Is there support in Coreboot for FDE / SED? (full disk encryption)


#1

Especially on a laptop that might be lost on the road I want to encrypt my data.

Many SSDs (Samsung 830, 840 Pro, 840 Evo, 850 Pro, 850 Evo, Plextor M5P, M5S, Crucial M500, M550, Intel 520 etc., to name a few) support hardware-based encryption, which is running anyway all the time and has to be enabled by setting a disk password in the BIOS/UEFI.

FDE / SED SSDs have the advantage that you don’t need to configure the encryption on an OS level and any OS can be encrypted.

Does anyone have info about that?

Finder: full disk encryption, self encrypting disk


#2

Not answering the question, just a reminder that these FW/HW-based encryption mechanisms are usually not as secure as the plain old dm-crypt/LUKS approach.


#3

I am not an expert in this field. Currently I’m using FDE with a ThinkPad and I’m very happy to know that if my laptop gets lost, the chances that someone can read my data are very small. I remember having read this study, which gives good results for HW-based encryption: https://www1.cs.fau.de/filepool/projects/sed/seds-at-risks.pdf
As far as I know, in software-based encryption the key is always stored on the storage device, which is partly available to a potential hacker,
while the HW-based encryption has its weak point once it is decrypted and power isn’t lost. Unfortunately, firmwares of SSDs aren’t open source. I understand very well that this is not a bearable situation.