  • Posts: 42
  • Registered: ‎03-23-2018
  • Location: United Kingdom of Great Britain and Northern Ireland
  • Views: 517
  • Message 21 of 47

Re: Am I understanding OPAL SED correctly?

2018-09-24, 12:31 PM

What about using SED Utils from https://github.com/Drive-Trust-Alliance/sedutil to do a PSID Revert to reset the DEK? 

  • Posts: 218
  • Registered: ‎04-24-2018
  • Location: United Kingdom of Great Britain and Northern Ireland
  • Views: 2087
  • Message 22 of 47

Re: Am I understanding OPAL SED correctly?

2018-09-24, 12:39 PM

 wrote:

If you don't know the HDD password, the disk is trash.  There is no recovery.  You can access BIOS or boot from another device after you remove the drive.


Not strictly true; with proper equipment one can read the encrypted data out and crack it using brute force, etc. :)

Lenovo ThinkPad X1 Carbon (6th Gen), ASUS PG27UQ Quantum Dot UHD 4K HDR 144 Hz Monitor
  • Posts: 7119
  • Registered: ‎10-29-2009
  • Location: United States of America
  • Views: 167650
  • Message 23 of 47

Re: Am I understanding OPAL SED correctly?

2018-09-24, 13:22 PM

 wrote:

What about using SED Utils from https://github.com/Drive-Trust-Alliance/sedutil to do a PSID Revert to reset the DEK? 


PSID revert uses OPAL security to reset the drive. When you set an HDD password, OPAL security is disabled and ATA security is enabled. There is no way to disable the ATA security until you remove the HDD password, which requires knowing what the HDD password is.

 

So you can't PSID-revert a drive that has an unknown HDD password.

  • Posts: 42
  • Registered: ‎03-23-2018
  • Location: United Kingdom of Great Britain and Northern Ireland
  • Views: 517
  • Message 24 of 47

Re: Am I understanding OPAL SED correctly?

2018-09-24, 13:26 PM

I thought setting an HDD password in a ThinkPad BIOS is what locked the OPAL DEK behind the ATA password? 

 

So how does one set an OPAL password and not an HDD password?

  • Posts: 7119
  • Registered: ‎10-29-2009
  • Location: United States of America
  • Views: 167650
  • Message 25 of 47

Re: Am I understanding OPAL SED correctly?

2018-09-24, 13:39 PM

It is the DEK, but it's the same DEK whether you use OPAL or ATA.  The only difference is how the DEK is protected.  ATA and OPAL are mutually exclusive, so you can only use 1 of these security mechanisms at a time.  If you want to use OPAL, it requires management software such as WinMagic SecureDoc or open-source such as sedutil.

  • Posts: 7
  • Registered: ‎09-22-2018
  • Location: United States of America
  • Views: 161
  • Message 26 of 47

Re: Am I understanding OPAL SED correctly?

2018-09-27, 10:40 AM

You can use sedutil. When you enable OPAL encryption using sedutil, it enables the shadow MBR (pre-boot authentication). On startup from a full power-off state, the drive is locked and only the shadow MBR is visible. The machine boots the pre-boot authentication, which prompts you for the password. The pre-boot authentication's job is just to unlock the drive and reboot your machine. When the machine reboots, the drive is unlocked and the real partitions appear, and the machine boots your OS normally. The drive locks again when it loses power, as when a full shutdown happens.

 

Note: sedutil only supports OPAL 2, as stated on their wiki

 

https://github.com/Drive-Trust-Alliance/sedutil/wiki/Encrypting-your-drive
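
The drive states described in the post above can be checked from the host. This added example (not part of the original thread and not sedutil's own code) parses the Locking feature flags from `sedutil-cli --query` output; the sample text is constructed, and the function names and state labels are hypothetical.

```python
import re

# Constructed samples, modelled on the "Locking function" lines that
# `sedutil-cli --query <device>` prints; not captured from a real drive.
COLD_BOOT = """\
Locking function (0x0002)
    Locked = Y, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = Y, MediaEncrypt = Y
"""
AFTER_PBA = """\
Locking function (0x0002)
    Locked = N, LockingEnabled = Y, LockingSupported = Y, MBRDone = Y, MBREnabled = Y, MediaEncrypt = Y
"""
FACTORY = """\
Locking function (0x0002)
    Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
"""

def locking_flags(query_output):
    """Return the Y/N flags of the Locking feature as a dict of booleans."""
    flags, in_locking = {}, False
    for line in query_output.splitlines():
        if not line.startswith((" ", "\t")):      # unindented: a feature header
            in_locking = line.startswith("Locking function")
        elif in_locking:
            for name, val in re.findall(r"(\w+)\s*=\s*([YN])\b", line):
                flags[name] = (val == "Y")
    return flags

def describe(query_output):
    """Map the flags onto the boot stages described in the post above."""
    f = locking_flags(query_output)
    if not f.get("LockingSupported"):
        return "no-opal-locking"
    if not f.get("LockingEnabled"):
        return "locking-not-enabled"      # data readable without a password
    if f.get("Locked"):
        # The host sees the shadow MBR only while it is enabled and not "done".
        shadow = f.get("MBREnabled") and not f.get("MBRDone")
        return "locked-shadow-mbr-visible" if shadow else "locked"
    return "unlocked-until-power-loss"

if __name__ == "__main__":
    for label, text in (("cold boot", COLD_BOOT), ("after PBA", AFTER_PBA),
                        ("factory", FACTORY)):
        print(label, "->", describe(text))
```
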

  • Posts: 92
  • Registered: ‎07-30-2015
  • Location: United States of America
  • Views: 907
  • Message 27 of 47

Re: Am I understanding OPAL SED correctly?

2018-09-27, 22:29 PM

Some good info in this thread

 

Will the Opal disk on a Yoga X1 G3 lock after sleep? Hibernate? Currently I have systems configured with BitLocker and advise folks to use Hibernate instead of sleep so their disk is locked and they are prompted for a PIN upon power on.

 

Also, how will I pick Opal versus ATA? Is the option evident in the BIOS? Is one better than the other?

 

Thanks!

  • Posts: 7
  • Registered: ‎09-22-2018
  • Location: United States of America
  • Views: 161
  • Message 28 of 47

Re: Am I understanding OPAL SED correctly?

2018-09-27, 22:43 PM

An OPAL drive locks itself when you cut the power. Sleep, Hibernate, and Power off will all cause the drive to lock. Restart, on the other hand, doesn't cause the drive to lock because the machine doesn't cut the power from the drive.

 

The problem with ATA is that when you lose the password, there's no way to use the drive ever again. OPAL is different: when you lose the password, you can factory reset the drive using the 32-character PSID, which is printed on the drive label. The reset will wipe all data and generate a new encryption key.

 

Sleep is not supported when you use sedutil, as the drive will relock itself and the machine won't be able to resume.

 

Thanks,

  • Posts: 42
  • Registered: ‎03-23-2018
  • Location: United Kingdom of Great Britain and Northern Ireland
  • Views: 517
  • Message 29 of 47

Re: Am I understanding OPAL SED correctly?

2018-09-27, 22:45 PM

Just to clarify asahaf's comment: there are two kinds of "sleep", S3 and S0i3. S3 will indeed cause an OPAL drive to lock, as the drive is shut down; however, S0i3, aka Modern Standby on Windows 10, will not lock the drive.

  • Posts: 7
  • Registered: ‎09-22-2018
  • Location: United States of America
  • Views: 161
  • Message 30 of 47

Re: Am I understanding OPAL SED correctly?

2018-09-27, 22:49 PM

Interesting. Is it possible to do modern standby, S0i3, on Linux? I'm a Linux user.
