Stack Exchange network consists of 183 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.
I imagine, if you store the private key with your protected secrets, you effectively reduce the protection to the strength of the symmetric key. Why bother with asymmetric cryptography at all? Except that you can insert without a passphrase... Perhaps that is a good enough reason provided the symmetric part is sound.
Thanks @EmmanuelLepageVallee, I've looked at it and will try it out. I picked Unagi earlier because of the really tiny footprint, probably also judging by the number of dependencies. It is a pity, I looked at the Unagi code and to a non C developer point of view, it doesn't actually look scary :D
Here's another argument to support this answer - blackhat.com/docs/eu-15/materials/… Manufacturers in general do not protect the drive against cable tampering. Since the decryption state is completely internal to SED, all these attacks are possible.
:o) I gather, your answer is essentially: "Don't". That is an answer I would accept given the elaborate argument and evidence you presented. We'll give a chance to other participants and more digging as well for another while.
Hi, bioses have funny quirks like limiting you pwd length or remembering the pwd for sleep or implementing the feature incorrectly or not at all. That's why the shadow MBR looks so appealing to me. You have a point with the same pwd on two drives, perhaps it could be dealt with having the pwd variants generated per drive using separate key files hashed with the single pwd. The keyfiles could be on a removable device adding a level of security. I have already a system running with cryptsetup luks on raid 1 and it works great as outline above, but I'd really like to exploit the SED feature :o)
Thanks @Xen2050, but wouldn't I have to type the password for each drive then? I have some sophisticated password which takes time to type :o) Also consider higher raid configurations, type 3x, 6x...