I am about to receive A Lenovo ThinkPad T450s which will contain a self encrypting SSD (OPAL2.0). My question is will there be much of a performance loss if I were to use both the SSD's encryption and full disk software based encryption at the same time. I wish to do so as I'm not so happy with trusting all my data with a closed source firmware, not that I am wanted by GCHQ/NSA, and that if there is a malicious vulnerability I doubt they will burn it on me. But I like the ability to have the hardware encryption prevent cloning of the disk and being brute forced. (afaik the hardware chip would process the attempts)
Not sure what FDE you're considering, assume it's Bitlocker? Given that, I'm not clear how you'd actually encrypt both in hardware/firmware and in software. In any case, you'd be dealing with a potentially confusing key management scenario. Other than increased latency, I'm not sure how the hardware encryption would be a big hit - after all, it's aimed at offloading that processing from the CPU anyway. Processing latency, given AES-NI and equivalent, is likely small, and in any case, much smaller than the ssd memory latency. My feeling is that the TLAs would find it far easier to own your data from the comfort and safety of their own desks by hacking your systems remotely (which FDE does nothing to prevent) - if you're that concerned, and if they show up physically, then they likely have a wrench. I don't think there's an easy answer to the evil choices between trusting your firmware or trusting the software, because there are pros and cons. I dream of an intelligent secure storage system (maybe mediated by a RPi or something), which included real read-only elements, plus optional demands for physical presence with a two-factor button press (e.g. on file open).
Well, you could keep everything online in a Tahoe-LAFS grid, on a dozen or so inexpensive VPS, which are reachable as Tor hidden services. Then all you need is a Tails DVD or USB. Plus some working notes, with Bitcoin credentials, VPS account info, server hostnames, passwords and so on. That you could encrypt with GnuPG, and keep copies online in a few places. There's still some information that you must remember, but not all that much.
