English Community

Linux Operating SystemsOther Linux Discussions
All Forum Topics

10 Posts



10 Signins

133 Page Views

  • Posts: 10
  • Registered: ‎07-21-2017
  • Location: AT
  • Views: 133
  • Message 1 of 4

self-encrypting SSD on Linux

2017-07-21, 10:12 AM



I'm using a Lenovo ThinkPad X1 carbon with a self-encyrpting SSD (M.2 SSD TCG Opal Encryption 2, NVMe).


My question is how do I make it work under Linux (RHEL 7 / Fedora 26). Is the encryption of that particular drive completely transparent / invisible to the OS? Is the encryption activated in the BIOS by setting a drive password, or is that completely unrelated to the encryption.


Hope someone knows more about it and could help me out. Thanks!



30 Posts



40 Signins

248 Page Views

  • Posts: 30
  • Registered: ‎10-04-2015
  • Location: FR
  • Views: 248
  • Message 2 of 4

Re: self-encrypting SSD on Linux

2018-05-13, 19:10 PM

I'm also interesting in knowing how to activate that on linux.
Did you find some answers to your questions DrNukular?
Does anyone can help?

Thanks in advance :)

9 Posts



18 Signins

358 Page Views

  • Posts: 9
  • Registered: ‎08-03-2018
  • Location: AU
  • Views: 358
  • Message 3 of 4

Re: self-encrypting SSD on Linux

2018-08-04, 7:09 AM


As far as I know, the encryption/decryption is handled by the controller on NVMe SSD. The data sent over PCIe bus is unencrypted and the controller will encrypt it before it's been written on NAND. It's hardware-based on-the-fly encryption and does not require any software/driver implementation in Linux.

The NVMe SSD manage the encryption key, and the hard disk password will be used to protect the key. The data on the SSD is always encrypted, no matter the user has configured the hard drive password or not. If the hard drive password was not set, the data on the NAND is encrypted with the key, however, the key was not been protected.


I did some experiment on X280 equipped with Samsung MZVLB512HAJQ-000L7 right before I install Ubuntu. I reset the cryptographic key by using "ThinkPad Drive Erase Utility for Resetting the Cryptographic Key and Erasing the Solid State Drive" as a way to erase any traces of Windows (and Windows recovery partition). The key reset process takes less than 30 seconds. After key reset, the first few sectors on the SSD will become 0x00, and the rest is not 0x00, probably due to decryption failure.


3 Posts


Silicon Valley

3 Signins

36 Page Views

  • Posts: 3
  • Registered: ‎12-18-2015
  • Location: Silicon Valley
  • Views: 36
  • Message 4 of 4

Re: self-encrypting SSD on Linux

2019-05-25, 15:45 PM

I have a 5th gen X1 Carbon with a dead motherboard. According to your answer then, it seems I should be able to put the NVMe in another identical model X1 Carbon, provide the password, and it should boot up. Is this your understanding as well? And do you know if this has been tested?

Forum Home

Community Guidelines

Please review our Guidelines before posting.

Learn More

Check out current deals!

Go Shop