Use sedutil to enable drive self encryption

kubesail / pibox-host

8 stars 0 forks source link

Use sedutil to enable drive self encryption #1

Closed pastudan closed 12 months ago

pastudan commented 1 year ago

https://github.com/Drive-Trust-Alliance/sedutil

pastudan commented 1 year ago

## info
sedutil-cli --scan

## setup & lock
sedutil-cli --initialSetup password /dev/sda

## unlock
sedutil-cli --setLockingRange 1 rw password /dev/sda
sedutil-cli --setmbrenable on password /dev/sda

For disabling mbr requirement (might not be necessary, could just leave it): https://github.com/Drive-Trust-Alliance/sedutil/issues/331#issuecomment-669550543

pastudan commented 1 year ago

For storing the drive password, let either user passwords or device keys be valid passphrases to decrypt a "key" and then use the "key" as the password on the drive https://security.stackexchange.com/a/138141

pastudan commented 1 year ago

great resource: https://teejeetech.com/2021/11/28/using-self-encrypting-drives-on-linux/

pastudan commented 1 year ago

sudo apt-get install binutils make csh g++ sed gawk autoconf automake autotools-dev
git clone https://github.com/Drive-Trust-Alliance/sedutil.git
cd sedutil
autoreconf -i
make

pastudan commented 1 year ago

closing in favor of luks, which has better documentation and is currently fast enough on a pi4. Pi5 CPU has support for crypto extensions, so this should further speed things up