Self-encrypting drives - noob questions

I have been reading about Self-encrypting drives but I can’t understand a few things.

https://wiki.archlinux.org/title/Self-encrypting_drives

Does it help to buy drives that support AES 256-bit encryption? I mean, would it make things faster or more secure?

The EnOS Calamares installation provides an option for LUKS, right? How would that work with sedutil, mentioned in the link above?

Would the encryption capabilities of the drive be used automatically in case I install using LUKS?

I had no idea about it before, but my first questions would be these:

It’s clearly not the safest option to rely on some proprietary code (firmware) provided by hardware devs to encrypt data.

2 Likes

These have been around for years now.

It is fully hardware-based encryption. You don’t need luks or anything else. You just need some way to unlock it.

As far as I know, they are unrelated. LUKS is software encryption and the drive has its own hardware-based encryption.

No.

1 Like

Hm, so when I’m out of the office, sleep mode wouldn’t be an option; otherwise someone could plug an extension cable into it and get access to the drive.
About the firmware of the drive being compromised, that would indeed be a problem. Thanks for the advice.

1 Like

Oh, thanks Dalto. I’m about to buy a drive, and found this MX500 from Crucial, which has the AES 256-bit encryption mentioned.

I’ll try all these options in the following days to see what best fits my needs.

Thanks!! :+1:

Yeah, that would be my main problem. Since all that firmware stuff is proprietary, I wouldn’t be slightly surprised if your super-mega-hardware-encrypted drive in the hands of the feds would be unlocked in a matter of milliseconds :rofl:

2 Likes

Exactly, if it is proprietary, assume it has a back door. Anything else is being irresponsible.

3 Likes

I found out that Samsung and Crucial have flaws that were successfully exploited by using a JTAG cable…
Samsung is recommending that users update their SSD firmware and also use software-based encryption.

Edit:
This is where I got this info from, which corroborates the info I read on other sites.

https://www.youtube.com/watch?v=G52tcIwNu6c

2 Likes

Hm, Crucial is also recommending the use of software-based encryption…

https://www.crucial.com/support/ssd-support

2 Likes

I’m surprised all those corporations are… honest about it.
Pleasantly surprised!

4 Likes

This came to haunt me:


Info from: https://wiki.archlinux.org/title/Talk:Self-encrypting_drives

To bypass this, I had to remove my M.2 drive on which Windows is installed.
Encrypt the drive using the PBA boot and the sedutil tool.
Install EnOS.
Then reinstall my M.2 drive.

This was a struggle: I had to remove my GPU and ruined my M.2 thermal pad… :joy:
But it’s finally working.

Most of these SED or self-encrypting drives are designed again around Windows and BitLocker.

1 Like

Indeed, but you can use it with Arch and/or other Linux distros.
It’s totally transparent to the OS.

It has advantages and disadvantages, but once you set it up, it should be fast, won’t use CPU resources, needs no changes to fstab, etc…

I’m still testing it to confirm if it will fit my needs, but so far, so good…

In case someone tries this route with an Asus motherboard and a Crucial SSD:

Prerequisites: Two drives, one for Windows/other OS and the other for EnOS.

  • Disconnect all drives with EFI partitions from the PC (other Linux OSes and/or Windows).

Download RESCUE64.img.gz (Small Linux system to recover from issues with sedutil on 64bit UEFI systems) from the link at the bottom of this post.

Before issuing the below commands, make sure your drive is /dev/sda.

Enable locking and the PBA

# sedutil-cli --initialsetup debug /dev/sda
# sedutil-cli --enablelockingrange 0 debug /dev/sda
# sedutil-cli --setlockingrange 0 lk debug /dev/sda
# sedutil-cli --setmbrdone off debug /dev/sda
$ gunzip /usr/sedutil/UEFI64-n.nn.img.gz <-- Replace n.nn with the release number.
# sedutil-cli --loadpbaimage debug /usr/sedutil/UEFI64-n.nn.img /dev/sda

Set a real password

# sedutil-cli --setsidpassword debug yourrealpassword /dev/sda
# sedutil-cli --setadmin1pwd  debug yourrealpassword /dev/sda
  • Shutdown computer (POWEROFF).

Boot the EndeavourOS LiveUSB and, if your drive is a SATA drive, press ‘e’ to edit the kernel cmdline and add libata.allow_tpm=1 to it.

Install sedutil and unlock the drive.

$ yay -S sedutil
# sedutil-cli --setlockingrange 0 rw yourrealpassword /dev/sda
# sedutil-cli --setmbrdone on yourrealpassword /dev/sda
# partprobe /dev/sda

Install EnOS normally (generate a new GPT table).

  • Shutdown computer (POWEROFF).

Boot to the new drive and unlock it. <---------- IMPORTANT: only one UEFI partition should be available, otherwise a Windows entry will be wrongly added, as mentioned in my post above.

  • Shutdown computer (POWEROFF).

Reconnect all the drives to the PC and change the BIOS boot order to your preference.

In case you can’t unlock your drive for some reason, you can use the Crucial software in Windows to restore the drive; note that your data will be lost during this process.

Tested and working with:
Crucial SATA SSD MX500: firmware: M3CR046
Latest EnOS ISO Endeavouros_Cassini_Nova-03-2023_R1.iso
Latest RESCUE64.img 1.20.0
ASUS B550-F Gaming BIOS 3002

Links used:
https://wiki.archlinux.org/title/Self-encrypting_drives
https://github.com/Drive-Trust-Alliance/sedutil/wiki/Encrypting-your-drive

Download Rescue Image UEFI 64:
https://github.com/Drive-Trust-Alliance/sedutil/wiki/Executable-Distributions

I just updated systemd, but I’m not sure if it’s updating correctly since the Linux Boot Loader is not being used anymore.

Can someone post the output of the command below (sudo dmesg | grep 253) to compare with mine?

$ sudo dmesg | grep 253
[    3.566328] systemd[1]: systemd 253.3-1-arch running in system mode (+PAM +AUDIT -SELINUX -APPARMOR -IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT -QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP -SYSVINIT default-hierarchy=unified)
[    4.997679] systemd[1]: systemd 253.3-3-arch running in system mode (+PAM +AUDIT -SELINUX -APPARMOR -IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT -QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP -SYSVINIT default-hierarchy=unified
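One way to read the two lines above, as an added check that is not part of the original thread: on a systemd-based initramfs, dmesg shows one "systemd ... running in system mode" line from the copy inside the initrd and a second one after switch-root (that ordering is an assumption of this script). Comparing the two versions tells a stale initramfs apart from a loader problem; the sample lines below are constructed to resemble the output posted above.

```shell
#!/bin/sh
# Added example: compare the systemd version logged by the initramfs copy with
# the one logged by the installed root after switch-root.
# Assumption: first matching dmesg line = initrd, second = root filesystem.

# Constructed sample resembling the two dmesg lines quoted in the thread.
SAMPLE_STALE='[    3.566328] systemd[1]: systemd 253.3-1-arch running in system mode (+PAM +AUDIT)
[    4.997679] systemd[1]: systemd 253.3-3-arch running in system mode (+PAM +AUDIT)'

# Constructed sample of a healthy boot where both copies agree.
SAMPLE_OK='[    2.031357] systemd[1]: systemd 253.3-3-arch running in system mode (+PAM +AUDIT)
[    3.549210] systemd[1]: systemd 253.3-3-arch running in system mode (+PAM +AUDIT)'

# Print the systemd version strings found in dmesg text, in boot order.
systemd_versions() {
    printf '%s\n' "$1" |
        sed -n 's/.*systemd\[1\]: systemd \([^ ]*\) running in system mode.*/\1/p'
}

# Classify a dmesg capture:
#   ok              initrd and root run the same systemd build
#   stale-initramfs versions differ, so the initramfs was not regenerated
#   unknown         fewer than two matching lines were found
check_initrd_systemd() {
    versions=$(systemd_versions "$1")
    count=$(printf '%s\n' "$versions" | grep -c . || true)
    [ "$count" -ge 2 ] || { echo unknown; return 0; }
    initrd=$(printf '%s\n' "$versions" | sed -n 1p)
    root=$(printf '%s\n' "$versions" | sed -n 2p)
    if [ "$initrd" = "$root" ]; then
        echo ok
    else
        echo stale-initramfs
    fi
}

# On a live system: check_initrd_systemd "$(dmesg)"
check_initrd_systemd "$SAMPLE_STALE"
check_initrd_systemd "$SAMPLE_OK"
```

A "stale-initramfs" result points at regenerating the initramfs rather than at the PBA image.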

I’m using grub. Will that still work?

Edit: Mine shows a lot of info and I have multiple drives.

I’m not sure… I’m concerned that the systemd 253.3-1 is “fixed” in my EFI partition by the PBA tools mentioned above…

$ efibootmgr 
BootCurrent: 0001
Timeout: 1 seconds
BootOrder: 0000,0001
Boot0000* Windows Boot Manager	HD(1,GPT,9165ee15-82da-44fe-a33c-40e5f7164cda,0x800,0x32000)/File(\EFI\MICROSOFT\BOOT\BOOTMGFW.EFI)57494e444f5753000100000088000000780000004200430044004f0042004a004500430054003d007b00390064006500610038003600320063002d0035006300640064002d0034006500370030002d0061006300630031002d006600330032006200330034003400640034003700390035007d00000030000100000010000000040000007fff0400
Boot0001* UEFI OS	HD(1,GPT,9206c29f-b038-a444-8c68-94d1f448b28b,0x1000,0x1f4000)/File(\EFI\BOOT\BOOTX64.EFI)0000424f

As you can see above, UEFI OS is now my EFI partition for EnOS, in which it unlocks the rest of the drive; then the Linux Boot Loader is loaded and I can choose which kernel to boot from the systemd-boot menu.

UEFI will add entries and name them UEFI OS sometimes and then later it picks up EOS and adds the entry in UEFI with naming. Not sure on systemd-boot. :thinking: I don’t have a lot of experience with systemd-boot and also what you are doing with the self encrypted drives.

This is what I’m suspecting: that the SED partition which decrypts the drive has a fixed “Linux boot loader” stuck at a previous version.

Mine looks like this but there is more information with that command. This is just the systemd info at the bottom.

[    2.031357] systemd[1]: systemd 253.3-3-arch running in system mode (+PAM +AUDIT -SELINUX -APPARMOR -IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT -QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP -SYSVINIT default-hierarchy=unified)
[    3.549210] systemd[1]: systemd 253.3-3-arch running in system mode (+PAM +AUDIT -SELINUX -APPARMOR -IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT -QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP -SYSVINIT default-hierarchy=unified)

Edit: Does that help?

Edit2: I see both are 253.3-3-arch

Edit3: Maybe you need to run the dracut command?

sudo reinstall-kernels

1 Like