
Support hardware OPAL disk encryption

Open holmsten opened this issue 1 year ago • 0 comments

Feature Request

Add support for hardware OPAL disk encryption in the existing luks2 provider.

Description

cryptsetup 2.7.0 introduces support for hardware OPAL disk encryption (see release notes) by adding the --hw-opal and --hw-opal-only flags to the cryptsetup luksFormat action.

I propose adding support for these options to the existing luks2 provider by adding a new field to the EncryptionConfig.

This feature will also require support for removing OPAL locked ranges during the machine reset operation. cryptsetup supports this with its luksErase action. The only other way to recover OPAL locked ranges is by performing a full drive factory reset using the PSID key physically printed on the drive, making it hard to automate in a secure manner.

References

https://lore.kernel.org/cryptsetup/[email protected]/T/

holmsten avatar Sep 26 '24 12:09 holmsten
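An added illustration of the two paths the request describes (format with the OPAL flags, erase on reset), written as a POSIX shell helper that is not part of the issue or of Talos. It assumes the installed cryptsetup version is passed in as a string; the mode names `software`, `hw-opal` and `hw-opal-only` and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not Talos code): assemble cryptsetup argument lists for the
# encryption modes discussed in the issue, refusing the OPAL flags on a
# cryptsetup older than 2.7.0, where they do not exist.

# version_ge A B: return 0 when dotted version A >= B, 1 otherwise.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
        case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
    done
    return 0
}

# opal_format_args MODE VERSION DEVICE: print the luksFormat arguments for
# MODE (software | hw-opal | hw-opal-only). --hw-opal keeps a dm-crypt layer
# on top of the drive's OPAL locking range; --hw-opal-only relies on the
# drive's own encryption engine alone. Both need cryptsetup >= 2.7.0.
opal_format_args() {
    mode=$1; version=$2; dev=$3
    case "$mode" in
        software)
            printf 'luksFormat --type luks2 %s\n' "$dev" ;;
        hw-opal|hw-opal-only)
            if ! version_ge "$version" 2.7.0; then
                echo "--$mode needs cryptsetup >= 2.7.0, have $version" >&2
                return 1
            fi
            printf 'luksFormat --type luks2 --%s %s\n' "$mode" "$dev" ;;
        *)
            echo "unknown encryption mode: $mode" >&2
            return 2 ;;
    esac
}

# opal_erase_args DEVICE: the reset path. luksErase is what the issue names
# for removing the OPAL locked range (instead of a PSID factory reset).
opal_erase_args() {
    printf 'luksErase %s\n' "$1"
}
```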