2

I have a partitioned SSD: 300 GB for Windows (unencrypted) and 200 GB for Debian Linux, which I would like to encrypt. Does anyone know how I can encrypt the Linux system on the partition using the hardware encryption system of the SSD? It's a 950 Pro SSD.

ChiseledAbs
  • To clarify, do you mean something like dm-crypt/LUKS or SED (self-encrypting devices)? – linuxdev2013 Dec 09 '15 at 23:20
  • @linuxdev2013 I'm not sure, I'm a novice; I'll try to search for those terms, but basically I want to have encrypted logs and data with minimal overhead, meaning I want to use the built-in encryption feature in the SSD. I don't care about the rest. Do you have an idea? – ChiseledAbs Dec 09 '15 at 23:33

2 Answers

1

I'm pretty sure your SSD has OPAL. I have the 850 Evo. You can use sedutil (https://github.com/Drive-Trust-Alliance/sedutil). The setup instructions are quite detailed. The worst disadvantage is that it breaks suspend. Otherwise, all good. You might also want to see https://github.com/Drive-Trust-Alliance/sedutil/issues/6 if anything about the PBA does not work properly.

  • If you just want to make sure folks aren't nosy, use BIOS / boot (aka power-on) and HDD / SSD passwords. Saves you if these 'evil players' decide to migrate the drive elsewhere, like another machine, or attempt to boot it via, say, USB and mount your drive... (I do those and more on my personal systems.) – linuxdev2013 Dec 10 '15 at 19:54
  • 1
    @linuxdev2013 I'm a bit suspicious of ATA passwords. I'd recommend OPAL if your device supports it, but yes, I guess it is a risk, especially considering that this project has already switched maintainers. – Wilhelm Erasmus Dec 10 '15 at 19:58
  • @linuxdev2013 By the way, a bit behind the times or what? :P – Wilhelm Erasmus Dec 10 '15 at 19:58
  • Protection in layers. Most of the folks around me are not smart enough to break, or ask someone who can break, an ATA password, but as I said, that is only some of my safeties. OPAL assumes as well, like ATA passwords, that you trust the manufacturer not to backdoor it. – linuxdev2013 Dec 10 '15 at 20:10
  • I guess that's a good point. But then again, you never know. – Wilhelm Erasmus Dec 10 '15 at 20:19
0

If the SSD & BIOS both support hardware encryption on the SSD itself (the OS won't even see it or have to do anything, no CPU overhead, I think suspend & hibernate would still work) then there should be an option in the BIOS somewhere to set a drive password - NOT just a boot or BIOS password. If there's nothing in the BIOS then something doesn't support it. Laptops seem more likely to support it.

It works similarly to LUKS, where erasing just the master key effectively "wipes" the drive.

Here's a little snippet & useful link from another answer of mine on SSD encryption, definitely read the VxLabs linked page:

VxLabs' SSDs with usable built-in hardware-based full disk encryption page tells me:

Information on this is incredibly hard to find

In some cases, the manufacturer uses the HDD password or ATA password (configurable via many laptop BIOSes, very few desktop BIOSes, or the ATASX BIOS extension) to encrypt the AES keys.

Xen2050
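The key hierarchy described in the answer above (a drive password protecting the AES key, so that erasing that key "wipes" the drive), as an added sketch that is not from the original answers or from any drive firmware. `ToySED`, its method names and the HMAC-based keystream standing in for the drive's hardware AES are assumptions made for illustration.

```python
import hashlib, hmac, os

def derive_kek(password: str, salt: bytes) -> bytes:
    # Key-encryption key (KEK) derived from the drive (ATA/HDD) password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (HMAC-SHA256 in counter mode); a real drive uses AES in hardware.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

class ToySED:
    """Hypothetical model of a self-encrypting drive's key handling."""

    def __init__(self, password: str):
        self.sectors = {}                       # lba -> ciphertext as stored on flash
        self._store_mek(os.urandom(32), password)

    def _store_mek(self, mek: bytes, password: str) -> None:
        # Only the wrapped media encryption key (MEK) is persisted, never the MEK itself.
        self.salt = os.urandom(16)
        kek = derive_kek(password, self.salt)
        self.wrapped_mek = keystream_xor(kek, b"wrap", mek)
        self.mek_tag = hmac.new(kek, mek, hashlib.sha256).digest()

    def _unlock(self, password: str) -> bytes:
        kek = derive_kek(password, self.salt)
        mek = keystream_xor(kek, b"wrap", self.wrapped_mek)
        if not hmac.compare_digest(self.mek_tag, hmac.new(kek, mek, hashlib.sha256).digest()):
            raise PermissionError("wrong drive password")
        return mek

    def write(self, password: str, lba: int, data: bytes) -> None:
        self.sectors[lba] = keystream_xor(self._unlock(password), lba.to_bytes(8, "big"), data)

    def read(self, password: str, lba: int) -> bytes:
        return keystream_xor(self._unlock(password), lba.to_bytes(8, "big"), self.sectors[lba])

    def change_password(self, old: str, new: str) -> None:
        # Re-wraps the same MEK: no sector is re-encrypted.
        self._store_mek(self._unlock(old), new)

    def crypto_erase(self, new_password: str) -> None:
        # Replaces the MEK: every stored sector becomes undecryptable at once.
        self._store_mek(os.urandom(32), new_password)
```

Changing the password touches only the wrapped key, while `crypto_erase` leaves the ciphertext in place but unreadable, which is why both operations are near-instant on real hardware.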