[ltp] is there a way to mount an encrypted USB drive?

Henrique de Moraes Holschuh linux-thinkpad@linux-thinkpad.org
Sun, 1 Jul 2012 12:29:32 -0300


On Thu, 28 Jun 2012, tony.martin-5nwd8ls@cool.fr.nf wrote:
> The thinkpad BIOS supports hardware encryption, but it only prompts
> for passwords on SATA-attached drives.  It does not find USB-attached
> HDDs that have hardware encryption, and does not prompt for a
> password.  How can these drives be mounted?

USB drives implement a usually broken subset of the SAS/SCSI commands.
Only the very BEST ones[1] can actually do SCSI passthrough, but unless
Lenovo started selling one that it supports as an encrypted *boot* drive,
chances of it working are basically zero.

Call Lenovo support, and ask for an external encrypted boot HDD.  Don't
mention Linux.  If they say it exists...

> There is a TPM project called "trousers", but the documentation is
> vague.  Can trousers be used to mount a USB-attached
> hardware-encrypted device?

AFAIK, it is not easy.  But it *can* store the key, and you could maybe
convince a LUKS helper to retrieve the key for the disk from the TPM.  Won't
work as the boot device, obviously.

[1] Almost always the issue is the USB-SATA or USB-SAS bridge chip.  I have
no idea how well it works with native USB HDDs, or even if such a beast even
exists.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh