A new proposal to have optional support for native hardware encryption (TCG OPAL2 standard)
Some SATA and NVMe devices support hardware encryption (TCG OPAL2 standard) and with the latest cryptsetup LUKS devices can be configured to use hardware encryption to encrypt the data either by itself or together with the existing dm-crypt software encryption. Support for this feature was added in the latest cryptsetup upstream release and we’d like to provide an option for users to use this feature when installing Fedora with disk encryption.
As this is an expert option, it will be available only through the kickstart interface. […] There will be two new options to select either hardware encryption only or hardware encryption in combination with software encryption (analogous to the
--hw-opal-only
and--hw-opal
options used when configuring hardware encryption withcryptsetup
).How do we know that the hardware encrypts the data correctly? Can we observe ciphertext?
I wouldn’t trust any drive that offers the feature. We already know that those that have that thing to delete files or wtv it is called doesn’t work well, I would not touch with a foot long stick anything related to crypto on the hardware level.
For a drive with throwaway data where performance might be a concern but data protect is a nice-to-have it’s fine. Think games or a cache disk for art workstations