[SOLVED] Can I turn on hardware encryption for my OPAL-compatible boot SSD? (Done in Intel NUC BIOS)

gctwnl

Member
Aug 24, 2022
I have been trying to get my NUC running Proxmox to use the built-in encryption of my SSD boot disk. Using the BIOS, I have so far failed. So, I wondered if I could do it using sedutil. But I am a bit overwhelmed by sedutil's options.

Is there anyone who can tell me how to get Proxmox working with a fully encrypted disk using the hardware encryption?
 
Disclaimer:
  • I have used Arch Linux, not Proxmox
  • for a boot device you need pre-boot authentication (PBA), only the BIOS can do this
With that out of the way, I have used sedutil to encrypt a non-boot NVMe SSD.
The documentation on the web was next to non-existent. Before you do anything else, take a picture of your NVMe and note the PSID. You need that. And as usual, make a backup of everything.

Code:
# wipe the drive (PSID revert: the PSID is followed by the device to erase)
sedutil-cli --yesIreallywanttoERASEALLmydatausingthePSID <devicePSID> /dev/nvme0
# set a password
sedutil-cli --initialsetup <password> /dev/nvme0

# unlock
sedutil-cli --setlockingrange 0 rw <password> /dev/nvme0n1
sedutil-cli --setmbrdone on <password> /dev/nvme0n1

# partprobe is necessary for the OS to rescan the drive
partprobe /dev/nvme0n1
# now you can mount it
mount /dev/nvme0n1p1 /nvme/

Edit: Also have a look at the instructions at sedutil.com
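Added example, not part of the thread and not sedutil's own code: a shell check that reads the output of `sedutil-cli --query` and reports whether the drive is locked, unlocked, still showing the shadow MBR, or not protected at all. The field layout of the "Locking function" line, the function names and the state names are assumptions of this example, and the sample line is constructed rather than captured from a drive.

```shell
#!/bin/sh
# Classify an OPAL drive from the "Locking function" flags that
# `sedutil-cli --query <device>` prints (flag layout is an assumption).

# Print Y or N for one flag (Locked, LockingEnabled, MBRDone, MBREnabled).
opal_flag() {   # usage: opal_flag <name> < query-output
    tr ',' '\n' |
        sed -n "s/^[[:space:]]*$1 = \([YN]\)[[:space:]]*\$/\1/p" |
        head -n 1
}

# Read query output on stdin and print one word describing the drive.
opal_state() {
    q=$(cat)
    enabled=$(printf '%s\n' "$q" | opal_flag LockingEnabled)
    locked=$(printf '%s\n' "$q" | opal_flag Locked)
    mbr_en=$(printf '%s\n' "$q" | opal_flag MBREnabled)
    mbr_done=$(printf '%s\n' "$q" | opal_flag MBRDone)
    case "$enabled/$locked" in
        N/*) echo unprotected ;;   # locking never set up: no password guards the data
        Y/Y) echo locked ;;        # what a powered-off, set-up drive should report
        Y/N) # unlocked; with MBR shadowing on and MBRDone off the OS still
             # sees the shadow MBR instead of the real partition table
             if [ "$mbr_en" = Y ] && [ "$mbr_done" = N ]; then
                 echo shadowed
             else
                 echo unlocked
             fi ;;
        *)   echo unknown ;;       # flags not found: do not guess
    esac
}

# Constructed sample of the relevant query lines, for offline testing.
sample_query() {   # args: Locked LockingEnabled MBRDone MBREnabled
    printf 'Locking function (0x0002)\n'
    printf '    Locked = %s, LockingEnabled = %s, LockingSupported = Y, ' "$1" "$2"
    printf 'MBRDone = %s, MBREnabled = %s, MediaEncrypt = Y\n' "$3" "$4"
}

# Real use: sh opal_state.sh /dev/nvme0
if [ -n "${1:-}" ]; then
    sedutil-cli --query "$1" | opal_state
fi
```

Run it after a full power cycle and before the unlock commands: a result other than `locked` at that point means the drive is not reporting any locked range.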
 
OK, I was able to do this without sedutil.

I first updated the BIOS to the latest version for my NUC (0058).

Then, instead of trying to use the mouse pointer in the BIOS interface (I used to click on menu elements), I used arrow-up/arrow-down until I got to the User Password entry of the HDD menu for this drive. When I entered return, I was able to set a password on the drive and this is now asked during boot.

The text in the BIOS says that if "Set User Password" is greyed out, you need to reboot to make it visible. But it seems that "greyed out" also is what you see when it is the currently selected element... A bit confusing. I do not know if the BIOS update was really necessary as it might have been simple BIOS UI confusion in the previous version anyway.

So, I can confirm: My Intel NUC now has a fully encrypted M.2 NVMe boot disk. And I did not need sedutil.
 
