hardware full disk encryption

Wolfgang S. Rupprecht wolfgang.rupprecht at gmail.com
Thu Dec 12 20:36:59 UTC 2013


Bruno Wolff III <bruno at wolff.to> writes:
> On Thu, Dec 12, 2013 at 11:32:41 -0800,
>   "Wolfgang S. Rupprecht" <wolfgang.rupprecht at gmail.com> wrote:
>>Google is failing me here due to search spam for LUKS which doesn't
>>appear to be capable of *full* *disk* encryption.  It only seems to
>>encrypt individual partitions.
> It can do full encryption of block devices. If you aren't booting off
> the SSD you could encrypt the whole drive. The LUKS header will still
> be on the SSD. If you didn't want that either, you could do some
> trickiness with dm to have the header on a different physical
> device. This is all going to need manual setup, as it isn't the normal
> case. (For most people leaking the partition information isn't a
> significant risk and encrypting by partition is simpler.)

No, leaking the partition info for the bootstrap isn't a worry for me
either.  ;-) It's just that LUKS shows up and dominates searches for
FDE.  If I didn't have always on, hardware FDE for free in the SSD, I'm
sure I'd be happy with LUKS.

After a bit more research it appears that the SSD FDE machinery is
always on, even with a blank password protecting the internally
generated random AES key.  It is impressive that the disk does ~ 480
MBytes/sec (actual measured speed) even when squeezing all the data
through AES-128.

Of course, with the Snowden revelations, one has to wonder how random
the randomly chosen internal AES key is.  If it is from an intentionally
crippled RNG, it may be easy for someone in the know to do a brute-force
search for it.

-wolfgang
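The worry in the message above is that a drive's internally generated AES-128 key is only as strong as the RNG that produced it. The following Python model, added here and not part of the original thread or of any drive vendor's firmware, makes that concrete: it compares a key drawn from OS entropy with one derived from a deliberately small RNG state, and shows that the work needed to find the weak key is bounded by the RNG's seed size, not by the 128-bit key length. Everything in it is constructed for illustration: the seed size, the "known sector" plaintext, and the use of HMAC-SHA256 as a stand-in for the drive's AES engine (only the keyedness of the transformation matters for the argument).

```python
import hashlib
import hmac
import os

# Model of a self-encrypting drive's key generation (constructed, not a
# real drive's design). A healthy drive derives its media key from genuine
# randomness; a "crippled" RNG makes the key a fixed function of a small
# hidden state, so the real keyspace collapses to that state's size.

KEY_BYTES = 16                  # AES-128 media key length, as in the message
WEAK_SEED_BITS = 16             # assumed size of the crippled RNG's state (constructed)
KNOWN_SECTOR = b"\x00" * 512    # constructed: a sector whose plaintext is predictable
                                # (e.g. an unused, zero-filled region)


def key_from_weak_rng(seed: int) -> bytes:
    """Crippled-RNG model: a 128-bit key that is fully determined by a small seed."""
    return hashlib.sha256(seed.to_bytes(4, "big")).digest()[:KEY_BYTES]


def key_from_good_rng() -> bytes:
    """Healthy-RNG model: 128 bits of entropy from the operating system."""
    return os.urandom(KEY_BYTES)


def encrypt_sector(key: bytes, sector: bytes) -> bytes:
    """Keyed transformation standing in for the drive's AES; a keyed MAC is
    enough to show the keyspace argument without a cipher dependency."""
    return hmac.new(key, sector, hashlib.sha256).digest()


def effective_keyspace_bits(seed_bits: int, key_bits: int) -> int:
    """The search cost is bounded by the RNG's entropy, not the nominal key size."""
    return min(seed_bits, key_bits)


def recover_weak_key(ciphertext: bytes, sector: bytes, seed_bits: int):
    """Exhaust the RNG's seed space against one known plaintext/ciphertext pair.

    Returns (seed, key) when the key came from the weak RNG, or None when
    no seed in the space reproduces the ciphertext."""
    for seed in range(1 << seed_bits):
        candidate = key_from_weak_rng(seed)
        if hmac.compare_digest(encrypt_sector(candidate, sector), ciphertext):
            return seed, candidate
    return None


def demo() -> dict:
    """Run both cases and report whether the key could be recovered."""
    # Case 1: drive with a crippled RNG. The seed value is constructed.
    weak_key = key_from_weak_rng(0xBEEF)
    weak_ct = encrypt_sector(weak_key, KNOWN_SECTOR)
    weak_result = recover_weak_key(weak_ct, KNOWN_SECTOR, WEAK_SEED_BITS)

    # Case 2: drive with a healthy RNG. The same search finds nothing,
    # because the key is not a function of any 16-bit state.
    good_key = key_from_good_rng()
    good_ct = encrypt_sector(good_key, KNOWN_SECTOR)
    good_result = recover_weak_key(good_ct, KNOWN_SECTOR, WEAK_SEED_BITS)

    return {
        "weak_rng_key_recovered": weak_result is not None and weak_result[1] == weak_key,
        "good_rng_key_recovered": good_result is not None,
        "weak_effective_bits": effective_keyspace_bits(WEAK_SEED_BITS, KEY_BYTES * 8),
        "good_effective_bits": effective_keyspace_bits(KEY_BYTES * 8, KEY_BYTES * 8),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point for a defender is that the drive's advertised AES-128 tells you nothing about the entropy of the key it chose for you; that is a property of the firmware's RNG, which is not observable from the outside. Where that cannot be audited, layering a software volume such as LUKS over the hardware encryption is the usual way to avoid depending on it.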
