How to encrypt your Linux machine & session, with a self encrypting disk

published Sep 05, 2016 09:40 by admin (last modified Sep 14, 2016 01:58)

I have tested this myself, and I am typing this on a machine that now has a password-protected self-encrypting SSD, where the swap area that holds the hibernated state of the machine is also encrypted automatically.

Update: Note that setting a disk password in the BIOS may be enough for some drives. That method is a lot easier than what is described below, but you may not know exactly what the BIOS did, which can affect both recoverability and security.

Update II: I had to switch to a different suspend and hibernate manager eventually. Read more at the bottom of this post.

There is a standard for hardware encryption of hard disks, called Opal (Wikipedia). The Samsung EVO 850 SSD, and I assume most other current SSDs, support the standard. These drives are usually encrypted by default already; it is just that the area where the encryption key is stored is, by default, usable without decrypting it. What we do below is protect access to that key with a password.

There is a project, Drive-Trust-Alliance/sedutil: DTA sedutil Self encrypting drive software, that allows you to install a loader on Ubuntu Linux (and Windows, and other Linuxes) that prompts for a password to unlock the Opal-encrypted hard disk and then chain-loads your operating system. It is available both for UEFI and BIOS booting. However, for UEFI, Secure Boot must be turned off for it to work.

The password prompt will also appear when resuming from hibernate, which from the computer's perspective is a normal start-up. In this way you can have your computer fully encrypted and still have the state of your desktop session come up immediately on waking from hibernate. Note that you cannot prepare your drive with sedutil if it is connected over USB.

Steps

Enable hibernate

First, you need to get hibernate working on your machine. For Ubuntu, this guide worked for me: How do I hibernate my computer?

If the pm-hibernate command does not work, try restarting the machine and then retry; it may be that you were in the middle of a kernel update. My machine was.

Enable sedutil to work by enabling allow_tpm

You need to set the kernel's libata.allow_tpm option (named after the TPM, but what it actually does is let libata pass the ATA trusted commands that sedutil uses through to the drive):

libata.allow_tpm=1

...must be added to your GRUB kernel parameters.

In /etc/default/grub that means there should be a line that looks something like this:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash libata.allow_tpm=1"

Then run update-grub and reboot.

Get an Opal hard disk, or check that your current one supports Opal, and encrypt

Second, you need a hard disk that supports Opal. The command line program in sedutil will tell you whether yours does. Follow the instructions on this page: Encrypting your drive · Drive-Trust-Alliance/sedutil Wiki

I had problems copying and pasting the commands from there; it is better to re-type them. You have to use sudo or be root.
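As an added example (not from the original post or the sedutil project), the following shell helpers automate the two pre-flight steps above: adding libata.allow_tpm=1 to /etc/default/grub without duplicating it, and checking, before you start typing sedutil commands, that the running kernel actually has the parameter, that sedutil-cli is installed, and that you are root. It assumes a Debian/Ubuntu-style /etc/default/grub, GNU sed, and the sedutil-cli binary name from the Drive-Trust-Alliance project; it does not check the UEFI Secure Boot state.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight helpers for the
# libata.allow_tpm and sedutil steps. Assumes a Debian/Ubuntu-style
# /etc/default/grub, GNU sed, and the sedutil-cli binary name.

# add_allow_tpm FILE
# Idempotently appends libata.allow_tpm=1 to GRUB_CMDLINE_LINUX_DEFAULT in FILE.
# Returns 0 when the parameter is present afterwards.
add_allow_tpm() {
    file="$1"
    if grep -q 'libata\.allow_tpm=1' "$file"; then
        return 0                      # already there, nothing to do
    fi
    # Insert the parameter just before the closing quote of the DEFAULT line.
    sed -i 's/^\(GRUB_CMDLINE_LINUX_DEFAULT="[^"]*\)"/\1 libata.allow_tpm=1"/' "$file"
    # Tidy the leading space left behind when the value was empty ("").
    sed -i 's/^\(GRUB_CMDLINE_LINUX_DEFAULT="\) /\1/' "$file"
    grep -q 'libata\.allow_tpm=1' "$file"
}

# kernel_cmdline_has_allow_tpm [CMDLINE]
# Checks a kernel command line (defaults to the running kernel's /proc/cmdline)
# for libata.allow_tpm=1. Until this succeeds after a reboot, sedutil-cli
# cannot talk to the drive, whatever /etc/default/grub says.
kernel_cmdline_has_allow_tpm() {
    cmdline="${1:-$(cat /proc/cmdline)}"
    case " $cmdline " in
        *" libata.allow_tpm=1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# sedutil_preflight
# Prints whatever still blocks the sedutil steps; returns 0 when nothing does.
sedutil_preflight() {
    blocked=0
    if ! kernel_cmdline_has_allow_tpm; then
        echo "libata.allow_tpm=1 is not on the running kernel command line (run update-grub and reboot)"
        blocked=1
    fi
    if ! command -v sedutil-cli >/dev/null 2>&1; then
        echo "sedutil-cli not found in PATH"
        blocked=1
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "not running as root: sedutil-cli needs raw access to the drive"
        blocked=1
    fi
    return "$blocked"
}

# Typical use (as root):
#   add_allow_tpm /etc/default/grub && update-grub && reboot
#   ... after the reboot:
#   sedutil_preflight && echo "ready for the sedutil wiki steps"
```

The grub edit is anchored to the GRUB_CMDLINE_LINUX_DEFAULT line only, so GRUB_CMDLINE_LINUX and any other lines are left untouched, and running it twice adds the parameter once. The pre-flight check reads /proc/cmdline rather than the grub file on purpose: the common failure mode is editing the file and forgetting update-grub or the reboot, in which case sedutil fails with an unhelpful error.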

How good is the encryption in practice?

I don't know. I assume the algorithms (in the EVO 850 case I believe 256-bit AES) are good, but I do not know, for example, how many attempts per second are possible when brute-forcing the password that protects the key. It may also be that the encryption hardware is backdoored, in which case the question is whether the thief knows about those backdoors.

Further reading

ArchWiki has a good page on self-encrypting drives. In fact, ArchWiki has a lot of good information on Linux, even if you do not run the Arch Linux distribution itself.

Self-Encrypting Drives - ArchWiki

See also:

According to the last link above, a simple BIOS password should also work with the Samsung SSD drives, in which case you do not need to do the sedutil dance: just set a password in the BIOS. However, some people on the web express fears that different BIOSes do this differently. But if you do not need recoverability on another machine (that is, the disk floats and sinks with your machine), then a BIOS password seems a lot easier.

Disclaimer: It is quite easy to mess things up by mistake, so be careful to have everything backed up. In triplicate.

Switching suspend and hibernate programs

Not sure if this is related to turning on encryption, or more likely to some change in graphics drivers, but here is how I got sleep (suspend) and hibernate working again: Using a different sleep (suspend) and hibernate on Ubuntu 16.04