Using SED encryption on hard drives

Disk encryption can be accomplished on Linux in many ways depending on your hardware. LUKS provides block-layer encryption, and most modern Linux distros provide easy ways to set up keys and use the device. The eCryptfs project provides filesystem-level encryption, which gives a bit more flexibility.

However, many newer disks have encryption built into the drive's controller, which can be driven with utilities such as hdparm and sedutil-cli. This built-in encryption is called FDE (Full Disk Encryption) or SED (Self-Encrypting Drive). When these disks have encryption keys enabled, they become locked on power loss and must be unlocked before they can be used. Different protocols can be used to manage the disks; here I'll cover the OPAL and ATA style commands.

OPAL Drives

For OPAL drives you can use sedutil-cli to scan for drives:

sedutil-cli --scan

Here you can determine whether your devices are capable. If you have devices behind a hardware RAID controller you may need to access the device via the scsi_generic layer at /dev/sgX.

First you need to set up the drive using this command:

sedutil-cli --initialsetup <password> <device>

Once you set the password you can lock the drive:

sedutil-cli --enableLockingRange 0 <password> <device>

At this point, if you remove power from the device, you will need to unlock it before it can be used. To unlock the drive:

sedutil-cli --setLockingRange 0 rw <password> <device>

Or disable drive locking:

sedutil-cli --disableLockingRange 0 <password> <device>

For OPAL drives there are two password holders: SID and Admin1. Admin1 can manage locking and SID can manage everything. When you initialize with --initialsetup, both the SID and Admin1 passwords are set to the same value.

You can also change the individual passwords using the following:

sedutil-cli --setSIDPassword <SIDpassword> <newSIDpassword> <device>
sedutil-cli --setAdmin1Pwd <Admin1password> <newAdmin1password> <device>

Secure erase can be accomplished using the SID password if you know it:

sedutil-cli --revertTPer <SIDpassword> <device>

If you no longer have the password you'll need to physically inspect the drive and read the PSID. It is printed on the drive's label, and some drives also carry a QR code with the same information. To revert with the PSID use:

sedutil-cli --yesIreallywanttoERASEALLmydatausingthePSID <PSIDALLCAPSNODASHED> <device>

ATA SED Drives

Some devices, such as Intel, Micron or Samsung SSDs with SED support, can only be driven via the ATA security interface and do not implement OPAL.

To query the device use the standard:

hdparm -I /dev/sgX

In the output you'll see a section like the following:

	Master password revision code = 65534
	not	enabled
	not	locked
	not	expired: security count
		supported: enhanced erase

If you see "supported" you can use hdparm to enable locking on the drive. Other fields of note are "enabled", which indicates whether a password is set, and "locked", which indicates whether the drive is currently locked.

There are two passwords, 'user' and 'master', which can have different capabilities depending on how things are set up. The --user-master flag specifies 'u' for user or 'm' for master.

To set a password for the user account:

hdparm --user-master u --security-set-pass <password> /dev/sgX

The drive will lock when power is completely removed from the disk. To unlock the drive you can use:

hdparm --user-master u --security-unlock <password> /dev/sgX

To disable the password:

hdparm --user-master u --security-disable <password> /dev/sgX

To secure erase the drive, first ensure the drive is not frozen and security is enabled, then run:

hdparm --user-master u --security-erase <password> /dev/sgX