this post was submitted on 15 Jul 2024
62 points (100.0% liked)

Linux

4812 readers
295 users here now

A community for everything relating to the linux operating system

Also check out !linux_memes@programming.dev

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 1 year ago
MODERATORS
Ategon@programming.dev
anzo@programming.dev
dwraf_of_ignorance@programming.dev
62
Fedora 41 Change Proposal: Self Encrypting Drives Support in the Installer (self-contained) (discussion.fedoraproject.org)
submitted 1 month ago by lemmee_in@lemm.ee to c/linux@programming.dev
5 comments fedilink hide all child comments
 

A new proposal to have optional support for native hardware encryption (TCG OPAL2 standard)

you are viewing a single comment's thread
view the rest of the comments
[–] unskilled5117 7 points 1 month ago (1 children)

Some SATA and NVMe devices support hardware encryption (TCG OPAL2 standard) and with the latest cryptsetup LUKS devices can be configured to use hardware encryption to encrypt the data either by itself or together with the existing dm-crypt software encryption. Support for this feature was added in the latest cryptsetup upstream release and we’d like to provide an option for users to use this feature when installing Fedora with disk encryption.

As this is an expert option, it will be available only through the kickstart interface. […] There will be two new options to select either hardware encryption only or hardware encryption in combination with software encryption (analogous to the --hw-opal-only and --hw-opal options used when configuring hardware encryption with cryptsetup).

[–] henfredemars@infosec.pub 3 points 1 month ago (1 children)

How do we know that the hardware encrypts the data correctly? Can we observe ciphertext?

[–] devfuuu@lemmy.world 4 points 1 month ago (1 children)

I wouldn't trust any drive that offers the feature. We already know that those that have that thing to delete files or wtv it is called doesn't work well, I would not touch with a foot long stick anything related to crypto on the hardware level.

[–] 4am@lemm.ee 2 points 1 month ago

For a drive with throwaway data where performance might be a concern but data protect is a nice-to-have it’s fine. Think games or a cache disk for art workstations