ZFS Self Encrypting Drive (SED) support?

rockybulwinkle

New Member

Reaction score: 1
Messages: 5

Does FreeBSD 12.2-RELEASE support creating ZFS pools with Self Encrypting Drive (SED) hard drives? I am trying to source drives for a new NAS and am struggling to find non-SED drives. Searching the forum and googling, I only found threads discussing the merits of SED, not whether it is actually supported. We don't actually need the encryption for our use case; if the drive can be supported with its encryption turned off, that is fine.

Specifically, the model I am considering is ST16000NM004G.

Sorry if this is in the wrong area. I wasn't sure if this belongs in the physical hardware or storage area.

Thanks!
 

mer

Aspiring Daemon

Reaction score: 452
Messages: 723

Interesting question. I don't have personal use with them but:
Is the feature always enabled by default, or does it need to be explicitly enabled?
If it needs to be enabled, they should be fine.

If the data on the disk is always encrypted, even the boot sectors, then I'd guess maybe. Why? Because I think the boot sectors need to be decrypted so the BIOS can actually use them to boot.
 

ralphbsz

Son of Beastie

Reaction score: 2,518
Messages: 3,382

When you buy a new SED from the factory, it is formatted so it is not encrypted. I think technically the correct way to express that is that there is only one encryption band that covers the whole drive, and that band is configured for "no unlocking required, no keys". So when a SED drive comes from the factory, it will work exactly like a normal drive.

Now, I already know what your next question is going to be: Can you enable SED and actually encrypt the drive? I don't know. Yes, it can be done by issuing SCSI commands (called CDBs) manually to the drive before using it. I know that there are specific SED utils (I don't remember whether they're packaged with the standard SD utils, or a separate package). The bigger problem is orchestrating when to unlock the drive, when to relock it, where to get the keys from, how to make the key storage at least as secure as the rest of the system, and the whole system integration complexity. There may be packaged solutions for that. The nice thing about GELI encryption (software) is that the process is all documented and easy to implement.
 
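As an added example (not from this thread and not part of sedutil), here is the kind of pre-flight check ralphbsz's answer implies: parse the output of `sedutil-cli --query` (sysutils/sedutil on FreeBSD) and confirm the drive is still in the factory "no locking, no keys" state before it goes into a pool. The sample query output, device names and serial are constructed to mirror the tool's format, not captured from real drives.

```python
import re
from typing import Dict, Optional

# Constructed sample of what `sedutil-cli --query /dev/da0` prints for a
# TCG Opal/Enterprise SED still in its factory state. Device name, model
# placement and serial are made up for this example; MediaEncrypt is always
# Y on a SED because the hardware encrypts regardless of locking.
FACTORY_STATE_QUERY = """\
/dev/da0 SAS ST16000NM004G  EXAMPLE-SN-0001 E002
TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
"""

# Same drive after someone took ownership and enabled the locking SP:
# this is the "band needs unlocking" state that breaks unattended boot.
LOCKED_STATE_QUERY = FACTORY_STATE_QUERY.replace(
    "Locked = N, LockingEnabled = N", "Locked = Y, LockingEnabled = Y")

# Constructed output for a drive with no TCG locking feature at all.
PLAIN_DISK_QUERY = "/dev/da1 SAS WUH721816AL5204  EXAMPLE-SN-0002 C200\n"


def parse_locking_flags(query_output: str) -> Optional[Dict[str, bool]]:
    """Return the Y/N flags from the 'Locking function (0x0002)' line as
    booleans, or None when the output has no such section (not a SED)."""
    m = re.search(r"Locking function \(0x0002\)\n(.*)", query_output)
    if not m:
        return None
    return {k: v == "Y" for k, v in re.findall(r"(\w+) = ([YN])", m.group(1))}


def pool_safe(query_output: str) -> bool:
    """True when the drive behaves like an ordinary disk: no SED locking
    ever enabled and no shadow MBR, so ZFS sees the real media with no
    unlock step at boot. A plain non-SED disk is trivially safe."""
    flags = parse_locking_flags(query_output)
    if flags is None:
        return True
    # Any of these being Y means a key must be presented before the data
    # band is readable, i.e. the orchestration problem ralphbsz describes.
    must_be_off = ("Locked", "LockingEnabled", "MBREnabled")
    return not any(flags.get(name, False) for name in must_be_off)


if __name__ == "__main__":
    for label, out in (("factory", FACTORY_STATE_QUERY),
                       ("locked", LOCKED_STATE_QUERY),
                       ("plain", PLAIN_DISK_QUERY)):
        print(f"{label}: {'OK for pool' if pool_safe(out) else 'needs unlock'}")
```

On a live system, feed it `subprocess.run(["sedutil-cli", "--query", dev], capture_output=True, text=True).stdout` for each candidate device instead of the constructed strings.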

rockybulwinkle

New Member

Reaction score: 1
Messages: 5

Thank you for the responses. I ended up avoiding any potential problem by getting drives that don't support SED as it was not a feature we needed.
For those curious, the model was WUH721816AL5204 and has been working well so far. No bad blocks were found while burning in 8 drives.