Sedutil and encrypted second drives?

I am struggling to understand SED, Opal 2 and TCG.
When I bought an SSD for my Lenovo T420s I got a Samsung EVO 860 mSATA SSD and my understanding was that this supported hardware encryption (so no performance hit), but I could not get it to work. This was a long time ago and I don’t remember the details, but from memory it was something to do with the T420s BIOS.

So now I want to put a second drive in the laptop.

Given that the OS won’t be booting from this drive, it will be used only as storage, is there a way to use hardware encryption on it?
If I run sedutil-cli on the T420s right now I get this output:

[T420s philip]# sedutil-cli --scan
Scanning for Opal compliant disks
The Kernel flag libata.allow_tpm is not set correctly
Please see the readme note about setting the libata.allow_tpm 
/dev/sda   No  Crucial_CT256MX100SSD1                   MU01    
The Kernel flag libata.allow_tpm is not set correctly
Please see the readme note about setting the libata.allow_tpm 
/dev/sdb   No  Samsung SSD 860 EVO mSATA 250GB          RVT41B6Q
No more disks present ending scan

So basically it is something to do with TPM?

I understand why one might need a TPM to boot from a drive, as there is no OS already running, but is there a way to do this in software (but leveraging the hardware encryption/decryption) on a second drive when an OS is already running?

:+1: Welcome to Manjaro! :+1:

  1. Please read this:
    How to provide good information
    and post some more information so we can see what’s really going on. Now we know the symptom of the disease, but we need some more probing to know where the origin lies…

  2. An inxi --admin --verbosity=7 --filter --no-host --width would be the minimum required information… (Personally Identifiable Information like serial numbers and MAC addresses will be filtered out by the above command)

:+1:

Hi,

I’m currently trying to use hardware encryption on my SSDs as well. So here is what I know:

As far as I understood SED with Opal 2 support, it doesn’t really matter whether the BIOS supports it or not. The encryption is done by the drive’s firmware internally, which should be transparent to the BIOS.

Anyway, with SEDs, all the data is always encrypted automatically. However, the key that is used for encryption and decryption is also in the drive’s firmware in its unlocked state, so the data on the drive can always be accessed directly as if it weren’t encrypted at all. This is referred to as the MEK.

What you need to do now is to lock the drive, so that the key to decrypt the data is encrypted with your password. That can be easily done with sedutil. Once locked, the drive needs to be unlocked first before any useful data can be seen again.

At this point it is important to understand that SEDs in the locked state utilize a built-in, unencrypted section of the drive that is called the Shadow MBR. The Shadow MBR typically contains what is known as the PBA, a pre-boot authentication that can be used to unlock the drive.

What happens is this: when you turn on your PC, the drive is locked. The only thing visible to the outside is the Shadow MBR, which the BIOS will boot if a bootable image can be found there.

Assume you can boot a PBA and you unlock the drive. The PC is then rebooted by the PBA, but this time the drive is unlocked. This means that your drive presents the regular data to the BIOS, including your regular boot loader, which will then boot your OS. The drive will remain unlocked as long as it stays powered on.

Now, what about secondary or non-boot drives? You need to have a way to unlock them as well, and this is where I’m currently struggling. A PBA on that drive will not work because, given that it is a non-boot drive, the PBA will never be loaded.

It might be possible to encrypt all drives including the boot drive and then unlock all drives from that PBA. I’m not sure whether this can be done with the sedutil-provided PBA. Apparently you can build your own PBA that includes that functionality, but I do not know how this can be accomplished.

I have also found other software on GitHub that seems more suitable for non-boot drives, but for those to work you seem to be required to build this into an initramfs. Again, I do not know how to do this either.

I will keep investigating this and post an article once I am successful.

Hope this helps a bit,
Andi
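As an added example for the two questions above (the original poster's "can a data-only second drive be unlocked from a running OS?" and Andi's "how do I unlock a non-boot drive without a PBA?"), the script below is not code from either poster or from the sedutil project. It checks the one prerequisite the `--scan` warning names (`libata.allow_tpm=1` on the kernel command line), parses `sedutil-cli --scan` output in the format quoted in the thread, and wraps the standard `sedutil-cli --setLockingRange` call that locks or unlocks range 0 of a secondary drive after boot. The `SED_PASSWORD` variable, the `demo` argument and the sample scan output (with a constructed "Yes" in the Opal column) are assumptions of this example, not anything the thread states about these specific drives.

```shell
#!/bin/sh
# Added example for this thread; not from the posts or from the sedutil project.
# Assumes the --scan output format quoted in the thread: "/dev/sdX  Yes|No  model  firmware".

# Does the kernel command line carry libata.allow_tpm=1?
# Takes the command line as $1 so it can be tested with constructed input;
# defaults to the running kernel's /proc/cmdline.
allow_tpm_set() {
    cmdline="${1:-$(cat /proc/cmdline 2>/dev/null)}"
    case " $cmdline " in
        *" libata.allow_tpm=1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `sedutil-cli --scan` output on stdin; print the device paths marked "Yes" (Opal-capable).
opal_devices() {
    awk '$1 ~ /^\/dev\// && $2 == "Yes" { print $1 }'
}

# Read --scan output on stdin; report whether the allow_tpm warning appeared.
# Without that flag the SATA drives cannot be queried, which is the state shown in the thread.
scan_flag_status() {
    if grep -q 'libata.allow_tpm is not set'; then
        echo flag-missing
    else
        echo ok
    fi
}

# Lock ("LK") or unlock ("RW") locking range 0 of a secondary, non-boot drive
# from the running OS. The drive must already have been set up once with
# `sedutil-cli --initialSetup` and `--enableLockingRange 0`; on a data-only drive
# with no PBA, leave the shadow MBR disabled (`--setMBREnable off`) so the
# drive never tries to present a boot image. The Opal admin password comes
# from $SED_PASSWORD (an assumption of this example).
set_range_state() {
    dev="$1"; state="$2"
    [ -n "$SED_PASSWORD" ] || { echo "SED_PASSWORD not set" >&2; return 2; }
    sedutil-cli --setLockingRange 0 "$state" "$SED_PASSWORD" "$dev"
}

# Constructed sample in the format of the --scan output quoted in the thread,
# as it might look after booting with the flag (the "Yes" column is illustrative).
SAMPLE_SCAN='Scanning for Opal compliant disks
/dev/sda   No  Crucial_CT256MX100SSD1                   MU01
/dev/sdb   Yes Samsung SSD 860 EVO mSATA 250GB          RVT41B6Q
No more disks present ending scan'

# Usage: sh sed-secondary.sh demo            (parse the constructed sample)
#        SED_PASSWORD=... sh sed-secondary.sh unlock /dev/sdb
case "${1:-}" in
    demo)
        printf '%s\n' "$SAMPLE_SCAN" | opal_devices
        if allow_tpm_set; then echo "libata.allow_tpm=1 is set"; else echo "boot with libata.allow_tpm=1"; fi
        ;;
    unlock) set_range_state "$2" RW ;;
    lock)   set_range_state "$2" LK ;;
esac
```

The design point is that nothing here needs a TPM: the Opal locking range is released by a trusted-send command from the host, so a drive that only stores data can be unlocked by a service that runs after the root filesystem is up, for example from a systemd unit that reads the password from a root-only file. Because the drive relocks on power loss, the unit must also run after every cold boot, and mounting of the drive's filesystems has to be ordered after it.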