I recently purchased a Crucial MX300 to use as a boot drive, and I want to take advantage of its self encrypting functionality. I've been reading up on SEDs and I understand they use a Data Encryption Key or DEK (sometimes called a Media Encryption Key) and an Authorization Key which encrypts the DEK.

From the TCG Opal FAQ on SEDs (emphasis added):

A: The encryption key is generated on board the drive and NEVER LEAVES THE DRIVE. The manufacturer does NOT retain or even have access to the key. Moreover, you do not have to trust it. When putting an SED into service it is considered good practice to start by directing the SED to regenerate its encryption key. Doing this before loading any software on the drive eliminates the possibility of the drive manufacturer, or anyone else who might have had a chance to access the drive before the current owner, acquiring any secret, like the encryption key, that could be later used to break into the user data.

My question is, how do I direct the SED to regenerate its encryption key? The only free tool I know about for working with SEDs is sedutil. I have been all over the documentation for that tool and I can't find anything about regenerating the DEK.

Does anyone know how to instruct the SED to regenerate the encryption key?

Dominic P

Note: I don't have an SED drive, nor have I tried the below. Please use at your own risk.

From:

in section Secure disk erasure:

Simply passing a cryptographic disk erasure (or crypto erase) command (after providing the correct authentication credentials) will have the drive self-generate a new random encryption key (DEK) internally. This will permanently discard the old key, thus rendering the encrypted data irrevocably un-decryptable.

From this:

Using the PSID to perform a factory reset causes all disk parameters to be reset to factory original settings, including the following:

  • The encryption key used to encrypt and decrypt the data on the media is changed to an unknown value.

From this:

you have this:

Warning: This function will erase all of your data ...

Linux:

sedutil-cli --yesIreallywanttoERASEALLmydatausingthePSID <PSIDALLCAPSNODASHES> /dev/sd?

Windows:

sedutil-cli --yesIreallywanttoERASEALLmydatausingthePSID <YOURPSID> \\.\PhysicalDrive?

You should see INFO: revertTper completed successfully.

If you get a message that says NOT_AUTHORIZED you entered the PSID wrong.

Hope this helps.
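An added example (my own, not from the answer above or from the sedutil project) that wraps the PSID revert step: it normalizes the PSID as printed on the drive label (no dashes, upper case), refuses a malformed one before anything is sent to the drive, builds the exact Linux command the answer gives, and interprets the two outcomes the answer names. It assumes a 32-character alphanumeric PSID, which is what common Opal drives print; the device path and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Dry-run by default: nothing
# touches a drive unless run_revert is called with a third argument of "yes".

# Strip dashes/spaces from the label text and upper-case it, since
# sedutil-cli expects the PSID with no separators.
normalize_psid() {
    printf '%s' "$1" | sed 's/[- ]//g' | tr '[:lower:]' '[:upper:]'
}

# Assumption: the PSID is 32 alphanumeric characters, as on common Opal
# drives; adjust PSID_LEN if the label on your drive says otherwise.
PSID_LEN=32
check_psid() {
    p=$(normalize_psid "$1")
    [ "${#p}" -eq "$PSID_LEN" ] || return 1
    case "$p" in *[!A-Z0-9]*) return 1 ;; esac
    return 0
}

# Build the exact command from the answer above (Linux form).
build_revert_cmd() {
    printf 'sedutil-cli --yesIreallywanttoERASEALLmydatausingthePSID %s %s' \
        "$(normalize_psid "$1")" "$2"
}

# Map sedutil-cli output to a verdict: the answer says success prints
# "revertTper completed successfully" and a mistyped PSID yields NOT_AUTHORIZED.
classify_revert_output() {
    case "$1" in
        *"revertTper completed successfully"*) echo "ok" ;;
        *NOT_AUTHORIZED*) echo "bad-psid" ;;
        *) echo "unknown" ;;
    esac
}

# run_revert <psid-from-label> <device> [yes]
# Validates first; executes only when the third argument is literally "yes".
run_revert() {
    check_psid "$1" || { echo "PSID malformed (expected $PSID_LEN chars A-Z0-9)" >&2; return 2; }
    cmd=$(build_revert_cmd "$1" "$2")
    if [ "$3" != "yes" ]; then
        echo "dry run: $cmd"
        return 0
    fi
    out=$($cmd 2>&1)     # this erases all data on $2 and regenerates the DEK
    echo "$out"
    [ "$(classify_revert_output "$out")" = "ok" ]
}
```

A dry run (`run_revert 'ABCD-...' /dev/sdb`) shows the command that would be sent, which is a cheap way to catch a PSID typo before the drive answers NOT_AUTHORIZED.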