Jip-Hop/sedunlocksrv-pba
sedunlocksrv-pba

Conveniently unlock your Self Encrypting Drive on startup (via HTTPS or SSH) without the need to attach monitor and keyboard.


Disclaimer

Use at your own risk! You may lock yourself out of the data on the disk.

Compatibility

This tool, sedunlocksrv-pba, only works with a Self Encrypting Drive (SED) that is compatible with sedutil (TCG OPAL), for example the Samsung EVO 850 SSD.

Use case

Fully encrypt your home server or NAS and conveniently unlock it on startup without the need to attach monitor and keyboard. Unlocking can be done from any device on your LAN with a browser. By default a self-signed HTTPS certificate is used (generated during building) to secure the unlocking.

Because the drive performs the encryption in hardware, you can encrypt your server even if the OS doesn't support encryption at all, or supports it only for some disks (e.g. not for the drive the OS is installed on).

Even for systems which support encrypting all drives, using a SED with sedunlocksrv-pba can be useful because of the remote unlock functionality. Unlock and continue booting from any device on your LAN via HTTPS/SSH. If you're using a password manager you can conveniently auto-fill the unlock password.
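The unlock page is protected by a self-signed certificate generated at build time, so a browser cannot tell the real PBA from an impostor answering on the same LAN address unless the certificate is pinned. The script below is an added example (not part of sedunlocksrv-pba): it records the SHA-256 fingerprint of the build-time certificate and refuses to declare the unlock page safe unless the live server presents the same one. The certificate path, the script name sedunlock-check.sh and the host:port are assumptions supplied by the operator.

```shell
#!/bin/sh
# Added example, not part of sedunlocksrv-pba: pin the build-time HTTPS
# certificate of the unlock server and verify it before entering the SED password.
set -eu

# SHA-256 fingerprint of a PEM certificate file (lowercase hex, no colons).
# The cert path is an assumption: pass wherever the build left the certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Fingerprint of the certificate presented by a live server given as host:port.
# Empty stdin stops s_client from waiting for interactive input.
server_fingerprint() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Compare the observed fingerprint with the pinned one; returns 0 only on an
# exact match and treats an empty observation (no TLS, no cert) as a failure.
verify_pin() {
    pinned=$1
    observed=$2
    [ -n "$observed" ] && [ "$pinned" = "$observed" ]
}

# Usage: sedunlock-check.sh <pinned-fingerprint> <host:port>
main() {
    if verify_pin "$1" "$(server_fingerprint "$2")"; then
        echo "certificate matches the build-time pin; safe to open https://$2/"
    else
        echo "certificate MISMATCH for $2; do not enter the SED password" >&2
        return 1
    fi
}

# Run main only when executed under the assumed script name, so the
# functions can also be sourced from another script.
case "${0##*/}" in sedunlock-check.sh) main "$@" ;; esac
```

Record the pinned value once with `cert_fingerprint path/to/cert.pem` on the build machine, then run the check from the client before each unlock.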

Features

  • Unlock your SED from a browser (via HTTPS)
  • Unlock your SED via SSH
  • Change disk password from a browser (via HTTPS)
  • Not limited to us_english keyboard mapping
  • Reboot button to boot from the unlocked drive
  • BIOS and UEFI support
  • Configuring specific keymaps on the console

SED benefits

  • Encrypt your (boot) drive, even when the OS doesn't (fully) support encryption
  • Drive locks when power is lost, protecting data when server is stolen
  • Hardware encryption means less CPU usage

Requirements

  • A Self Encrypting Drive compatible with sedutil (TCG OPAL)
  • Ubuntu to build the PBA image
  • Two USB sticks to flash the PBA image

Building with Docker

This builds the image inside Docker, which also works on Apple Silicon (arm64) when Rosetta for Linux is enabled in Docker Desktop v4.25 and up.

(NAME=sedunlocksrv-pba; docker build -t $NAME . && docker run --name $NAME --privileged $NAME && docker cp $NAME:/tmp/sedunlocksrv-pba.img sedunlocksrv-pba.img; docker rm $NAME)

After running the command above you will find sedunlocksrv-pba.img in your current working directory. Continue with Encrypting your drive and flashing the PBA.

Set up a VM for building with VirtualBox

  • Download and install VirtualBox
  • Also install the VirtualBox Extension Pack from the link above
  • Download Ubuntu 22.04 from linuxvmimages
  • Extract the downloaded archive
  • Import the VM by double clicking the extracted .ova file
  • Open Settings for the newly created VM and go to Ports->USB to enable the USB 3.0 (xHCI) Controller
  • Boot the VM and login with username ubuntu and password ubuntu
  • Tip: enable Shared Clipboard from the Devices dropdown menu to copy and paste the commands in the next steps
  • Optional: open Terminal and run sudo apt-get -y install nautilus-admin && sudo adduser $USER vboxsf for convenience (access VirtualBox shared folders and browse in Files as admin via right click -> Open as Administrator)
  • Insert the Guest Additions CD image from the Devices menu dropdown, update the installation and reboot
  • Open Terminal and become root with: sudo su
  • Update with: apt-get update && apt-get -y upgrade
  • Continue with building in the next steps

Building on Ubuntu 22.04 LTS

  • Install build dependencies: apt-get -y install cpio curl dosfstools dropbear fdisk git golang-go grub-efi-amd64-bin grub-efi-ia32-bin grub-pc-bin grub2-common libarchive-tools rsync squashfs-tools udev wget xorriso
  • Download or clone this repo and run: ./build.sh
  • Connect your USB stick to Ubuntu (if inside VirtualBox, use the Devices dropdown menu)
  • Format the stick with a supported filesystem (e.g. FAT32) if this is not already the case
  • Copy the sedunlocksrv-pba.img file onto your USB stick (use the GUI file explorer or cp from the Terminal)
  • Eject the USB stick and put it aside for now
  • Use the other USB stick for the sedutil rescue system (see next step)

Testing PBA with qemu

qemu-system-x86_64 -drive format=raw,file=sedunlocksrv-pba.img

SED unlock with keyboard

Note that you can still unlock SED disks using the keyboard with this PBA image. Just key in your password and press Enter when the prompt "Key in SED password and press Enter anytime to unlock" appears. Note that keystrokes won't be echoed on the screen. Repeat for other disks (if all disks have the same password they will be unlocked in one step). After the disks are successfully unlocked, reboot by pressing ESC.

Configuring specific keymaps on the console

To use specific keymaps, build with the KEYMAP environment variable set. For example: KEYMAP=fr-latin9.

Using other forks of sedutil

Optionally you can use a sedutil fork other than the official Drive-Trust-Alliance one by setting the environment variable SEDUTIL_FORK when building.

Example: sudo SEDUTIL_FORK="ChubbyAnt" ./build.sh

Optional SED unlock via SSH


Optionally, SED disks can be unlocked via SSH. To enable this feature (in addition to HTTPS unlocking), follow the build steps above with a few extras:

  • install dropbear (it will be used to generate the dropbear host keys): apt-get -y install dropbear
  • create an authorized_keys file in the sedunlocksrv-pba/ssh folder. It should contain the public keys of all key pairs allowed to connect to the unlocking service. Have a look at the provided sedunlocksrv-