Self-Encrypting Drives (SEDs): Native security for NVMe SSDs on Power Linux

By Naresh Bannoth posted 15 days ago

Authors: Naresh Bannoth and Manvanthara Puttashankar, IBM Infrastructure Test 
 
As data security continues to be a top concern in enterprise computing, Self-Encrypting Drives (SEDs) offer a high-performance and transparent solution. With the encryption engine built into the drive itself, SEDs remove the need for host-side (software) full-disk encryption: the performance cost is negligible, the OS reads and writes the disk exactly as before, and the data on the media is protected at rest.
 
What Are Self-Encrypting Drives? 
Self-Encrypting Drives are storage devices that perform automatic, full-disk encryption using dedicated hardware. This means all data written to and read from the drive is encrypted and decrypted transparently, without requiring OS-level intervention or third-party software. 

  •  Encryption Engine: Integrated into the drive controller
  •  Encryption Standard: AES-128 or AES-256 (Advanced Encryption Standard) 
  •  Key Storage: The media encryption key never leaves the drive. What the host holds is the authentication key (password) that unlocks it, either transiently in memory or persistently in a secure store 

Best of all, on Power Linux with NVMe SSDs the locking and unlocking mechanism is integrated into the open-source nvme-cli utility. 

Why Hardware-Based Encryption? 
Unlike software-based solutions, which consume CPU cycles and protect nothing if they are never configured or are misconfigured, SEDs:

  • Encrypt every byte by default, from the moment the drive leaves the factory 
  • Keep the encryption engine and the media key inside the drive, where host-side malware or a misconfiguration cannot switch them off (the locking that makes the encryption meaningful still has to be enabled, as the Initializing step below shows) 
  • Add no host CPU or I/O-path overhead 
  • Enable instant crypto-erase by destroying the media encryption key 

How SEDs Work on Power Linux 
All NVMe SSDs used in Power servers support SED features. The locking and unlocking of these drives is fully integrated into the open-source tool nvme-cli. 

  • SED authentication keys are stored in the Platform Key Store (PKS)—a secure, non-volatile storage location. 
  • The kernel reads the key from PKS at boot and loads it into a SED-specific kernel key-ring. 
  • Drives can then be locked or unlocked using the nvme-cli command-line utility without exposing sensitive keys to userspace. 

Why SEDs? 
Software-based encryption solutions work, but they consume CPU cycles you would rather reserve for your workloads, add complexity and attack surface, and are prone to human error in configuration and lifecycle management.

SEDs flip the script by offloading all encryption to the drive hardware. Every byte on the drive is encrypted on write and decrypted on read, automatically and with no host-side overhead. There is no need for dm-crypt, no userland passphrase in the I/O path, and no kernel-level I/O wrapper slowing you down.

Managing SEDs via nvme-cli 

On Power Linux, all SED operations are handled by a plugin inside nvme-cli. This CLI is your primary interface for provisioning, status, lock/unlock, and password (authentication key) management. The SED primitives are implemented as an nvme plugin named "sed", invoked as nvme sed. 

NVMe SED commands

    # nvme sed
    nvme-2.7.1

    usage: nvme sed <command> [<device>] [<args>]

    The '<device>' must be a nvme block device
       (ex: /dev/nvme0n1)

    SED Opal Command Set

    The following are all implemented sub-commands:

        discover        Discover SED Opal Locking Features
        initialize      Initialize a SED Opal Device for locking
        revert          Revert a SED Opal Device from locking
        lock            Lock a SED Opal Device
        unlock          Unlock a SED Opal Device
        password        Change the SED Opal Device password
        version         Shows the program version
        help            Display this help

    See 'nvme sed help <command>' for more information on a specific command

1. Discovering a drive

The discover sub-command displays both the drive's capabilities and its current status. For SED locking to function, the drive must report both "Locking Supported" and "Locking Feature Enabled" as "Yes". The "Locked" entry shows whether the drive is currently locked. A drive that reports "Locking Feature Enabled: No" is still encrypting, but it hands the plaintext to any host that reads it; until locking is enabled, the encryption provides no protection at rest.

    # nvme sed discover /dev/nvme0n1
    Locking Features:
    Locking Supported:              Yes
    Locking Feature Enabled:        No
    Locked:                         No

  

2. Initializing (enabling) a drive for locking

To set the password on a SED drive and enable it for SED locking:

    # nvme sed initialize /dev/nvme0n1
    Password:

    # nvme sed discover /dev/nvme0n1
    Locking Features:
    Locking Supported:              Yes
    Locking Feature Enabled:        Yes
    Locked:                         No

After initialize, the plain lock and unlock commands in the next steps use the key saved in the kernel SED keyring. The password itself is still needed for the -k forms, for changing it, and for revert, so keep it under proper key management: a drive whose password is lost cannot be unlocked, and the data on it is effectively gone.

  

3. Locking a drive

To lock a drive using the password saved in the kernel SED keyring:

    # nvme sed lock /dev/nvme0n1

    # nvme sed discover /dev/nvme0n1
    Locking Features:
    Locking Supported:              Yes
    Locking Feature Enabled:        Yes
    Locked:                         Yes

Once locked, the drive rejects every read and write with an I/O error:

    # dd count=1 if=/dev/nvme0n1 of=/tmp/data
    dd: error reading '/dev/nvme0n1': Input/output error

Lock only drives that are not in use. The lock takes effect immediately, so a mounted filesystem or an LVM/md member on the drive starts failing I/O, and writes still sitting in the page cache can no longer be flushed.

To lock a drive by manually entering the password:

    # nvme sed lock -k /dev/nvme0n1
    Password:

4. Unlocking a drive

To unlock a drive using the password saved in the kernel SED keyring:

    # nvme sed unlock /dev/nvme0n1

    # dd count=1 if=/dev/nvme0n1 of=/tmp/data
    1+0 records in
    1+0 records out
    512 bytes copied, 0.000253378 s, 2.0 MB/s

While unlocked, the drive hands plaintext to whatever reads it, exactly like an unencrypted disk. SED locking protects data at rest (a drive that is locked, powered off, or pulled from the server), not data on a running system that has already unlocked it, so lock drives that are not in use.

To unlock a drive by manually entering the password:

    # nvme sed unlock -k /dev/nvme0n1
    Password:

  

5. Changing a drive authentication key or password

    # nvme sed password /dev/nvme0n1
    Password:
    New Password:
    Re-enter New Password:

The command asks for the old (current) password and then prompts for the new password. The new password must be entered twice, identically.

  

6. Reverting a drive (non-destructively removing locking)

    # nvme sed revert /dev/nvme0n1
    Password:

    # nvme sed discover /dev/nvme0n1
    Locking Features:
    Locking Supported:              Yes
    Locking Feature Enabled:        No
    Locked:                         No

Revert without -e disables locking but keeps the data: the drive returns to the state shown in step 1 and is readable by any host again.

  

7. Reverting a drive by erasing (crypto-erase)

    # nvme sed revert -e /dev/nvme0n1
    Destructive revert erases drive data. Continue (y/n)? y
    Are you sure (y/n)? y
    Password:

The -e (destructive) form is the instant crypto-erase mentioned earlier: the drive discards its media encryption key, so everything previously written is unrecoverable even though the flash itself is never overwritten. Use it when decommissioning or repurposing a drive, and double-check the device path before answering y.

  

Workflow Sample

    # nvme sed discover /dev/nvme0n1
    Locking Features:
    Locking Supported:              Yes
    Locking Feature Enabled:        No
    Locked:                         No

    # nvme sed initialize /dev/nvme0n1
    Password:

    # nvme sed discover /dev/nvme0n1
    Locking Features:
    Locking Supported:              Yes
    Locking Feature Enabled:        Yes
    Locked:                         No

    # nvme sed password /dev/nvme0n1
    Password:
    New Password:
    Re-enter New Password:

    # nvme sed lock /dev/nvme0n1

    # nvme sed discover /dev/nvme0n1
    Locking Features:
    Locking Supported:              Yes
    Locking Feature Enabled:        Yes
    Locked:                         Yes

    # nvme sed unlock -k /dev/nvme0n1
    Password:

    # nvme sed discover /dev/nvme0n1
    Locking Features:
    Locking Supported:              Yes
    Locking Feature Enabled:        Yes
    Locked:                         No

    # nvme sed lock -k /dev/nvme0n1
    Password:

    # nvme sed unlock -k /dev/nvme0n1
    Password:
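The two things a practitioner wants around the commands above are a way to audit which drives are actually protected (initialized, and locked when idle) and a guard against locking a drive that is still in use. The script below is an added example that does both; it is not part of the original post or of nvme-cli itself. It uses only the nvme sed discover and nvme sed lock commands and the discover output format shown on this page. The function names, the embedded sample discover text (constructed to match that format), and the /dev/nvme*n1 enumeration are assumptions for illustration; the /proc/mounts and /sys/block/<dev>/holders checks are standard Linux interfaces.

```shell
#!/bin/sh
# Added example, not from the original post or from nvme-cli: classify a
# drive's SED state from `nvme sed discover` output, audit every NVMe
# namespace, and lock a drive only after checking it is provisioned and idle.
# Helper names (sed_state, device_in_use, safe_lock, audit_all) are ours.

# sed_state: read `nvme sed discover` output on stdin and print one word.
#   unsupported    no Opal locking on this drive
#   unprovisioned  locking supported but not enabled: the drive encrypts,
#                  yet any host can read it, so there is no protection at rest
#   locked         locking enabled and the drive is currently locked
#   unlocked       locking enabled, drive currently serving plaintext
sed_state() {
    awk -F: '
        /Locking Supported:/       { gsub(/[ \t\r]/, "", $2); supported = $2 }
        /Locking Feature Enabled:/ { gsub(/[ \t\r]/, "", $2); enabled   = $2 }
        /^[ \t]*Locked:/           { gsub(/[ \t\r]/, "", $2); locked    = $2 }
        END {
            if (supported != "Yes")    print "unsupported"
            else if (enabled != "Yes") print "unprovisioned"
            else if (locked == "Yes")  print "locked"
            else                       print "unlocked"
        }'
}

# device_in_use DEV [MOUNTS] [SYSBLOCK]: succeed if DEV or one of its
# partitions (DEVp1, DEVp2, ...) is mounted, or if a stacked device (LVM,
# md, dm-crypt) holds it. MOUNTS and SYSBLOCK default to the live system;
# they are parameters only so the check can be exercised offline.
device_in_use() {
    dev=$1; mounts=${2:-/proc/mounts}; sysblock=${3:-/sys/block}
    name=${dev##*/}
    if awk -v d="$dev" '$1 == d || index($1, d "p") == 1 { f = 1 }
                        END { exit !f }' "$mounts"; then
        return 0
    fi
    if [ -d "$sysblock/$name/holders" ] && [ -n "$(ls -A "$sysblock/$name/holders")" ]; then
        return 0
    fi
    return 1
}

# safe_lock DEV: lock with the key saved in the kernel SED keyring (plain
# `nvme sed lock`, as on the page), but only when the drive is provisioned,
# not already locked, and not in use.
safe_lock() {
    dev=$1
    state=$(nvme sed discover "$dev" | sed_state)
    case "$state" in
        unsupported)   echo "$dev: no Opal locking support" >&2; return 2 ;;
        unprovisioned) echo "$dev: run 'nvme sed initialize $dev' first" >&2; return 2 ;;
        locked)        echo "$dev: already locked"; return 0 ;;
    esac
    if device_in_use "$dev"; then
        echo "$dev: mounted or held by a stacked device; refusing to lock" >&2
        return 3
    fi
    sync    # flush dirty pages now; after the lock every write fails
    nvme sed lock "$dev" && echo "$dev: locked"
}

# audit_all: one line per NVMe namespace with its SED state, to spot drives
# that were never initialized or were left unlocked.
audit_all() {
    for dev in /dev/nvme*n1; do
        [ -b "$dev" ] || continue
        printf '%-14s %s\n' "$dev" "$(nvme sed discover "$dev" 2>/dev/null | sed_state)"
    done
}

# Constructed sample in the same layout as the discover output shown above,
# so the classifier can be tried without a SED drive present.
SAMPLE_DISCOVER='Locking Features:
Locking Supported:              Yes
Locking Feature Enabled:        Yes
Locked:                         No'

case "${1:-}" in
    --demo)  printf '%s\n' "$SAMPLE_DISCOVER" | sed_state ;;   # prints: unlocked
    --audit) audit_all ;;
    --lock)  safe_lock "$2" ;;
esac
```

Run it with --demo to classify the embedded sample offline, --audit to list the SED state of every NVMe namespace, or --lock /dev/nvmeXn1 to lock a drive only after the checks pass. The line to look for in an audit is any drive reported as unprovisioned: it is encrypting, but the encryption does nothing for data at rest until nvme sed initialize has been run on it.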

Final thoughts: 
With SEDs, encryption isn't an afterthought; it's a built-in, always-on layer that protects your data at rest from boot to shutdown, provided locking has been enabled and the drive is locked whenever it is not in use. Paired with Power Linux and nvme-cli, you get a robust, scriptable security solution that is faster and simpler to operate than software encryption. 
