Didn't work for me. xdg-mime did. I guess it depends which system you use.

I imagine, if you store the private key with your protected secrets, you effectively reduce the protection to the strength of the symmetric key. Why bother with asymmetric cryptography at all? Except that you can insert without a passphrase... Perhaps that is a good enough reason provided the symmetric part is sound.

Actually why not make picom an answer?

Thanks @EmmanuelLepageVallee, I've looked at it and will try it out. I picked Unagi earlier because of the really tiny footprint, probably also judging by the number of dependencies. It is a pity, I looked at the Unagi code and to a non C developer point of view, it doesn't actually look scary :D

It worked for me with -n 2 -l 10 as well. This created a degraded mirror array.

Here's another argument to support this answer - blackhat.com/docs/eu-15/materials/… Manufacturers in general do not protect the drive against cable tampering. Since the decryption state is completely internal to SED, all these attacks are possible.

:o) I gather, your answer is essentially: "Don't". That is an answer I would accept given the elaborate argument and evidence you presented. We'll give a chance to other participants and more digging as well for another while.

I'll take care to find some trusted SED manufacturer, likely not from US? ;o)

Hi, bioses have funny quirks like limiting you pwd length or remembering the pwd for sleep or implementing the feature incorrectly or not at all. That's why the shadow MBR looks so appealing to me. You have a point with the same pwd on two drives, perhaps it could be dealt with having the pwd variants generated per drive using separate key files hashed with the single pwd. The keyfiles could be on a removable device adding a level of security. I have already a system running with cryptsetup luks on raid 1 and it works great as outline above, but I'd really like to exploit the SED feature :o)