Using a (non bootable) SED (security encryption disk)

I need to simply store the key to open a (non bootable) SED (security encryption disk) connected to my PCIe Jetson TX2 port.
How can I do it WITHOUT complicated things like security boot or fuses?
Note: The boot partition and L4T are on the TX2 eMMC without encryption; the SED SSD contains only data (and I need to keep this data encrypted).

You could not boot directly to such a device, but you could easily mount it somewhere after boot. If you wish to boot to such a device (which boot stages do not support), then you’d need to make a custom initial ramdisk (initrd) to work as an “adapter”. There would be a significant learning curve to do so.

Thanks for your answer @linuxdev.
Yes, I don’t want to boot directly from this device, I just want to store the passphrase (securely) used to unlock it before I can mount it.
I’m wondering if the command keyctl can help me.

hello alfredosalvarani,

this should be a similar topic, Topic 202400.
you may use dislocker on Linux, try to mount such partition to your filesystem for the usage.

Hi Jerry,
On topic 202400 I was asking if the SED SSDs can work with TX2, now I know it works. I use sedutil (GitHub - Drive-Trust-Alliance/sedutil: DTA sedutil Self encrypting drive software) to encrypt or decrypt it.
But I need a safe place (outside the SSD) to store the passphrase, and that’s what I’m asking about: Where can I store the passphrase used to decrypt the SSD data?

Thank you

hello alfredosalvarani,

you may put the keys in the fuse, please see also Jetson TX2 Series Fuse Specification App Note for reference;
note, the fuse programming is non-reversible, once you’ve written the bit to 1, you cannot change (revert) the fuse value from 1 to 0.

please see topics which are talking about SecureBoot for reference,
such as… Topic 1066937, Topic 157952, or Topic 166401.
