How to setup zero overhead full disk encryption with S3 sleep support

Background

Modern (NVMe) SSDs encrypt all data by default; such a drive is also called a self-encrypting drive (SED). They just don’t require a password to access the data. Instead of adding an additional layer of encryption, e.g. using LUKS (extra CPU work and therefore additional power usage), I opted to use the capabilities of the device itself to secure access to the stored data.

Disclaimer:
I use this setup for my installation of Pop! OS 21.04 – This guide is mostly for my own memory.

More information:

I use a fork of sedutil, as it supports newer systems and S3 sleep:
https://github.com/ChubbyAnt/sedutil, https://github.com/ratcashdev/sedutil/tree/badicsalex-s3-sleep-support
WARNING:
This fork of sedutil is not compatible with the original one, as it uses a different hashing algorithm

Very high level overview of the boot process

Cold boot:
The self-encrypting device (SED) presents a (strangely named) read-only ShadowMBR.
Those 128MB contain the pre-boot authentication image (PBA) with the tools to unlock the drive; once unlocked, it chain-boots (or restarts) into your real system. The PBA is currently based on syslinux, but can hopefully be replaced by systemd-boot sometime in the future: https://github.com/systemd/systemd/issues/16089.

S3 sleep:
Entering S3 sleep powers down the drive, which locks it again.
A systemd service is set up to store the unlock key in the kernel so that the drive is unlocked automatically on resume.

Preparations

Backup all your data!

Download the rescue image from https://github.com/ChubbyAnt/sedutil/releases/tag/1.15-5ad84d8

(For S3 sleep support) Check out and build sedutil-cli from https://github.com/ratcashdev/sedutil/tree/badicsalex-s3-sleep-support, or use my self-compiled version

Setup full disk encryption

Follow: https://github.com/ChubbyAnt/sedutil#encrypting-your-drive

EFI Setup

Create the following boot entries and arrange them in this order (I did this from within my EFI settings):

  1. The EFI boot file in the ShadowMBR
  2. Your normal EFI boot entry

Setup S3 Sleep Support

Based on https://github.com/ladar/sedutil/issues/4

Install sedutil-cli with S3 sleep support (see preparations).

Get your hashed password

sedutil-cli --printPasswordHash <password> /dev/nvme?

Create the systemd service file /etc/systemd/system/seds3sleep.service

(adjust the password hash and /dev/nvme0n1)

NOTE: The additional n1 is no error

[Service]
Type=oneshot
ExecStart=/opt/sedutil-1.15.1-87/sedutil-cli -n -x --prepareForS3Sleep 0 <Admin1 password hash> /dev/nvme0n1

[Install]
WantedBy=multi-user.target

Enable and start this service:

# systemctl enable seds3sleep.service && systemctl start seds3sleep.service
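What the --prepareForS3Sleep step does is hand the Admin1 credential to the kernel's sed-opal layer through the IOC_OPAL_SAVE ioctl, so the block layer can replay the unlock when the NVMe controller comes back from suspend. The C program below is an added example written for this post, not sedutil's code, doing the same thing against the public kernel interface; it assumes the hex string printed by --printPasswordHash is the raw OPAL credential the drive expects (sedutil uses its hash output directly as the password) and that the global locking range 0 is the one in use.

```c
#include <ctype.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/sed-opal.h>
static int nibble(unsigned char c) {          /* one hex digit -> 0..15, else -1 */
    if (!isxdigit(c)) return -1;
    return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
}

int hex_to_bytes(const char *hex, uint8_t *out, size_t max) { /* hash hex -> bytes; count or -1 */
    size_t n = strlen(hex);
    if (n == 0 || n % 2 || n / 2 > max) return -1;
    for (size_t i = 0; i < n; i += 2) {
        int hi = nibble(hex[i]), lo = nibble(hex[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i / 2] = (uint8_t)(hi << 4 | lo);
    }
    return (int)(n / 2);
}

/* IOC_OPAL_SAVE request: Admin1 credential for the global locking range (lr 0, left at zero by memset), replayed by the kernel as a read/write unlock on resume. */
int build_save_request(struct opal_lock_unlock *req, const char *hex_hash) {
    memset(req, 0, sizeof *req);
    int len = hex_to_bytes(hex_hash, req->session.opal_key.key, OPAL_KEY_MAX);
    if (len < 0) return -1;
    req->session.opal_key.key_len = (uint8_t)len;
    req->session.who = OPAL_ADMIN1;
    req->l_state = OPAL_RW;
    return 0;
}

/* Hand the credential to the kernel (needs CAP_SYS_ADMIN); returns 0 on success, -1 on error. */
int save_key_for_resume(const char *dev, const char *hex_hash) {
    struct opal_lock_unlock req;
    int fd = -1, rc = -1;
    if (build_save_request(&req, hex_hash) == 0 && (fd = open(dev, O_RDONLY)) >= 0)
        rc = ioctl(fd, IOC_OPAL_SAVE, &req);
    if (fd >= 0) close(fd);
    for (size_t i = 0; i < sizeof req; i++) ((volatile uint8_t *)&req)[i] = 0; /* scrub credential */
    return rc;
}

int main(int argc, char **argv) {
    if (argc != 3) return fprintf(stderr, "usage: %s /dev/nvmeXn1 <Admin1 hash hex>\n", argv[0]), 2;
    return save_key_for_resume(argv[1], argv[2]) == 0 ? 0 : (perror("IOC_OPAL_SAVE"), 1);
}
```

The trade-off the service accepts is visible here: the credential stays in kernel memory for as long as the system is up, which is exactly what makes the unlock on resume possible.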
