I asked on the forum if there was a right order to enable SED (Self Encrypted Drive) for a single drive used as a data pool, in my case an NVMe SSD. I was asked to create a case here to have it checked and maybe improve the documentation. I'm using freenas-11.2-U6 and this probably applies to future releases as well.
SED can be enabled in one of these two orders, "1. Create pool, 2. Enable SED" or "1. Enable SED, 2. Create pool".
Is there a right order of enabling SED?
Will any of the two orders create any issues with partition alignment and things like that?
Also, SED can be enabled in two ways, with or without a PBA boot partition needed for unlocking a boot drive. sedutil-cli has two settings that are a bit confusing as they are not very well documented, MBRDone and MBREnable. When enabling SED with either sedutil-cli or sedhelper, the MBRDone is enabled and will remain enabled. MBREnable is "off" right after enabling SED, but will change to "ON" and always be "ON" after the first power cycle of the drive. Once MBREnable is "ON" then it's no longer possible to create a pool or erase the disks. It seems to be locked. MBRDone and MBREnable seem to work together, so disabling one of them might affect the other.
The way I understand it is that MBREnable "ON" is what controls if the PBA boot partition is enabled or not. If FreeNAS is not using the PBA boot partition, should this setting then be "ON"? If so, then the FreeNAS manual should include info about why the user will get an error when trying to create or erase a pool when this setting is "ON".
The second option, MBRDone, is also not very well documented in sedutil-cli. The way I understand it is that if both MBRDone and MBREnable are "ON", then the shadow partition table is visible to the OS; however, this shadow partition is empty if the PBA image is not loaded into the partition. After enabling SED on FreeNAS, there is a warning during boot when loading pools saying something like (I don't have the exact warning available right now) "there was a problem with the first partition table, using secondary table. recovery recommend". This warning is most likely created because sedutil-cli creates an extra partition table for the PBA boot partition (not used) as the primary partition table.
So the question is, will enabling MBRDone have any effect on partition alignment and other partition functions when creating a ZFS pool?
Should MBRDone be enabled for SEDs not using the PBA boot partition?
If MBRDone should be "on", then there should be some info in the FreeNAS documentation about the warning when loading the pool at boot, as this warning seems serious but might be normal if sedutil-cli creates an extra partition table.
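
A check that can be run before creating or erasing a pool, added here as an example and not part of the original report or of FreeNAS: it reads the flags line that `sedutil-cli --query` prints and classifies the drive. The sample lines are constructed, the device name in the comment is a placeholder, and the reading of the flags (shadow MBR presented while MBREnabled is Y and MBRDone is N) is an assumption taken from the TCG Opal specification, not from the post.

```shell
#!/bin/sh
# Classify an Opal drive from the text of `sedutil-cli --query <device>` on stdin.
# Prints one word:
#   shadow  - MBREnabled=Y and MBRDone=N (assumed Opal meaning: the host sees
#             the shadow MBR instead of the real start of the disk)
#   locked  - Locked=Y (the locking range is locked, I/O is refused)
#   ready   - neither of the above
#   unknown - no locking flags line found in the input
sed_state() {
    awk '
    /MBREnabled[ \t]*=/ {
        # Line looks like: "Locked = N, LockingEnabled = Y, ..., MBRDone = N, MBREnabled = N"
        n = split($0, kv, ",")
        for (i = 1; i <= n; i++) {
            gsub(/[ \t\r]/, "", kv[i])      # "MBRDone = N" -> "MBRDone=N"
            split(kv[i], p, "=")
            flag[p[1]] = p[2]
        }
        found = 1
    }
    END {
        if (!found) { print "unknown"; exit }
        if (flag["MBREnabled"] == "Y" && flag["MBRDone"] != "Y") print "shadow"
        else if (flag["Locked"] == "Y") print "locked"
        else print "ready"
    }'
}

# Constructed sample query output (not captured from a real drive).
SAMPLE_SHADOW='Locking function (0x0002)
    Locked = Y, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = Y, MediaEncrypt = Y'
SAMPLE_LOCKED='Locking function (0x0002)
    Locked = Y, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y'
SAMPLE_READY='Locking function (0x0002)
    Locked = N, LockingEnabled = Y, LockingSupported = Y, MBRDone = Y, MBREnabled = Y, MediaEncrypt = Y'

# Real use (device name is a placeholder):
#   sedutil-cli --query /dev/<device> | sed_state
for sample in "$SAMPLE_SHADOW" "$SAMPLE_LOCKED" "$SAMPLE_READY"; do
    printf '%s\n' "$sample" | sed_state
done
```

Anything other than `ready` means the partition table the OS reads may not be the one on the data area, so pool creation or a disk wipe should wait until the drive is unlocked.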