Playing with sed and QNAP

I own a small Intel QNAP NAS, and I wanted to have a form of "security at rest". I tried folder and volume encryption, but the support for AES-NI is not implemented directly and therefore it is slooooooooow and sluggish.

Then I discovered SED disks (Wikipedia), which, through the logic present -inside- the disk, do a pretty decent job without killing performance.

The documentation is obviously ominous, scarce and missing most things.

I suggest using SED drives as non-boot disks, so you can log in to the NAS and enable them. Then store everything on the SED drives (applications included).

Soon I will add a guide describing how to work with QNAP and bootable SED drives.

Warnings

Hacking

If someone is able to connect the disks to another machine without detaching the power, they can read the data, because an unlocked SED stays unlocked until it loses power. If you want something more paranoid, encrypt the folders too.

Extra security

DO NOT STORE THE KEYS ON THE NAS, NEVER. This way, when the NAS reboots you will have to go to the web interface and manually enter the login (for non-boot drives).

Hardware

First, please be aware that only disks supporting OPAL are supported. Just to give an example

Others, like the Seagate EXOS, support only ENTERPRISE SED.

You can check the capabilities of your disk with

 sedutil-cli --scan

The result would be like the following

Scanning for Opal compliant disks
/dev/sda  2  Samsung 870 QVO 8TB     2B7QCXE7
/dev/sdb  No Crucial_CT250MX200SSD1  MU04
/dev/sdc  E  WD Ultrastar H550 16TB  0001SDM7
/dev/sdd  12  Unknown  0001SDM7
No more disks present ending scan.

Here we see that the WD has only Enterprise support (E), the Samsung supports Opal 2.0 (2) and the Crucial... nothing. The Unknown disk supports Opal 1 and 2 (12).
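To pick out the usable disks on a box with many drives, the scan output can be classified with a short script. This is an added example, not part of the original post; the function names are hypothetical, and reading a bare "1" as Opal 1 only is an assumption inferred from the "12" flag.

```shell
#!/bin/sh
# Added example: classify `sedutil-cli --scan` output by SED support level.
# Flag meanings are the ones read off the scan on this page: 2 = Opal 2.0,
# 12 = Opal 1 and 2, E = Enterprise only, No = no SED support.
# Assumption: a bare "1" means Opal 1 only (inferred from "12").

# classify_scan: reads scan output on stdin, prints "<device> <verdict>" per disk.
classify_scan() {
    awk '
        $1 !~ /^\/dev\// { next }          # skip banner and trailer lines
        {
            flag = $2
            if (flag == "No")            verdict = "none"
            else if (flag ~ /^[12]+$/)   verdict = "opal"
            else if (flag == "E")        verdict = "enterprise-only"
            else                         verdict = "unknown-flag:" flag
            print $1, verdict
        }'
}

# opal_disks: prints only the Opal-capable devices, the ones the page says are supported.
opal_disks() {
    classify_scan | awk '$2 == "opal" { print $1 }'
}

# Constructed sample input: a copy of the scan output shown above.
sample_scan() {
    cat <<'EOF'
Scanning for Opal compliant disks
/dev/sda  2  Samsung 870 QVO 8TB     2B7QCXE7
/dev/sdb  No Crucial_CT250MX200SSD1  MU04
/dev/sdc  E  WD Ultrastar H550 16TB  0001SDM7
/dev/sdd  12  Unknown  0001SDM7
No more disks present ending scan.
EOF
}

# On a real system: sedutil-cli --scan | classify_scan
sample_scan | classify_scan
```

Flags the script does not recognise are reported as unknown-flag rather than guessed at, so a disk is never listed as Opal-capable by mistake.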

Add a single (non boot) SED volume

Screenshot

Now at every restart you will have to unlock the volume :)

Add a Raid 1 (non boot) SED volume

Screenshot

Now at every restart you will have to unlock the volume :)

Add a Raid 1 (boot) SED volume

To be tested :)


Last modified on: December 20, 2021