Using Self-Encrypting Drives on Linux

Many solid-state drives (SSDs) available in the market these days come with built-in hardware encryption. These are called self-encrypting drives (SED) and they provide full-disk encryption (FDE) in a way that is transparent to the user.

How It Works

The SSD controller encrypts the data before it is written to the drive, and decrypts the data when it is read. The data is encrypted using a Disk-Encryption Key (DEK) that is set at the factory and stored on the drive. To protect the DEK, it is encrypted with another key called the Authentication Encryption Key (AEK). AEK is set by the user in the form of a password.

When the drive is connected to a PC and the PC is powered on, the BIOS/UEFI firmware on the PC will prompt you to enter the password (AEK). The AEK is used to decrypt the DEK, and the DEK is used to decrypt the data on the drive.

Unlike software-based encryption (LUKS) there is no additional load on the CPU. All the work is done by the “encryption engine” on the SSD which is a dedicated chip that handles encryption. The operating system sees the drive as a normal SSD. This avoids the complexity of setting up a system with software-based (LUKS) encryption.

Setting The Password

All SEDs are shipped with a blank password by default for the AEK. The data on the drive is still encrypted and decrypted using the DEK but since the AEK password is blank, the PC can unlock the drive without prompting for a password. Anybody with physical access to the drive can access the data on it. The drive behaves like a normal SSD and the user may not even know that the drive has hardware encryption features. I have seen many people use LUKS encryption on their SSDs without realizing that it supports hardware encryption. All they need to do is to set the user password (AEK) and they can avoid the complexity and CPU overhead of software encryption methods.

Once the user password is set, the drive is fully protected and can be accessed only after the user provides the password during boot. The drive will remain unlocked as long as it is powered on and will lock automatically when you switch off your PC.

Most manufacturers provide software for setting and resetting passwords. Sadly all of them are for Windows and are extremely bloated with unnecessary features. Crucial’s Storage Executive, for example, is available only for Windows and is 250 MB in size. On Linux, we have tools like sedutil which provide the same functionality and is less than 1 MB in size.

SED drives on the market follow industry standards like TCG Opal 2.0. Thanks to this there is no need for special software to set the password. You can do it simply by going into your BIOS/UEFI. Press F2 or DEL when your system is booting to enter the BIOS/UEFI interface. Go to the section for Security and you will find your SED drive listed there, with an option to set the password.

Resetting The Password

There’s no way to recover the data on the drive if you forget the password. However, you can reset the drive to factory state so that a new password can be set and the drive can be used again. This will ERASE ALL DATA on the drive so make sure that this is what you really want to do.

• Download the disk image named RESCUE64-**.img.gz from the sedutils GitHub page.
• Write it to a USB drive using Etcher . Reboot your PC and boot from the USB drive.
• It will boot into a terminal-based Linux system. Login with username as root. The password is blank. Just press Enter when prompted for password.
• Connect the SED drive to the PC and scan for it with the command given below. SED drives will be listed with Yes in the second column.

> sedutil-cli --scan

Scanning for Opal 2.0 compliant disks
/dev/sd0  No  ATA     KINGSTON SV100S21205 
/dev/sd1  No  ATA     Hitachi HDT72504V5CO 
/dev/sd4  No  Generic-Compact Flash   1.00 
/dev/sd8  Yes ATA     Crucial_CT120M50MU05
No more disks present ending scan

• Query the drive to make sure that is locked. Look for “LockingSupported = Y” and “LockingEnabled = Y”

> sedutil-cli --query /dev/sd8

/dev/sd8 ATA ATA     Crucial_CT120M50MU05 

TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = N, <strong>LockingEnabled = Y, LockingSupported = Y</strong>, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
Geometry function (0x0003)
    Align = Y, Alignment Granularity = 8 (4096), Logical Block size = 512, Lowest Aligned LBA = 0
SingleUser function (0x0201)
    ALL = N, ANY = N, Policy = Y, Locking Objects = 9
DataStore function (0x0202)
    Max Tables = 9, Max Size Tables = 94371840, Table size alignment = 1
OPAL 2.0 function (0x0203)
    Base comID = 0x1000, Initial PIN = 0x0, Reverted PIN = 0x0, comIDs = 1
    Locking Admins = 4, Locking Users = 9, Range Crossing = N

• Look for the PSID key printed on the drive label. The PSID is a 32 character password that proves that you have physical access to the drive. The PSID is all CAPS without dashes (ignore the dashes printed on the label).

• Reset the drive with the following command. This will ERASE ALL DATA and reset the drive to factory settings. The PSID must be entered in ALL CAPS without dashes.

> sedutil-cli --yesIreallywanttoERASEALLmydatausingthePSID <PSIDALLCAPSNODASHES> /dev/sd8
- 01:14:10.996 INFO: Performing a PSID Revert on /dev/sd8 with password <PSIDALLCAPSNODASHES>
- 01:14:11.165 INFO: revertTper completed successfully

If you get a message that says “revertTper completed successfully” then the reset was successful.

If you get a message that says “NOT_AUTHORIZED” then you have entered the PSID incorrectly. Try again with the correct PSID.

The drive is now as good as new and can be used for storing data. The previous data has been erased.

Notes

• The sedutil-cli tool is available both as a standalone binary and as a bootable image. It is recommended to use the bootable image.
• If you download and run the binary then you need to set some kernel options on your system so that the commands execute successfully. If you use the bootable image then the kernel options are already set and the commands will work without additional steps.
• The bootable image can be booted in either BIOS or UEFI mode. To boot it in UEFI mode, secure-boot must be disabled.
• Some motherboard models are buggy and may “eat up” some characters from the password as you type. If you enter the correct password during boot but it says that the password is invalid then try typing the password again slowly. Make sure that the number of asterisks displayed on the screen match the number of characters that you typed. Check for a motherboard firmware update if you have such problems.
• The drive will lock-out after a certain number of incorrect attempts. The system will continue to boot but the drive will remain unavailable. Power-off your PC and power it back on to try unlocking it again.