On Sunday, 2017-12-03 at 18:47 +0100, Richard Brown wrote:
On 3 December 2017 at 17:10, listreader wrote:
On Sun, 3 Dec 2017 09:58:46 +0100 Richard Brown wrote:
...
I bought a new workstation a couple weeks ago and one of the options was various Samsung 960 NVMe PROs including the 2 TB at ~$1300 (~€1100 ?), the latter to which I said, umm, no thank you for that :-/
My question to you, and to Greg F who also apparently has experience with these things, is: these come with hardware encryption. How does that work with Linux, specifically openSUSE of course? Can you boot 42.3 off a hardware encrypted NVMe? If so, does anything special need to be done to permit said booting?
I haven't used it much myself - all of the production nvme openqa.opensuse.org workers (which were/are Leap 42.2/3) didn't use the feature - We don't want to enter passwords when we're rebooting them.
However, I did my homework and currently the commonly believed 'best' way of using the hardware encryption is by using the support (if your BIOS has it) for unlocking it in and with the BIOS.
That way, when the BIOS is loading, it unlocks the device, and from that point on Linux sees and uses the device just like a regular nvme (which is pretty much seen the same as a regular disk, just with a funny naming convention, e.g. /dev/nvme0n1p1).
The advantage here is that the disk i/o is really fast, doesn't load the OS.

There is /some/ support in hdparm for it (search "ATA Security Feature Set" on the man page).

There is a huge caveat, though: when the password is entered via the BIOS, apparently the password itself is modified in a way that is difficult to predict, and the disk will only be operable on that machine and no other. If the machine breaks down, your data is lost. I read about this in a detailed article, but I don't remember the details in order to locate it, and it is not in my notes, sorry. Hopefully somebody else does remember and posts a link.

-- 
Cheers,
Carlos E. R.
(from openSUSE 42.2 x86_64 "Malachite" at Telcontar)
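
Added example, not part of the original message: a small Python parser for the Security section that `hdparm -I` prints, to check whether a drive has a password set and whether the firmware left it unlocked or frozen after boot. The sample text is constructed, and the names `parse_security` and `assess` are hypothetical.

```python
# Constructed sample in the layout `hdparm -I <device>` uses for its Security section.
SAMPLE = (
    "Commands/features:\n"
    "\tEnabled\tSupported:\n"
    "\t   *\tSMART feature set\n"
    "Security: \n"
    "\tMaster password revision code = 65534\n"
    "\t\tsupported\n"
    "\t\tenabled\n"
    "\tnot\tlocked\n"
    "\t\tfrozen\n"
    "\tnot\texpired: security count\n"
    "\t\tsupported: enhanced erase\n"
    "\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.\n"
)

FLAGS = ("supported", "enabled", "locked", "frozen", "expired")

def parse_security(text):
    """Return {flag: bool} for the ATA security flags found in hdparm -I output."""
    state, in_section = {}, False
    for line in text.splitlines():
        if not line[:1].isspace():            # unindented line starts a new section
            in_section = line.strip().startswith("Security:")
            continue
        words = line.split()
        if not in_section or not words:
            continue
        negated = words[0] == "not"           # "not enabled", "not locked", ...
        if negated:
            words = words[1:]
        name = words[0].rstrip(":") if words else ""
        if name in FLAGS and name not in state:   # keep first hit; skip "supported: enhanced erase"
            state[name] = not negated
    return state

def assess(state):
    """Summarise what the flags mean for a drive that firmware may have unlocked."""
    if not state.get("supported"):
        return "ATA security feature set not reported as supported"
    if state.get("locked"):
        return "locked: the drive refuses I/O until it is unlocked with the password"
    if not state.get("enabled"):
        return "no user password set: ATA security is not protecting this drive"
    note = "password set, currently unlocked"
    if state.get("frozen"):
        note += "; frozen, so security commands are rejected until power cycle"
    return note

if __name__ == "__main__":
    print(assess(parse_security(SAMPLE)))
```

On a real system the input would be the captured output of `hdparm -I` for the device instead of `SAMPLE`.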