hardware full disk encryption

Bruno Wolff III bruno at wolff.to
Thu Dec 12 20:21:25 UTC 2013


On Thu, Dec 12, 2013 at 11:32:41 -0800,
   "Wolfgang S. Rupprecht" <wolfgang.rupprecht at gmail.com> wrote:
>
>I've got a standard consumer Intel 520 SSD, which claims to do hardware
>based AES disk encryption with no speed penalty.  It sounds like a
>useful way to protect laptop data if the laptop is ever stolen.  Has
>anyone tried to do hardware-based full disk encryption with Fedora?
>Does one need to boot from a live usb or something in order to get to an
>environment where one can even enter the AES key for the disk
>decryption?
>
>Google is failing me here due to search spam for LUKS which doesn't
>appear to be capable of *full* *disk* encryption.  It only seems to
>encrypt individual partitions.

It can do full encryption of block devices. If you aren't booting off 
the SSD you could encrypt the whole drive. The LUKS header will still 
be on the SSD. If you didn't want that either, you could do some trickiness 
with dm to have the header on a different physical device. This is all 
going to need manual setup, as it isn't the normal case. (For most people 
leaking the partition information isn't a significant risk and encrypting 
by partition is simpler.)
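
An added example, not part of the original post: a small Python check of what the first sector of a block device exposes in plaintext under the three layouts discussed above (LUKS on the whole device, a partition table, or a detached header that leaves nothing recognisable). The field layout follows the LUKS1 on-disk header; the function names and the sample sectors are constructed for illustration.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
# LUKS1 header, big-endian: magic, version, cipher name, cipher mode, hash spec,
# payload offset (sectors), key bytes, MK digest, MK salt, MK iterations, UUID.
LUKS1_FMT = ">6sH32s32s32sII20s32sI40s"   # 208 bytes, key slots follow

def _text(raw):
    """Decode a NUL-padded ASCII header field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def classify_start(sector0):
    """Report what the first bytes of a block device reveal without any key."""
    if sector0[:6] == LUKS_MAGIC:
        version = struct.unpack(">H", sector0[6:8])[0]
        info = {"layout": "luks-whole-device", "version": version}
        if version == 1 and len(sector0) >= struct.calcsize(LUKS1_FMT):
            f = struct.unpack_from(LUKS1_FMT, sector0)
            info.update(cipher=_text(f[2]), mode=_text(f[3]), hash=_text(f[4]),
                        payload_offset_sectors=f[5], key_bytes=f[6],
                        uuid=_text(f[10]))
        return info
    if len(sector0) >= 512 and sector0[510:512] == b"\x55\xaa":
        # MBR: four 16-byte partition entries at offset 446, type byte at +4.
        types = [sector0[446 + 16 * i + 4] for i in range(4)]
        return {"layout": "partition-table",
                "partition_types": [t for t in types if t]}
    # Detached header (or a blank disk): nothing identifiable at the start.
    return {"layout": "no-recognised-header"}

def sample_luks1():
    """Constructed LUKS1 header with placeholder digest, salt and UUID."""
    hdr = struct.pack(LUKS1_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha1",
                      4096, 64, b"\0" * 20, b"\0" * 32, 1000,
                      b"00000000-0000-0000-0000-000000000000")
    return hdr.ljust(512, b"\0")

def sample_mbr():
    """Constructed MBR sector with one Linux (0x83) partition entry."""
    s = bytearray(512)
    s[446 + 4] = 0x83
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    for name, sector in (("luks", sample_luks1()), ("mbr", sample_mbr()),
                         ("detached", bytes(512))):
        print(name, classify_start(sector))
```

With the header on the device, the cipher, mode, key size and UUID are readable by anyone holding the disk; only the detached-header layout leaves the start of the device unidentifiable.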

