sed-key
sed-key is a Rust command-line tool for locking, unlocking, and querying the lock state of NVMe Self-Encrypting Drives (SED) using the TCG OPAL protocol under Linux. Its scope is intentionally limited; it is intended for use in places such as early-stage boot environments. sed-key is designed to accept a key as a CLI argument.
It wraps the Linux ioctls for OPAL discovery and lock/unlock, providing:
- Discovery: Check whether a drive supports OPAL/SED and parse the locking feature descriptor.
- Locking/Unlocking: Send the OPAL_LOCK_UNLOCK command with your Admin1 password.
- CLI: A sed-key binary to view lock status or unlock drives interactively.
⚠️ Safety Warning
This software talks directly to your block devices using raw IOCTLs.
Mistakes can lock you out of your drive, or even crash a running kernel.
You run this at your own risk.
Installation
With Cargo:
CLI Usage
Check lock status of a device
This prints the parsed OPAL locking feature flags and whether the device is locked.
Unlock a device
Pass the device path and optionally a password argument:
Lock a device again
Similarly, to lock the device:
Noninteractive / scripting
All commands exit nonzero on error, so they can be used in shell scripts:
# Example: unlock with key from a file if the drive reports locked
if | ; then
fi
# Or perhaps:
# Use sed-key directly; password piped on stdin
if ! | ; then
rc=
fi
Testing
When running under Miri or in CI, hardware IOCTLs are replaced by a fabricated discovery page. Example:
MIRI_SED_LOCKED=1
This lets the parser and property-based tests run without touching real drives.
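The discovery step listed above ("parse the locking feature descriptor") and the fabricated discovery page used under Miri both come down to walking a TCG Opal Level 0 Discovery response. The following is an added example, not sed-key's own parser: it assumes the descriptor layout from the Opal SSC (48-byte header whose first four bytes are the big-endian length of the data after the length field; each feature descriptor is a 2-byte feature code, a version byte, a data-length byte, then data; Locking feature code 0x0002 with the flag bits in its first data byte), builds a constructed page the way a hardware-free test would, and shows the bounds checks a parser needs so a drive that under- or over-declares its length cannot make it read past the buffer.

```rust
// Added example, not sed-key's own code: parse the Locking feature out of
// a TCG Opal Level 0 Discovery response, bounds-checking every step.
//
// Layout assumed (TCG Opal SSC; same structs as Linux sed-opal.c):
//   header  : 48 bytes; bytes 0..4 = BE length of the data following the
//             length field; bytes 4..8 = revision.
//   feature : u16 BE code, u8 version/reserved, u8 data length, data.
//   Locking feature (code 0x0002): data byte 0 carries the flag bits below.

const D0_HEADER_LEN: usize = 48;
const FEATURE_CODE_LOCKING: u16 = 0x0002;

const LOCKING_SUPPORTED: u8 = 0x01;
const LOCKING_ENABLED: u8 = 0x02;
const LOCKED: u8 = 0x04;
const MEDIA_ENCRYPTION: u8 = 0x08;
const MBR_ENABLED: u8 = 0x10;
const MBR_DONE: u8 = 0x20;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct LockingFeature {
    pub locking_supported: bool,
    pub locking_enabled: bool,
    pub locked: bool,
    pub media_encryption: bool,
    pub mbr_enabled: bool,
    pub mbr_done: bool,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum DiscoveryError {
    TooShort,            // fewer bytes than the fixed header
    BadLength,           // declared length runs past the bytes received
    TruncatedDescriptor, // a descriptor claims more data than remains
    NoLockingFeature,    // drive answered but advertises no Locking feature
}

pub fn parse_locking_feature(page: &[u8]) -> Result<LockingFeature, DiscoveryError> {
    if page.len() < D0_HEADER_LEN {
        return Err(DiscoveryError::TooShort);
    }
    let declared = u32::from_be_bytes([page[0], page[1], page[2], page[3]]) as usize;
    // The drive's declared length bounds the walk, but never past the buffer.
    let end = declared.checked_add(4).ok_or(DiscoveryError::BadLength)?;
    if end < D0_HEADER_LEN || end > page.len() {
        return Err(DiscoveryError::BadLength);
    }
    let mut off = D0_HEADER_LEN;
    while off + 4 <= end {
        let code = u16::from_be_bytes([page[off], page[off + 1]]);
        let len = page[off + 3] as usize;
        let data = off + 4;
        if data + len > end {
            return Err(DiscoveryError::TruncatedDescriptor);
        }
        if code == FEATURE_CODE_LOCKING {
            if len == 0 {
                return Err(DiscoveryError::TruncatedDescriptor);
            }
            let f = page[data];
            return Ok(LockingFeature {
                locking_supported: f & LOCKING_SUPPORTED != 0,
                locking_enabled: f & LOCKING_ENABLED != 0,
                locked: f & LOCKED != 0,
                media_encryption: f & MEDIA_ENCRYPTION != 0,
                mbr_enabled: f & MBR_ENABLED != 0,
                mbr_done: f & MBR_DONE != 0,
            });
        }
        off = data + len;
    }
    Err(DiscoveryError::NoLockingFeature)
}

/// Constructed discovery page standing in for a real drive (not a capture):
/// a TPer descriptor the walk must skip, then a Locking descriptor.
pub fn fabricated_discovery_page(locked: bool) -> Vec<u8> {
    let mut page = vec![0u8; D0_HEADER_LEN];
    page.extend_from_slice(&0x0001u16.to_be_bytes()); // TPer feature code
    page.extend_from_slice(&[0x10, 12]);
    page.extend_from_slice(&[0u8; 12]);
    page.extend_from_slice(&FEATURE_CODE_LOCKING.to_be_bytes());
    page.extend_from_slice(&[0x10, 12]);
    let mut flags = LOCKING_SUPPORTED | LOCKING_ENABLED | MEDIA_ENCRYPTION;
    if locked {
        flags |= LOCKED;
    }
    page.push(flags);
    page.extend_from_slice(&[0u8; 11]);
    // Header length excludes the 4-byte length field itself.
    let declared = (page.len() - 4) as u32;
    page[0..4].copy_from_slice(&declared.to_be_bytes());
    page[4..8].copy_from_slice(&[0, 0, 0, 1]); // revision 1
    page
}

fn main() {
    for locked in [false, true] {
        match parse_locking_feature(&fabricated_discovery_page(locked)) {
            Ok(f) => println!("locking_enabled={} locked={}", f.locking_enabled, f.locked),
            Err(e) => println!("discovery error: {:?}", e),
        }
    }
}
```

The parser returns a typed error rather than a default "unlocked" on any malformed page, so a caller that gates an unlock on "the drive reports locked" fails closed when the response is short, over-declared, or missing the Locking descriptor.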
Building From Source
Using Cargo (standard build)
If you have Rust installed, you can build and run directly:
Using Nix (reproducible build)
If you have Nix installed with flakes enabled:
This Nix build performs a fully offline, reproducible release build of sed-key.
License
Licensed under MIT.