Skip to main content

Editing locking ranges

Locking range parameters

Locking ranges and their parameters are described here. In addition to the start and the length of the locking range, SEDManager also display the end of the locking range. The end LBA itself is not included in the range. You can freely change either the start, the length, or the end, the three values are kept consistent. Sometimes you will notice that SEDManager adjusts the values you type in. This is because some drives require alignment of the locking ranges and SEDManager adheres to that.

info

You can convert LBAs to bytes using the logical block size displayed on the device's main page under Geometry features. You can also see the alignment requirements there.

Erasing ranges

You can cryptographically erase a locking range by clicking the erase button on the range's row. This deletes the current media encryption key (MEK) and replaces it with a new one, permanently erasing all data associated with the locking range. The data cannot be recovered in any way, ever, so be careful with this function.

tip

When you first configure the drive, erase the global range once. Manufacturers sometimes use predictable algorithms to generate the default key in the factory, but the device should generate secure completely random keys, reducing the chance of someone guessing the encryption key to your data.

Potential errors

Overlapping ranges

Locking ranges (except for the global range) are not allowed to overlap. If you try to set overlapping ranges, the device will give you an invalid parameter error. In case you're changing multiple ranges at once, a helpful trick is to first set the length of all ranges to zero, as zero-length ranges will never overlap.

Erasing ranges when encryption is not supported

On some TCG Pyrite drives, encryption is not supported. In this case, erasing any range will fail, as the encryption key that would be replaced doesn't exist in the first place.

How should I configure locking ranges?

  • You're the only one using the drive: Enable both read and write locking for the global locking range.
  • You share the drive with others: Assign a locking range to each user. Additionally, you can set up shared locking ranges.