btatap.blogg.se - How to unlock wd my passport on linux

Easier to setup (compared to software-based encryption).

Crucially, because the existing data encryption key is not regenerated, setting a passphrase allows for the drive to be locked while preserving existing encrypted data on the disk, avoiding the need for the drive to be re-encrypted.

The user will then be prompted for their passphrase when decrypting the data encryption key in the future. If a user wishes to "enable" encryption at a later stage, they are able to configure an authentication key (such as a passphrase) which encrypts the existing data encryption key. These self-encrypting drives can be thought of as having a zero-length password by default that always transparently encrypts the data (similar to how passwordless SSH keys can provide somewhat secure access without user intervention). Manufacturers do this to make it easier for users who do not wish to enable the security features of the self-encrypting drive. In fact, in drives featuring full-disk encryption, data is always encrypted with the data encryption key when stored to disk, even if there is no password set (e.g. This approach allows the user to change or revoke these keys as required without needing to re-encrypt the data, as the master 2nd-level encryption key is unchanged (itself being re-encrypted by the new passphrase). Using LUKS, the user can have multiple different keys (passphrases or keyfiles) to decrypt the master-key, which in turn decrypts the underlying data. Facilitates near-instant and cryptographically secure full disk erasure.įor those who are familiar, this concept is similar to the LUKS key management layer often used in a dm-crypt deployment.This improves security, as it is fast and easy to respond to security threats and revoke a compromised passphrase.Allows the user to change the passphrase without losing the existing encrypted data on the disk.The authentication key is the user-facing 1st-level passphrase which decrypts the data encryption key (which in turn decrypts the data). The data encryption key is the key against which data on the drive is actually encrypted. Self-encrypting drives adhering to the TCG OPAL 2.0 standard specification (almost all modern self-encrypting drives) implement key management via an authentication key, and a 2nd-level data encryption key. SID, MSID, locking SP, admin SP) in this section, because they are intrinsic to the key-management defined per standard. It would be useful to name the important acronyms (e.g. The sedutil refers to them in the FAQ and command syntax. Reason: The Opal standards are full of acronyms.