Full disk encryption with Ubuntu

Ralf Mardorf kde.lists at yahoo.com
Sun Jan 29 01:38:19 UTC 2023


> I think before deciding on option 1, I would investigate what's going to 
> be involved in getting your SED to work with linux.

Hi,

the Arch Wiki might be a starting point. However, apart from the
compromised firmware I mentioned in my first reply, there are other
security risks.

"Disadvantages

    Constant-power exploits

    Typical self-encrypting drives, once unlocked, will remain unlocked
as long as power is provided. This vulnerability can be exploited by
means of altering the environment external to the drive, without cutting
power, in effect keeping the drive in an unlocked state. For example, it
has been shown (by researchers at University of Erlangen-Nuremberg) that
it is possible to reboot the computer into an attacker-controlled
operating system without cutting power to the drive. The researchers
have also demonstrated moving the drive to another computer without
cutting power.[1]

    Key-in-memory exploits

    When the system is powered down into S3 ("sleep") mode, the drive is
powered down, but the drive keeps access to the encryption key in its
internal memory (NVRAM) to allow for a resume ("wake"). This is
necessary because for system booted with an arbitrary operating system
there is no standard mechanism to prompt the user to re-enter the pre-
boot decryption passphrase again. An attacker (with physical access to
the drive) can leverage this to access the drive. Taking together known
exploits the researchers summarize "we were able to break hardware-based
full-disk encryption on eleven [of twelve] of those systems provided
they were running or in standby mode".[2] Note, however, S3 ("sleep") is
not currently supported by sedutil (the current available toolset for
managing a TCG OPAL 2.0 self-encrypting drives via Linux)" -
https://wiki.archlinux.org/title/Self-encrypting_drives

Regards,
Ralf



