
#1 2015-09-11 13:38:26

raul_l
Member
From: Amsterdam
Registered: 2014-11-04
Posts: 58

[Solved] How to make use of hardware based encryption?

So I purchased a Samsung 850 Pro and went through the installation procedure as usual (/boot is FAT32, swap is encrypted, and the rest is in a LUKS container in my case). Can I assume that encryption is now hardware and not software based or are there perhaps additional kernel flags that I should consider? I suspect that this page answers my question as I can see a tick for LUKS in "hardware-accelerated encryption support", but I'm not sure.

That being said, would it even make a difference? From what I understand, encryption is relatively cheap anyway.

Last edited by raul_l (2015-09-11 15:36:20)


Raul Laasner


#2 2015-09-11 15:03:47

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: [Solved] How to make use of hardware based encryption?

Encryption using the BIOS is the best and easiest method - check whether your BIOS supports entering a drive password, first.


#3 2015-09-11 15:29:11

raul_l
Member
From: Amsterdam
Registered: 2014-11-04
Posts: 58

Re: [Solved] How to make use of hardware based encryption?

brebs wrote:

check whether your BIOS supports entering a drive password, first.

Indeed it does, but with no special characters. This would require me to use a very long password, which would not be the preferred option.

09/12/15 EDIT: I just discovered it is also case-insensitive.

Last edited by raul_l (2015-09-12 15:44:33)


Raul Laasner


#4 2015-09-11 15:30:01

byte
Member
From: Düsseldorf (DE)
Registered: 2006-05-01
Posts: 2,046

Re: [Solved] How to make use of hardware based encryption?

LUKS/dm-crypt is always "software-based", but if your CPU isn't ancient ('grep aes /proc/cpuinfo') it should be hardware-accelerated and not noticeable.
The kind of "hardware encryption" that is advertised for SSDs is invisible to Linux and needs to be supported in your BIOS/UEFI Setup, as brebs wrote.

Edit: well, not "invisible"; google for 'ata security hdparm', but it's useless without a password prompt from the mainboard.

Last edited by byte (2015-09-11 15:33:45)


1000


#5 2015-09-11 16:36:55

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: [Solved] How to make use of hardware based encryption?

I'm not sure the BIOS password serves as the encryption password. I've tried to get more info on the whole process from authentication to boot, and the information is very scarce and unclear (and I didn't want to dig into very technical documents - not that they are easy to find). I'd say it is advisable to understand the whole process well before using it, otherwise one may have a bad surprise in case the need for data/disaster/borked system recovery arises.

What I could understand is that some drives _might_ use the ATA security password (the disk password you set in the BIOS(1)) also as the encryption password; however, this is not guaranteed and is sometimes presented in an ambiguous way. The sure way is to use OPAL and some form of pre-boot authentication (PBA)(2), and on this front it is still very poorly supported under Linux.

(1) Warning: you can set this password with hdparm, but it will most probably differ from the one you set in the BIOS. hdparm pads the password with NULs until it is 32 bytes long; the BIOS might not do that, or it might use a different padding. This is important if you want to access the disk later in another machine/USB enclosure in case your machine fails.
Note: "normal" drives (as opposed to self-encrypting drives) also support this feature. When ATA security is in effect you can't access the disk at all until you unlock it with the correct password.

(2) When using OPAL you will be presented a small partition/disk size (not sure how big, maybe a couple hundred megabytes) with only the necessary things to authenticate and unlock the drive, at which point you will be presented the whole drive and this initial partition/disk will be hidden. I don't recall if the MBR will also be switched between pre- and post-authentication, but it makes sense that it would be.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K


#6 2015-09-11 16:52:48

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: [Solved] How to make use of hardware based encryption?

raul_l wrote:

but no special characters

So?

a..z and A..Z and 0..9 is already 62 possible chars - that's enough.

If some bad guys want to crack your password *that* badly, they'll just resort to kidnap.

Edit: Here's a good explanation of self-encrypting drives, and how they can encrypt whilst also allowing a quick password change.

Last edited by brebs (2015-09-11 17:10:20)


#7 2015-09-11 19:22:56

raul_l
Member
From: Amsterdam
Registered: 2014-11-04
Posts: 58

Re: [Solved] How to make use of hardware based encryption?

R00KIE wrote:

I'm not sure the bios password serves as the encryption password

That's also what I was thinking, although after searching the BIOS manual I finally found where it explicitly states that the HDD password allows using the hardware encryption feature, if present.

brebs wrote:
raul_l wrote:

but no special characters

So?

a..z and A..Z and 0..9 is already 62 possible chars - that's enough.

I'm not an expert, but I've always thought that special characters are a must for a safe password. Perhaps they are slightly overrated. My current password is 15 characters including special characters, but maybe the same length without special characters is also fine ...

One other thing. In the link you posted it says that deleting the encryption key effectively destroys all data. From what I've heard, the only way to reset the hard disk password is to type in the old password. If you forgot the password, the device becomes unusable. Thus, if I wanted to, let's say, sell the device to someone else, I would need to remove the password and securely erase all data. It is not a big problem, but a minor inconvenience. With software-based encryption, the drive is always usable, whether you know the encryption password or not. Somebody can correct me on this.

Last edited by raul_l (2015-09-11 19:24:48)


Raul Laasner


#8 2015-09-11 19:43:32

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: [Solved] How to make use of hardware based encryption?

raul_l wrote:

special characters are a must

They are an advantage, but not a necessity.

It is not a big problem, but a minor inconvenience.

Well, make up your mind - first you emphasize keeping the data safe, and then seem disappointed that the drive can't automagically know when you don't care about the drive/data anymore.


#9 2015-09-11 19:54:57

raul_l
Member
From: Amsterdam
Registered: 2014-11-04
Posts: 58

Re: [Solved] How to make use of hardware based encryption?

I just didn't understand the part about deleting the encryption key. Maybe some special hardware or a newer BIOS are required for that.


Raul Laasner


#10 2016-05-27 20:55:35

DeadSheep
Member
Registered: 2016-04-17
Posts: 6

Re: [Solved] How to make use of hardware based encryption?

Just adding the information I have since I have the exact same SSD and struggled to understand how this all works.

The SSD encrypts the data encryption key with the HDD password set in the BIOS (/UEFI). Note that, in the end, this password is handled by the SSD controller and is totally independent from the BIOS password, which can be easily bypassed.

My UEFI only supports lowercase letters, no space or special characters. But I have successfully set an uppercase password with hdparm on Linux, which ended up preventing me from booting (I had to extract the drive from my PC and plug it into another PC, to unlock it with hdparm, because I couldn't type my uppercase password in the BIOS). So I think you have to stick with lowercase, which can offer very high security if your password is long and random enough.

As for deleting the encryption key, it's done with the "ATA secure erase" command, which you can issue with hdparm. It will tell the drive to erase the encryption key, deleting access to all the data, and restoring factory state.

Be careful when setting an HDD password, as the drive will be totally bricked if you lose this pass. Bricked as in, refusing to talk with any computer without typing the correct password.

Maybe the wiki should be more explicit about SEDs? I think that, given that more and more people are considering buying SSDs, it would be very helpful.

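Added example (not from the thread or from hdparm) modelling the fixed 32-byte password field behind R00KIE's footnote (1) and DeadSheep's uppercase lock-out. `hdparm_field` follows the NUL-padding described above; the two `firmware_*` functions are hypothetical firmware behaviours (case folding, space padding), assumed here only to show how the same typed password can become a different credential on the drive.

```python
"""Why a password set with hdparm may not unlock the drive from firmware.

The ATA SECURITY SET PASSWORD field is fixed at 32 bytes; the drive compares
the whole field, so padding and case folding decide whether two entries match.
The firmware behaviours below are constructed assumptions, not a real product.
"""
from typing import Callable, Optional

FIELD_LEN = 32  # ATA password field length in bytes


def hdparm_field(password: str) -> bytes:
    """hdparm behaviour as described in the thread: NUL-pad to 32 bytes."""
    raw = password.encode("ascii")
    if len(raw) > FIELD_LEN:
        raise ValueError("ATA password longer than 32 bytes")
    return raw.ljust(FIELD_LEN, b"\x00")


def firmware_field_lowercase(password: str) -> bytes:
    """Hypothetical case-insensitive firmware: folds to lowercase, accepts
    only letters and digits, NUL-pads (matches the BIOS limits reported above)."""
    if not password.isalnum():
        raise ValueError("firmware accepts only letters and digits")
    return password.lower().encode("ascii").ljust(FIELD_LEN, b"\x00")


def firmware_field_spacepad(password: str) -> bytes:
    """Hypothetical firmware that pads the field with spaces instead of NULs."""
    return password.encode("ascii").ljust(FIELD_LEN, b" ")


def check_portability(password: str, firmware: Callable[[str], bytes]) -> dict:
    """Would a password set via hdparm also be accepted when typed into firmware?

    Returns both 32-byte fields plus a match flag; a failed firmware entry
    (rejected characters) is reported as no match with the reason.
    """
    h = hdparm_field(password)
    f: Optional[bytes] = None
    reason: Optional[str] = None
    try:
        f = firmware(password)
    except ValueError as exc:
        reason = str(exc)
    return {"hdparm": h, "firmware": f, "match": f == h, "reason": reason}


if __name__ == "__main__":
    # Constructed sample passwords; "CorrectHorse" mirrors DeadSheep's scenario.
    for pw in ("correcthorse", "CorrectHorse", "correct-horse"):
        for fw in (firmware_field_lowercase, firmware_field_spacepad):
            r = check_portability(pw, fw)
            print(f"{pw!r:16} {fw.__name__:26} match={r['match']} {r['reason'] or ''}")
```

Run the check before relying on a drive password set from Linux: only a `match=True` row means the same drive would unlock from that firmware.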

#11 2016-05-28 00:53:16

TheChickenMan
Member
From: United States
Registered: 2015-07-25
Posts: 354

Re: [Solved] How to make use of hardware based encryption?

raul_l wrote:

I'm not an expert, but I've always thought that special characters are a must for a safe password. Perhaps they are slightly overrated. My current password is 15 characters including special characters, but maybe the same length without special characters is also fine ...

15 character password (without special characters)
(26+26+10)^15 = 62^15 = 7.7E26
7.7E26 / 4E9 = 1.92E17
1.92E17 > the number of seconds there has been in the age of the universe

A 4GHz processor (guessing one password per clock tick) would still be working to crack that password.
** Oversimplification ** but 15 characters is more than sufficient assuming they are randomly chosen characters.


If quantum mechanics hasn't profoundly shocked you, you haven't understood it yet.
Niels Bohr

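Added example, not from the thread, generalising TheChickenMan's arithmetic to the character sets mentioned in this discussion (lowercase only, letters and digits, full printable ASCII). It also answers the practical question of how much longer a lowercase-only firmware password must be to match a shorter mixed-character one; the charset sizes are the usual printable-ASCII counts and the guess rate is the post's 4e9 per second.

```python
"""Password keyspace comparison for the 'no special characters' question."""
import math

# Character-set sizes (assumed standard counts, not from the thread).
CHARSETS = {
    "lowercase only (DeadSheep's UEFI)": 26,
    "lowercase + digits": 36,
    "letters + digits (raul_l's BIOS)": 62,
    "full printable ASCII": 95,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password of this length."""
    return length * math.log2(charset_size)


def length_for_bits(charset_size: int, target_bits: float) -> int:
    """Shortest length in this charset reaching at least target_bits."""
    return math.ceil(target_bits / math.log2(charset_size))


def exhaust_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password at the given guess rate."""
    return keyspace(charset_size, length) / guesses_per_second


if __name__ == "__main__":
    rate = 4e9  # one guess per clock tick of a 4 GHz core, as in the post above
    target = entropy_bits(95, 15)  # raul_l's 15 chars with special characters
    print(f"15 chars of printable ASCII: {target:.1f} bits")
    for name, size in CHARSETS.items():
        bits = entropy_bits(size, 15)
        need = length_for_bits(size, target)
        years = exhaust_seconds(size, 15, rate) / (365.25 * 86400)
        print(f"{name:34} 15 chars = {bits:5.1f} bits, "
              f"{years:.2e} years to exhaust, {need} chars to match 15 mixed")
```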
