Remove SED Password on Seagate ES.2 Constellation Drives

Ever since applying a drive password on these ES.2 drives, I’ve been getting READ:CAM status ATA errors whenever the system is rebooted – causing increased boot time and an annoying export/import of the pool using the ES.2 drives.

Issue

The issue was caused by the SED password defined in the FreeNAS OS not applying/retaining during boot up. This means that the drives aren’t being decrypted and thus FreeNAS believes there is a drive error. Technically there is since it cannot communicate with the drives. The status of the pool would be “unknown”. Exporting the pool would work, but reimporting wouldn’t as it wouldn’t be listed.

Workaround

In order to get around this, we need to have the ATA errors time out. Once timed out, we are able to go into the WebUI and reapply the SED password. This only works if you remember what you set it to. Navigating to Storage > Disk > Edit Disk, you can set the SED password you’ve set when using sedutil-cli –scan and sedhelper setup <password>

Enter it into the SED Password field and hit save. Do this for all the SEDs in the VDev used by the pool. Once you’re done, Export the pool, and in CLI, type in: sedhelper unlock.

Reimporting should be show now list the pool.

Solution: Removing the SED Password altogether

This will wipe all data and recovery would be impossible. Do this only if you want to repurpose the disks, sell them, or use them in a non-FreeNAS/non-SED supported OS.

The prerequisite is that these drives MUST be connected via SATA and NOT USB.

A 32 character string (PSID) is printed on each drive. Take a photo of this as this will be used to erase the SED.

Plug the drives into a FreeNAS system. Open CLI (via SSH or console) and run the following command:

sedutil-cli --scan

Match the device string with the drive. You can associate the device string by going into Storage > Disks and matching the Serial number to the name of the drive.

Once you get the device ID and the PSID from the sticker, run the following command:

sedutil-cli --yesIreallywanttoERASEALLmydatausingthePSID <PSIDALLCAPSNODASHED>
The PSID is different in this screenshot but it is what you should be replacing.

Once you run this util, the drive is wiped and should be accessible on other systems.