How do I tell a SED to regenerate the encryption key?
I recently purchased a Crucial MX300 to use as a boot drive, and I want to take advantage of its self-encrypting functionality. I've been reading up on SEDs and I understand they use a Data Encryption Key or DEK (sometimes called a Media Encryption Key) and an Authorization Key which encrypts the DEK.
From the TCG Opal FAQ on SEDs (emphasis added):
A: The encryption key is generated on board the drive and NEVER LEAVES
THE DRIVE. The manufacturer does NOT retain or even have access to the
key. Moreover, you do not have to trust it. When putting an SED into
service it is considered good practice to start by directing the SED
to regenerate its encryption key. Doing this before loading any
software on the drive eliminates the possibility of the drive
manufacturer, or anyone else who might have had a chance to access the
drive before the current owner, acquiring any secret, like the
encryption key, that could be later used to break into the user data.
My question is, how do I direct the SED to regenerate its encryption key? The only free tool I know about for working with SEDs is sedutil. I have been all over the documentation for that tool and I can't find anything about regenerating the DEK.
Does anyone know how to instruct the SED to regenerate the encryption key?
security disk-encryption opal self-encrypting-drive sedutil
edited Jan 15 at 14:46
asked Sep 23 '16 at 16:52
Dominic P
1 Answer
Note: I don't have an SED drive, nor have I tried the below. Please use at your own risk.
From:
- https://wiki.archlinux.org/index.php/Self-Encrypting_Drives
in section Secure disk erasure:
Simply passing a cryptographic disk erasure (or crypto erase) command
(after providing the correct authentication credentials) will have the
drive self-generate a new random encryption key (DEK) internally. This
will permanently discard the old key, thus rendering the encrypted
data irrevocably un-decryptable.
From this:
- https://library.netapp.com/ecmdocs/ECMP1636022/html/GUID-68D4D72F-8884-4AAE-B8C6-CCF0A8D6129B.html
Using the PSID to perform a factory reset causes all disk parameters
to be reset to factory original settings, including the following:
- The encryption key used to encrypt and decrypt the data on the media
is changed to an unknown value.
From this:
https://github.com/Drive-Trust-Alliance/sedutil/blob/master/linux/PSIDRevert_LINUX.txt (Linux)
https://github.com/Drive-Trust-Alliance/sedutil/wiki/PSID-Revert (Windows)
you have this:
Warning: This function will erase all of your data
...
Linux:
sedutil-cli --yesIreallywanttoERASEALLmydatausingthePSID <PSIDALLCAPSNODASHES> /dev/sd?
Windows:
sedutil-cli --yesIreallywanttoERASEALLmydatausingthePSID <YOURPSID> \\.\PhysicalDrive?
You should see INFO: revertTper completed successfully.
If you get a message that says NOT_AUTHORIZED you entered the PSID wrong.
Hope this helps.
answered Sep 23 '16 at 18:13
levant pied
You are a freaking genius! Thanks. I had found the first and last sources, but I was missing the middle one about what a PSID revert actually does.
– Dominic P
Sep 23 '16 at 19:32
@DominicP No problem, glad to help!
– levant pied
Sep 23 '16 at 19:36