Chris Murphy <lists@xxxxxxxxxxxxxxxxx> writes:

> On Dec 12, 2013, at 1:36 PM, "Wolfgang S. Rupprecht"
> <wolfgang.rupprecht@xxxxxxxxx> wrote:
>>
>> If I didn't have always on, hardware FDE for free in the SSD, I'm
>> sure I'd be happy with LUKS.
>
> Yes, it's annoying. But the task is also difficult to do correctly in
> a preboot environment. Arguably they got ahead of themselves and
> should have first come up with an open SDK so that at the least we
> could easily use the SED feature for data drives, rather than the much
> more complex case of booting from them.

Thanks for this and the previous reply. That gave me a good background
and a bunch of new acronyms to google for.

I found an interesting white paper by the Intel IT dept. They tried
dogfooding their own SSDs and, if I'm understanding things correctly,
the boot-time BIOS hooks are sufficient to query the user for the disk
password and unlock the SSD.

http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/it-management-wde-ssd-amt-encryption-paper.pdf

It also strikes me that one can set the SSD disk password at any time
after OS installation. Since the disk contents are already encrypted
and will continue to be encrypted by the same AES key, from the data's
perspective nothing has changed.

> CRYPTO ERASE is part of the same ATA command set as SECURITY ERASE and
> ENHANCED SECURITY ERASE. Those last two commands cause the drive to
> erase itself, all physical sectors, one by one, even ones that don't
> have LBA mappings. It's quite a bit faster than writing zeros. Only
> one of those commands or fstrim is recommended for SSDs, not writing
> zeros. But from the current hdparm man page I'm not seeing an option
> to issue this command to drives that support it.

I figured out how to do the SECURITY ERASE a while back. The biggest
complication is that for most BIOSes the disk has to be connected to a
PCIe disk controller. All the mobo SATA ports have their attached disks
ATA "frozen" by the BIOS as an "aid" to users of virus-ridden OSes. In
the absence of a PCIe SATA controller, one must power-cycle the SSD
while the computer is up. (I forget if pulling the SATA and replugging
it is good enough. It might be.) This clears the "frozen" bit. Then one
does the following:

#!/bin/sh
# ATA SECURITY ERASE via hdparm; run as root, drive unmounted and not frozen.
disk=/dev/sdb
pass=funkystuff
hdparm -I "$disk"
echo 'Should say "not frozen"'
# Set a temporary user password (the erase requires one); abort if it fails.
hdparm --user-master u --security-set-pass "$pass" "$disk" || exit 1
# The erase itself touches every physical sector and takes minutes, hence time.
time hdparm --user-master u --security-erase "$pass" "$disk"
# Clear the temporary password so the drive is not password-protected afterwards.
hdparm --user-master u --security-disable "$pass" "$disk"
hdparm -I "$disk"
echo "should say 'not enabled'"

-wolfgang
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
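The script in Wolfgang's post relies on the operator reading `hdparm -I` output by eye for "not frozen" and "not enabled". The following is an added example, not code from the post or from hdparm, that parses the Security section of an `hdparm -I` dump and refuses to proceed while the drive is frozen, locked, or lacks the ATA security feature set, and picks `--security-erase-enhanced` when the drive advertises enhanced erase. It assumes the Security section layout shown in the constructed sample dumps (hdparm prints "not<TAB>frozen" for a clear flag and a bare, indented "frozen" for a set one; whitespace is matched loosely so tabs or spaces both work). The function names and sample dumps are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): gate the hdparm erase sequence
# on the "Security:" section of `hdparm -I` instead of eyeballing it.
# Assumption: the section layout in the constructed samples below.

# Print only the Security section of an `hdparm -I` dump: the indented lines
# after the "Security:" heading, up to the next unindented heading.
security_section() {
    printf '%s\n' "$1" | awk '
        /^Security:/       { insec = 1; next }
        insec && /^[^ \t]/ { exit }
        insec              { print }'
}

# security_flag "<hdparm -I output>" enabled|locked|frozen|expired
# Prints "no" for a "not <flag>" line, "yes" for a bare "<flag>" line,
# "unknown" if the Security section does not mention the flag.
security_flag() {
    _sec=$(security_section "$1")
    if printf '%s\n' "$_sec" | grep -Eq "^[[:space:]]*not[[:space:]]+$2"; then
        echo no
    elif printf '%s\n' "$_sec" | grep -Eq "^[[:space:]]*$2"; then
        echo yes
    else
        echo unknown
    fi
}

# Pick the hdparm erase option: enhanced erase when the drive advertises it.
erase_option() {
    if security_section "$1" | grep -q 'supported: enhanced erase'; then
        echo --security-erase-enhanced
    else
        echo --security-erase
    fi
}

# erase_preflight "<hdparm -I output>": prints "ok" and returns 0 when the
# drive can take SECURITY SET PASSWORD + ERASE now; otherwise prints the
# reason and returns 1. "frozen" is the case the post describes (the BIOS
# freezes drives on the motherboard SATA ports); "locked" means a password
# we do not know is already protecting the drive.
erase_preflight() {
    _sec=$(security_section "$1")
    if [ -z "$_sec" ]; then
        echo "no Security section: drive does not report the ATA security feature set"; return 1
    fi
    if ! printf '%s\n' "$_sec" | grep -Eq '^[[:space:]]*supported[[:space:]]*$'; then
        echo "ATA security not supported on this drive"; return 1
    fi
    if [ "$(security_flag "$1" frozen)" != no ]; then
        echo "drive is frozen: power-cycle the SSD (or use a PCIe SATA controller) and re-run hdparm -I"; return 1
    fi
    if [ "$(security_flag "$1" locked)" != no ]; then
        echo "drive is locked: unlock it with the existing password before erasing"; return 1
    fi
    echo ok
}

# Constructed sample dumps in the shape of `hdparm -I` output (not real
# drives): one still frozen by the BIOS, one after a power-cycle of the SSD.
SAMPLE_FROZEN='/dev/sdb:

ATA device, with non-removable media
        Model Number:       CONSTRUCTED-SSD-240G
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
                frozen
        not     expired: security count
                supported: enhanced erase
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct'

SAMPLE_READY='/dev/sdb:

ATA device, with non-removable media
        Model Number:       CONSTRUCTED-SSD-240G
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct'

# Against a real drive, only when a device is given: sh erase-preflight.sh /dev/sdb
if [ -n "$1" ]; then
    out=$(hdparm -I "$1") || exit 1
    erase_preflight "$out" || exit 1
    echo "preflight ok; erase with: hdparm --user-master u $(erase_option "$out") <password> $1"
fi
```

Run it with no arguments and it only exercises the parser on the constructed dumps; with a device argument it runs the real `hdparm -I` and stops with the reason if the drive is frozen, which is exactly the state the post says motherboard SATA ports leave it in until the SSD is power-cycled. The actual set-pass / erase / disable commands stay as in the post; the preflight only decides whether it is safe to issue them yet.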