
A lot of SSDs now implement OPAL-compliant AES hardware encryption, which seems to be the only option to get full-disk encryption on modern PCs without buying the (very expensive) Windows 10 Pro edition.

I enabled this encryption with a HDD password in the UEFI, but from what I've read, a BIOS- or UEFI-based HDD password can be unreliable (and you have no way to know whether your model implements it correctly until you get hacked).

I searched on how to enable OPAL encryption, but this information seems to be nonexistent. Every webpage talking about OPAL says that it's activated by software, but no one seems to know which software.

I tried the vendor's SSD managing software (Samsung Magician), but it only says that I need "specialized software". It seems that Microsoft BitLocker can use this, but as I said, this is only in Windows Pro and the price is incredibly high.

Is there any Windows software capable of activating OPAL hardware encryption?

Hey
    This thread may help http://arstechnica.com/civis/viewtopic.php?f=11&t=1282525 – Neil Smithline Jun 05 '16 at 16:54
  • Unfortunately, this thread only suggests using BitLocker or software encryption like VeraCrypt (which, even if I wanted to, I couldn't use because it doesn't support UEFI). – Hey Jun 05 '16 at 17:57

1 Answer


You ought to be able to find something useful here (binaries and source included by r0m30 on github also).

Up until recently, configuring these TCG Opal drives was only possible under Windows, or under Linux with a commercial solution that was not available to mere end-users. Fortunately, a programmer named r0m30 stepped up to the challenge and has developed an open source utility called msed and an accompanying pre-boot authorization (PBA) image with which the super fast encryption function on these drives can be fully configured and used also in pure Linux systems.

The "pure Linux" system shouldn't be a problem - the PBA is OS agnostic, it should simply boot whatever is in the active partition once it is unlocked. The OS and the drive will "see" an unencrypted drive without even being aware that the hardware is actually doing decryption on the fly, unless they issue the appropriate API status calls.

Keep in mind that very likely you'll need to reformat the SSD altogether, since this solution is for booting off an encrypted device and requiring it to boot from a small non-encrypted shadow "partition" for password acquisition purposes.

So you probably will need to:

  • backup your data
  • disable OPAL in the UEFI
  • format disk and install the shadow MBR with OPAL encryption
  • enable OPAL from shadow MBR and insert a new password
  • restore your data (the disk might be slightly smaller).

I'm not sure on the "slightly smaller" thing, but it seems safest to use some backup strategy that does not rely on the disk's exact geometry (i.e., no dd-imaging), just in case.

LSerni
  • Would this work with external drives as well? – TJJ Oct 01 '19 at 14:04
  • Don't see why not, provided the computer has support for booting off an external drive. Of course I'm also assuming that the OPAL drive "shadow" partition has, also, external drive (USB) support. Try looking into the available documentation... – LSerni Oct 01 '19 at 14:10
  • I meant like a storage drive, not system drive. – TJJ Oct 02 '19 at 00:26
  • You can use it fine with external drives, however, (unless you want to boot off of them) in this case you will want to unlock them via the appropriate sedutil-cli commands rather than the PBA (there are Windows and Linux versions of sedutil-cli). Running Windows off a SED encrypted drive unlocked via the PBA works fine, however, be aware that your system will not be able to resume from sleep. – ternaryOperator May 30 '20 at 18:57
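The five-step procedure in the answer, and the "unlock a data drive from the OS instead of the PBA" case from the last comment, scripted with sedutil-cli (the current name of r0m30's msed). This is an added example, not code from the answer, the commenters or the sedutil project. It assumes that the device path (`DEV`), the PBA image path (`PBA_IMG`) and the setup password (`OPAL_PW`) come from the environment, and it defaults to `DRY_RUN=1`, which only prints the sedutil-cli commands so the whole sequence can be reviewed against a drive's `--query` output before anything is written to it. Steps 1 and 2 (backup, clearing the UEFI/ATA HDD password) stay manual; sedutil cannot take ownership while an ATA security password is set.

```shell
#!/bin/sh
# Added example (not from the answer or from msed/sedutil): the TCG Opal
# provisioning sequence above as sedutil-cli calls.
# Assumptions: DEV, PBA_IMG and OPAL_PW are supplied via the environment;
# DRY_RUN=1 (default) prints each command instead of executing it.
set -eu

DEV="${DEV:-/dev/sda}"                       # target Opal drive (constructed default)
PBA_IMG="${PBA_IMG:-/path/to/pba.img}"       # placeholder: the PBA image that ships with sedutil
OPAL_PW="${OPAL_PW:-CHANGEME-placeholder}"   # placeholder setup password for the dry run
DRY_RUN="${DRY_RUN:-1}"

# Print (dry run) or execute one sedutil-cli invocation.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'sedutil-cli %s\n' "$*"
    else
        sedutil-cli "$@"
    fi
}

# SATA drives are reached through libata, which only passes the TCG commands
# through when the kernel was booted with libata.allow_tpm=1. NVMe drives do
# not use libata. Returns 0 when the check passes or does not apply.
check_allow_tpm() {
    dev="$1"
    param=/sys/module/libata/parameters/allow_tpm
    case "$dev" in /dev/nvme*) return 0 ;; esac
    [ -r "$param" ] || return 0      # libata not loaded: nothing to check
    [ "$(cat "$param")" = "1" ]
}

# Status at any point: shows Locked, LockingEnabled, MBREnabled and MBRDone.
query() {
    run --query "$DEV"
}

# Steps 3 and 4: take ownership, lock the global range, and install the PBA
# in the shadow MBR so the drive presents it at boot until the PBA unlocks
# the real disk and reports MBRDone.
provision() {
    pw="$1"
    run --initialsetup "$pw" "$DEV"              # set SID/Admin1 to pw, activate the Locking SP, enable MBR shadowing
    run --enablelockingrange 0 "$pw" "$DEV"      # global range now re-locks on every power cycle
    run --setlockingrange 0 lk "$pw" "$DEV"      # lock it immediately
    run --setmbrdone off "$pw" "$DEV"            # boot sees the shadow MBR, not the real partition table
    run --loadpbaimage "$pw" "$PBA_IMG" "$DEV"   # write the PBA image into the shadow MBR area
}

# "insert a new password": sedutil keeps separate SID and Admin1 credentials,
# so both are changed once the PBA has been verified to boot and unlock.
set_real_password() {
    old="$1"; new="$2"
    run --setsidpassword "$old" "$new" "$DEV"
    run --setadmin1pwd "$old" "$new" "$DEV"
}

# Locked *data* drive (the case in the last comment): unlock the range from
# the running OS and mark the MBR done so the real partition table appears.
# No PBA is involved; afterwards re-read the partition table (partprobe).
unlock_data_drive() {
    pw="$1"; dev="$2"
    run --setlockingrange 0 rw "$pw" "$dev"
    run --setmbrdone on "$pw" "$dev"
}

main() {
    if [ "$DRY_RUN" != "1" ]; then
        check_allow_tpm "$DEV" || {
            echo "libata.allow_tpm=1 is not set on the kernel command line" >&2
            return 1
        }
    fi
    query
    provision "$OPAL_PW"
}

main
```

Run it once with the default `DRY_RUN=1` to see the exact commands for your `DEV`, then with `DRY_RUN=0` on the empty, backed-up drive; reboot into the PBA, confirm it unlocks and chains to the installed OS, and only then call `set_real_password` with the setup password and the real one (both land in shell history when passed on the command line, so prefer exporting them from a `read -rs` prompt). The shadow MBR is an Opal-managed area separate from the user-visible LBA range, so the usable capacity does not change, but a geometry-independent backup is still the safe choice because step 3 rewrites the disk.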