[CentOS] self-encrypting drives

Sun Sep 23 13:29:11 UTC 2012
Leonard den Ottolander <leonard at den.ottolander.nl>

Hello Paul,

On Wed, 2012-09-19 at 09:37 -0700, Paul Heinlein wrote:
> Management of Full Disk Encryption (FDE) drives is usually handled in 
> BIOS or via central Windows application.

Indeed. The scenario I mentioned of course does not work when one boots
from the encrypted drive, only if one attaches it after the system has
booted from another drive.

> Once the key has been encrypted, the drive cannot be accessed unless 
> connected directly to, say, the system's SATA bus. I haven't seen any 
> mechanisms by which the key can be unlocked via things like external 
> USB adapters.

As the interface for encrypting and locking an SED appears to be the
same as for locking a normal drive, using the security commands from
hdparm should in theory work. This is assuming the BIOS pads passwords
that are smaller than 32 bytes the same way as hdparm does, which is
with NUL bytes.

Hdparm currently only accepts passwords as strings, so if the BIOS uses
binary/hex strings for the password it could be problematic to unlock
the same drive with hdparm. It should be quite simple to patch hdparm to
accept hex strings as passwords though.

I have used drive (un)locking with hdparm on USB drives so (un)locking
an external SED should be possible.

Regards,
Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research
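An added illustration, not hdparm's code and not part of this thread: Python that pads a password to the 32-byte ATA password field with NUL bytes the way the post assumes hdparm does, accepts the hypothetical hex-string input suggested above, and assembles the 512-byte SECURITY SET PASSWORD data block, so one can check whether a BIOS-set binary password and an hdparm string password would produce the same field. The word layout follows the ATA SECURITY SET PASSWORD command; the helper names are invented here.

```python
import struct

ATA_PASSWORD_LEN = 32  # words 1-16 of the SECURITY SET PASSWORD data block


def parse_password(text, as_hex=False):
    """Turn a user-supplied password into raw bytes.

    as_hex=False mimics hdparm, which takes the password as a plain string.
    as_hex=True is the hypothetical hex-string input the post suggests
    patching hdparm to accept, for a BIOS that stores binary passwords.
    """
    raw = bytes.fromhex(text) if as_hex else text.encode("ascii")
    if len(raw) > ATA_PASSWORD_LEN:
        raise ValueError("ATA security passwords are at most 32 bytes")
    return raw


def pad_password(raw):
    """Pad to 32 bytes with NUL bytes (the padding the post assumes hdparm uses)."""
    return raw.ljust(ATA_PASSWORD_LEN, b"\x00")


def security_set_password_block(raw, master=False, maximum=False, master_id=0):
    """Build the 512-byte data block sent with ATA SECURITY SET PASSWORD.

    word 0:      bit 0 = identifier (0 user, 1 master), bit 8 = level (0 high, 1 maximum)
    words 1-16:  the NUL-padded 32-byte password
    word 17:     master password identifier (only meaningful when setting a master password)
    words 18-255: reserved, left zero
    """
    control = (1 if master else 0) | ((1 if maximum else 0) << 8)
    block = struct.pack("<H", control) + pad_password(raw)
    block += struct.pack("<H", master_id if master else 0)
    return block.ljust(512, b"\x00")


def same_unlock_payload(bios_hex_pw, hdparm_string_pw):
    """True when a BIOS-style hex password and an hdparm string password
    yield the same padded 32-byte field, i.e. hdparm could unlock that drive."""
    bios_field = pad_password(parse_password(bios_hex_pw, as_hex=True))
    hdparm_field = pad_password(parse_password(hdparm_string_pw))
    return bios_field == hdparm_field
```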