devices (Not recommended for security-critical environments!)
  • TCG Opal 1 legacy specification
  • TCG Opal 2 standard for newer consumer-grade devices
  • TCG Opalite, a reduced form of Opal 2
  • TCG Pyrite Version 1 and Version 2 are similar to Opalite, but with hardware encryption removed. Pyrite provides a logical equivalent of the legacy ATA security for non-ATA devices. Only the drive firmware protects the device.
    Pyrite Version 1 SEDs do not have PSID support and can become unusable if the password is lost.
  • TCG Enterprise designed for systems with many data disks. These SEDs cannot unlock before the operating system boots.
  • TCG Ruby 1.0

See this Trusted Computing Group and NVM Express® joint white paper for more details about these specifications.

TrueNAS Implementation

TrueNAS implements the security capabilities of sedutil-cli for TCG compliant devices.

You can configure a SED before or after assigning the device to a pool.

By default, SEDs are not locked until the administrator takes ownership of them. Ownership is taken by explicitly configuring a global or per-device password in the web interface and adding the password to the SEDs. Adding SED passwords in the web interface also allows TrueNAS to automatically unlock SEDs on boot.

A password-protected SED protects the data stored on the device when the device is physically removed from the system. This allows secure disposal of the device without having to first wipe the contents. Repurposing a SED on another system requires the SED password or a full cryptographic erase with PSID revert.

Deploying SEDs

TrueNAS supports setting a global password for all detected SEDs or setting individual passwords for each SED. Using a global password for all SEDs is strongly recommended to simplify deployment and avoid maintaining separate passwords for each SED.

SED passwords are used during initial setup and for unlocking SEDs.

Configuring Global SED Settings

To configure global SED settings, go to the System > Advanced Settings screen and locate the Self-Encrypting Drive widget.

Click Configure to open the Self-Encrypting Drive configuration screen.

Select the user to unlock SEDs from the ATA Security User dropdown list. Options are USER or MASTER.

Enter the global SED password in SED Password and in Confirm SED Password.

Click Save.

Remember SED passwords! If you lose the SED password, you cannot unlock SEDs or access their data. After configuring or modifying SED passwords, always record and store them in a secure location!

Configuring Individual SED Passwords

To configure individual, per-disk SED passwords, go to Storage and click Disks in the top right of the screen to open the Disks screen. Click the row or the expand arrow for a confirmed SED to expand the row. Click Edit to open the Edit Disk screen.

Enter and confirm the password in the SED Password fields to assign an individual SED password. If both an individual and global SED password are present, the individual SED password overrides the global password for the disk it is configured on.

Repeat this process for each SED and any SEDs added to the system in the future.

Check SED Functionality

When SED devices are detected during system boot, TrueNAS checks for configured global and device-specific passwords.

Unlocking SEDs allows a pool to contain a mix of SED and non-SED devices. Devices with individual passwords are unlocked with their password. Devices without a device-specific password are unlocked using the global password.

Managing SED Disks and Data

Improper use of the sedutil-cli can be destructive to data and passwords. Keep backups and use with caution.

Additional SED management options are available using a shell session and the sedutil-cli utility. Enter sedutil-cli -h or see the sedutil-cli.8 man page for more information.
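The following Python script is an added example, not code from the TrueNAS documentation or the sedutil project. It shows the check a practitioner would run after deployment: read the Locking-function summary that sedutil-cli --query prints for each device, classify the device against the ownership model described above (unowned, locked, unlocked, or not a SED), and flag Pyrite-class devices whose media is not actually encrypted. It assumes the summary line has the form "Locked = N, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y"; all sample outputs are constructed. It also encodes the password precedence from the Configuring Individual SED Passwords section (a per-disk password overrides the global one).

```python
"""Audit SED locking state from sedutil-cli --query output.

Added example for this page; it is not TrueNAS or sedutil project code.
Assumption: the "Locking function" block printed by `sedutil-cli --query`
contains a summary line of the form
    Locked = N, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
All sample outputs below are constructed for this example.
"""
import re
import subprocess
from typing import Dict, Optional

FLAG_RE = re.compile(
    r"\b(Locked|LockingEnabled|LockingSupported|MBRDone|MBREnabled|MediaEncrypt)\s*=\s*([YN])\b"
)
NO_ENC_WARNING = " (no media encryption: Pyrite-class device)"

# Constructed sample outputs, abbreviated to the lines this audit needs.
SAMPLE_OUTPUT = {
    # Owned and currently locked: the password is required before the pool can use it.
    "/dev/sda": "Locking function (0x0002)\n"
                "    Locked = Y, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y\n",
    # Owned and already unlocked (for example, unlocked at boot with the configured password).
    "/dev/sdb": "Locking function (0x0002)\n"
                "    Locked = N, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y\n",
    # Capable SED nobody has taken ownership of: data is not protected if the drive is removed.
    "/dev/sdc": "Locking function (0x0002)\n"
                "    Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y\n",
    # Pyrite-class device: locking works, but the media itself is not encrypted.
    "/dev/sdd": "Locking function (0x0002)\n"
                "    Locked = Y, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = N\n",
    # Ordinary disk: no Locking function block at all (constructed placeholder text).
    "/dev/sde": "device reports no TCG locking function\n",
}


def locking_state(query_output: str) -> Optional[Dict[str, bool]]:
    """Return the Locking-function flags as booleans, or None if none are reported."""
    flags = {name: value == "Y" for name, value in FLAG_RE.findall(query_output)}
    return flags or None


def classify(flags: Optional[Dict[str, bool]]) -> str:
    """Map the flags to a one-word state mirroring the page's ownership model."""
    if not flags or not flags.get("LockingSupported", False):
        return "not-sed"
    if not flags.get("LockingEnabled", False):
        return "unowned"  # no password taken ownership yet: removal exposes the data
    return "locked" if flags.get("Locked", False) else "unlocked"


def audit(outputs: Dict[str, str]) -> Dict[str, str]:
    """Classify every device and warn when the media is not hardware-encrypted."""
    report = {}
    for dev, text in outputs.items():
        flags = locking_state(text)
        state = classify(flags)
        if flags and state != "not-sed" and not flags.get("MediaEncrypt", True):
            state += NO_ENC_WARNING
        report[dev] = state
    return report


def effective_password(device: str, global_password: Optional[str],
                       per_device: Dict[str, str]) -> Optional[str]:
    """The per-disk password overrides the global one, as the page describes."""
    if device in per_device:
        return per_device[device]
    return global_password


def query_drive(device: str) -> str:
    """Run sedutil-cli --query on a real device (needs root; not used by the samples)."""
    result = subprocess.run(["sedutil-cli", "--query", device],
                            capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    # Offline demonstration over the constructed samples.
    for dev, state in audit(SAMPLE_OUTPUT).items():
        print(f"{dev}: {state}")
```

An "unowned" result on a drive that is meant to be protected means TrueNAS never took ownership of it (no global or per-disk password reached the device), and a Pyrite warning means the drive will lock but a removed platter or NAND still holds plaintext.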

TrueNAS Enterprise

TrueNAS Enterprise customers should contact TrueNAS Enterprise Support for assistance with the initial setup and management of SEDs using sedutil-cli.

Contacting TrueNAS Enterprise Support

Customers who purchase TrueNAS hardware or who want additional support must have a support contract to use TrueNAS Support Services. The TrueNAS Community forums provide free support for users without a TrueNAS Support contract.

TrueNAS Customer Support
Support Portal: https://support.ixsystems.com
Email: support@ixsystems.com
Telephone and Other Resources: https://www.ixsystems.com/support/