07-21-2017 03:12 AM - edited 07-21-2017 11:37 AM
I'm using a Lenovo ThinkPad X1 Carbon with a self-encrypting SSD (M.2 SSD TCG Opal Encryption 2, NVMe).
My question is: how do I make it work under Linux (RHEL 7 / Fedora 26)? Is the encryption of that particular drive completely transparent / invisible to the OS? Is the encryption activated in the BIOS by setting a drive password, or is that completely unrelated to the encryption?
Hope someone knows more about it and could help me out. Thanks!
08-04-2018 12:09 AM
As far as I know, the encryption/decryption is handled by the controller on the NVMe SSD. The data sent over the PCIe bus is unencrypted, and the controller encrypts it before it is written to NAND. It's hardware-based on-the-fly encryption and does not require any software/driver implementation in Linux.
The NVMe SSD manages the encryption key, and the hard disk password will be used to protect the key. The data on the SSD is always encrypted, whether or not the user has configured the hard drive password. If the hard drive password is not set, the data on the NAND is encrypted with the key; however, the key is not protected.
I did some experiments on an X280 equipped with a Samsung MZVLB512HAJQ-000L7 right before I installed Ubuntu. I reset the cryptographic key by using "ThinkPad Drive Erase Utility for Resetting the Cryptographic Key and Erasing the Solid State Drive" as a way to erase any traces of Windows (and the Windows recovery partition). The key reset process takes less than 30 seconds. After the key reset, the first few sectors on the SSD become 0x00, and the rest are not 0x00, probably due to decryption failure.
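An added example, not part of the post above: one way to check a drive or disk image for the pattern described after a key reset (zeroed blocks, then data that looks random) and to flag any block that still looks like readable data. The 4096-byte block size, the 7.5 bits/byte threshold and the sample image are assumptions made for this sketch.

```python
import io
import math
import os
from collections import Counter

BLOCK = 4096      # assumed sample size; large enough for a stable entropy estimate
THRESHOLD = 7.5   # assumed cut-off in bits per byte; random data scores about 7.95


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(block: bytes) -> str:
    """Label a block 'zero', 'random' (looks like ciphertext) or 'structured'."""
    if not any(block):
        return "zero"
    return "random" if shannon_entropy(block) >= THRESHOLD else "structured"


def survey(dev):
    """Read dev to the end; return (label counts, offsets of structured blocks)."""
    counts, structured, offset = Counter(), [], 0
    while True:
        buf = dev.read(BLOCK)
        if not buf:
            break
        kind = classify(buf)
        counts[kind] += 1
        if kind == "structured":
            structured.append(offset)  # candidate residual plaintext
        offset += len(buf)
    return counts, structured


def constructed_image() -> io.BytesIO:
    # Constructed sample: 2 zeroed blocks, 5 random blocks, 1 block of leftover text.
    text = (b"root:x:0:0:root:/root:/bin/bash\n" * 200)[:BLOCK]
    return io.BytesIO(bytes(2 * BLOCK) + os.urandom(5 * BLOCK) + text)


if __name__ == "__main__":
    counts, leftovers = survey(constructed_image())
    print(dict(counts), [hex(o) for o in leftovers])
```

To survey real media, pass `survey()` a file object opened read-only in binary mode on the device or image. A result with no "structured" blocks is consistent with a completed key reset but does not by itself prove one took place.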
05-25-2019 08:45 AM
I have a 5th gen X1 Carbon with a dead motherboard. According to your answer then, it seems I should be able to put the NVMe in another identical model X1 Carbon, provide the password, and it should boot up. Is this your understanding as well? And do you know if this has been tested?