
Encrypting your drive

OliverO2 edited this page Jul 24, 2017 · 18 revisions

Warning

See the Remove OPAL page for instructions on returning the drive to a non-OPAL-managed state. If you only want to turn off locking and the PBA, see the steps at the end of this page.

Preparation

Obtaining sedutil Binaries

Currently you have to build this version of sedutil on Linux. See building sedutil.

In the sedutil/dist directory you will find the host management program sedutil-cli.

In the sedutil/dist/images directory you will find bootable disk images for pre-boot authentication (PBA) and a Rescue image:

  • The Release PBA image is designed to be uploaded to your boot drive's shadow MBR (but can also be flashed to a USB stick for testing). It asks for an unlocking password at boot time, unlocks every OPAL drive that accepts that password, and then reboots into the regular operating system.

  • The Debug PBA image can be flashed to a USB stick for testing. It works similarly to the Release image, but displays some progress information and waits until the RETURN key is pressed (several times). Finally, it will offer a root login (no password required).

  • The Rescue image can be flashed to a USB stick for testing and recovery. After booting, it drops into a root shell where sedutil-cli as well as PBA images are available.

Configuring the Linux Kernel for ATA Trusted Commands (TPM commands)

To use sedutil-cli on a SATA drive, the Linux kernel must be configured to pass ATA trusted commands (TRUSTED SEND/RECEIVE) through to the device; by default libata rejects them. NVMe drives are not handled by libata and do not need this setting. On Ubuntu 16.04 LTS:

  1. Add libata.allow_tpm=1 to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
  2. Run update-grub
  3. Reboot.
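The following script, added here as an example and not part of sedutil or of this wiki, automates the check and the edit described above: it reports whether the running kernel already accepts ATA trusted commands (via the libata `allow_tpm` module parameter in sysfs, falling back to the kernel command line) and appends `libata.allow_tpm=1` to `GRUB_CMDLINE_LINUX_DEFAULT` without duplicating it. The sample `/etc/default/grub` line is constructed; running `update-grub` and rebooting are still left to you.

```shell
#!/bin/sh
# Example helper (not part of sedutil): make sure the kernel will pass ATA
# trusted commands to the drive by putting libata.allow_tpm=1 on the kernel
# command line via /etc/default/grub.

# has_allow_tpm CMDLINE: exit 0 if the given kernel command line already
# contains the exact token libata.allow_tpm=1, exit 1 otherwise.
has_allow_tpm() {
    case " $1 " in
        *" libata.allow_tpm=1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# add_allow_tpm LINE: given the GRUB_CMDLINE_LINUX_DEFAULT="..." line from
# /etc/default/grub, print it with libata.allow_tpm=1 added inside the
# quotes. Idempotent: a line that already carries the token is printed as-is.
add_allow_tpm() {
    grub_line=$1
    grub_value=${grub_line#GRUB_CMDLINE_LINUX_DEFAULT=}
    grub_value=${grub_value#\"}
    grub_value=${grub_value%\"}
    if has_allow_tpm "$grub_value"; then
        printf '%s\n' "$grub_line"
    elif [ -z "$grub_value" ]; then
        printf 'GRUB_CMDLINE_LINUX_DEFAULT="libata.allow_tpm=1"\n'
    else
        printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s libata.allow_tpm=1"\n' "$grub_value"
    fi
}

# patch_grub_file FILE: rewrite FILE in place, fixing only the
# GRUB_CMDLINE_LINUX_DEFAULT line. Needs write access (root for /etc/default/grub).
patch_grub_file() {
    grub_tmp=$(mktemp) || return 1
    while IFS= read -r l || [ -n "$l" ]; do
        case "$l" in
            GRUB_CMDLINE_LINUX_DEFAULT=*) add_allow_tpm "$l" ;;
            *) printf '%s\n' "$l" ;;
        esac
    done < "$1" > "$grub_tmp" && cat "$grub_tmp" > "$1"
    rm -f "$grub_tmp"
}

# check_running_kernel: print 1 if the running kernel accepts ATA trusted
# commands, 0 otherwise. The sysfs node is authoritative; /proc/cmdline is
# only a fallback for kernels where the node is not readable.
check_running_kernel() {
    if [ -r /sys/module/libata/parameters/allow_tpm ]; then
        cat /sys/module/libata/parameters/allow_tpm
    elif has_allow_tpm "$(cat /proc/cmdline 2>/dev/null)"; then
        echo 1
    else
        echo 0
    fi
}

# Constructed sample: what the line looks like on a stock Ubuntu 16.04 install.
SAMPLE_GRUB_LINE='GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"'

# Typical use on the target machine (as root):
#   patch_grub_file /etc/default/grub && update-grub && reboot
# After the reboot, check_running_kernel should print 1.
```

`check_running_kernel` is the test to run before touching a drive: if it prints 0, sedutil-cli will fail on SATA drives no matter what else is configured.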

System Setup (BIOS Settings)

  • The PBA UEFI images require that Secure Boot be turned off.

  • The Rescue image boots via BIOS (not UEFI), so make sure the Compatibility Support Module (CSM) is enabled in BIOS settings.

Testing (optional, but recommended)

Test the PBA on your machine

Prepare and test the rescue image

Setting Up The Drive

Determine the drive device file:

sedutil-cli --scan lists the drives it can find and reports whether each one supports OPAL. The device file is:

  • on Windows, \\.\PhysicalDrive?, such as \\.\PhysicalDrive1; the number depends on how many storage devices are in your system.
  • on Linux and on the sedutil Rescue image, something like /dev/sd? or /dev/nvme?, often /dev/sda or /dev/nvme0n1, but this can differ as well, just as on Windows.

Set up the Drive:

Choose a password and remember it: the same password is used in all of the subsequent steps, and you will need it at every boot to unlock your data.

sedutil-cli --initialsetup <password> <drive>

If the drive is a boot drive, load the PBA image into its shadow MBR and enable the shadow MBR; without this the OS cannot boot once locking is on:

sedutil-cli --loadPBAimage <password> <pbafilename>  <drive>
sedutil-cli --setMBREnable on <password> <drive>

Enable locking:

sedutil-cli --enableLockingRange 0 <password> <drive>

The drive stays unlocked until it loses power. Power the computer off to lock it, then power it back on: the PBA should now prompt for the password before the operating system loads.

Additional Information

UEFI boot configuration (needed for UEFI systems)

On UEFI systems the boot configuration may need to be updated for the PBA to load correctly. The symptom is that the PBA fails to boot and the user lands in a bootloader menu instead of being asked for the drive password, as happened when the PBA was tested from a USB stick.

To fix this, add a new UEFI boot option while the drive is locked, which can be done from the system setup menu (most people still call this the BIOS). This option must be the first UEFI boot option, and you should keep the existing UEFI boot option that loads the OS from the drive once it is unlocked.

If everything is set up correctly, the PBA asks for your password, unlocks the drive and reboots the computer; UEFI then loads the OS installed on the drive using the second boot option, because the PBA is no longer visible on the unlocked drive and its boot option silently falls through.

If you ever want to turn off locking and the PBA:

sedutil-cli --disableLockingRange 0 <password> <drive>
sedutil-cli --setMBREnable off <password> <drive>

You can re-enable locking and the PBA later with this command sequence:

sedutil-cli --enableLockingRange 0 <password> <drive>
sedutil-cli --setMBRDone on <password> <drive>
sedutil-cli --setMBREnable on <password> <drive>
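The three command sequences on this page (initial setup with optional PBA under "Setting Up The Drive", and the disable and re-enable sequences above) are collected into one script below. This is an added example, not part of sedutil or of this wiki; it only runs the sedutil-cli commands the page lists, in the page's order, and stops at the first failure so a half-configured drive is not left with locking turned on. With SEDUTIL_DRY_RUN=1 it prints the commands instead of running them, which is also how the sequence can be reviewed before a real drive is touched; the drive names and PBA file name used in the usage comments are placeholders.

```shell
#!/bin/sh
# Example wrapper (not part of sedutil) around the sedutil-cli sequences on
# this page. Set SEDUTIL_DRY_RUN=1 to print the commands instead of running
# them. Note that sedutil-cli takes the password on the command line, so it is
# visible in the process list while each command runs; run this on a machine
# you trust and clear your shell history afterwards if it records it.

# run CMD...: execute CMD, or print it in dry-run mode.
run() {
    if [ "${SEDUTIL_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_drive PASSWORD DRIVE [PBAIMAGE]
# Initial setup; when PBAIMAGE is given the drive is treated as a boot drive
# and the PBA is loaded into the shadow MBR before locking is enabled.
setup_drive() {
    sd_pw=$1; sd_drv=$2; sd_pba=$3
    if [ -n "$sd_pba" ] && [ "${SEDUTIL_DRY_RUN:-0}" != 1 ] && [ ! -r "$sd_pba" ]; then
        echo "PBA image $sd_pba is not readable" >&2
        return 1
    fi
    run sedutil-cli --initialsetup "$sd_pw" "$sd_drv" || return 1
    if [ -n "$sd_pba" ]; then
        run sedutil-cli --loadPBAimage "$sd_pw" "$sd_pba" "$sd_drv" || return 1
        run sedutil-cli --setMBREnable on "$sd_pw" "$sd_drv" || return 1
    fi
    run sedutil-cli --enableLockingRange 0 "$sd_pw" "$sd_drv"
}

# disable_locking PASSWORD DRIVE: turn off locking and the PBA.
disable_locking() {
    dl_pw=$1; dl_drv=$2
    run sedutil-cli --disableLockingRange 0 "$dl_pw" "$dl_drv" || return 1
    run sedutil-cli --setMBREnable off "$dl_pw" "$dl_drv"
}

# enable_locking PASSWORD DRIVE: turn locking and the PBA back on.
enable_locking() {
    el_pw=$1; el_drv=$2
    run sedutil-cli --enableLockingRange 0 "$el_pw" "$el_drv" || return 1
    run sedutil-cli --setMBRDone on "$el_pw" "$el_drv" || return 1
    run sedutil-cli --setMBREnable on "$el_pw" "$el_drv"
}

# Typical use (placeholders: /dev/sda as boot drive, /dev/sdb as data drive,
# UEFI64-*.img as the Release PBA image from sedutil/dist/images):
#   SEDUTIL_DRY_RUN=1 setup_drive 'pw' /dev/sda UEFI64-*.img   # review first
#   setup_drive 'pw' /dev/sda UEFI64-*.img                     # boot drive
#   setup_drive 'pw' /dev/sdb                                  # data drive
#   disable_locking 'pw' /dev/sda
#   enable_locking 'pw' /dev/sda
```

Use the same password for every drive the PBA is supposed to unlock, since the PBA tries one password against all OPAL drives it finds. After setup_drive, power the machine off (not just reboot) and power it back on to confirm the PBA prompts for the password before relying on the drive.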