[ltp] X60s/200s with SSD, encrypted disk

Fabrice Bellet linux-thinkpad@linux-thinkpad.org
Sat, 20 Jun 2015 22:12:39 +0200


Hi,

On Fri, Jun 19, 2015 at 07:38:33PM +0200, Bjørn Mork wrote:
> Uwe Brauer <oub.oub.oub@gmail.com> writes:
> >>> "Bjørn" == Bjørn Mork <bjorn@mork.no> writes:
> >
> >    > If your SSD supports encryption "in hardware", and you don't need to
> >    > protect your data against any entity likely to be able to break or
> >    > backdoor that implementation, then that's an obvious choice.
> >
> >    > Advantages: No performance impact whatsoever (the SSD will run your data
> >    > through the same encryption controller whether or not you set a
> >    > password).  OS independent.  Encrypting everything, including the boot
> >    > loader and boot loader configuration.
> >
> > Hm, sounds interesting. I have Samsung 840 EVO installed, 
> >
> >     -  how do I know this feature is supported.
> 
> See the SSD documentation.  I don't know any other way.  Google found
> this, which looks promising:
> http://www.samsung.com/global/business/semiconductor/minisite/SSD/global/html/whitepaper/whitepaper06.html
> 
> >     -  how do I enable it?
> 
> By setting the ATA password.  You can do this in the BIOS setup.

Not _exactly_ on my X220. The password you choose in the BIOS is
somewhat "mangled" before being sent to the disk with the ATA password
mechanism (ATA Security Feature Set). I remember some information
explaining that _what_ is sent to the disk is somehow related to the
keycodes of the keyboard.

The consequence is that, when the disk is locked in this way, it cannot
be unlocked on another computer (it would probably work with the same
model), which could be an important feature to recover data when the
hardware needs to be serviced...

For this reason, I reverted back to dm-crypt software encryption,
because I want to be the owner of my encryption key, and I want
to be able to unlock my disk everywhere :)

Note that most recent processors handle AES encryption in hardware, and
dm-crypt will use this feature when possible, so performance is quite
decent IMO (grep aes /proc/cpuinfo).

Best wishes,
-- 
fabrice
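As an added example (not part of the thread, and not code from any of the posters), here are the two read-only checks a practitioner would run before choosing between an ATA-password-locked SSD and dm-crypt: whether the CPU advertises the "aes" flag that dm-crypt can take advantage of, and what state the drive's ATA Security Feature Set is in according to `hdparm -I`. Both functions read from a file so they can be pointed at `/proc/cpuinfo` or at saved `hdparm -I /dev/sdX` output; the `/proc/cpuinfo` and `hdparm` excerpts below are constructed samples, not real devices. The function names and the temp-file layout are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
#   has_aes_flag FILE        exit 0 if a /proc/cpuinfo-style FILE lists the
#                            "aes" CPU flag (AES-NI, which dm-crypt can use)
#   ata_security_state FILE  summarise the "Security:" section of captured
#                            `hdparm -I /dev/sdX` output
# Sample inputs below are constructed for illustration.

has_aes_flag() {
    # Whole-word "aes" after "flags :" (so the separate "vaes" flag does not count).
    grep -Eq '^flags[[:space:]]*:.*[[:space:]]aes([[:space:]]|$)' "$1"
}

ata_security_state() {
    awk '
        BEGIN { st["supported"] = st["enabled"] = st["locked"] = st["frozen"] = "unknown" }
        /^Security:/ { insec = 1; next }           # block starts at the "Security:" header
        insec && /^[^[:space:]]/ { insec = 0 }      # next unindented header ends the block
        insec && NF > 0 {
            w = $NF                                 # lines read "supported", "not<TAB>enabled", ...
            if (w in st) st[w] = ($1 == "not") ? "no" : "yes"
        }
        END {
            printf "supported=%s enabled=%s locked=%s frozen=%s\n",
                   st["supported"], st["enabled"], st["locked"], st["frozen"]
        }
    ' "$1"
}

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

# Constructed /proc/cpuinfo excerpts: one CPU with AES-NI, one without.
printf 'processor\t: 0\nflags\t\t: fpu vme sse4_2 aes xsave avx\n' > "$TMPD/cpu_aes"
printf 'processor\t: 0\nflags\t\t: fpu vme sse4_2 xsave\n'         > "$TMPD/cpu_noaes"

# Constructed hdparm -I excerpt: drive supports the ATA Security Feature Set,
# no password is set, and the BIOS froze security at boot.
printf 'Commands/features:\n\t   *\tSMART feature set\nSecurity: \n\tMaster password revision code = 65534\n\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n\t\tfrozen\n\tnot\texpired: security count\n\t\tsupported: enhanced erase\nChecksum: correct\n' > "$TMPD/hdparm_frozen"

# Constructed excerpt: a password is set and the drive is currently locked.
printf 'Security: \n\t\tsupported\n\t\tenabled\n\t\tlocked\n\tnot\tfrozen\n' > "$TMPD/hdparm_locked"

# Constructed excerpt with no Security section at all.
printf 'Checksum: correct\n' > "$TMPD/hdparm_none"

for f in cpu_aes cpu_noaes; do
    if has_aes_flag "$TMPD/$f"; then echo "$f: aes flag present"; else echo "$f: no aes flag"; fi
done
for f in hdparm_frozen hdparm_locked hdparm_none; do
    echo "$f: $(ata_security_state "$TMPD/$f")"
done
```

Reading the summary: `enabled=yes` means a user password is set on the drive, `locked=yes` means it is locked right now, and `frozen=yes` means the BIOS issued a freeze lock at boot so the password cannot be set or changed from the running OS until the next power cycle. What the parser cannot tell you is how the BIOS derived the password it sent, which is exactly the portability concern raised above; `cryptsetup benchmark` is the corresponding quick check on the dm-crypt side, since its AES results rise noticeably when the "aes" flag is present.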