What does HackerNews think of sedutil?

DTA sedutil Self encrypting drive software

Language: C++

The article is saying that people don't unlock their devices before recycling them.

This could be true, but as I mentioned in another comment, as soon as it's removed from the original user's iCloud account that lock will be removed.

> how can you trust that the "erase everything" works?

You can't remove it, but as long as nobody else can use the device to recover data then it's fine.

FWIW it's actually pretty easy with SATA SSDs to set a device key, which then encrypts everything on the drive at full speed: https://github.com/Drive-Trust-Alliance/sedutil

The drives are actually already doing this, it's just that the key is set to 0's.

I can imagine that, given the drive is accessed via T2, that Apple's NANDs are being accessed the same way, in which case scrambling the key is enough to make it unrecoverable permanently.

It depends on how paranoid you are. It's nearly impossible to recover data from a drive that's in pieces. If you don't want to destroy hardware:

1. Write random data to hard drives.

2. For SSDs, many support TCG OPAL. If so, rekey the drive. I've used this software[0] and this command[1]. If your drive doesn't support OPAL, you're on your own. Due to reallocation and over-provisioning, it's impossible to tell if your data is still on the drive even if you've completely overwritten it.

[0] https://github.com/Drive-Trust-Alliance/sedutil

[1] https://github.com/Drive-Trust-Alliance/sedutil/wiki/PSID-Re...
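The two claims above (an SED is already encrypting everything and a rekey makes the old ciphertext unrecoverable, versus an overwrite of an SSD that cannot be trusted because of reallocation and over-provisioning) can be shown with a small simulation. This is an added example written for this page, not code from the sedutil project or any commenter; it assumes a toy flash translation layer with spare pages and uses an HMAC-SHA256 counter-mode keystream as a stand-in for the drive's AES so that it runs with only the Python standard library. All sample data is constructed.

```python
"""Toy model: logical overwrite of an SSD vs. crypto-erase of a self-encrypting
drive. Added example for this page, not sedutil code. The FTL and the
HMAC-SHA256 keystream below are assumptions standing in for real firmware and
AES-XTS; the secret and page sizes are constructed sample values."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

PAGE = 16  # bytes per simulated flash page (constructed, tiny on purpose)


def keystream(key: bytes, page_no: int, n: int) -> bytes:
    """Stand-in for the SED's per-page AES keystream (assumption: real drives
    use AES; HMAC-SHA256 in counter mode is used here only to stay stdlib-only)."""
    out = b""
    ctr = 0
    while len(out) < n:
        msg = page_no.to_bytes(8, "big") + ctr.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class FlashSSD:
    """Minimal flash translation layer: every write goes to a free physical
    page and the page that held the old data is only marked stale, never
    erased at that moment. With a media encryption key (mek) set, every
    physical page is stored as ciphertext, as an SED does."""

    def __init__(self, logical_pages: int, spare_pages: int, mek: Optional[bytes] = None):
        self.phys: List[bytes] = [b"\xff" * PAGE] * (logical_pages + spare_pages)
        self.free: List[int] = list(range(logical_pages + spare_pages))
        self.map: Dict[int, int] = {}  # logical block -> physical page
        self.mek = mek

    def _encode(self, data: bytes, ppage: int) -> bytes:
        return xor(data, keystream(self.mek, ppage, PAGE)) if self.mek else data

    def write(self, lba: int, data: bytes) -> None:
        assert len(data) == PAGE
        ppage = self.free.pop(0)
        self.phys[ppage] = self._encode(data, ppage)
        old = self.map.get(lba)
        if old is not None:
            self.free.append(old)  # stale page is recycled later, not wiped now
        self.map[lba] = ppage

    def read(self, lba: int) -> bytes:
        ppage = self.map[lba]
        return self._encode(self.phys[ppage], ppage)  # XOR keystream is symmetric

    def raw_pages(self) -> List[bytes]:
        """What a chip-off read of the NAND sees, bypassing the FTL entirely."""
        return list(self.phys)

    def crypto_erase(self) -> None:
        """Model of a TCG Opal revert / PSID revert: the drive discards the MEK,
        generates a fresh one and forgets the LBA map. Old ciphertext stays on
        the NAND but is no longer decryptable."""
        self.mek = os.urandom(32)
        self.map = {}
        self.free = list(range(len(self.phys)))


def overwrite_leaves_remnants(secret: bytes) -> bool:
    """Overwrite every LBA once (the 'write random data' approach) on a drive
    that does not encrypt; return True if the secret survives in a retired page."""
    ssd = FlashSSD(logical_pages=4, spare_pages=4)
    ssd.write(0, secret)
    for lba in range(4):
        ssd.write(lba, os.urandom(PAGE))
    assert ssd.read(0) != secret  # the host sees the overwrite as successful
    return secret in ssd.raw_pages()  # ... but the old physical page still holds it


def crypto_erase_leaves_remnants(secret: bytes) -> bool:
    """Same drive with a MEK; after a rekey, neither the raw NAND nor a
    decryption under the new key yields the plaintext."""
    ssd = FlashSSD(logical_pages=4, spare_pages=4, mek=os.urandom(32))
    ssd.write(0, secret)
    assert ssd.read(0) == secret  # normal reads work while the MEK is present
    old_page = ssd.map[0]
    ssd.crypto_erase()
    raw = ssd.raw_pages()
    decrypted_with_new_key = xor(raw[old_page], keystream(ssd.mek, old_page, PAGE))
    return secret in raw or decrypted_with_new_key == secret


if __name__ == "__main__":
    s = b"card=4111111111"[:PAGE].ljust(PAGE, b"\x00")  # constructed sample secret
    print("overwrite leaves remnants:", overwrite_leaves_remnants(s))
    print("crypto-erase leaves remnants:", crypto_erase_leaves_remnants(s))
```

The FTL here is deliberately simple, but the behaviour it shows is the one the comment relies on: a full logical overwrite still leaves the original page intact in the over-provisioned area, whereas a drive that was encrypting from the start only has to destroy one key. Note that the crypto-erase path is only as good as the drive's implementation, which is why the first comment's question of whether "erase everything" can be trusted is really a question about the firmware, not about the protocol.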

None of the scenarios detailed in your 1st reference are an inherent vulnerability of SEDs; it is describing vulnerabilities in the software that drives the SEDs or in the physical designs of the computers they are installed in. Also, reset attacks apply to software encryption as well as SEDs.

Check out the sedutil project on GitHub; it's an open-source implementation of software to manage SEDs.

https://github.com/Drive-Trust-Alliance/sedutil

That's if you trust TCG and OPAL, and have an OPAL drive. Windows will use OPAL automatically if available for at least Pro and Enterprise and Server products, I'm not sure about Home. Apple and Linux have software implementations (typically with AES hardware support by the CPU).

Edit: Looks like it's been forked. https://github.com/sedutil/sedutil

The TCG and OPAL folks should have commissioned this work for a UEFI application, and open sourced it.

Make sure you get a laptop with a self-encrypting SSD that supports TCG Opal. This will give you maximum speed sector-level encryption. Read this post on my nerd-blog: https://vxlabs.com/2015/02/11/use-the-hardware-based-full-di... (no ads, no referrals, really just info) which explains at a high level how SSD-based encryption works.

The open-source msed tool has now been renamed to sedutil; see https://github.com/Drive-Trust-Alliance/sedutil, but it still works the same way.

It would still be possible for a sufficiently advanced thief to secure erase the drive (they need to know how to use TCG Opal to do that), but they will never see your data.