Cryptsetup Lands Support For OPAL Self Encrypting Drives


  • Cryptsetup Lands Support For OPAL Self Encrypting Drives

    Phoronix: Cryptsetup Lands Support For OPAL Self Encrypting Drives

    Linux 6.4 or newer paired with the latest cryptsetup development code has landed support for the OPAL specification for self-encrypting drives...


  • #2
    I admit I do not have a proper understanding of how SED drives are implemented, but I am asking myself how (or whether) it is guaranteed that the hardware itself is not logging the keys, which are retrievable later via an undocumented interface, (hopefully) only known to vendors and those "agencies"? Nobody would notice if a drive with TB of capacity would hide some KB of its capacity to log the key history.

    Admittedly, it is still useful in situations like a lost notebook or for selling the drive second hand, but that is just part of the story.



    • #3
      I agree, I would only trust an open source encryption technology because of fears of hardware having built-in back doors. LUKS with Linux, GEOM with FreeBSD, whatever OpenBSD's native encryption tech is called, all three are good and haven't failed me yet!



      • #4
        Originally posted by Joe2021:
        I admit I do not have a proper understanding of how SED drives are implemented, but I am asking myself how (or whether) it is guaranteed that the hardware itself is not logging the keys, which are retrievable later via an undocumented interface, (hopefully) only known to vendors and those "agencies"? Nobody would notice if a drive with TB of capacity would hide some KB of its capacity to log the key history.

        Admittedly, it is still useful in situations like a lost notebook or for selling the drive second hand, but that is just part of the story.
        It's a matter of trust, but even Microsoft changed the defaults of BitLocker in September 2019 to not use SED functionality:

        Changes the default setting for BitLocker when encrypting a self-encrypting hard drive. Now, the default is to use software encryption for newly encrypted drives. For existing drives, the type of encryption will not change.
        For me it looks like the security state of hardware encrypted drives was so dire it required a change of policy, which historically is something that Microsoft is conservative about.



        • #5
          I wouldn't trust their firmware, hardware vendors have a very poor track record with security and fixing vulnerabilities.
          Not to mention firmware will most likely be closed source too.



          • #6
            Does OPAL decrease performance with fast SSDs e.g. Samsung EVO 990 pro? Just considering nested OPAL+dm-crypt vs. dm-crypt-only.



            • #7
              Originally posted by Jakobson:
              Does OPAL decrease performance with fast SSDs e.g. Samsung EVO 990 pro? Just considering nested OPAL+dm-crypt vs. dm-crypt-only.
              No, they will operate at the same speed. In fact, even without setting it up, data is already encrypted regardless. It's just that the keys are unlocked by default; at least on the Samsung drives I have: 970 EVO NVMe and 870 EVO SATA.



              • #8
                Originally posted by numacross:
                It's a matter of trust, but even Microsoft changed the defaults of BitLocker in September 2019 to not use SED functionality:

                For me it looks like the security state of hardware encrypted drives was so dire it required a change of policy, which historically is something that Microsoft is conservative about.
                These changed defaults were on Windows 10.

                Windows 11 supports hardware encryption by default again.



                • #9
                  Originally posted by johnp:
                  These changed defaults were on Windows 10.

                  Windows 11 supports hardware encryption by default again.
                  It doesn't look like it does according to Microsoft documentation and Group Policy running on Windows 11:

                  [screenshot: mWPyCvl.png]

                  If you have an official source that they changed it please post it.



                  • #10
                    Originally posted by numacross:

                    It doesn't look like it does according to Microsoft documentation and Group Policy running on Windows 11:

                    [screenshot: mWPyCvl.png]

                    If you have an official source that they changed it please post it.
                    AFAICT, that policy hasn't changed on Windows 11. Drive manufacturer firmware hasn't gotten any more reliable since Microsoft realized SED as a practical matter isn't reliable.

                    Edit to add: What's really needed are tools to easily verify the encryption integrity on devices with SED so they can actually be used when it does work. Right now, I don't know of any reliable way to do so, as all drive manufacturers are dependent on their own secret-sauce firmware to the detriment of their customers' data integrity, security, and privacy. The current situation is that we've no choice but to default to throwing out the baby with the bathwater because we can't know if both are contaminated.
                    Last edited by stormcrow; 18 August 2023, 05:43 PM.

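Posts #7 and #10 both touch on what a drive reports about its own encryption state; as an added example (not code from this thread or from the cryptsetup project), here is a Python parser for the TCG Opal Level 0 Discovery response, the structure that tools like sedutil and the Linux sed-opal driver read to learn whether locking is supported, enabled or engaged and whether media encryption is present. It assumes the Opal SSC byte layout (48-byte header followed by feature descriptors) and runs on a constructed sample buffer; fetching a real one needs an IF-RECV on security protocol 0x01 (for example via nvme-cli's security-recv), which is left out here.

```python
import struct

# TCG Storage Level 0 Discovery feature codes (Opal SSC v1/v2 specifications).
FEATURE_TPER, FEATURE_LOCKING, FEATURE_OPAL_V2 = 0x0001, 0x0002, 0x0203
# Bit order of the first data byte in the Locking feature descriptor (bit 0 first).
LOCKING_FLAGS = ["LockingSupported", "LockingEnabled", "Locked",
                 "MediaEncryption", "MBREnabled", "MBRDone"]

def parse_discovery0(buf: bytes) -> dict:
    """Parse a Level 0 Discovery response: 48-byte header, then feature descriptors
    of the form code(2) | version<<4 (1) | length(1) | data(length), big-endian."""
    if len(buf) < 48:
        raise ValueError("buffer shorter than the 48-byte Discovery0 header")
    param_len, revision = struct.unpack_from(">II", buf, 0)
    end = min(len(buf), 4 + param_len)  # length field counts the bytes after itself
    features, off = {}, 48
    while off + 4 <= end:
        code, ver_byte, length = struct.unpack_from(">HBB", buf, off)
        data = buf[off + 4:off + 4 + length]
        entry = {"version": ver_byte >> 4, "raw": data}
        if code == FEATURE_LOCKING and length >= 1:
            entry.update({n: bool(data[0] >> i & 1) for i, n in enumerate(LOCKING_FLAGS)})
        elif code == FEATURE_OPAL_V2 and length >= 4:
            entry["base_comid"], entry["num_comids"] = struct.unpack_from(">HH", data, 0)
        features[code] = entry
        off += 4 + length
    return {"revision": revision, "features": features}

def locking_state(info: dict) -> str:
    """One-line assessment of the self-reported Locking bits. These come from the
    drive firmware, so they describe configuration, not how the key is handled."""
    lock = info["features"].get(FEATURE_LOCKING)
    if lock is None:
        return "no Locking feature: not an Opal-capable drive"
    if not lock["MediaEncryption"]:
        return "locking supported but media encryption not reported"
    if not lock["LockingEnabled"]:
        return "media encrypted but locking not enabled: readable without any credential"
    return "locked" if lock["Locked"] else "locking enabled, currently unlocked"

def build_discovery0(feature_blobs) -> bytes:
    """Construct a Discovery0 buffer (revision 1, reserved/vendor bytes zeroed) for testing."""
    body = b"".join(struct.pack(">HBB", c, v << 4, len(d)) + d for c, v, d in feature_blobs)
    return struct.pack(">II", 44 + len(body), 1) + bytes(40) + body

# Constructed sample: a factory-state drive as post #7 describes, i.e. media encryption
# present but locking never enabled (Locking byte 0 = 0b00001001).
SAMPLE = build_discovery0([
    (FEATURE_TPER, 1, bytes([0x01]) + bytes(11)),
    (FEATURE_LOCKING, 1, bytes([0x09]) + bytes(11)),
    (FEATURE_OPAL_V2, 1, struct.pack(">HHBHHBB", 0x1000, 1, 0, 4, 8, 0xFF, 0xFF) + bytes(5)),
])
```

Because every flag is asserted by the firmware, this check only tells you how the drive is configured; it says nothing about the key-handling trust question raised earlier in the thread.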