hardware full disk encryption

Wolfgang S. Rupprecht wolfgang.rupprecht at gmail.com
Fri Dec 13 01:23:14 UTC 2013


Chris Murphy <lists at colorremedies.com> writes:
> On Dec 12, 2013, at 1:36 PM, "Wolfgang S. Rupprecht"
> <wolfgang.rupprecht at gmail.com> wrote:
>> 
>> If I didn't have always on, hardware FDE for free in the SSD, I'm
>> sure I'd be happy with LUKS.
>
> Yes, it's annoying. But the task is also difficult to do correctly in
> a preboot environment. Arguably they got ahead of themselves and
> should have first come up with an open SDK so that at the least we
> could easily use the SED feature for data drives, rather than the much
> more complex case of booting from them.

Thanks for this and the previous reply.  That gave me a good background
and a bunch of new acronyms to google for.  I found an interesting white
paper by the Intel IT dept.  They tried dogfooding their own SSDs and,
if I'm understanding things correctly, the boot-time BIOS hooks are
sufficient to query the user for the disk password and unlock the SSD.

http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/it-management-wde-ssd-amt-encryption-paper.pdf

It also strikes me that one can set the SSD disk password at any time
after OS installation.  Since the disk contents are already encrypted
and will continue to be encrypted by the same AES key, from the data's
perspective nothing has changed.

> CRYPTO ERASE is part of the same ATA command set as SECURITY ERASE and
> ENHANCED SECURITY ERASE. Those last two commands cause the drive to
> erase itself, all physical sectors, one by one, even ones that don't
> have LBA mappings. It's quite a bit faster than writing zeros. Only
> one of those commands or fstrim is recommended for SSDs, not writing
> zeros. But from the current hdparm man page I'm not seeing an option
> to issue this command to drives that support it.

I figured out how to do the SECURITY ERASE a while back.  The biggest
complication is that for most BIOSes the disk has to be connected to a
PCIe disk controller.  All the mobo SATA ports have their attached disks
ATA "frozen" by the BIOS as an "aid" to users of virus-ridden OSes.  In
the absence of a PCIe SATA controller, one must power cycle the SSD
while the computer is up.  (I forget whether pulling the SATA cable and
replugging it is good enough; it might be.)  This clears the "frozen" bit.

Then one does the following:

    #!/bin/sh
    disk=/dev/sdb       # the drive to wipe; double-check, this is irreversible
    pass=funkystuff     # temporary user password, cleared again at the end

    # only the Security section of -I matters here; the rest is pages long
    hdparm -I $disk | sed -n '/^Security:/,/ERASE UNIT/p'
    echo 'Should say "not frozen"; if it says "frozen", power cycle the drive first'
    # a user password must be set before the drive accepts SECURITY ERASE UNIT
    hdparm --user-master u --security-set-pass $pass $disk  || exit
    # the erase itself; the drive reports its own estimate, so time it
    time hdparm --user-master u --security-erase $pass $disk
    # a completed erase normally leaves security disabled already, so this
    # step may report an error; it is harmless either way
    hdparm --user-master u --security-disable $pass $disk
    hdparm -I $disk | sed -n '/^Security:/,/ERASE UNIT/p'
    echo "should say 'not enabled'"

-wolfgang
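As an added example, not part of Wolfgang's message or of hdparm itself: the script below reads the Security section of `hdparm -I` output and only emits the erase sequence when the drive reports supported, not frozen, not locked and not enabled, which are exactly the preconditions the procedure above relies on. The two sample outputs are constructed to mimic hdparm's layout (real output separates "not" from the flag with a tab; the pattern accepts either), the device name /dev/sdb, the password and the HDPARM_DEVICE/HDPARM_PASS environment variables are assumptions, and the plan is printed rather than executed so it can be read before being piped into sh.

```sh
#!/bin/sh
# Added example (not from the original message): gate an ATA SECURITY ERASE on
# the "Security:" section of `hdparm -I` instead of eyeballing it.  Nothing
# here touches a drive unless HDPARM_DEVICE is set.

# Constructed sample: a drive still frozen by the BIOS after POST.
SAMPLE_FROZEN='Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
        frozen
    not expired: security count
        supported: enhanced erase
    2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.'

# Constructed sample: the same drive after a power cycle cleared the frozen bit.
SAMPLE_READY='Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
    not frozen
    not expired: security count
        supported: enhanced erase
    2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.'

# sec_flag TEXT FLAG: prints "yes" if the flag line is set, "no" if it reads
# "not FLAG", "unknown" if hdparm printed no such line.  Only the Security
# section is searched, and lines with a trailing qualifier such as
# "supported: enhanced erase" are deliberately not matched.
sec_flag() {
    text=$1; flag=$2
    line=$(printf '%s\n' "$text" | sed -n '/^Security:/,/ERASE UNIT/p' |
           grep -E "^[[:space:]]*(not[[:space:]]+)?${flag}[[:space:]]*$" | head -n 1)
    case "$line" in
        '')    echo unknown ;;
        *not*) echo no ;;
        *)     echo yes ;;
    esac
}

# erase_verdict TEXT: prints "ready" (exit 0) or the blocking state (exit 1).
# A frozen drive rejects SECURITY SET PASSWORD, a locked one needs unlocking,
# and an already-enabled one needs its existing password, not a new one.
erase_verdict() {
    sec=$1
    for flag in supported frozen locked enabled; do
        state=$(sec_flag "$sec" "$flag")
        case "$flag:$state" in
            supported:yes) ;;
            frozen:no|locked:no|enabled:no) ;;
            supported:no)  echo unsupported; return 1 ;;
            *:unknown)     echo "unknown:$flag"; return 1 ;;
            *)             echo "$flag"; return 1 ;;
        esac
    done
    echo ready
}

# erase_plan DEVICE PASSWORD TEXT: prints the hdparm command sequence matching
# the drive's reported state, or a refusal.  Enhanced erase is chosen when the
# drive advertises it.  The plan is printed, never executed, by this function.
erase_plan() {
    dev=$1; pw=$2; sec=$3
    verdict=$(erase_verdict "$sec") || { echo "# refusing: drive is $verdict"; return 1; }
    erase_opt=--security-erase
    printf '%s\n' "$sec" | grep -q 'supported: enhanced erase' && erase_opt=--security-erase-enhanced
    printf '%s\n' \
        "hdparm --user-master u --security-set-pass '$pw' $dev" \
        "hdparm --user-master u $erase_opt '$pw' $dev" \
        "hdparm -I $dev | sed -n '/^Security:/,/ERASE UNIT/p'"
}

# Live use (assumed variable names): HDPARM_DEVICE=/dev/sdb sh erase-plan.sh
# prints the plan for a real drive; read it before piping it into sh.
if [ -n "${HDPARM_DEVICE:-}" ]; then
    erase_plan "$HDPARM_DEVICE" "${HDPARM_PASS:-funkystuff}" "$(hdparm -I "$HDPARM_DEVICE")"
fi
```

The verdict order matters: checking "frozen" before "enabled" means a drive that is both frozen and password-protected is reported as frozen, which is the state the operator has to fix first (power cycle) before any password command is accepted at all.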