2

How do I enable encryption? I have an M.2 Samsung 960 Pro

asked 2017-04-18 00:36:44 +0000

NVMeistheanswer

I have an M.2 Samsung 960 Pro that is TCG and Opal compliant. The question is: how do I encrypt this drive? I almost have it.

These are the commands on how to encrypt a drive. It somewhat gets it working. Let me say that I don’t think steps 1, 2, 3, and 8 are really needed for data drives, but I will go ahead and include them since I did execute them.

  1. yum install ncurses-devel
  2. cd <dist>/LinuxPBA
  3. make CONF=ReleaseX8664
  4. cd <dist>/linux/CLI
  5. make CONF=ReleaseX8664
  6. No libata kernel flag is required for NVMe drives
  7. sedutil-cli --initialSetup <password> /dev/nvme0
  8. sedutil-cli --loadPBAimage <password> <file created in step 3> /dev/nvme0
  9. sedutil-cli --setMBREnable on <password> /dev/nvme0
  10. sedutil-cli --enableLockingRange 0 <password> /dev/nvme0
  11. Power off the server and remove power, don’t just reboot
  12. Drive should now be locked
      a. Verify with: sedutil-cli --listlockingranges <password> /dev/nvme0
      b. Look at range 0 and verify read and write are enabled and locked
  13. To unlock:
      a. sedutil-cli --setMBRdone on <password> /dev/nvme0
      b. sedutil-cli --setlockingrange 0 RW <password> /dev/nvme0
  14. Now you can mount the partition on the drive
      a. I have only tried this once, and it couldn’t read the super blocks, so this is where I am in the investigation
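Steps 12 and 13 of the question check the lock state by eye; the script below is an added example (not part of the original post, and not the asker's eventual fix) that turns that check into a gate before mounting. The listing layout, the sample text and the function names `range_flags`, `range_state` and `unlock_range0` are assumptions; compare the layout with what your sedutil-cli build prints.

```bash
#!/usr/bin/env bash
# Added example: read a locking range's state from the text printed by
# `sedutil-cli --listlockingranges` before attempting to mount.
# ASSUMPTION: each range appears as "LR<n> Begin ..." followed by a line of
# "RLKEna = Y  WLKEna = Y  RLocked = Y  WLocked = Y" flags.

# Constructed sample listing (not captured from a real drive).
SAMPLE_LOCKED='Locking Range Configuration for /dev/nvme0
LR0 Begin 0 for 0
            RLKEna = Y  WLKEna = Y  RLocked = Y  WLocked = Y
LR1 Begin 0 for 0
            RLKEna = N  WLKEna = N  RLocked = N  WLocked = N'

# range_flags N: listing on stdin -> "RLKEna WLKEna RLocked WLocked" values
# for range N (e.g. "Y Y N N"); returns 1 if the range is not listed.
range_flags() {
    awk -v want="LR$1" '
        $0 ~ ("(^|[ \t])" want "[ \t]+Begin") { grab = 1; next }
        grab && /RLKEna/ {
            gsub(/[ \t]*=[ \t]*/, "=")          # "RLKEna = Y" -> "RLKEna=Y"
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(RLKEna|WLKEna|RLocked|WLocked)=[YN]$/) {
                    split($i, kv, "="); v[kv[1]] = kv[2]
                }
            print v["RLKEna"], v["WLKEna"], v["RLocked"], v["WLocked"]
            found = 1; exit
        }
        END { exit !found }'
}

# range_state N: listing on stdin -> locked | unlocked | disabled | mixed | unknown
range_state() {
    local flags
    flags=$(range_flags "$1") || { echo unknown; return 2; }
    case "$flags" in
        "Y Y Y Y") echo locked ;;      # enabled and currently locked
        "Y Y N N") echo unlocked ;;    # enabled, unlocked for read and write
        "N N "*)   echo disabled ;;    # locking was never enabled on the range
        *)         echo mixed ;;       # e.g. unlocked for reads only
    esac
}

# unlock_range0 PASSWORD DEVICE: the two unlock commands from step 13, then
# succeed only if range 0 now reports unlocked (the point at which to mount).
unlock_range0() {
    sedutil-cli --setMBRdone on "$1" "$2" &&
    sedutil-cli --setlockingrange 0 RW "$1" "$2" &&
    [ "$(sedutil-cli --listlockingranges "$1" "$2" | range_state 0)" = unlocked ]
}
```

Passing the password as an argument, as the question's commands do, exposes it to other local users through the process list, so run this only on a host where that is acceptable.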

2 answers

2

answered 2017-04-18 02:08:33 +0000

florian

updated 2017-04-18 14:26:42 +0000

For a data drive, I would use an encrypted LVM volume (encrypted with dm-crypt/LUKS), which can easily be created during the installation process (or later using command line tools or blivet-gui). Volumes can easily be resized if needed, you can create snapshots, ...

Take a look at the Arch wiki, which contains a good overview of the available methods.

You may wonder why I recommend software encryption over a maybe faster hardware encryption. That's easy, because it's open-source and free. I don't believe that the OEMs don't have backdoors built into their controllers, probably labelled as a recovery function. (Many other exploits are possible, even without compromised firmware.)

And again, the Arch Wiki has plenty of information about SEDs.


Comments

Thank you for the reply. In our case, we’d rather unlock the drives from the command line using the sedutil-cli command.

NVMeistheanswer (2017-04-18 15:58:23 +0000)
1

cryptsetup luksOpen /dev/... works just fine, but I got it, you want sed... - sorry, I can't help with that.

florian (2017-04-18 16:06:21 +0000)

Thanks for the help anyway! Maybe there is somebody else with experience using SED drives.

NVMeistheanswer (2017-04-18 16:53:55 +0000)
0

answered 2017-04-19 14:09:16 +0000

NVMeistheanswer

I figured out the issue and I have it working via the sedutil-cli command.


Comments

Do you maybe want to share the solution here?

florian (2017-04-19 16:10:34 +0000)


Stats

Asked: 2017-04-18 00:36:44 +0000

Seen: 382 times

Last updated: Apr 19