How do I setup a self-encrypting Opal 2.0 SSD?

I have a fresh install of Ubuntu 18.04.1 on a Lenovo ThinkPad L480 with an Opal 2.0 compatible NVMe SSD inside. As far as I understand, the drive is always encrypted, but I need to set a password so that the encrytion key itself is also protected.

Questions:

  1. Is my assumption about the encryption correct?
  2. If so, how can I set that password?

Solution 1:

The Lenovo ThinkPad L480 with an Opal supported SSD uses a Samsung "MZ-V6E500BW SSD 960 EVO NVMe M.2 500GB", 256GB, or an Intel "180GB Solid State Drive SATA3.2" OPAL2.0 M.2 drive depending on chosen options. Apparently the Intel SSDs have some management capabilities related to vPro that the non-Intel drives don't, such as remote wiping and the ability to enable/disable certain encryption modes.

It also seems that sometimes other drives, such as the Seagate 1200 Pro SSD, are used; so it's important when using Windows to know which drive is being used so you can visit the manufacturer's website.

Once you install a custom operating system you need to use the tools available for that OS. The two main ones for Linux are hdparm and sedutil, see my answer on UNIX and Linux Stack Exchange.

Additional information:

Samsung SSDs have software available to setup their operation, this only works for certain SSDs and operating systems, otherwise the default is no password and encryption is enabled.

For "Ubuntu 12.04 LTS and later" (source: user manual, DC Toolkit .PDF, page 10) the Samsung SSD DC Toolkit is designed to work with Samsung SSD products including PM863, PM863a, SM863, SM863a, PM963 non-customized, 860 DCT, 883 DCT, 983 DCT, 983 DCT M.2, and 983 ZET.

This software is not compatible with other manufacturers' SSDs, nor is it certain to work with other Samsung SSDs. It also has limited support for Windows Server 2012 R2, Widows Server 2016 RS1 (Version 10.0.14393), RHEL 5.7 up to 6.4 (6.4 and later has full support), and CentOS.

For Windows and Samsung SSDs the software used is called: "Samsung SSD Magician DC 2.0". Using a bootable USB drive with Windows and Samsung's Windows software is another, albeit inconvenient, option for setting up your SSD for use with another operating system.

The user manual for the Enterprise edition of the Magician software claims to only support Samsung SSD SM863 and PM863. The consumer version claims the Magician SSD management utility is designed to work with all Samsung SSD products including 470 Series, 750 Series, 830 Series, 840 Series, 850 Series, 860 Series, 950 Series, 960 Series and 970 Series.

In your circumstances you are probably best off using hdparm or getting sedutil setup.

Don't forget to set your screensaver to a short time and hibernation should also be brief if you want the encrypted drive to remain secure, see my other answer linked to above, a powered on encrypted drive is unlocked once it's successfully booted

A helpful article for Arch Linux explains ATA BIOS Passwords and sedutil with drives supporting Opal under Linux, it explains the need to set libata.allow_tpm. See also the Stack Overflow Q&A: "ATA Trusted commands - How to set libata allow_tpm" and especially Dell's article: "Encrypting Your Ubuntu Operating System Using a SED Hard Drive" where they explain a lengthy procedure (last modified: 01/02/2019 01:05 PM).

Solution 2:

Opal 2-compliant Self-Encrypting Disk Drives (SED)

The OP's initial understanding is correct:

  • An Opal 2 drive's contents are always encrypted via a factory-set media encryption key (MEK, also known as DEK).
  • Initially, the media encryption key is unprotected (otherwise you could not access the drive).
  • A password must be set to protect the drive. (The password actually encrypts the MEK.)

To correct and/or amend other postings on this topic:

  • There is no protection at all until an Opal 2 drive has been set up and a password has been set.
  • Opal 2 drives do not work with ATA passwords. They use their own pre-boot system (PBA) for unlocking (see below).
  • Vulnerabilities were found in some early SSD models (e.g. Crucial MX100/MX200/MX300, Samsung EVO 840/850, Samsung T3/T5), so these models should not be used with Opal 2 hardware encryption.

Low-Level Requirements for Setting up an Opal 2 Drive on Linux

Before using an Opal 2 SSD for secure full-disk encryption, it has to be set up:

  • A new media encryption key (MEK) should be assigned to be safe. (The factory-set MEK might be vulnerable, such as being dependent on the serial number.)
  • A password must be assigned.
  • Encryption ranges must be specified.
  • Special boot code, a PBA (a pre-boot authentication system), must be provided to unlock the drive.

On Linux distributions, a low-level utility (sedutil-cli) is available to provision and administrate Opal 2 drives. However, it is rather difficult to use directly. The PBA's provided along with sedutil-cli do not support international keyboard layouts or Secure Boot.

How To Set Up Opal 2 Drives on Ubuntu (and other Linux systems)

Relax and Recover (ReaR), a disaster recovery tool included in the repositories of many distributions, can create a bootable USB stick for setting up Opal 2 drives. It supports international keyboards, Secure Boot, booting via BIOS and UEFI, and a graphical screen for password entry on Ubuntu.

ReaR can be installed from the package repository (apt install rear) or in a user directory by downloading it from GitHub. (The GitHub version is more current.) The ReaR User Guide contains a section "Quick Start: Setting up Self-Encrypting Disks" explaining the process in 5 steps.