Search

How to use self-encrypting drives (SEDs) on your QNAP NAS?

Last modified date: 2023-12-26

This tutorial introduces self-encrypting drives (SEDs) and how to utilize and manage them on your QNAP NAS.

Applicable ProductsDetails
Hardware
  • All QNAP NAS models
  • TL series JBOD enclosures
Operating system
  • QTS
  • QuTS hero
Note
QTS and QuTS hero do not support SED features for drives installed on drive adapters with hardware RAID (such as the QDA-A2AR and QDA-A2MAR).

Self-Encrypting Drives (SEDs)

A self-encrypting drive (SED) is a drive with encryption hardware built into the drive controller. SEDs automatically encrypt all data as it is written to the drive and decrypt all data as it is read from the drive. Data stored on SEDs are always fully encrypted by a data encryption key, which is stored on the drive's hardware and cannot be accessed by the host operating system or unauthorized users. The encryption key can also be encrypted by a user-specified encryption password that allows the SED to be locked and unlocked.

Because encryption and decryption are handled by the drive, accessing data on SEDs does not require any extra CPU resources from the host device. Data on SEDs also become inaccessible if the SEDs are physically stolen or lost. For these reasons, SEDs are widely preferred for storing sensitive information.

You can use SEDs to create SED secure storage pools in QTS and QuTS hero, and SED secure static volumes in QTS. You can also use SEDs to create regular storage pools or volumes, but the self-encrypting function on the SEDs would remain deactivated.

Why Use SEDs?

Data storage security is an extremely important matter for many enterprises and organizations, especially when they store personal data such as credit card information and identity card numbers, or industry secrets such as product blueprints and intellectual property.

If a data leak occurs, the enterprise or organization can face serious consequences. Apart from sensitive information being exposed, a data leak can also result in customer and client damages, revenue loss, and legal penalties.

Because SEDs use hardware-based full disk encryption, both the encryption and decryption processes occur in the disk hardware. This separation from the host operating system makes hardware encryption more secure than software encryption. Moreover, unlike software encryption, hardware encryption does not require extra CPU resources. If a SED is physically stolen or lost, it becomes practically impossible to obtain intelligible information from the SED.

For these reasons, SEDs are often a specified data security requirement in bidding processes for government agencies, health care institutions, and financial and banking services.

SED Types

QNAP categorizes SED types according to the industry-standard specifications defined by the Trusted Computing Group (TCG). Supported SED types are listed in the following table.

To check the SED type of an installed SED, go to Storage & Snapshots > Storage > Disks/VJBOD > Disks and click a SED.

SED TypeSupported
TCG OpalYes
TCG EnterpriseYes, in QTS 5.0.1 (or later) and QuTS hero h5.0.1 (or later)

SED Storage Creation

You can use SEDs to create SED secure storage pools in QTS and QuTS hero, and SED secure static volumes in QTS.

Important
You cannot enable SED security after creating a standard pool or standard static volume. You must create a SED secure storage pool or SED secure static volume from the beginning.

Creating a SED Secure Storage Pool

  1. Open Storage & Snapshots.
  2. Verify the SED disks are uninitialized.
    1. Go to Storage > Disks/VJBOD.
    2. Select a SED disk.
    3. Verify the SED Status is "Uninitialized".
    4. Repeat the above steps for each SED disk.
  3. Create a SED secure storage pool.
    Note
    This topic only covers the minimum steps to create a SED secure storage pool.
    For complete instructions and configuration details, see "Creating a SED Secure Storage Pool" in one of the following user guides:
    1. Go to Storage > Storage/Snapshots.
    2. Click Create > New Storage Pool.
      The Create Storage Pool Wizard opens.
    3. Click Next.
    4. Optional: Select an expansion unit from the Enclosure Unit list.
    5. Select Create SED secure storage pool.
    6. Select one or more SED disks.
    7. Select a RAID type.
    8. Click Next.
    9. Specify the encryption password.
    10. Click Next.
    11. Click Create.
      The system creates the SED secure storage pool.

Creating a SED Secure Static Volume

  1. Open Storage & Snapshots.
  2. Verify the SED disks are uninitialized.
    1. Go to Storage > Disks/VJBOD > Disks.
    2. Select a SED disk.
    3. Verify the SED Status is "Uninitialized".
    4. Repeat the above steps for each SED disk.
  3. Create a SED secure static volume.
    Note
    This topic only covers the minimum steps to create a SED secure static volume.
    For complete instructions and configuration details, see "Creating a SED Secure Static Volume" in the QTS User Guide.
    1. Go to Storage > Storage/Snapshots.
    2. Click Create > New Volume.
      The Create Volume Wizard opens.
    3. Select Static volume.
    4. Click Next.
    5. Optional: Select an expansion unit from the Enclosure Unit list.
    6. Select Create a SED secure static volume.
    7. Select one or more SED disks.
    8. Select a RAID type.
    9. Click Next.
    10. Specify the encryption password.
    11. Click Next.
    12. Click Finish.
      The system creates the SED secure static volume.

SED Management

SED Storage Pool and Static Volume Actions

To perform the following actions, go to Storage & Snapshots > Storage > Storage/Snapshots, select a SED pool or volume, click Manage, then select Actions > SED Settings.

ActionDescription
Change SED Pool Password
Change SED Volume Password		Change the encryption password.
Warning
Remember this password. If you forget the password, the pool or volume will become inaccessible and all data will be unrecoverable.
You can also enable Auto unlock on startup.
This setting enables the system to automatically unlock and mount the SED pool or volume whenever the NAS starts, without requiring the user to enter the encryption password.
Warning
Enabling this setting can result in unauthorized data access if unauthorized personnel are able to physically access the NAS.
Tip
In some earlier versions of QTS and QuTS hero, Auto unlock on startup is known as Save encryption key.
LockLock the pool or volume. All volumes/shared folders, LUNs, snapshots, and data in the pool or volume will be inaccessible until it is unlocked.
UnlockUnlock a locked SED pool or volume. All volumes/shared folders, LUNs, snapshots, and data in the pool or volume will become accessible.
Disable SED SecurityRemove the encryption password and disable the ability to lock and unlock the pool or volume.
Enable SED SecurityAdd an encryption password and enable the ability to lock and unlock the pool or volume.

Removing a Locked SED Storage Pool or Static Volume

  1. Go to Storage & Snapshots > Storage > Storage/Snapshots.
  2. Select a locked SED storage pool or static volume.
    Note
    Static volumes are only available in QTS.
  3. Click Manage, and then click Remove.
    The Removal Wizard window opens.
  4. Select a removal option.
    OptionDescription
    Unlock and remove pool, data, and saved keyThis option unlocks the SED disks in the storage pool or static volume, and then deletes all data. The storage pool or static volume is removed from the system.
    You must enter the encryption password.
    Remove pool without unlocking itThis option removes the storage pool or static volume without unlocking the disks. The SED disks cannot be used again until you perform one of the following actions:
    • Unlock the disks. Go to Disks/VJBOD, click Recover, and then select Attach and Recover Storage Pool.
    • Erase the disks using SED erase.
  5. Click Apply.

The system removes the locked SED storage pool or static volume.

Migrating a SED Secure Storage Pool to a New NAS

The following requirements apply when migrating a storage pool to a new NAS.

  • The two NAS devices must both be running QTS, or both be running QuTS hero. Migration between QTS and QuTS hero is not possible.
  • The version of QTS or QuTS hero running on the new NAS must be the same or newer than the version running on the original NAS.
  1. On the original NAS, go to Storage & Snapshots > Storage > Storage/Snapshots.
  2. Select a SED secure storage pool.
  3. Click Manage.
    The Storage Pool Management window opens.
  4. Click Action, and then select Safely Detach Pool.
    A confirmation message appears.
  5. Click Yes.
    The storage pool status changes to "Safely Detaching...".
    After the system finishes detaching the pool, the pool disappears from Storage & Snapshots.
  6. Remove the drives containing the storage pool from the NAS.
  7. Install the drives in the new NAS.
  8. On the new NAS, go to Storage & Snapshots > Storage > Disks/VJBOD.
  9. Click Recover, and then select Attach and Recover Storage Pool.
    A confirmation message appears.
  10. Enter the encryption password.
    You must enter this password if you are using self-encrypted drives (SEDs) with encryption activated.
  11. Click Attach.
    The system scans the disks and detects the storage pool.
  12. Click Apply.
    The storage pool appears in Storage & Snapshots on the new NAS.

Erasing a Disk Using SED Erase

SED Erase erases all of the data on a locked or unlocked SED disk and removes the encryption password.

To perform SED Erase, the disk must not be in use by the system or assigned any purpose (for example, it should not be in a storage pool or configured as a spare disk). Ensure the disk is free before performing SED Erase.

  1. Go to Storage & Snapshots > Storage > Disks/VJBOD > Disks.
  2. Select a SED disk.
  3. Click Action, and then select SED Erase.
    Note

    This function is only available when the disk's used type status is "Free". To check this status, go to Storage & Snapshots > Storage > Disks/VJBOD > Disks, locate the disk in the table, and look under the "Used Type" column. For details, see "Disk statuses" in the QTS User Guide or QuTS hero User Guide.

    The SED Erase window opens.
  4. Enter the disk's Physical Security ID (PSID).
    Tip
    The PSID can usually be found on the disk label.

    If you cannot find the PSID, contact the disk manufacturer.
  5. Click Apply.
    The system erases all data on the SED.

SED Status

To view the status of a SED, go to Storage & Snapshots > Storage > Disks/VJBOD > Disks and click an installed SED.

SED StatusDescription
UninitializedThe SED is uninitialized. Drive encryption is deactivated.
UnlockedThe SED is initialized and unlocked. Drive encryption is activated. Data on the SED is encrypted and accessible.
LockedThe SED is initialized and locked. Drive encryption is activated. Data on the SED is encrypted and inaccessible.
BlockedThe SED is blocked for security reasons. The drive cannot be initialized.
Note
To unblock the SED, reinsert the disk or erase the disk using SED Erase. For details, see Erasing a Disk Using SED Erase.

Glossary

GlossDefinition
Auto unlock on startupSetting that allows the system to automatically unlock a SED secure storage pool or SED secure static volume after the NAS restarts
Encryption keyA unique, randomized cryptographic string physically stored within the hardware in self-encrypting drives (SEDs) for encrypting data written to the drive and decrypting data as it is read from the drive
Encryption passwordA user-defined password for locking and unlocking a SED secure storage pool or static volume
PSID (Physical Secure ID)A unique key usually labeled on a self-encrypting drive (SED) for resetting the drive to factory default
SED EraseStorage & Snapshots function for erasing all data on a self-encrypting drive (SED) and removing the encryption password

Was this article helpful?

Yes. No.
66% of people think it helps.
Thank you for your feedback.

Please tell us how this article can be improved:

If you want to provide additional feedback, please include it below.

Teknik Özellik sSçin

      Daha fazla göster Daha az

      Diğer ülkelerde/bölgelerde bu site:

      open menu
      back to top