The Notebook Review forums were hosted by TechTarget, which shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    How to use SSD hardware encryption? Dual-boot Linux/Win

    Discussion in 'Linux Compatibility and Software' started by jasperjones, Dec 17, 2015.

  1. jasperjones

    jasperjones Notebook Evangelist

    So I'm about to pull the trigger on a notebook (Latitude 5470). It will feature two SSDs: one M.2 (model unknown) and one 2.5" SSD (Samsung 850 EVO). Both SSDs support hardware encryption (self-encrypting drives; conforming to TCG Opal).

    I intend to dual boot. Ubuntu on the M.2, Win 7 Pro (or Win 10 Pro) on the 2.5" drive. I assume I'll install Windows first, then Ubuntu, putting GRUB on the M.2. The thing is, I have no clue how to provision the self-encrypting drives.

    Does anybody have experience with such a scenario? Or can you provide any pointers? Thanks.
     
  2. ALLurGroceries

    ALLurGroceries Vegan Vermin Super Moderator

    Make sure the BIOS supports HDD passwords. That's where you set disk level encryption.
     
  3. Falco152

    Falco152 Notebook Demon

    You also need to check that your motherboard supports it as well. Very few of the consumer line actually support this, or they have a flaky implementation.

    I don't know an easy way to 100% verify it besides taking the drive out and plugging it into another system to see if the content is unreadable.

    Also, you need to disable hibernation and sleep support unless you've got a management system in place.

    Reason for that:
    Hibernate will sometimes fail to boot up.

    Sleep will keep the key alive, rendering the drive readable to anyone. The drive is no longer encrypted once the key is loaded and active.
     
    Last edited: Dec 18, 2015
  4. jasperjones

    jasperjones Notebook Evangelist

    ALLurGroceries, Falco152,

    Thanks for your input!

    I thought I would have to do this at the OS level (LUKS on Ubuntu and BitLocker on Windows). If I can set a HDD password in the BIOS for both drives, that would be considerably less tricky than I thought :)
     
  5. Falco152

    Falco152 Notebook Demon

    That's the perk of hardware encryption ... it doesn't care what OS you are using (the only exception is BitLocker with hardware encryption support, only offered in W8.1/10 and only if you want to use BitLocker).
    Just set the key in the BIOS.

    The drawback is the hardware requirement to get it fully working.
     
  6. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    Having to type a password every time you boot instead of just sliding a finger is so depressing...
     
  7. jasperjones

    jasperjones Notebook Evangelist

    I have one more follow-up question...

    Let's assume I use a UEFI/BIOS password. And assume I have the hardware which supports HDD/SSD encryption via this password.

    Will this give rise to drive encryption which is hardware-specific? So if, say, the mobo fails, will it be impossible to decrypt the data?

    Note that I will be doing this on a Dell E5470 which uses Intel vPro. It is conceivable the UEFI/BIOS password will be stored with help from the TPM. And, of course, the keys in the TPM differ for each mobo. What I know for sure is that when encrypting via BitLocker, you lose your encrypted data when the mobo (and hence the TPM) dies. Business users are typically aware of this risk and willing to accept it.
     
  8. Falco152

    Falco152 Notebook Demon

    As long as you know the key, the data can be recovered. Same goes for BitLocker.
    The TPM is a tool to assist in securely storing and retrieving your key.

    With the hardware-encrypted drives, the key is stored within the disk itself, and it is not dependent on the TPM by default.
    The only caveat is how your model decides to write that key to the disk.

    Your model may implement it differently from everyone else.
    For example, Model 1 takes the first 4 characters, applies a salt-and-pepper mod, then writes that to disk.
    Model 2 will store the key to disk as it is typed on screen.
    Configure the disk on Model 1, then transfer the disk to Model 2.
    Only that line of Model 1 can read the disk,
    and Model 2 will see garbage, as the key entered on Model 2 will not match the key on disk.

    (There are paid solutions that migrate this, plus they support alternative combinations to log in, i.e. AD, biometrics, tokens, cards, keys, etc.)
     
    Last edited: Dec 31, 2015
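    The two points above (sleep leaves the drive unlocked; the BIOS, not the drive, decides how the typed HDD password becomes the credential sent to the drive) can be seen in a small simulation. This is an added example, not code from the thread or from any Dell or Samsung firmware: both "firmware models" and the drive's key wrapping are made-up stand-ins for the real TCG Opal / ATA Security mechanics.

```python
import hashlib
import hmac
import os
from typing import Optional

# Two hypothetical firmware policies (assumed for illustration only).
def bios_model_1(password: str) -> bytes:
    """Firmware that keeps only the first 4 characters and hashes them with a fixed salt."""
    return hashlib.sha256(b"model1-salt:" + password[:4].encode()).digest()

def bios_model_2(password: str) -> bytes:
    """Firmware that sends the password as typed, zero-padded to 32 bytes."""
    return password.encode().ljust(32, b"\0")

class SedDrive:
    """Toy self-encrypting drive: the data-encryption key (DEK) is generated inside
    the drive and never leaves it; the host credential only unwraps it."""
    def __init__(self) -> None:
        self.dek = os.urandom(32)              # media key, stays on the drive
        self.salt = os.urandom(16)
        self.wrapped_dek: Optional[bytes] = None
        self.check: Optional[bytes] = None
        self.unlocked = False

    def _kek(self, credential: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", credential, self.salt, 100_000)

    def provision(self, credential: bytes) -> None:
        kek = self._kek(credential)
        self.check = hmac.new(kek, b"credential-check", "sha256").digest()
        # XOR wrap: one-time-pad style wrap of a 32-byte key, adequate for a demo.
        self.wrapped_dek = bytes(a ^ b for a, b in zip(self.dek, kek))
        self.unlocked = False

    def unlock(self, credential: bytes) -> bool:
        if self.check is None or self.wrapped_dek is None:
            return False                       # drive never provisioned
        kek = self._kek(credential)
        tag = hmac.new(kek, b"credential-check", "sha256").digest()
        if not hmac.compare_digest(self.check, tag):
            return False                       # wrong credential: drive stays locked
        recovered = bytes(a ^ b for a, b in zip(self.wrapped_dek, kek))
        self.unlocked = recovered == self.dek
        return self.unlocked

    def power_cycle(self) -> None:
        self.unlocked = False                  # cold boot: DEK dropped, drive locks

    def sleep(self) -> None:
        pass                                   # S3 sleep: DEK stays loaded, drive readable
```

    Provision the drive through `bios_model_1`, and any board running the same firmware policy unlocks it (even with a password that only shares the first four characters), while `bios_model_2` with the identical typed password is refused; `sleep()` versus `power_cycle()` shows why the thread recommends disabling sleep.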
  9. jasperjones

    jasperjones Notebook Evangelist

    Falco,

    Thanks again!
     
  10. imort

    imort Newbie

    Disk encryption works at a level above any OS installed.
    So you'll need to set the disk encryption in your BIOS or UEFI settings.

    Theoretically, you can do it after installing both Windows and Linux, but I personally prefer to enable the encryption first and install all software next.

    Be sure to store the password somewhere, because you usually can't just reset it.
    So if you forget your password, then you can't boot your PC and most likely will need to reset and lose all the data.
    Not a good scenario even if you have all the backups.