
So modern solid-state drives often support the OPAL standard for full-disk encryption. If I understand correctly, it uses a user password to encrypt a key, which is then in turn used to encrypt the content of the drive. But my question is: how is this encryption key generated? Many attacks are possible if the random source for this key generation is not truly random. Looking at the Linux utility sedutil, I can see only commands to change a password. But when is the key generated? Or how do I force key regeneration? Can I supply my own key so that I can be sure it was properly generated?

Mitar
    I found a similar question here: https://security.stackexchange.com/questions/153053/how-do-sed-drives-generate-the-dek – Mitar Nov 05 '17 at 06:23

1 Answer


Key generation in TCG Opal is performed by the GenKey method. The GenKey method is a TCG command that triggers a new key generation. The quality of the key (entropy) is not discussed in the TCG Opal spec, which does not impose security requirements on keys. These requirements are left outside the scope of TCG Opal and are mainly addressed by drive vendors, in the security evaluations required for certification (such as CPP-FDE or FIPS).

alonco