Hard disk unlocked by BIOS

I have learned that Balena does not support a “secure boot + disk encryption” solution (see Intel NUC and TPM), which is a large frustration for me at the moment.

I wonder if I could get some disk data protection by a so-called hard disk lock. I believe hard disk locks are quite common when it comes to laptops, not involving any encryption but simply using a built-in disk feature that makes the disk unusable without the proper password.

  1. Does anyone know of any Intel NUC solutions where I can lock the disk from the BIOS, so the BIOS unlocks the hard disk at boot without any human intervention?
  2. If such a solution exists, can I assume the Balena platform will work just fine with it?

As I understand it, all the NUCs support hard drive passwords (https://www.intel.com/content/www/us/en/support/articles/000007965/intel-nuc.html#:~:text=). However, the password needs to be entered at each boot to unlock the drive and continue booting, so unfortunately that is not “without any human intervention.” Another potential issue is that once unlocked, the drive is again vulnerable to unauthorized access. Once unlocked, though, it should be no problem to run balenaOS on such a device, but I would encourage you to test that first on the particular model you’re considering before any deployment.

I was hoping that there were solutions where the password would be handled by the BIOS, so I could lock the hard disk with the password and then lock the BIOS from unauthorized access. But if the password needs to be entered at each boot then it’s no solution at all.