Modern (NVMe) SSDs encrypt all data by default. Also called self-encrypting drive (SED). They just don’t require a password to access the data. Instead of adding an additional layer of encryption e.g. using LUKS (additional power usage), I opted to use the capabilities of the device to secure access to the stored data.
I use this setup for my installation of Pop! OS 21.04 – This guide is mostly for my own memory.
I use a fork of sedutil as that supports newer systems and for S3 sleep support
WARNING: This fork of sedutil is not compatible with the original one, as it uses a different hashing algorithm
Very high level overview of the boot process
The self encrypting device (SED) presents a (strangely) named read only ShadowMBR.
Those 128MB of memory contain the pre-boot authentication image (PBA) with tools to unlock the drive and after that chain-boot (or restart) to boot your real system. It is currently based on syslinux, but can hopefully be replaced by systemd-boot sometime in the future https://github.com/systemd/systemd/issues/16089.
Switching into S3 sleep shuts down the drive, locking it.
A systemd service is setup to store the unlock key in the kernel and unlock the drive on resume.
Backup all your data!
Download the rescue image from https://github.com/ChubbyAnt/sedutil/releases/tag/1.15-5ad84d8
(For S3 sleep support) Checkout and build sedutil-cli from https://github.com/ratcashdev/sedutil/tree/badicsalex-s3-sleep-support, or use my self-compiled version
Setup full disk encryption
Create and rearrange the following boot entries (I did this from within my EFI settings)
- The EFI boot file in the ShadowMBR
- Your normal EFI boot entry
Setup S3 Sleep Support
Based on https://github.com/ladar/sedutil/issues/4
Install sedutil-cli with S3 sleep support (see preparations).
Get your hashed password
sedutil-cli --printPasswordHash <password> /dev/nvme?
Create the systemd service file
the password hash and /dev/nvme0n1)
NOTE: The additional
n1 is no error
ExecStart=/opt/sedutil-1.15.1-87/sedutil-cli -n -x --prepareForS3Sleep 0 <Admin1 password hash> /dev/nvme0n1
Enable this service. # systemctl enable seds3sleep.service && systemctl start seds3sleep.service