DrNukular
Paper Tape
Posts: 5
Registered: ‎07-21-2017
Location: AT
Views: 1,230
Message 1 of 4

self-encrypting SSD on Linux

Hi,

 

I'm using a Lenovo ThinkPad X1 Carbon with a self-encrypting SSD (M.2 SSD TCG Opal Encryption 2, NVMe).

 

My question is how do I make it work under Linux (RHEL 7 / Fedora 26)? Is the encryption of that particular drive completely transparent / invisible to the OS? Is the encryption activated in the BIOS by setting a drive password, or is that completely unrelated to the encryption?

 

Hope someone knows more about it and could help me out. Thanks!

 

nibalo
Fanfold Paper
Posts: 21
Registered: ‎10-04-2015
Location: FR
Views: 731
Message 2 of 4

Re: self-encrypting SSD on Linux

Hi,

I'm also interested in knowing how to activate that on Linux.
Did you find some answers to your questions, DrNukular?
Can anyone help?

Thanks in advance
orange-kao
Ctrl-Alt-Del
Posts: 6
Registered: ‎08-03-2018
Location: AU
Views: 616
Message 3 of 4

Re: self-encrypting SSD on Linux

Hi.

As far as I know, the encryption/decryption is handled by the controller on the NVMe SSD. The data sent over the PCIe bus is unencrypted, and the controller encrypts it before it is written to NAND. It's hardware-based on-the-fly encryption and does not require any software/driver implementation in Linux.

The NVMe SSD manages the encryption key, and the hard disk password is used to protect the key. The data on the SSD is always encrypted, whether or not the user has configured a hard drive password. If the hard drive password is not set, the data on the NAND is still encrypted with the key; however, the key is not protected.

 

I did some experiments on an X280 equipped with a Samsung MZVLB512HAJQ-000L7 right before I installed Ubuntu. I reset the cryptographic key using the "ThinkPad Drive Erase Utility for Resetting the Cryptographic Key and Erasing the Solid State Drive" as a way to erase any traces of Windows (and the Windows recovery partition). The key reset process takes less than 30 seconds. After the key reset, the first few sectors on the SSD become 0x00, and the rest are not 0x00, probably due to decryption failure.
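
One way to repeat the check described in the post above after a cryptographic key reset, as an added example that is not part of the original post: it classifies each sector of a raw dump as all-zero, high-entropy, or recognisable data. The 512-byte sector size, the 7.0 bits/byte threshold and the sample image are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512  # assumed logical sector size; some NVMe namespaces use 4096


def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte (0 for constant data, 8.0 maximum)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def classify(block: bytes, threshold: float = 7.0) -> str:
    """'zero' = all 0x00, 'random' = looks like ciphertext, 'data' = structured."""
    if not any(block):
        return "zero"
    return "random" if entropy(block) >= threshold else "data"


def survey(image: bytes, sector: int = SECTOR):
    """Collapse per-sector results into runs: [(kind, first_sector, count), ...]."""
    runs = []
    for offset in range(0, len(image), sector):
        kind = classify(image[offset:offset + sector])
        if runs and runs[-1][0] == kind:
            runs[-1][2] += 1
        else:
            runs.append([kind, offset // sector, 1])
    return [tuple(r) for r in runs]


def constructed_image() -> bytes:
    """Constructed sample: 4 zero sectors followed by 12 pseudo-random sectors."""
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                     for i in range(12 * SECTOR // 32))
    return bytes(4 * SECTOR) + noise


if __name__ == "__main__":
    # For a real drive, read a dump taken read-only (for example with dd)
    # and pass its bytes to survey() instead of the constructed sample.
    for kind, start, count in survey(constructed_image()):
        print(f"sectors {start}-{start + count - 1}: {kind}")
```

A long "data" run after the reset would mean old plaintext structures are still readable; compressed or already-encrypted files also score as "random", so this check only shows that nothing recognisable remains.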

Tyrant917
Paper Tape
Posts: 2
Registered: ‎12-17-2015
Location: Silicon Valley
Views: 266
Message 4 of 4

Re: self-encrypting SSD on Linux

I have a 5th gen X1 Carbon with a dead motherboard. According to your answer then, it seems I should be able to put the NVMe in another identical model X1 Carbon, provide the password, and it should boot up. Is this your understanding as well? And do you know if this has been tested?
