How do I tell a SED to regenerate the encryption key?
I recently purchased a Crucial MX300 to use as a boot drive, and I want to take advantage of its self encrypting functionality. I've been reading up on SEDs and I understand they use a Data Encryption Key or DEK (sometimes called a Media Encryption Key) and an Authorization Key which encrypts the DEK.



From the TCG Opal FAQ on SEDs (emphasis added):




A: The encryption key is generated on board the drive and NEVER LEAVES
THE DRIVE. The manufacturer does NOT retain or even have access to the
key. Moreover, you do not have to trust it. When putting an SED into
service it is considered good practice to start by directing the SED
to regenerate its encryption key.
Doing this before loading any
software on the drive eliminates the possibility of the drive
manufacturer, or anyone else who might have had a chance to access the
drive before the current owner, acquiring any secret, like the
encryption key, that could be later used to break into the user data.




My question is, how do I direct the SED to regenerate its encryption key? The only free tool I know about for working with SEDs is sedutil. I have been all over the documentation for that tool and I can't find anything about regenerating the DEK.



Does anyone know how to instruct the SED to regenerate the encryption key?
Tags: security, disk-encryption, opal, self-encrypting-drive, sedutil
      edited Jan 15 at 14:46
      asked Sep 23 '16 at 16:52
Dominic P
1 Answer
Note: I don't have an SED drive, nor have I tried the below. Please use at your own risk.



          From:




          • https://wiki.archlinux.org/index.php/Self-Encrypting_Drives


          in section Secure disk erasure:




          Simply passing a cryptographic disk erasure (or crypto erase) command
          (after providing the correct authentication credentials) will have the
          drive self-generate a new random encryption key (DEK) internally. This
          will permanently discard the old key, thus rendering the encrypted
          data irrevocably un-decryptable.




          From this:




          • https://library.netapp.com/ecmdocs/ECMP1636022/html/GUID-68D4D72F-8884-4AAE-B8C6-CCF0A8D6129B.html



          Using the PSID to perform a factory reset causes all disk parameters
          to be reset to factory original settings, including the following:




          • The encryption key used to encrypt and decrypt the data on the media
            is changed to an unknown value.




          From this:





          • https://github.com/Drive-Trust-Alliance/sedutil/blob/master/linux/PSIDRevert_LINUX.txt (Linux)


          • https://github.com/Drive-Trust-Alliance/sedutil/wiki/PSID-Revert (Windows)


          you have this:




          Warning: This function will erase all of your data
          ...




          Linux:



sedutil-cli --yesIreallywanttoERASEALLmydatausingthePSID <PSIDALLCAPSNODASHES> /dev/sd?


          Windows:



sedutil-cli --yesIreallywanttoERASEALLmydatausingthePSID <YOURPSID> \\.\PhysicalDrive?



          You should see INFO: revertTper completed successfully.



          If you get a message that says NOT_AUTHORIZED you entered the PSID wrong.




          Hope this helps.
          answered Sep 23 '16 at 18:13
levant pied
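An added example (mine, not code from the post or from the sedutil project): a POSIX shell wrapper around the PSID revert described in the answer. It normalises the PSID into the ALL-CAPS, no-dashes form the sedutil notes require, refuses to touch a device that is not a supported SED, asks for explicit confirmation, and classifies sedutil's output using the two messages the answer lists. It assumes a label PSID is 32 characters from [A-Z0-9] and that `sedutil-cli --isValidSED` exits non-zero for an unsupported device; the device names are placeholders.

```shell
#!/bin/sh
# Added example (not from the Super User post or the sedutil project): a guarded
# wrapper around the PSID revert shown in the answer. Assumptions are marked.
set -eu

# sedutil wants the PSID in ALL CAPS with NO DASHES; drive labels often print it
# in dash- or space-separated groups, so normalise it before use.
normalize_psid() {
  printf '%s' "$1" | tr -d ' -' | tr '[:lower:]' '[:upper:]'
}

# Assumption: a label PSID is 32 characters from [A-Z0-9]. Refuse anything else so
# a mistyped PSID never reaches the drive (sedutil would answer NOT_AUTHORIZED).
validate_psid() {
  [ "${#1}" -eq 32 ] || return 1
  case "$1" in *[!A-Z0-9]*) return 1 ;; esac
}

# Build the exact command line from the answer for either platform; Windows
# device names take the form \\.\PhysicalDrive0 (placeholder device names).
build_revert_cmd() { # $1 = linux|windows, $2 = normalised PSID, $3 = device
  case "$1" in
    linux)   printf 'sedutil-cli --yesIreallywanttoERASEALLmydatausingthePSID %s %s' "$2" "$3" ;;
    windows) printf 'sedutil-cli --yesIreallywanttoERASEALLmydatausingthePSID %s \\\\.\\%s' "$2" "$3" ;;
    *) return 1 ;;
  esac
}

# Map sedutil's output onto the two outcomes the answer documents.
classify_revert_output() {
  case "$1" in
    *"revertTper completed successfully"*) echo success ;;
    *NOT_AUTHORIZED*) echo bad_psid ;;
    *) echo unknown ;;
  esac
}

# Guarded Linux run: validate the PSID, confirm the target is a supported SED, ask
# for explicit confirmation, then run and classify. DRY_RUN=1 only prints the command.
psid_revert() { # $1 = PSID as printed on the label, $2 = device such as /dev/sdb
  psid=$(normalize_psid "$1")
  validate_psid "$psid" || { echo "refusing: PSID must be 32 [A-Z0-9] characters" >&2; return 2; }
  # Assumption: --isValidSED exits non-zero when the device is not a supported SED.
  sedutil-cli --isValidSED "$2" || { echo "refusing: $2 is not a supported SED" >&2; return 3; }
  cmd=$(build_revert_cmd linux "$psid" "$2")
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "would run: $cmd"; return 0; fi
  printf 'This destroys ALL data on %s. Type ERASE to continue: ' "$2"
  read -r answer
  [ "$answer" = ERASE ] || { echo "aborted" >&2; return 4; }
  out=$(sedutil-cli --yesIreallywanttoERASEALLmydatausingthePSID "$psid" "$2" 2>&1) || true
  echo "$out"
  case $(classify_revert_output "$out") in
    success)  echo "DEK regenerated: the old data is now unrecoverable" ;;
    bad_psid) echo "NOT_AUTHORIZED: check the PSID against the drive label" >&2; return 5 ;;
    *)        echo "unrecognised sedutil output, inspect it before retrying" >&2; return 6 ;;
  esac
}
```

Run `DRY_RUN=1 psid_revert '<PSID from the label>' /dev/sdb` first to see the exact command without executing it.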
          • You are a freaking genius! Thanks. I had found the first and last sources, but I was missing the middle one about what a PSID revert actually does.

            – Dominic P
            Sep 23 '16 at 19:32











          • @DominicP No problem, glad to help!

            – levant pied
            Sep 23 '16 at 19:36