Open-E Knowledgebase

[JDSS] SED support in JovianDSS

Article ID: 3381
Last updated: 24 Nov, 2022

What is a self-encrypting drive (SED)?
 

A Self-Encrypting Drive (SED) is a hard disk drive (HDD) or a solid-state drive (SSD) designed to automatically encrypt and decrypt drive data without the need for user input or disk encryption software.

SED support is a new feature in Open-E JovianDSS from version up29r2. Self-encryption is a powerful tool to elevate the security of your data. Thanks to the Open-E Text User Interface, setting it up requires only a few steps.


Why should you use SED?

  • With SEDs, there is no noticeable encryption time as with software encryption.
  • SEDs don’t have the performance overhead that software encryption running on the host has, leading to better overall system performance.
  • Due to increased reads and writes with SW encryption, SEDs may have longer usability than drives used in software-encrypted systems.
  • Because the encryption key is on the storage device, it cannot be accessed through host hacking, as software encryption can be.
  • SEDs are less complex to implement in storage array encryption solutions.
  • Government mandates and regulations are increasing the requirements for privacy and favoring the use of SEDs, particularly those with FIPS 140 certification.
  • Secure erase reduces re-provisioning and end-of-life costs and is the only effective way to make data on an SSD inaccessible.
  • A built-in controller of the used disk runs the data encryption and decryption. It does not introduce any additional performance issues.

Using a self-encrypting disk requires setting a password for your data. If you forget the password, the data is permanently lost!


Supported disks
 

Disks supported by Open-E JovianDSS are present in our Hardware Compatibility List. To find them, search the list for “SED” (case-sensitive) or enter the link below:


SED-enabled disks supported by Open-E JovianDSS
 

Currently, none of the supported disks is FIPS-compliant.


All of those disks support the TCG Enterprise SSC standard of self-encryption. That is the only standard supported by our software.


Enabling SED functionality in TUI
 

To enable SED functionality and access the SED settings, hit the “CTRL-ALT-T” hotkey on the console and enter Boot options → Boot parameters.

Select the “SED libdata.allow_tpm” option and click the “Apply” button. Confirm your choice by selecting the “Save changes!” option and clicking the “Apply” button again. The changes done here will be visible only after a system reboot.

After enabling the SED options and rebooting the system, enter the Extended Tools menu by hitting the “CTRL-ALT-X” hotkey, provide the system password, and choose the “Self-encrypting drives (SED) settings” option.

You will see two distinct options:

  • Set the SED encryption password
  • Select the password-accessed drives

The first option allows you to set a password for selected SED-supporting drives. 

The prompt will ask you to provide this password two times for verification purposes. Do not lose your password. If you forget it and change the password to a new one, all data will be lost! After setting the password successfully, you are allowed to choose the password-accessed drives by choosing the second option, “Select the password-accessed drives”. There, Open-E JovianDSS will ask if the password should be applied to all disks or only to the selected ones.

Choosing the first option will encrypt all drives that support SED encryption. The second option will display a table of disks that can be encrypted. Here you can choose and activate SED for chosen disks by pressing the “Set password access”.

To check whether the SED is active on selected disks, launch a different operating system (e.g. Debian OS) from a bootable drive and check the available disks. If the disk is not visible there, SED has been successfully enabled.

As Open-E JovianDSS supports the Enterprise standard of self-encryption, it is possible that our tool will display SED disks that are not officially supported. In such a case, we strongly recommend to use only recommended drives, as those disks were tested and are guaranteed to work as intended.


DISABLING SED FUNCTIONALITY IN TUI
DANGER: resetting a disk to factory defaults will permanently destroy all data on the disk

 

The only way to disable SED functionality is to reset the disks to the factory default settings. To do that, access Extended settings (hot-key “CTRL-ALT-X”) → Self-encrypting drives (SED) settings → Select the password-accessed drives, where disks that support SED encryption will be displayed. After choosing proper disks and pressing “Reset to defaults” button, provide the PSID of the disk you want to reset. 

If you selected more than one disk, you must provide the PSID for each disk. The PSID can be found on the disk label and can only be obtained by pulling the disk out and checking it manually. Below, you can see an example of such a label for one of our supported drives.

Once you complete the reset, the disk will restore the factory settings, deleting all the data and disabling the SED encryption.

This article was:   Helpful | Not helpful Report an issue


Article ID: 3381
Last updated: 24 Nov, 2022
Revision: 20
Views: 0
Posted: 22 Nov, 2022 by Litwinowicz R.
Updated: 24 Nov, 2022 by Litwinowicz R.
print  Print email  Subscribe email  Email to friend share  Share pool  Add to pool
Prev     Next
General info       [JDSS] [DSS V7] Open-E Samba CVE-2022-0336

The Knowledge base is managed by Open-E data storage software company.