2

How do I enable encryption? I have an M.2 Samsung 960 Pro

asked 2017-04-17 19:36:44 -0500

NVMeistheanswer

I have an M.2 Samsung 960 Pro that is TCG and Opal compliant. The question is: how do I encrypt this drive? I almost have it.

These are the commands on how to encrypt a drive. It somewhat gets it working. Let me say that I don’t think steps 1, 2, 3, and 8 are really needed for data drives, but I will go ahead and include them since I did execute them.

  1. yum install ncurses-devel
  2. cd <dist>/LinuxPBA
  3. make CONF=ReleaseX8664
  4. cd <dist>/linux/CLI
  5. make CONF=ReleaseX8664
  6. No libata kernel flag is required for NVMe drives
  7. sedutil-cli --initialSetup <password> /dev/nvme0
  8. sedutil-cli --loadPBAimage <password> <file created in step 3> /dev/nvme0
  9. sedutil-cli --setMBREnable on <password> /dev/nvme0
  10. sedutil-cli --enableLockingRange 0 <password> /dev/nvme0
  11. Power off the server and remove power, don’t just reboot
  12. Drive should now be locked
      a. Verify with: sedutil-cli --listlockingranges <password> /dev/nvme0
      b. Look at range 0 and verify read and write are enabled and locked
  13. To unlock:
      a. sedutil-cli --setMBRdone on <password> /dev/nvme0
      b. sedutil-cli --setlockingrange 0 RW <password> /dev/nvme0
  14. Now you can mount the partition on the drive
      a. I have only tried this once, and it couldn’t read the super blocks, so this is where I am in the investigation
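Step 14 of the question stops at a mount that could not read the superblocks. As an added example (not part of the original post, and not the fix the asker later reports), this script shows which on-disk signatures are actually visible through a device, partition or image file after the unlock in step 13. The function names and the constructed sample images are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post. Reports which well-known on-disk
# signatures are visible at the start of a device, partition or image file.

# hex_at PATH OFFSET LENGTH: hex of LENGTH bytes at OFFSET, empty if unreadable
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# probe_sig PATH: prints "unreadable", "none", or the signatures found
probe_sig() {
    found=""
    # Reads of a read-locked Opal range fail, so no bytes come back at all
    if [ -z "$(hex_at "$1" 0 1)" ]; then echo unreadable; return 0; fi
    [ "$(hex_at "$1" 0 6)" = "4c554b53babe" ] && found="$found luks"       # "LUKS" 0xBA 0xBE
    [ "$(hex_at "$1" 0 4)" = "58465342" ] && found="$found xfs"            # "XFSB"
    [ "$(hex_at "$1" 1080 2)" = "53ef" ] && found="$found ext"             # ext2/3/4 s_magic 0xEF53
    [ "$(hex_at "$1" 510 2)" = "55aa" ] && found="$found mbr"              # MBR boot signature
    [ "$(hex_at "$1" 512 8)" = "4546492050415254" ] && found="$found gpt"  # "EFI PART", 512-byte sectors
    if [ -n "$found" ]; then echo "${found# }"; else echo none; fi
}

# make_sample KIND PATH: build a small constructed image (ext, disk or blank)
make_sample() {
    dd if=/dev/zero of="$2" bs=512 count=4 2>/dev/null
    case $1 in
        ext)  printf '\123\357' | dd of="$2" bs=1 seek=1080 conv=notrunc 2>/dev/null ;;
        disk) printf '\125\252EFI PART' | dd of="$2" bs=1 seek=510 conv=notrunc 2>/dev/null ;;
    esac
}

if [ $# -ge 1 ]; then
    # Real use (needs read access to the device): probe each path given
    for p in "$@"; do printf '%s: %s\n' "$p" "$(probe_sig "$p")"; done
else
    tmp=$(mktemp -d)
    for kind in ext disk blank; do
        make_sample "$kind" "$tmp/$kind.img"
        printf '%s.img: %s\n' "$kind" "$(probe_sig "$tmp/$kind.img")"
    done
    rm -rf "$tmp"
fi
```

Run with a device or partition path as the argument after unlocking: `unreadable` means reads are still failing, and `none` means no known filesystem or partition-table signature is visible at that path.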

2 Answers

2

answered 2017-04-17 21:08:33 -0500

florian

updated 2017-04-18 09:26:42 -0500

data drive, I would use an encrypted LVM volume (encrypted with dm-crypt/LUKS), which can easily be created during the installation process (or later using command line tools or blivet-gui). Volumes can easily be resized if needed, you can create snapshots, ...

Take a look at the Arch wiki, which contains a good overview of the available methods.

You may wonder why I recommend software encryption over maybe faster hardware encryption. That's easy: because it's open-source and free. I don't believe that the OEMs don't have backdoors built into their controllers, probably labelled as a recovery function. (Many other exploits are possible, even without compromised firmware.)

And again, the Arch Wiki has plenty of information about SEDs.


Comments

Thank you for the reply. In our case, we’d rather unlock the drives from the command line using the sedutil-cli command.

NVMeistheanswer ( 2017-04-18 10:58:23 -0500 )
1

cryptsetup luksOpen /dev/... works just fine, but I got it, you want sed... - sorry, I can't help with that.

florian ( 2017-04-18 11:06:21 -0500 )

Thanks for the help anyway! Maybe there is somebody else with experience using SED drives.

NVMeistheanswer ( 2017-04-18 11:53:55 -0500 )
0

answered 2017-04-19 09:09:16 -0500

NVMeistheanswer

I figured out the issue and I have it working via the sedutil-cli command.


Comments

Do you maybe want to share the solution here?

florian ( 2017-04-19 11:10:34 -0500 )


Stats

Asked: 2017-04-17 19:36:44 -0500

Seen: 697 times

Last updated: Apr 19 '17