Linux FAQ


SDLinux Frequently Asked Questions

SecureDoc for Linux · Technical Reference

Affected Versions: SDLinux 8.x, 9.x

Reference: SD-SDLINUX-FAQ

Document Type: FAQ

Audience: Admins / Field Engineers

This document compiles answers to the most frequently asked questions about SDLinux — WinMagic's full disk encryption solution for Linux endpoints and cloud virtual machines. Questions are grouped by topic for quick reference.

Platform & Compatibility

Q1

What Linux distributions does SDLinux currently support?

SDLinux currently supports three major Linux distributions:

  • Ubuntu

  • Red Hat Enterprise Linux (RHEL)

  • SUSE Linux

A full list of supported versions is maintained on the WinMagic website. Navigate to System Requirements and look under the SecureDoc for Linux section.

Q2

What kernel versions does SDLinux currently support?

All currently supported kernel versions are listed at the link below. This list is updated whenever WinMagic builds drivers for a new kernel.

https://securedoc-linux.s3.amazonaws.com/kernel-list/index.html

If a kernel version is not listed — which can happen with OEM-provided Linux images — contact WinMagic Support to request that it be added to the pool.

Q3

How does SDLinux handle newly released OS versions?

The SDLinux installer detects the OS at install time. If it identifies an unsupported OS, it stops and rolls back installation cleanly without making changes to the system.

For Ubuntu, SDLinux supports installation on minor version releases (e.g., 18.04.2, 18.04.3) as long as the major version (e.g., 18.04) and the kernel version are both supported. Installing on an entirely unsupported major release — such as Ubuntu 19.04 — is blocked.

Q4

How does WinMagic handle new or unsupported kernel versions?

WinMagic maintains a kernel pool that syncs automatically with the main Ubuntu and Red Hat upstream repositories. When a new kernel is published upstream, WinMagic pulls it to the pool and builds the corresponding kernel drivers.

If a kernel does not appear in the supported list — common for kernels found on OEM system images — contact WinMagic Support and request that the specific kernel be added.

Q5

What filesystems does SDLinux support encryption on?

SDLinux supports both fast (data-only) encryption and thorough (sector-by-sector) encryption on the following filesystems:

  • EXT4 — standard partitions and LVM

  • XFS — standard partitions and LVM

Both EXT4 and XFS can coexist on the same Linux system. For all other filesystems (for example, BTRFS), only thorough encryption is supported — fast encryption is not available.

Q6

Does SDLinux support RAID partitions?

Hardware RAID is fully supported. RAID management operates outside SDLinux, so no additional configuration is required. If a RAID disk is replaced and SDspace was on the missing volume, follow the SDspace recovery procedure in the SDLinux Deployment Guide. The disk serial number reported in SES inventory may become stale after a disk replacement but will update automatically when the service restarts.

Software RAID is possible but has outstanding known issues. It is not recommended for production deployments at this time.

Q7

What encryption cipher does SDLinux use, and how can I verify it?

SDLinux uses AES-CBC-ESSIV with SHA-256 for full disk encryption. To confirm the cipher on a running system, execute the following command — replacing the volume name as appropriate:

cryptsetup status /dev/mapper/<encr_sdx>

The output will list the cipher, key size, and device details for the encrypted volume.
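
The check above can be scripted. The following is an added example, not WinMagic code: it parses `cryptsetup status` output and compares the reported cipher with the one named in this answer. The sample output and the mapping name encr_sda2 are constructed.

```bash
#!/bin/sh
# Added example (not WinMagic code): compare the cipher reported by
# `cryptsetup status` with the one named in Q7.
EXPECTED_CIPHER="aes-cbc-essiv:sha256"

# Print the value of one "key: value" field from status text on stdin.
status_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# Read `cryptsetup status` output on stdin and print a one-line verdict.
# Returns 0 on match, 1 on mismatch, 2 if the mapping is inactive.
check_cipher() {
    status=$(cat)
    case $status in
        *"is inactive"*) echo "INACTIVE"; return 2 ;;
    esac
    cipher=$(printf '%s\n' "$status" | status_field cipher)
    keysize=$(printf '%s\n' "$status" | status_field keysize)
    if [ "$cipher" = "$EXPECTED_CIPHER" ]; then
        echo "OK cipher=$cipher keysize=$keysize"
    else
        echo "MISMATCH cipher=${cipher:-unknown} expected=$EXPECTED_CIPHER"
        return 1
    fi
}

# Constructed, abridged sample output (mapping name and device are made up).
SAMPLE_STATUS='/dev/mapper/encr_sda2 is active and is in use.
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/sda2
  mode:    read/write'

printf '%s\n' "$SAMPLE_STATUS" | check_cipher

# On a live system (root required), using the FAQ's placeholder name:
#   cryptsetup status /dev/mapper/<encr_sdx> | check_cipher
```

A volume taken over from an existing LUKS installation (Q8) is not re-encrypted, so it reports the cipher it was originally created with and a MISMATCH there is expected.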

Installation & Uninstallation

Q8

What happens during installation if the machine is already encrypted with LUKS?

SDLinux supports installation on top of an existing LUKS-encrypted volume. It takes over key management from LUKS and migrates control to SES without re-encrypting data.

Any other form of custom dm-crypt encryption is not supported. If the installer detects an unrecognised encryption configuration, it will fail and roll back without making changes.

Q9

Why does Secure Boot need to be disabled during the initial SDLinux installation?

When Secure Boot is active on a Linux system, the kernel enforces a requirement that all kernel modules be signed with a trusted key. SDLinux kernel drivers are third-party modules that are not signed by either Red Hat or Ubuntu — neither distribution offers a third-party kernel module signing process as of this writing.

Technically, Machine Owner Keys (MOK) could be enrolled to allow the SDLinux driver, but this requires additional manual steps that would make installation significantly less straightforward.

The recommended approach is to disable Secure Boot temporarily before installation. Once encryption is complete, Secure Boot can be re-enabled.

Q10

How do you uninstall SDLinux?

Run the following command to uninstall:

/usr/local/WinMagic/secdoc.py uninstall -s

Note: Uninstall cannot begin if encryption is still in progress. SDLinux versions 8.5 and below do not support uninstall and decryption.

Q11

Can existing SDLinux clients be upgraded to the latest version?

Yes. In-place upgrades are supported from version 8.3 onwards. Clients running versions below 8.3 cannot be upgraded in-place and require a fresh install.

The upgrade process compares major, minor, and patch version digits only. It does not distinguish between builds of the same release, so upgrading between two builds of an identical release is not supported.

The following upgrade paths are examples of what is supported:

  • R8.3 to R8.3 SR1

  • R8.3 SR1 to R8.3 SR2

  • R8.3 SR1 to any Hot Fix for R8.3 SR1

Q12

What files and folders are added or modified when SDLinux is installed?

SDLinux creates and modifies the following locations on the Linux system:

  • /usr/local/WinMagic — main SDLinux installation folder

  • /etc/fstab

  • GRUB boot configuration files (location varies by distribution)

  • systemd service file: /lib/systemd/system/winmagic.service

  • Housekeeping script: /etc/profile.d/housekeeping.sh

  • WinMagic udev security rule: /etc/udev/rules.d/92-dm-secdoc.rules

  • sdservice dbus profile: /etc/dbus-1/system.d/org.winmagic.secdoc.conf

  • secdoc-cli: /usr/sbin

  • sdpasswd: /usr/bin

  • initrd generation scripts (varies by distro; on RHEL typically under /lib/dracut/modules.d/99wmagic)

  • Conversion driver: <current kernel>/kernel/drivers/SDLinuxDrv.ko
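
Several of these files are executed or sourced with root privilege (the systemd unit, the udev rule, the profile.d script, the dbus policy), so they are worth including in a host integrity baseline. The following is an added example, not WinMagic code: it checks the fixed-path items in the list for presence and for group or world write permission. The full paths /usr/sbin/secdoc-cli and /usr/bin/sdpasswd are assumptions built from the directories the list gives.

```bash
#!/bin/sh
# Added example (not WinMagic code): audit the fixed-path items from the
# Q12 list. The last two paths are assumed from the listed directories.
SD_PATHS="/usr/local/WinMagic
/etc/fstab
/lib/systemd/system/winmagic.service
/etc/profile.d/housekeeping.sh
/etc/udev/rules.d/92-dm-secdoc.rules
/etc/dbus-1/system.d/org.winmagic.secdoc.conf
/usr/sbin/secdoc-cli
/usr/bin/sdpasswd"

# audit_footprint [ROOT]: ROOT is a path prefix (empty for the live system,
# or a mounted image / test tree). Prints one verdict per path and returns 1
# if any path is missing or writable by group or other.
audit_footprint() {
    root=${1:-} findings=0
    for p in $SD_PATHS; do
        full="$root$p"
        if [ ! -e "$full" ]; then
            echo "MISSING  $p"; findings=1
        elif [ -n "$(find -L "$full" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "WRITABLE $p"; findings=1
        else
            echo "OK       $p"
        fi
    done
    return "$findings"
}

# Constructed demo tree: one listed file present but world-writable.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/etc/profile.d"
: > "$DEMO/etc/profile.d/housekeeping.sh"
chmod 666 "$DEMO/etc/profile.d/housekeeping.sh"
audit_footprint "$DEMO" || echo "findings present"

# On a live system:  audit_footprint
```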

Disk & Volume Management

Q13

Does SDLinux support adding disks or extending volumes after encryption?

Yes. After initial encryption, administrators can encrypt additional disks and newly extended volumes. Newly added disks are not encrypted automatically — some manual steps are required. Refer to the Encrypting Additional Disks section of the SecureDoc for Linux Deployment Guide for the full procedure.

Q14

How does SDLinux handle encryption of SWAP space?

SWAP space is always encrypted using thorough (sector-by-sector) mode, regardless of whether a fast encryption profile is configured for other volumes. This is because SDLinux cannot parse the SWAP filesystem structure to identify used sectors, so sector-by-sector encryption is the only option.

Thorough encryption of swap is also preferable from a security standpoint — swap content changes constantly and is harder to predict or reconstruct from an encrypted image.

Q15

Why can't SDLinux use SWAP space for SDspace when there is no free disk space?

When no free disk space is available during deployment, SDLinux checks for usable SWAP space to create the SDspace partition. SWAP can only be used for SDspace in the following configurations:

  • SWAP as a standalone standard partition

  • SWAP in a dedicated LVM volume group that contains no other volumes

If SWAP shares an LVM volume group with other partitions (such as root, home, or data volumes), SDLinux cannot use it for SDspace. The deployment will fail in this scenario.

Note: SWAP must be an actual disk partition. A swapfile (created with dd and mkswap) cannot be used for SDspace creation.

The part.log file inside the winmagic installation folder will indicate whether SDspace was successfully allocated from SWAP during the deployment.

Authentication & User Management

Q16

Does SDLinux support password sync and SSO?

Password sync is not supported by SDLinux.

SSO is supported on RHEL as of version 9.2SR1. Support for Ubuntu is under active development and not yet available.

Q17

Does SDLinux support Active Directory user logins?

Yes. Active Directory logins are supported provided the client machine is joined to Active Directory and the user has a home directory created on the system for that account.

Q18

How do you update or change the device owner's username on the SDLinux client and SES?

Before starting, ensure the following options are enabled in SES under Tools > Options > Key File Options:

  • When Key File is created for the device, automatically send it to the device

  • Automatically update Key File on device when user/device/group keys are modified

  • Automatically generate Key File when user is added to device

  • Enable password propagation

On the Client (Ubuntu)

  1. Log in with a different administrator account — not the primary owner of the device.

  2. Open a terminal and run:

sudo usermod -l <new_username> <old_username>

  3. On Ubuntu Desktop, also go to Settings > Details > Users, unlock the panel, select the primary owner's account, and update the display name. Log out and confirm the change on the OS login screen.

On SES

  1. Open the Users tab and double-click the account to be updated.

  2. Change the User ID field and click Save.

Syncing the Key File — Choose One Method

Method 1 — Manual communication:

  1. Log in to the updated owner account and open a terminal.

  2. Run:

sudo /usr/local/WinMagic/secdoc-cli.py -c

  3. On SES, right-click the device and select Show Command to confirm the new Key File was sent.

Method 2 — Trigger via preboot authentication (requires Enable machine to communicate with SDConnex at preboot to be active in the profile):

  1. Reboot the client machine.

  2. At preboot, wait for the green network icon and confirmed SES connection.

  3. Enter the new username in the Key File field with the correct password and press Enter.

  4. Authentication proceeds via PBConnex. Confirm on SES via Show Command if needed.

Features & Capabilities

Q19

Does SDLinux support removable media encryption?

No. SDLinux does not support removable media encryption.

Q20

Does SDLinux have a GUI interface like SecureDoc Control Center?

No. SDLinux has no graphical interface. All interaction is performed through the command line. There is no equivalent to SecureDoc Control Center.

Q21

What is the difference between SDLinux CloudVM and Endpoint packages?

CloudVM and Endpoint use different license SKUs and differ in one feature — WiFi support, which is available in Endpoint only. All other features are identical across both packages:

| SDLinux Feature | CloudVM | Endpoint |
|---|---|---|
| Automatic download/installation of missing kernel drivers | Yes | Yes |
| Automatic download/installation of libraries and software requirements | Yes | Yes |
| SESWeb Policy Engine (recommended for server/cloud environments) | Yes | Yes |
| Device Provisioning and Owner Identification Rules | Yes | Yes |
| Linux Data Recovery creation | Yes | Yes |
| Cryptoerase | Yes | Yes |
| Uninstall / Decryption | Yes | Yes |
| WiFi Support | No | Yes |

Q22

What does SDLinux offer that native LUKS (with dm-crypt) does not?

Native LUKS provides basic disk encryption but lacks centralized management, compliance reporting, and enterprise authentication features. The table below compares the two solutions:

| Feature | Native LUKS (dm-crypt) | SecureDoc for Linux |
|---|---|---|
| Centralized compliance view & reporting | No | Yes |
| Centralized password & key management | No | Yes |
| Manual passphrase authentication | Yes | Yes |
| Secure Network Unlock (auto boot) | No (RHEL/TANG primitive only) | Yes — PBConnex auto-boot |
| Enterprise policy-based key management | No (DIY) | Yes — policy-enforced unlock |
| Active Directory authentication | No | Yes — via PBConnex to AD |
| Offline conversion (encrypt existing volume) | No | Yes |
| Online conversion (encrypt existing volume) | No | Yes |
| Fast conversion (encrypt used space only) | No | Yes |
| Multiple-volume encryption | Yes — unique DEK | Yes — unique DEK |
| Multiple-volume unlock | Manual passphrase per volume | Automated unlock of all volumes |
| Root volume protection | Yes — convoluted | Yes — straightforward |
| Recovery from corrupted header | No — all data lost | Yes — recoverable via SES |
| Max users | 8 (with Luksmeta) | 40 (default) |
| Remote crypto-erase of compromised device | No | Yes |

Full discussion of this comparison is also available at: https://www.winmagic.com/blog/linux-servers-and-encryption/

Q23

Does SDLinux support Sleep and Hibernation on Ubuntu Desktop?

Yes. The table below summarises support across functions and encryption states:

| Function | During Encryption | After Encryption |
|---|---|---|
| Suspend / Sleep | Supported | Supported |
| Hibernate | Supported | Supported (requires GRUB parameter — see below) |
| Suspend-Hybrid | Supported | Supported (requires GRUB parameter — see below) |

Hibernate and Suspend-Hybrid after encryption require an additional GRUB parameter. Add the appropriate line to /etc/default/grub and run update-grub afterward:

Ubuntu 18.04 and earlier:

GRUB_CMDLINE_LINUX="resume=swap_uuid"

Ubuntu 20.04 and later:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash resume=UUID=<YOUR_SWAP_UUID>"

sudo update-grub
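
The Ubuntu 20.04 and later edit can be made repeatable. The following is an added example, not WinMagic code: it sets resume=UUID=... in the GRUB_CMDLINE_LINUX_DEFAULT line, replacing any stale resume entry and leaving other parameters in place. The sample file contents and UUIDs are constructed, and the swap device is left as a placeholder.

```bash
#!/bin/sh
# Added example (not WinMagic code): set resume=UUID=... in the
# GRUB_CMDLINE_LINUX_DEFAULT line (the Ubuntu 20.04+ form shown in Q23).

# set_resume_param FILE UUID: print FILE with the resume parameter set.
# FILE itself is not modified, so the result can be reviewed first.
set_resume_param() {
    file=$1 uuid=$2 var=GRUB_CMDLINE_LINUX_DEFAULT
    # Accept only UUID characters so the value cannot alter the sed script.
    case $uuid in
        ""|*[!0-9a-fA-F-]*) echo "invalid UUID: $uuid" >&2; return 2 ;;
    esac
    grep -q "^$var=\"" "$file" || { echo "$var not found" >&2; return 1; }
    # 1) drop any existing resume= token, 2) append the new one before the
    # closing quote, 3) tidy the leading space left when the value was empty.
    sed "/^$var=\"/ {
        s/ *resume=[^ \"]*//g
        s/\"[[:space:]]*\$/ resume=UUID=$uuid\"/
        s/=\" /=\"/
    }" "$file"
}

# Constructed sample of /etc/default/grub with a stale resume entry.
SAMPLE_GRUB=$(mktemp)
cat > "$SAMPLE_GRUB" <<'EOF'
GRUB_DEFAULT=0
GRUB_CMDLINE_LINUX_DEFAULT="quiet resume=UUID=00000000-0000-0000-0000-000000000000 splash"
GRUB_CMDLINE_LINUX=""
EOF
SAMPLE_UUID="1b2c3d4e-1111-2222-3333-444455556666"   # constructed value
set_resume_param "$SAMPLE_GRUB" "$SAMPLE_UUID"

# Live use: review the diff before replacing the file, then run update-grub.
#   uuid=$(blkid -s UUID -o value <swap device>)
#   set_resume_param /etc/default/grub "$uuid" > grub.new
#   diff /etc/default/grub grub.new
```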

Q24

What OS versions support secure resume from Hibernation?

The table below lists OS versions and the level of hibernate/resume support available, along with the minimum SDLinux version required:

| OS Version | Hibernate/Resume (Full Enc.) | Hibernate/Resume (Boot Only) | SSO After Resume | Min. SDLinux |
|---|---|---|---|---|
| Ubuntu 20.04 | Supported | Supported | Supported | 9.2SR1+ |
| Ubuntu 22.04 | Supported | Supported | Supported | 9.2SR1+ |
| Ubuntu 24.04 | Supported | Supported | Supported | 9.2SR1+ |
| RHEL 8.10 | Supported | Not Supported* | Not Supported* | 9.2SR1+ |
| RHEL 9.6 | Supported | Not Supported* | Not Supported* | 9.2SR1+ |

Note: Hibernate and resume from swap are not supported on RHEL boot-disk-only or SSO-after-resume scenarios due to the ordering of dracut hooks at early boot. In boot-disk-only encryption on RHEL, the swap partition is unencrypted, so resume proceeds without SDLinux involvement.

Q25

When upgrading Ubuntu with SDLinux installed, the upgrade prompts to 'Configure grub-pc' — what should I choose?

Select the default option: keep the local version currently installed.

SDLinux modifies /etc/default/grub and files under /etc/grub.d/ during installation to support preboot authentication. If these customisations are overwritten by the Ubuntu upgrade, preboot will not function correctly. Always preserve the locally installed GRUB configuration.

Q26

Is SDLinux FIPS compliant?

SDLinux supports deployment on Linux clients with FIPS mode enabled. The encryption implementation uses cryptsetup libraries and SHA-2 key derivation, both of which are FIPS-compliant algorithms.

Supported OS configurations for FIPS deployment are listed on the WinMagic System Requirements page under the SecureDoc for Linux section.

Note: FIPS mode must be active before and throughout the SDLinux deployment. Disabling FIPS to install SDLinux and then re-enabling it will cause the system to fail to boot or drop to a preboot prompt.

Security

Q27

How secure are the kernel drivers downloaded from AWS S3?

WinMagic's AWS S3 storage is configured with read-only public access. Access is further restricted to individual driver files — a requester must know the exact download URL to access any file, and directory listing is not enabled.

In addition, the SDLinux client installer performs two verification checks on every downloaded driver before use:

  • Validates the WinMagic digital signature on the driver

  • Verifies the MD5 checksum that accompanies the driver file

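If either check fails, the driver is rejected and installation is halted. Of the two checks, the digital signature is the one that establishes authenticity: MD5 is not collision-resistant, so the checksum should be read as a guard against a corrupted download rather than against tampering.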

Support & Logging

Q28

How can I collect support logs when an issue occurs?

If the issue occurred during installation (SDLinux not yet installed):

  1. Navigate to the SDLinux installation package and open the winmagic folder (wmsd for versions prior to 8.3).

  2. Locate the log_collect.sh script.

  3. Run the script as root:

sudo ./log_collect.sh

If SDLinux is already installed on the system:

  1. Navigate to the installation directory:

cd /usr/local/WinMagic

  2. Run the log collection script:

sudo ./log_collect.sh

The generated archive follows this naming format:

<ComputerName>_SDLinuxlog_<date/time_stamp>.tar.gz

Note: Always run log_collect.sh from /usr/local/WinMagic/ when SDLinux is installed, not from the original installation package directory.

Q29

What is WinMagic's SLA for supporting new OS and kernel versions?

WinMagic's current commitment is:

| Update Type | Target Timeframe |
|---|---|
| Minor kernel updates (on request) | One to two weeks (unless unexpected complications arise) |
| Major kernel updates | Three to six months (may be shortened with advance customer notice) |

WinMagic Technical Solutions · Internal Reference SD-SDLINUX-FAQ
