Enabling Self encryption Drive for SSD
  • 02 May 2024

Article summary

This document explains how to enable a Self-encryption Drive (SED) for an SSD.

What is SED?

SED, short for Self-encryption Drive, encrypts the disks within a Nodegrid device, ensuring data privacy and security against SSD theft.

How to Enable SED?

To enable SSD data encryption, you need an authentication password. This password unlocks the drive during boot-up using Pre-Boot Authentication (PBA). PBA is an extension of the BIOS, UEFI, and boot firmware that provides a secure, tamper-proof environment before the operating system starts.

Essentially, it prevents anything from being read from the disk until you provide the correct password.

Note:

You can enable SED only for the primary SSD. Nodegrid devices do not support SED for a secondary SSD.

Where's the SED password stored?

The SED password is safely kept in the TPM non-volatile memory.

Which Nodegrid models support SED?

The SED feature is currently supported on the following models:

  • Nodegrid Serial Console (NSC) 
  • Nodegrid Net Services Router (NSR) 
  • Nodegrid Gate SR (GSR)
  • Nodegrid Bold SR (BSR) 
  • Nodegrid Link SR (LSR) 
  • Nodegrid Hive SR (HSR) 
  • Nodegrid Mini SR 
  • Nodegrid NSR Lite

Pre-requisites

Before enabling SED, make sure you have:

  • A SED-compatible BIOS and SSD. If your BIOS is not compatible, contact ZPE support.
  • TPM version 2.0 or above. To verify the TPM version on the Nodegrid device, use the following command: /usr/sbin/sed_info.sh tpm_available
  • Pre-Boot Authentication (PBA) installed.

Checking Compatibility

Verify that the device parameters on your box are compatible with SED by running the following CLI command: show /system/about/

  • Verify the output for the following fields:
    bios sed compatible: yes 
    ssd sed compatible: yes 
    sed pba version: yes
  • If the values for these fields are yes, the SSD is SED compatible.
  • If the Pre-boot authenticator is not installed, the sed pba version field value is set to no. You need to install PBA before you enable SED.
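
To check several devices at once, the rules above can be applied to saved output of show /system/about/. The script below is an added example, not ZPE's code. It assumes the output uses the "field: value" layout shown above; the function names sed_readiness and sample_about and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify SED readiness from saved `show /system/about/` output.
# Assumption: fields are printed as "name: value", as listed in the article.

# Reads about output on stdin, prints one verdict, returns 0 only when ready.
sed_readiness() {
    awk -F': *' '
        { gsub(/^[ \t]+|[ \t\r]+$/, "") }   # trim indentation and trailing CR
        { key = tolower($1); val = tolower($2) }
        key == "bios sed compatible" { bios = val }
        key == "ssd sed compatible"  { ssd  = val }
        key == "sed pba version"     { pba  = val }
        END {
            if (bios == "" || ssd == "" || pba == "") {
                print "UNKNOWN: SED fields missing from output"; exit 3
            }
            if (bios != "yes") { print "BLOCKED: BIOS not SED compatible, contact ZPE support"; exit 1 }
            if (ssd != "yes")  { print "BLOCKED: SSD not SED compatible, a new SSD is required"; exit 1 }
            # The article states this field reads "no" when PBA is not installed.
            if (pba == "no")   { print "BLOCKED: PBA not installed, install it before enabling SED"; exit 2 }
            print "READY: SED can be enabled"; exit 0
        }'
}

# Constructed sample (not captured from a real device): PBA missing.
sample_about() {
    cat <<'EOF'
system: Nodegrid (constructed sample)
bios sed compatible: yes
ssd sed compatible: yes
sed pba version: no
EOF
}

sample_about | sed_readiness || echo "exit status: $?"
```

The return code separates a missing PBA (2) from incompatible hardware (1) and from output that lacks the SED fields entirely (3), so a fleet check can route each case to the right follow-up.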

How to Enable SED using the Nodegrid Web UI?

To enable SED, perform the following steps:

  1. Log in to the Nodegrid UI.
  2. Go to Security :: Services :: Intrusion Prevention.
  3. For maximum security, it is recommended to enable the following settings: 
    1. Enable Secure Boot
    2. Authentication for Rescue Mode
    3. Password protected boot
  4. Verify the SED PBA Version.
  5. Copy the Generated password or enter a defined password. You need this password if you want to disable SED in the future.

  6. Save and then power cycle the machine.

If your SSD is not SED compatible, this field will not be displayed in the UI. If the SSD is incompatible, you must get a new SED-compatible SSD.

Disabling SED

To disable SED:

  1. Go to Security :: Services :: Intrusion Prevention.
  2. Disable the Self-encrypting drive checkbox.
  3. Enter the Unlock Password that was set while enabling SED.
  4. Click Save.

SED is now disabled. If you power cycle, you will not see the Drive Encryption section.

With these steps, you should be all set to enable, disable, and manage SED on your Nodegrid device.

