#3074 Issue closed: Storing and reading Self Encrypted Disk (SED) password from TPM

Labels: enhancement, support / question, fixed / solved / done

Strykar opened issue at 2023-11-11 06:57:

I have a Self Encrypted Disk (SED). I'd like to use sedutil to lock the disk, but I want the password to be sealed in the TPM module on board the system, instead of in ATA BIOS.

Essentially I want the Pre-Boot Authentication (PBA) image to pick up the password from the TPM automatically upon boot.

Is this even possible?

schlomo commented at 2023-11-12 18:58:

If you manage to do this with your regular Linux system then ReaR should also be able to do it, can you please share the CLI commands to do so?

jsmeix commented at 2023-11-13 08:06:

@Strykar
I am not a PBA (OpalPBA) user
so I cannot actually help with PBA issues.

We at ReaR upstream got
https://github.com/rear/rear/pull/2956
that mentions "TPM2-assisted encryption".

If this is what you mean, then you need
our current ReaR GitHub master code, cf.
"Testing current ReaR upstream GitHub master code" on
https://en.opensuse.org/SDB:Disaster_Recovery

Strykar commented at 2023-11-27 12:04:

@jsmeix I didn't mean to be obtuse, this was really an "is this even possible" type of question based off

Mostly since sedutil appears to have little traction or interaction on GitHub

jsmeix commented at 2023-11-28 09:34:

@Strykar
I never used 'sedutil'
so I really cannot answer such questions.
I only liked to point to something that I found
but I don't know if that matches what you are looking for.


[Export of Github issue for rear/rear.]