How to setup zero overhead full disk encryption with S3 sleep support


Modern (NVMe) SSDs encrypt all data by default. Also called self-encrypting drive (SED). They just don’t require a password to access the data. Instead of adding an additional layer of encryption e.g. using LUKS (additional power usage), I opted to use the capabilities of the device to secure access to the stored data.

I use this setup for my installation of Pop! OS 21.04 – This guide is mostly for my own memory.

More information:

I use a fork of sedutil as that supports newer systems and for S3 sleep support,
This fork of sedutil is not compatible with the original one, as it uses a different hashing algorithm

Very high level overview of the boot process

Cold boot:
The self encrypting device (SED) presents a (strangely) named read only ShadowMBR.
Those 128MB of memory contain the pre-boot authentication image (PBA) with tools to unlock the drive and after that chain-boot (or restart) to boot your real system. It is currently based on syslinux, but can hopefully be replaced by systemd-boot sometime in the future

S3 sleep:
Switching into S3 sleep shuts down the drive, locking it.
A systemd service is setup to store the unlock key in the kernel and unlock the drive on resume.


Backup all your data!

Download the rescue image from

(For S3 sleep support) Checkout and build sedutil-cli from, or use my self-compiled version

Setup full disk encryption


EFI Setup

Create and rearrange the following boot entries (I did this from within my EFI settings)

  1. The EFI boot file in the ShadowMBR
  2. Your normal EFI boot entry

Setup S3 Sleep Support

Based on

Install sedutil-cli with S3 sleep support (see preparations).

Get your hashed password

sedutil-cli --printPasswordHash <password> /dev/nvme?

Create the systemd service file /etc/systemd/system/seds3sleep.service

(adjust the password hash and /dev/nvme0n1)

NOTE: The additional n1 is no error

ExecStart=/opt/sedutil-1.15.1-87/sedutil-cli -n -x --prepareForS3Sleep 0 <Admin1 password hash> /dev/nvme0n1

Enable this service. # systemctl enable seds3sleep.service && systemctl start seds3sleep.service

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert