NVDIMM security is managed through the ndctl utility and the following sub-commands:

The ndctl setup-passphrase command is used to set up and enable a security passphrase for one or more NVDIMMs.

The ndctl update-passphrase command updates the security passphrase for one or more NVDIMMs that have previously been set up using the ndctl setup-passphrase command. Prerequisites for this command to succeed: setup-passphrase has successfully been executed on the NVDIMM(s), and the NVDIMM is unlocked.

The ndctl remove-passphrase command prevents a DIMM from locking at power-loss and requiring a passphrase to access media.

The ndctl sanitize-dimm command performs cryptographic destruction of the contents on the given NVDIMM(s). It scrambles the data, and any metadata or info-blocks, but it does not modify namespace labels. Therefore, any namespaces on regions associated with the given NVDIMM will be retained, but they will end up in raw mode. The kernel issues a WBINVD instruction before and after the operation to ensure no data corruption from a stale CPU cache. Use the ndctl sanitize-dimm command with the --crypto-erase option to perform this operation.

ndctl sanitize-dimm [--crypto-erase] [--overwrite]

The command supports two different methods of performing the cryptographic erase. The default is crypto-erase, but additionally, an overwrite option is available which overwrites not only the data area, but also the label area, thus losing record of any namespaces the given NVDIMM participates in. Use the ndctl wait-overwrite command to wait for the NVDIMMs that are performing an overwrite. Upon successful completion of an overwrite, the WBINVD instruction is issued by the kernel. If both --crypto-erase and --overwrite options are supplied, then crypto-erase is performed before overwrite.

The ndctl freeze-security command does not require a passphrase. It causes any security command other than a status query to be locked out until the next boot. This is used in scenarios where the administrator has taken all expected security actions for the current boot and wants the NVDIMMs to enforce/lock the current state until system reboot.

ndctl load-keys is executed before the libnvdimm module is loaded by modprobe. See the 'Loading Keys' section. This command will inject the kek and the encrypted passphrases into the kernel’s user keyring. During the probe of the libnvdimm driver, it will:

The ndctl load-keys command loads the master key (kek) and the encrypted passphrases for all NVDIMMs into the user keyring maintained by the kernel. The command is expected to be called during initialization and before the libnvdimm kernel module is loaded, typically from an initrd. This is usually arranged with a modprobe config that calls the command before module load.

setup-passphrase and update-passphrase support the -m flag to differentiate between user and master passphrase operations. The master passphrase has no relation to the master key (kek), which is used for encryption of either passphrase. More information about the master key can be found in the kernel documentation at https://www.kernel.org/doc/html/latest/security/keys/trusted-encrypted.html.
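The sanitize-dimm, wait-overwrite and freeze-security behaviour described above, as an added shell example that is not ndctl's own code: it assumes that ndctl list -D reports each DIMM's state in a "security" JSON member with values such as disabled, unlocked, locked, frozen and overwrite, and the allow/refuse policy is this example's own, not an ndctl rule.

```shell
#!/bin/sh
# Added example, not part of ndctl or its documentation: gate a
# sanitize-dimm request on the DIMM's reported security state, then run
# crypto-erase followed by overwrite and wait for the overwrite to finish.
# Assumption: `ndctl list -D -d <dimm>` prints a "security" JSON member.

# Pull the "security" value out of ndctl's JSON output for one DIMM.
dimm_security_state() {
    printf '%s\n' "$1" | sed -n 's/.*"security": *"\([a-z]*\)".*/\1/p' | head -n 1
}

# Policy check (an assumption of this example, not an ndctl rule): only an
# unlocked DIMM is sent a sanitize request. Prints the reason and returns
# 0 to proceed, 1 to refuse.
sanitize_precheck() {
    case "$1" in
        unlocked)  echo "ok: security enabled and DIMM unlocked"; return 0 ;;
        locked)    echo "refuse: DIMM is locked; unlock it first"; return 1 ;;
        frozen)    echo "refuse: security frozen until next boot (freeze-security)"; return 1 ;;
        overwrite) echo "refuse: overwrite already running; use ndctl wait-overwrite"; return 1 ;;
        disabled)  echo "refuse: security not enabled; this example only erases passphrase-protected DIMMs"; return 1 ;;
        *)         echo "refuse: unknown security state '$1'"; return 1 ;;
    esac
}

# Erase sequence for one DIMM (e.g. nmem0): crypto-erase runs before
# overwrite when both options are given, and wait-overwrite blocks until
# the overwrite completes (the kernel issues WBINVD at that point).
sanitize_and_wait() {
    dimm="$1"
    state=$(dimm_security_state "$(ndctl list -D -d "$dimm")")
    sanitize_precheck "$state" || return 1
    ndctl sanitize-dimm --crypto-erase --overwrite "$dimm" || return 1
    ndctl wait-overwrite "$dimm"
}

# Constructed sample (not captured from real hardware) so the check can be
# exercised without ndctl installed; a frozen DIMM is refused.
SAMPLE_JSON='{"dev":"nmem0","security":"frozen"}'
sanitize_precheck "$(dimm_security_state "$SAMPLE_JSON")" || echo "sanitize not attempted"
```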