Last modified date: 2022-10-12
This tutorial introduces self-encrypting drives (SEDs) and how to utilize and manage them on your QNAP NAS.
| Applicable Products | Details |
|---|---|
| NAS | All QNAP NAS models |
| Operating system | QTS, QuTS hero |
- Self-Encrypting Drives (SEDs)
- Why Use SEDs?
- SED Types
- SED Storage Creation
- SED Management
- SED Status
- Glossary
Self-Encrypting Drives (SEDs)
A self-encrypting drive (SED) is a drive with encryption hardware built into the drive controller. SEDs automatically encrypt all data as it is written to the drive and decrypt all data as it is read from the drive. Data stored on SEDs are always fully encrypted by a data encryption key, which is stored on the drive’s hardware and cannot be accessed by the host operating system or unauthorized users. The encryption key can also be encrypted by a user-specified encryption password that allows the SED to be locked and unlocked.
Because encryption and decryption are handled by the drive, accessing data on SEDs does not require any extra CPU resources from the host device. Data on SEDs also become inaccessible if the SEDs are physically stolen or lost. For these reasons, SEDs are widely preferred for storing sensitive information.
You can use SEDs to create SED secure storage pools in QTS and QuTS hero, and SED secure static volumes in QTS. You can also use SEDs to create regular storage pools or volumes, but the self-encrypting function on the SEDs would remain deactivated.
Why Use SEDs?
Data storage security is an extremely important matter for many enterprises and organizations, especially when they store personal data such as credit card information and identity card numbers, or industry secrets such as product blueprints and intellectual property.
If a data leak occurs, the enterprise or organization can face serious consequences. Apart from sensitive information being exposed, a data leak can also result in customer and client damages, revenue loss, and legal penalties.
Because SEDs use hardware-based full disk encryption, both the encryption and decryption processes occur in the disk hardware. This separation from the host operating system makes hardware encryption more secure than software encryption. Moreover, unlike software encryption, hardware encryption does not require extra CPU resources. If a SED is physically stolen or lost, it becomes practically impossible to obtain intelligible information from the SED.
For these reasons, SEDs are often a specified data security requirement in bidding processes for government agencies, health care institutions, and financial and banking services.
SED Types
QNAP categorizes SED types according to the industry-standard specifications defined by the Trusted Computing Group (TCG). Supported SED types are listed in the following table.
To check the SED type of an installed SED, go to Storage & Snapshots > Storage > Disks/VJBOD and click a SED.
| SED Type | Supported |
|---|---|
| TCG Opal | Yes |
| TCG Enterprise | Yes, in QTS 5.0.1 (or later) and QuTS hero h5.0.1 (or later) |
SED Storage Creation
You can use SEDs to create SED secure storage pools in QTS and QuTS hero, and SED secure static volumes in QTS. For details, see the corresponding QNAP operating system user guide.
| Action | Details |
|---|---|
| Create a SED secure storage pool in QTS | The latest version of the QTS User Guide is available at https://www.qnap.com/go/doc/qts/.You can find the relevant topic by searching “self-encrypting drives”. |
| Create a SED secure static volume in QTS | |
| Create a SED secure storage pool in QuTS hero | The latest version of the QuTS hero User Guide is available at https://www.qnap.com/go/doc/quts-hero/.You can find the relevant topic by searching “self-encrypting drives”. |
SED Management
SED Storage Pool and Static Volume Actions
To perform the following actions, go to Storage & Snapshots > Storage > Storage/Snapshots, select a SED pool or volume, click Manage, then select Actions > SED Settings.
| Action | Description |
|---|---|
| Change SED Pool PasswordChange SED Volume Password | Change the encryption password.Warning:Remember this password. If you forget the password, the pool or volume will become inaccessible and all data will be unrecoverable.You can also enable Auto unlock on startup.This setting enables the system to automatically unlock and mount the SED pool or volume whenever the NAS starts, without requiring the user to enter the encryption passwordWarning:Enabling this setting can result in unauthorized data access if unauthorized personnel are able to physically access the NAS.Tip:In some earlier versions of QTS and QuTS hero, this setting is known as Save encryption key. |
| Lock | Lock the pool or volume. All volumes/shared folders, LUNs, snapshots, and data in the pool or volume will be inaccessible until it is unlocked. |
| Unlock | Unlock a locked SED pool or volume. All volumes/shared folders, LUNs, snapshots, and data in the pool or volume will become accessible. |
| Disable SED Security | Remove the encryption password and disable the ability to lock and unlock the pool or volume. |
| Enable SED Security | Add an encryption password and enable the ability to lock and unlock the pool or volume. |
Removing a Locked SED Storage Pool or Static Volume
- Go to Storage & Snapshots > Storage > Storage/Snapshots.
- Select a locked SED storage pool or static volume.Note:Static volumes are only available in QTS.
- Click Manage, and then click Remove.The Removal Wizard window opens.
- Select a removal option.OptionDescriptionUnlock and remove pool, data, and saved keyThis option unlocks the SED disks in the storage pool or static volume, and then deletes all data. The storage pool or static volume is removed from the system.You must enter the encryption password.Remove pool without unlocking itThis option removes the storage pool or static volume without unlocking the disks. The SED disks cannot be used again until you perform one of the following actions:
- Unlock the disks. Go to Disks/VJBOD, click Recover, and then select Attach and Recover Storage Pool.
- Erase the disks using SED erase.
- Click Apply.
The system removes the locked SED storage pool or static volume.
Migrating a SED Secure Storage Pool to a New NAS
The following requirements apply when migrating a storage pool to a new NAS.
- The two NAS devices must both be running QTS, or both be running QuTS hero. Migration between QTS and QuTS hero is not possible.
- The version of QTS or QuTS hero running on the new NAS must be the same or newer than the version running on the original NAS.
- On the original NAS, go to Storage & Snapshots > Storage > Storage/Snapshots.
- Select a SED secure storage pool.
- Click Manage.The Storage Pool Management window opens.
- Click Action, and then select Safely Detach Pool.
A confirmation message appears. - Click Yes.The storage pool status changes to Safely Detaching…. After the system has finished detaching the pool, it disappears from Storage & Snapshots.
- Remove the drives containing the storage pool from the NAS.
- Install the drives in the new NAS.
- On the new NAS, go to Storage & Snapshots > Storage > Disks/VJBOD .
- Click Recover, and then select Attach and Recover Storage Pool.A confirmation message appears.
- Enter the encryption password.You must enter this password if you are using self-encrypted drives (SEDs) with encryption activated.
- Click Attach.The system scans the disks and detects the storage pool.
- Click Apply.
A confirmation message appears.The storage pool appears in Storage & Snapshots on the new NAS.
Erasing a Disk Using SED Erase
SED Erase erases all of the data on a locked or unlocked SED disk and removes the encryption password.
- Go to Storage & Snapshots > Storage > Disks/VJBOD.
- Select a SED disk.
- Click Actions, and then select SED Erase.The SED Erase window opens.
- Enter the disk’s Physical Security ID (PSID).Tip:The PSID can usually be found on the disk label.If you cannot find the PSID, contact the disk manufacturer.
- Click Apply.
If you cannot find the PSID, contact the disk manufacturer.The system erases all data on the SED.
SED Status
To view the status of a SED, go to Storage & Snapshots > Storage > Disks/VJBOD and click an installed SED.
| SED Status | Description |
|---|---|
| Uninitialized | The SED is uninitialized. Drive encryption is deactivated. |
| Unlocked | The SED is initialized and unlocked. Drive encryption is activated. Data on the SED is encrypted and accessible. |
| Locked | The SED is initialized and locked. Drive encryption is activated. Data on the SED is encrypted and inaccessible. |
| Blocked | The SED is blocked for security reasons. The drive cannot be initialized.Note:To unblock the SED, reinsert the disk or erase the disk using SED Erase. For details, see Erasing a Disk Using SED Erase. |
Glossary
| Gloss | Definition |
|---|---|
| Auto unlock on startup | Setting that allows the system to automatically unlock a SED secure storage pool or SED secure static volume after the NAS restarts |
| Encryption key | A unique, randomized cryptographic string physically stored within the hardware in self-encrypting drives (SEDs) for encrypting data written to the drive and decrypting data as it is read from the drive |
| Encryption password | A user-defined password for locking and unlocking a SED secure storage pool or static volume |
| PSID (Physical Secure ID) | A unique key usually labeled on a self-encrypting drive (SED) for resetting the drive to factory default |
| SED Erase | Storage & Snapshots function for erasing all data on a self-encrypting drive (SED) and removing the encryption password |