Self Encrypting Drives Support in the Installer This is a proposed Change for Fedora Linux. This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee. Wiki Announced 🔗 Summary Add optional support for using native hardware encryption on TCG OPAL2 compliant drives when configuring disk encryption in th...
A new proposal to have optional support for native hardware encryption (TCG OPAL2 standard)
Some SATA and NVMe devices support hardware encryption (TCG OPAL2 standard) and with the latest cryptsetup LUKS devices can be configured to use hardware encryption to encrypt the data either by itself or together with the existing dm-crypt software encryption. Support for this feature was added in the latest cryptsetup upstream release and we’d like to provide an option for users to use this feature when installing Fedora with disk encryption.
As this is an expert option, it will be available only through the kickstart interface. […] There will be two new options to select either hardware encryption only or hardware encryption in combination with software encryption (analogous to the --hw-opal-only and --hw-opal options used when configuring hardware encryption with cryptsetup).
I wouldn’t trust any drive that offers the feature. We already know that those that have that thing to delete files or wtv it is called doesn’t work well, I would not touch with a foot long stick anything related to crypto on the hardware level.
For a drive with throwaway data where performance might be a concern but data protect is a nice-to-have it’s fine. Think games or a cache disk for art workstations
How do we know that the hardware encrypts the data correctly? Can we observe ciphertext?
I wouldn’t trust any drive that offers the feature. We already know that those that have that thing to delete files or wtv it is called doesn’t work well, I would not touch with a foot long stick anything related to crypto on the hardware level.
For a drive with throwaway data where performance might be a concern but data protect is a nice-to-have it’s fine. Think games or a cache disk for art workstations