Use the hardware-based full disk encryption of your TCG Opal SSD with msed

(This post has been updated since initial publication, see last section for details.)

Introduction

My blog post on usable hardware-based SSD encryption has seen a great deal of activity. Although that post dealt primarily with the ATA security based type of hardware-based full drive encryption, readers from all over joined the discussion in the comments to talk about an increasing number of new self-encrypting drives supporting the TCG Opal standard.


Up until recently, configuring these TCG Opal drives was only possible under Windows, or under Linux with a commercial solution that was not available to mere end-users. Fortunately, a programmer named r0m30 stepped up to the challenge and has developed an open source utility called msed and an accompanying pre-boot authorization (PBA) image, with which the super fast encryption function on these drives can also be fully configured and used on pure Linux systems.

This post summarises how I built, configured and installed msed and its PBA on my Ubuntu 14.04.1 machine with its Samsung 850 PRO 512G TCG Opal-compliant SSD.

How does TCG Opal drive encryption work?

Many modern SSDs perform transparent AES encryption on all written data in hardware. One advantage of this approach is that the whole drive can be secure erased by simply generating a new set of encryption keys. Another advantage is that users can have all of their data fully encrypted at rest without any performance hit whatsoever. Also, third-party software-based drive encryption negatively affects SSD performance and longevity, largely because encrypted data is essentially incompressible by the time it reaches the drive.

TCG Opal is a new standard for communicating with supporting drives concerning their encryption functionality. Furthermore, it includes a really elegant way to have the user supply their authorization credentials.

Once locking has been enabled, the drive powers up with its main disc area completely locked and inaccessible. Instead, the encrypted disc exposes a small fake disc from its firmware, called the shadow MBR (master boot record), 128MB in size. Usually this shadow MBR is flashed with the pre-boot authorization (PBA) image, which is in essence a small operating system (including MBR, boot sector and filesystem) that asks the user for their drive password and communicates it to the disc via OPAL commands. If the password is valid, the disc unlocks itself, and the real operating system is then loaded.

This white paper by HP contains an explanation of the provisioning and boot process on page 5. To summarise: Once correctly configured, a system with such an OPAL-compliant disc will request the drive password at boot. The drive will only unlock and decrypt if the correct password is supplied.

Building msed and its PBA image from source

r0m30 programmed a suitable PBA image based on the open source syslinux bootloader, and a utility called msed for the provisioning (setting the password, writing the PBA image) of OPAL drives.

Because this software performs a security critical function, I reviewed as much as possible of the source code in syslinux/com32/msedpba (the Opal-specific part of the PBA) and of the whole msed utility, including the script that builds the PBA image. (I also spent some hours disassembling the binary PBA image.)

After this mini review, it was of course preferable to build and use my own binaries.

To build both the PBA image and msed from source, I did the following:

# I retrieved these sources on Tuesday 2015-02-10
git clone https://github.com/r0m30/msed.git
git clone https://github.com/r0m30/syslinux.git
cd syslinux
# the PBA lives on the msedpba branch of r0m30's syslinux fork; make sure you're on it
git checkout msedpba
# make clean is going to fail trying to get the EFI submodule. ignore.
make clean
make bios
cd ../msed/image
sudo ./buildbiospba
# remember the location of the resultant .img file!
gunzip biospba-0.20beta.img.gz
# now let's build msed itself
cd ..
# I'm on x86_64, adapt to your own architecture!
make CONF=Release_x86_64
# copy the image to the same location as the msed binary
cp image/biospba-0.20beta.img dist/Release_x86_64/

After stripping the msed binary I had built, I found it md5sum-identical to the 0.20.0 binary that I downloaded from r0m30’s site:

cpbotha@meepz97:~/build/msed/msed/dist/Release_x86_64$ md5sum msed 
3a22c344ecbfa15b43ae7764341060ab  msed

Installing the msed PBA

This is very important: I’ve configured my BIOS to boot in legacy mode, i.e. NOT UEFI. The msed documentation also states that this is necessary. It also makes sense, because the PBA image is a legacy boot image!

msed needs libata.allow_tpm to be configured for the running kernel. I edited /etc/default/grub so it looked like this:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash libata.allow_tpm=1"

… after which I did update-grub and then rebooted. After reboot, msed --scan gave me sensible output.

It was now time to configure the drive for encryption. I found this quite stressful; I’ve had near-bricking experiences with expensive Intel 520 SSDs during some of my previous ATA security experiments with flaky BIOS implementations (Insyde H20, what a mess). In any case, I followed this procedure:

# set the drive password: mine is long, but no spaces, no special chars
./msed --initialsetup mylongpassword /dev/sda
# write the PBA into the shadow MBR
./msed --loadPBAimage mylongpassword biospba-0.20beta.img /dev/sda
# activate the shadow MBR
./msed --setMBREnable on mylongpassword /dev/sda
# activate drive locking
./msed --enableLockingRange 0 mylongpassword /dev/sda
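An added example, not code from this post or from msed: a wrapper around the four provisioning steps above, with the preflight checks I would want before pointing msed at a real drive (kernel parameter present, whole-disk device, the post's password rule). It assumes msed and the PBA image sit in the current directory as in the post; the helper names are mine.

```shell
#!/bin/sh
# Wrapper for the msed provisioning procedure described in the post.
# Nothing runs unless invoked as:  sudo sh ./opal-provision.sh provision /dev/sda

# The post's password rule: long, but no spaces and no special characters.
# Returns 0 if PASS is at least MIN_LEN (default 16) characters of [A-Za-z0-9].
check_password() {
    pass=$1
    min_len=${2:-16}
    [ ${#pass} -ge "$min_len" ] || return 1
    case $pass in
        *[!A-Za-z0-9]*) return 1 ;;   # anything outside letters/digits is rejected
    esac
    return 0
}

# msed needs libata.allow_tpm=1 on the running kernel's command line.
# Takes the cmdline text as an argument so it can be checked offline.
has_allow_tpm() {
    case " $1 " in
        *" libata.allow_tpm=1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Refuse anything that is not a whole SATA disk: the OPAL commands address the
# drive, not a partition, and a typo here is how people end up with a PSID revert.
check_device() {
    dev=$1
    case $dev in
        /dev/sd[a-z]) ;;
        *) echo "refusing '$dev': expected a whole disk such as /dev/sda" >&2; return 1 ;;
    esac
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
}

# Run the four steps from the post in order, stopping at the first failure.
# Note that msed takes the password on its command line, so it is briefly
# visible to other local users via ps; that is how msed works, not this script.
provision_opal() {
    dev=$1
    img=${2:-biospba-0.20beta.img}
    check_device "$dev" || return 1
    has_allow_tpm "$(cat /proc/cmdline)" || {
        echo "libata.allow_tpm=1 missing from kernel command line: fix /etc/default/grub, update-grub, reboot" >&2
        return 1
    }
    [ -f "$img" ] || { echo "PBA image '$img' not found" >&2; return 1; }
    printf 'OPAL password for %s: ' "$dev"
    stty -echo 2>/dev/null; read -r pass; stty echo 2>/dev/null; printf '\n'
    check_password "$pass" || {
        echo "password rejected: at least 16 letters/digits, no spaces or special characters" >&2
        return 1
    }
    ./msed --initialsetup "$pass" "$dev" &&
    ./msed --loadPBAimage "$pass" "$img" "$dev" &&
    ./msed --setMBREnable on "$pass" "$dev" &&
    ./msed --enableLockingRange 0 "$pass" "$dev"
}

if [ "${1:-}" = "provision" ]; then
    provision_opal "$2" "$3"
fi
```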

After this, I switched the machine off, and on again. Lo and behold! I was prompted for my OPAL password at bootup, and could let myself in.

To test, I booted up the machine with a Linux Live USB. In place of the encrypted disk I could only see the shadow MBR.

Conclusion

TCG Opal is a great way of using your SSD’s hardware-based full disc encryption. I am very grateful to r0m30 for creating msed and its PBA image: These are crucially important open source tools for working with Opal discs.

Updates to this post

June 9, 2016

Fixed missing “of” in title. Thanks adutoit!

After adding a 500G Samsung 850 EVO to the 850 PRO already in my desktop machine, the BIOSPBA was not able to unlock both drives. However, after a quick upgrade to the LinuxPBA using the same procedure as documented in this post, both drives unlock after correct password entry. As an added bonus, with the BIOS on this machine set to Legacy+UEFI, I legacy boot into the PBA, enter my password, have both drives unlock, and then automatically UEFI boot to any of the operating systems on the GPT partitions of the unlocked drives.

95 thoughts on “Use the hardware-based full disk encryption of your TCG Opal SSD with msed”

  1. Hi,

    Thanks for trying msed and writing this post on it.

    A few things you might want to consider changing.

    “In its default state, the main disc area is completely locked…..”
    This is only true AFTER encryption is enabled; in its fresh-from-the-factory state the drive is never locked and acts just like an unencrypted “normal” drive.

    git clone https://github.com/r0m30/syslinux
    should be:
    git clone https://github.com/r0m30/syslinux.git

    Possibly add a step that verifies you are on the msedpba branch before building the PBA.

    You must have missed my latest push by a few hours. The 0.21beta release of msed has added the ability to return the drive to its non-opal factory default state without erasing the drive. Hopefully this will help people feel more comfortable trying OPAL encryption.

    Finally you might want to mention the restriction that msed does not support S3 sleep to ram, only hibernation. This restriction is currently necessary because the PBA is not called during a resume from S3.

    “It was now time to configure the drive for encryption. I found this quite stressful….” I did too my first time, and I wrote the software 🙂 Worst case with OPAL encryption should be that you need to do a PSID revert; you WILL lose all of your data but the drive should not be unusable.

    1. Hi there r0m30, thanks for stopping by!

      I’ll update the post with your recommended changes, thanks.

      I do have one burning question though: To PSID revert the drive, I need the PSID. When I did “msed --initialsetup”, did msed not change both the admin1 and the SID password? Does “SID password” refer to “PSID”? If so, I could still get in trouble if something goes wrong with the password I supply (strange characters and whatnot)

  2. Thanks r0m30 for that great piece of software, and cpbotha for the comprehensive guide and testing!

    I now wish I had waited a couple of months before purchasing my 840 pro…

  3. @cpbotha
    Yes, Yes, No 😉
    I tried to explain some of the TCG terminology here:
    http://www.r0m30.com/msed/documentation/terminology

    Yes, you need the PSID to do a PSID revert. Yes, the initialsetup command changes both the SID and Admin1 passwords (the SID is an ADMIN SP authority and Admin1 is a LOCKING SP authority). No, the SID is not the PSID; they are different authorities, and the firmware is supposed to protect the PSID password from being changed or accessed by a host program. The PSID is a TCG concept for verifying that an entity requesting a function has physical access to the device, and usually all an entity with that authority can do is reset the device to a known state while obliterating all customization and user data on the device. I believe its purpose is to prevent an error (software/hardware/user) from bricking the device, like a lost ATA password would do.

    @kayne

    Why? The 840/840pro are both good drives and support OPAL 1 & Opal 2. Other than not having the latest and greatest what is your issue with the 840 pro?

    1. Well as far as I know, the 840 pro is not OPAL compliant, it’s only a SED with ATA Security…

      http://www.samsung.com/global/business/semiconductor/minisite/SSD/us/html/whitepaper/whitepaper06.html

      While they do feature SED technology, the 840 and 840 Pro Series SSDs do not support the OPAL storage specification management interface.

      I think only the 850 and maybe the 840 EVO does. Unless it’s possible to make the 840 pro OPAL compliant with a firmware upgrade?

  4. Wow, I just assumed that when Samsung delivered OPAL for the 840 EVO they did for the 840 PRO too. That really bites, what were they thinking? I guess the MDX controller isn’t going to get OPAL support.

    Now I understand why you wish you had waited.

  5. Suggestion “stealth mode”.

    Hello r0m30. May I suggest a feature for your project msed?

    The current start screen of pre-boot authentication reveals that encryption and password protection is present. Normally this is fine and what much encryption software does. However, sometimes it is even more advisable to not reveal the existence of encryption at all.

    It is easier to not be asked for a password than to say “no”, not to reveal it.

    I have made the same suggestion more than a decade ago in the usenet “scramdisk” discussion group and this feature was implemented into both DCPP (Drive Crypt Plus Pack) and Truecrypt. They let the user choose to not display a message or logo for entering the pw at all, but either a fake “hdd failure message” or just a “_” cursor without any reaction after entering something from the keyboard – however the keystrokes are recorded and the pw can be entered as usual.

    You may consider implementing it for msed, too, optionally for experienced users, etc.

    1. I remember that option being available in Truecrypt, but I also seem to remember that the Truecrypt authors said that it was an ineffective ploy. (truecrypt.org is no longer active and excluded from wayback so no link)

      To me this is security by obscurity.

      I’ll ignore incompetent adversaries as they really don’t pose a serious threat.

      The MBR shadow is world readable and the drive will readily tell an unauthenticated user its encryption status, locking state and ATA IDENTIFY information. This means that a competent adversary will not be deterred, as it will only take them minutes to determine how the drive is encrypted and what management software is being used.

      Once they determine that msed is used to manage the encryption they know what hash function is being used, the number of iterations and the salt, from there until/unless a firmware exploit is discovered the standard attacks apply. Brute force and dictionary attacks should be slowed by the need to recycle the power after the vendor unique tries limit.

  6. It’s good to have another option where there are so few to begin with.
    I’ve been looking for a way to encrypt both my boot and data drives, and I can’t really find anything to consider other than a Cipherchain module from addonics that seems to suit my requirements for idiot-proof encryption. It’s not exactly cheap, but I’m just too old to be suffering the cold-sweats I usually get with fiddly technical stuff like this that I barely understand anyway.

  7. @rocher

    I understand that you would be uneasy, like I said before the first time I did it I was uneasy. You can test the code forever but until it meets the real world you don’t really know how well it will work outside the bubble of your test environment.

    Charl outlines the quick plunge, on the msed site there are smaller steps you can take using a USB thumbdrive to verify that the PBA is able to scan your system and recognize your OPAL drives as well as instructions for creating and testing the small rescue image that I provide. Adding those optional steps may increase your confidence in msed and help reduce those cold sweats.

    That’s the first I’d heard of CipherChain, interesting product.

  8. With software based FDE like Diskcryptor you could put the boot loader together with the key on a USB Stick which in turn boots the encrypted partition. The idea is that no password typing is necessary; all you need is to plug the USB Stick in to boot the SED SSD. Has anyone succeeded at that with msed?
    Thanks.

    1. Without some kind of security on the USB stick your encryption keys are exposed.

      But…..

      If you are willing to be responsible for the security of the USB key you could do something like that. Put the rescue system on a USB stick (http://www.r0m30.com/msed/documentation/managing/testrescue) and then setup the root profile to issue the msed commands to unlock your drive(s) and reboot the machine. Not very elegant but it should work.

  9. @r0m30

    The encryption keys are exposed only to me – the USB Stick goes out right after unlocking. Kind of like a physical key 🙂
    I can eventually protect it with an extra password. In any case, it is a much better solution than typing the ATA Password every time, not to mention that I can choose a much longer and better encryption key that way.

    Do you think it would be possible to initialize SSD bootloader right after unlocking, without reboot ?

  10. So you install Linux on an Opal 2.0 SSD before setting up the PBA and stuff? I’m thinking about getting Crucial MX200 which states Opal 2.0 compliance.

    1. You need either Linux or Windows to run the management software, but I supply a bootable Linux image that can be put on a usb stick to run the management software before you have installed an OS on the machine.

      I think you might have a misunderstanding of where the PBA resides. The PBA is loaded into a special “table” in the drive that is not part of the “normal” drive. It doesn’t take any space away from the usable disk area and is not visible or accessible when the drive is unlocked and unshadowed.

      The easiest way to think of it is as two views of the drive.
      One is the “shadow MBR”: this is the table that the PBA lives in, and it is what is readable from the drive when the drive is first powered up (if the shadow MBR is enabled with the management software).
      The other is the “real drive” and it is only readable after the drive is unlocked and unshadowed.

      I provide a PBA for bios machines that you write to the “shadow MBR” with the management software. The PBA boots and asks you for the password that you set up to manage the drive’s OPAL encryption, then it chain loads the OS from the unlocked “real drive” view.

      I hope that helped or at least didn’t make you more confused.

  11. r0m30…let me start out by thanking you for your dedication to this project…it’s just what I need as my two motherboard manufacturers don’t allow ATA passwords in their BIOS implementation (and yes I have traditional BIOS in both computers). I followed your lucid directions exactly and was up and running with MSED in a short time. Everything seemed fine…on boot the Linux command line appeared asking me for my password to unlock my Samsung 850 EVO and presto I was in my OS (Windows 7 Home Premium) in no time. But when I put my computer in sleep mode the problems began. When restarting my computer (from sleep mode) Windows powered up just fine but the Windows Users Account page would “hang” and not proceed to my former desktop. Then about 2 minutes later my screen would go black for about 15 seconds and then the dreaded “blue screen of death” would appear and my computer would attempt to reboot. But then I received an error stating that a bootable disc could not be found and I powered off my computer and then went into my BIOS settings. Lo and behold my Samsung 850 was NO LONGER showing up as the first boot device (I repeated this process a number of times with the same result). When I disabled both the LOCKINGRANGE0 and the PBA image everything returned to normal and I could sleep and unsleep my system perfectly. So I ended up completely uninstalling TCG OPAL from my Samsung 850 SSD (which by the way worked just perfectly per your instructions).

    In conclusion I’m hoping future iterations of your program will solve my computer sleep issue so indeed I can lock my drive again. And yes hibernation mode worked without issues but I’m trying to minimize write calls to my SSD to prolong its useful life and therefore I don’t use this mode.

    Again thank you so much for your work on this project, I will keep following your progress.

    Sincerely,

    DS

  13. DS

    Thanks for giving msed a try, sorry it doesn’t meet your needs.

    Sleep is not supported. I have documented that in several places. The issue with sleep is that it jumps directly to a preassigned address, there is no bios interaction. The code to resume from sleep in Windows would have to be a driver, I haven’t even researched it far enough to determine which type of driver would be required. Windows requires that all drivers be signed and I do not have a code signing cert.

    Linux should be simpler, but I’m not sure that I want to support an out of tree kernel module.

    As to the issue of SSD longevity, you might want to take a look at this:
    http://techreport.com/review/27909/the-ssd-endurance-experiment-theyre-all-dead/4
    Current SSD technology is pretty robust.

  14. Thank you very much r0m30 for your work and cpbotha for this nice write up. I have been googling quite a bit the last few days about SED and I must say, this page was one of the highlights. Thanks a lot!

    I just got a Samsung 840 EVO for my laptop as a warranty replacement and ordered an 850 EVO for my new fanless computer. With my laptop, I could use the HDD password in the BIOS, but for my desktop the BIOS does not support the HDD password. Therefore I was really happy to discover the msed project and this article. This would allow me to use the encryption in both computers.

    I haven’t tried it yet, but I will definitely give it a shot. But already now, I have one question or feature request. My fanless computer will act as a server and will be on most of the time. Before, I have been using dm-crypt and LUKS in Linux to encrypt my hard drives. There one has the possibility to have a ssh server in the initramfs to be able to enter the LUKS password remotely over ssh at boot. For the server this is a very nice feature to have it up and running again without having physical access to it. So my question is, would it be possible to include such functionality in the PBA with msed as well? If yes, would you consider implementing this?

    Thanks a lot,

    Hell-G

    1. @Hell-G,

      The pieces to setup a headless system are almost all there, what you want could be based on the rescue system

      The rescue system is a TinyCore Linux system that is remastered adding msed. By adding the ssh server, an authorized_keys file and a script that unlocks the drive(s) to that image you would create the PBA needed.

      It would be an “advanced” setup because the user would have to create a custom PBA with their own authorized_keys file.

      If you want to pursue this I think it might be better to use the issue tracking on github so it would be publicly documented (maybe even add a wiki page after it’s working).

  15. I was going to get a 128GB Samsung 850 Evo to put in an old Acer Travelmate 5720 laptop I’ve been given but someone told me I won’t be able to use the encryption without a TPM chip in the laptop, which they don’t reckon mine will have, even with msed. Is this the case?

    If I can’t use the encryption, I might as well get a 256GB Sandisk X110 Enterprise instead, as that’s only £65 compared to £49.99 for the Samsung.

    1. Hi there David,

      As far as I can see on my Samsung Pro 850 + msed setup, TPM is not required. Also, from TCG documentation we see the following:

      “Q. Would Opal Trusted Drives require a TPM? Are they required to be used in
      systems with TPMs?
      A. A Trusted drive itself does not require a TPM, but for optimal data security and
      protection, pairing these drives with clients that have TPMs is recommended. ”

      (see http://www.trustedcomputinggroup.org/files/static_page_files/B1105605-1D09-3519-AD6FD7F6056B2309/Opal_SSC_FAQ_final_Jan_27_4_.pdf )

      Do keep in mind that while msed does support suspend to disc (hibernation), it does NOT support suspend to ram.

    2. @David

      As cpbotha said there is no requirement to have a TPM on the computer.

      MSED doesn’t use the TPM even if it is present, and is developed on a legacy bios machine that doesn’t even have a TPM.

  16. Hi, I have bought myself some Evo 850 SSD drives and I am trying to get the encryption up and running. Currently I have a Windows 8.1 (standard) UEFI installation; am I correct in saying I need to switch to legacy in BIOS and then do a complete re-install before I could use MSED?

    1. @Jamam

      Yes, msed only works in bios mode. I don’t have a testbed that supports a reasonable version of UEFI.
      Windows 8.1 is supposed to have eDrive on all versions, you may want to look into that to encrypt your drive.

  17. @cpbotha and @r0m30

    Thanks for the information, that’s great as I really didn’t want to have to use an unencrypted drive in my laptop. I’ll probably get the Samsung 850 Evo 120GB for £52 then but before I do, could I ask whether the OCZ Arc 100 would work with msed, as if so I could get the 256GB version for only £68?

    I suspect not, as it says here that whilst it supports 256-bit AES hardware encryption, it doesn’t support IEEE and TCG Opal but as I’m not certain if that rules out using msed, I wanted to check before deciding which drive to buy:
    http://techreport.com/review/26905/ocz-arc-100-solid-state-drive-reviewed

    I could get the 256GB 850 Evo for £80 but I’m trying to avoid spending too much on upgrading this laptop.

    Thanks for the warning about msed not supporting suspend to ram/standby cpbotha. That would be an issue for me on a desktop, as I use standby a lot and disable hibernation to save time and space but on a laptop it makes more sense to use hibernation to reduce the drain on the battery and avoid the risk of it losing data if the battery runs out, so I’m happy to use hibernation instead of standby on my laptop.

    1. @David

      If the drive doesn’t support OPAL 2.0 then msed will not work on it. OPAL 1.0 should work according to the parts of the spec I have read, but the only thing tested is the PSIDRevert.

      I’ve found that with a SSD as the system drive hibernation isn’t too bad, although I have 6 drives hooked up to accomplish my testing so speed booting hasn’t ever been an option for me.

  18. @r0m30

    No problem, I didn’t really think it likely it would work without Opal support. I was only really considering getting a 256GB just to be safe as, unlike with a desktop, with a laptop you can’t just add another SSD if you find the first one is too small.

    The 120GB Samsung will probably be sufficient for me though, as I’m planning to use Steam’s In-Home Streaming to stream games from my desktop, rather than installing them on the laptop, and I’ll probably use Remote Desktop for general purpose stuff like word processing as I’m mostly at home anyway and I’ll just be using the laptop so that I can sit in my comfy armchair and not at my desk. It’ll still be useful to have Windows and the essential programs installed on the laptop in case I need to take it travelling and I might find some use for it as an extra machine/display for my flight sims and I’ll probably install one or two games on it so that my friends can use it for some LAN gaming when they come over.

    I’ve been meaning to get another 256GB SSD for my desktop as one is not really enough and I prefer to have my dual-boot OS’ split over two drives, in case one dies. If prices were lower for 512GB SSDs, it would make sense to get one of those for my desktop and put my current 256GB 840 Evo in the laptop but they’re still around £150, so I think I’ll just get the 120GB Samsung for the laptop for now and wait for prices to drop before I get another 256GB for my desktop.

    I can imagine that hibernation is a lot better with a SSD rather than HDD. On my desktop I still prefer not to give up 16GB for the hibernation file though, as I’m trying to fit as many games as possible on it as well as the OS (I’ve already given up 10% for overprovisioning on my 256GB Samsung) and I’m quite happy with standby.

    1. @r0m30

      I was looking for something like this for my new Crucial MX200 Opal 2.0 Drive
      I should say rather …almost…

      It looks like it will work perfectly for a drive, from which you will boot the computer / hardware.

      I am referring to this part:
      >I think you might have a misunderstanding of where the PBA resides. The PBA is loaded into a special “table” in the drive that is not part of the “normal” drive. It doesn’t take any space away from the usable disk area and is not visible or accessible when the drive is unlocked and unshadowed.

      I would like to have the MX200 drive as my secondary, data drive. My OS will stay on the unencrypted drive, but I would like to encrypt the second disk and store confidential data there. I assume the PBA works in such a way that to use it you need to boot the machine from the encrypted disk?

      I think I can translate it into a question:
      How to unlock / unshadow the encrypted disk from already started OS and mount it (OS=Linux in my situation) ?

  19. Hi.

    How does one force biospba-0.23beta.img to use hd 1 or whatever number the drive has in the boot order? Noticed that the boot won’t work if the computer has several drives and the msed drive is not hd 0. Sometimes I even run a laptop with dual internal drives and choose the boot device manually.

  21. @Veni

    You need to modify the syslinux.cfg on the PBA to change the drive that is chain loaded.
    If you are a Linux user you can mount the PBA img file on a loopback device and then edit it. Have a look in the /images directory to see how the scripts do the build. If you are a Windows user you can do it from a Linux live CD if you are comfortable with Linux.

    You need to change the “append NOTRACE” line to “append NOTRACE hdx,y” where x is the bios drive number and y is the partition number.

  22. @hellrat

    You have a few options.
    Load the PBA onto the drive and modify the syslinux.cfg to chain load the unencrypted drive.

    Don’t use the PBA at all. You can use the msed program to unlock the drive before you mount it. I’d create a script that either asked for the password or had it as a parameter:
    msed --setlockingrange 0 RW <password> /dev/sd?
    sync
    mount /dev/sd?n /mountpoint

    If you use the second option there is no need to enable or use MBR shadowing but if you do you would also need to set the mbrdone flag before the sync & mount.

    On a side note the MX200 has been a troublesome drive it doesn’t seem to unlock using the bios PBA and it fails randomly when writing the PBA so I would recommend option two for that drive.

  23. Hello,
    I read a bit of HP’s white paper but I still don’t understand about a drive being in provisioned state.
    I came here researching about OPAL after Windows 8 automatically converted my Crucial drives into Opal drives without asking or even warning me.
    I checked the drives with msed and if I understood it right the drives are just in provisioned state.
    Does that mean the data is not encrypted yet?
    Or is it encrypted already by a password that I don’t know?
    Can someone explain or give me some hints on how this automatic OPAL provisioning happens and how it affects my data?

  24. @TH

    It’s been a while since I read the HP paper and I don’t remember what drive state they were referring to as “provisioned” so I’ll just give you an overview and you can decide if it is “provisioned”.

    Yes, windows will enable OPAL mode without any notice and/or asking permission. It’s a “feature”.

    The information that you need to determine the state of your drive from an msed --query command is in the Locking function portion of the output:

    (from my windows 7 boot drive, a Crucial M500)

    Locking function (0x0002)
    Locked = Y, LockingEnabled = Y, LockingSupported = Y, MBRDone = Y, MBREnabled = Y, MediaEncrypt = Y

    Locked (Y or N) – are any enabled locking ranges “locked” (not RW). My drive is usually locked because I have multiple locking ranges defined where the MBR and partition table are in a separate locking range that defaults to RO so that malware can’t alter it.

    LockingEnabled (Y or N) – Is the “Locking SP” active. If this is Y then someone (windows in your case) has put the drive in OPAL mode and if the flag that determines the power on state (don’t remember its name off the top of my head) is set to locked, its default state, then any locking range on the drive that has read or write locking enabled will be locked after a power cycle.

    —–

    Your data is ALWAYS encrypted on an OPAL drive, the only thing that you have control over is what state the drive is in after a power cycle. When it is shipped from the factory the Locking SP is not active so the entire drive will automatically be set to RW mode and transparently encrypted/decrypted as it is accessed. After the Locking SP is activated the drive will decrypt and/or allow access to portions of the drive as defined by the Locking Range Table.

    If LockingEnabled=Y then access to your data is controlled by one or more passwords (OPAL has several users and they can have different passwords with different access/rights to the locking ranges in the drive). The password you use is not the encryption key used for the data it is the authentication mechanism used to determine your authority to access/change the state of the OPAL subsystem and data on the drive.

    As I said earlier the automatic enabling of OPAL when you do a clean install of Windows 8.1 is a “feature” it is called eDrive by microsoft.

    When it works your drive is managed by Windows and your data will be protected “at rest”. This is a good thing if your computer is stolen because the thief will not be able to move the drive in your computer to another machine and extract any information, such as financial/tax data. The MS doc is unclear on how/if it uses multiple ranges to protect the MBR/Partition table and/or the system reserved partition.

    When it fails, not so good….. your machine becomes unstable and the only way to return the drive to a usable state is to do a PSID Revert which crypto erases the drive. You did have a backup didn’t you????

    I’m not sure if I answered your “how it affects my data” question in the way you wanted.

    If you want to prevent windows from activating OPAL on your drive have a look at this thread on the Crucial forum http://forum.crucial.com/t5/Crucial-SSDs/M500-Issues-with-locking-up-A-TCG-Command-has-returned-an-error/td-p/149506 near the end of the thread one of the contributors did some testing on different ways to prevent eDrive from being activated when you install windows. This would require that you crypto erase your drive (PSID Revert) and reinstall using one of the methods described.

  25. Thanks a lot for the insights, I think I understand it better.
    Indeed, the output of msed --query shows LockingEnabled = Y.
    So if I got that right, when Windows activated Opal during setup, it did more or less the same as the msed --initialsetup command, only that they chose the SID password and/or Admin1 password without sharing it with the drive owner (that’s really nice of them…).
    I assume the passwords Windows used are just some randomly chosen string and they are not kept in the installed system (or /paranoiamode=on transmitted over the internet to some Microsoft server… 😉
    And that’s the reason I can’t change the SID or Admin password with msed (or do the initialsetup with msed), or use the --revertnoerase command to disable the Locking SP without erasing the drive.
    So if I want to disable Opal, or keep it but use my own SID and Admin password, my only option would be to do the PSIDrevert?
    Is that all correct?
    About the data, I was specifically worried about what would happen with the drive if for instance the motherboard dies and I have to move the drive to a different computer to retrieve the data: will I be able to access the data? Not even if the computer is also running Windows 8 or another Opal-supported OS?
    Thanks a lot again, it’s really helpful understanding how this new technology works…

  26. That’s the basics of it, some of the doc suggests that MS use a different user and disable the SID completely so that the only way to turn off OPAL is with a PSID revert but since Windows is closed source it’s hard to know exactly what they do.

    With msed you have the password so you can unlock the drive and access your data from any machine that can run msed and has the facilities to access the drive in its unencrypted form (attachment and filesystem support etc). For windows you can google “bitlocker recovery key”; I don’t see how that is possible unless MS has your key on a MS server somewhere.

    @jp It’s complicated, the spec has provisions for re-keying but none of the OPAL 2.0 drives that I have support it. The only way to change the key is to do a revert so you would have to do an initialsetup then a revert then another initialsetup to change the key. That means that you would lose any existing data on the drive, which isn’t bad if you do it with a new drive but if you already have something installed it will be crypto erased.

  28. cpbotha, Thanks for the writeup.
    r0m30, Thanks for the development effort.

    I’ve tested this and it works as expected.

    One observation: after entering the password in the PBA, the device remains unlocked until the machine is shut down cold. That is, the SSD’s data remains accessible after a soft reboot.

    It makes sense to me why this would be the case, but this might be worth mentioning somewhere.

  29. @cpbotha

    Out of interest, after following the steps posted in the blog and rebooting, the PBA did not detect my SSD after boot up. It turns out the PBA image ‘biospba-0.23beta.img’ does not work for my system (Dell Latitude E6330 with Samsung SSD 850 PRO 256GB).

    r0m30 suggested I try LINUXPBARelease-0.23beta.img which I tested and it does work.

    The LinuxPBARelease PBA takes much longer to boot than biospba but this is not a big concern.

    This issue was discussed here:
    https://github.com/r0m30/msed/issues/32

    Thanks for the blog!

  30. Hi all, I have the following situation:

    Win 7 running on SSD with AES encryption activated via TCG OPAL (Software Embassy Security Center from Wave Systems). It is a 1 TB SSD.

    Now I would like to split the partition of the SSD to install Linux/ Ubuntu in parallel (500 GB each). I assume I can use a partition manager without a problem. I further assume that I can install the Linux/ Ubuntu as on any other drive once the SSD has been unlocked.

    To do so I would cold-boot the System once, enter the pw to unlock the SSD – then warm-reboot to not proceed with Win 7 boot up procedure, instead insert a bootable DVD with Linux/ Ubuntu on it and install it on the free partition on the SSD.

    If System now reboots warm and after removing the DVD, it should show boot Manager to select between Linux and Windows, as usual. However, if booted cold, the SSD should ask for pw again to unlock the drive, thus including Linux/ Ubuntu under the AES-protection that was initially set up by the TCG OPAL Software running on Win 7.

    In case I would need to cancel or modify the TCG OPAL pw protection, I could boot into my Win 7 and do it there.

    Do you think this will work or do I need to set up something in Linux/ Ubuntu?

  31. I don’t have any experience with Wave (or any other SED software for that matter). I did hear from one other user of a third party product trying to do what you want, see here https://github.com/r0m30/msed/issues/5. Maybe you can try and contact him?

    It really depends on how ESC works, and I have no information that would help us figure out how to make it work.

  32. Hi all, reporting back: It worked.

    However, I changed the plan and installed the Ubuntu/ Linux completely over the Win 7 partition/ disk, thus deleting it. I made a clone of it onto another HDD, though, for rare cases of backup use (and encrypted this HDD with True Crypt).

    The important thing, the TCG OPAL on the SSD remained active.

    -> This means one can install a Windows (7) on an SSD. Activate the pre-boot authentication for TCG OPAL with ECS (software see above), then install a Linux over it, thus deleting the original Windows (7) installation (or install it as dual boot, as you like).

    The TCG OPAL remains active, so that you end up with an active AES encryption and password unlocking on OS pre-boot, regardless what OS you later have, e.g. Linux.

    To r0m30, I appreciate your work, but had this ECS already anyway, so thought to try this way. Of course, anybody not having it may try with msed first; however, if it does not work or is too complicated, this is another option.

    Cheers!

  33. One more thing:

    In addition to the SSD AES encryption I ticked LUKS full disk encryption for the Ubuntu installation. This means I have both now, SSD hardware encryption and software full disk encryption.

    Why? Does it make sense? The following reasons:

    1. SSD AES encryption is vulnerable to warm-reboot attacks or hot trans-plugging of the drive. This is because the SSD is unlocked after the PW was entered at boot until it gets power off to lock again. A warm reboot could allow somebody to insert a CD/ DVD or USB stick to boot up the system with forensics software and have full access to the SSD, because the drive continues to decrypt all requests.

    As computers often are run many hours or days, the likelihood to be caught with trousers down (i.e. the system running) is high.

    SSD AES encryption only protects shut off machines against device loss or theft, but does not protect running machines.

    As SEDs are becoming more and more popular, assume this not to be a hypothetical threat, but to become standard procedure of the agencies.

    2. Now software full disk encryption comes into play. This cannot be warm rebooted or circumvented by trans-plugging of the device, because the software would need to be run on the analyzing system to decrypt the data, but it runs on the locked system (e.g. behind a screensaver), so it is not accessible for the forensics. They can just overcome the SED to find another layer of encryption behind it (would like to see the faces when feeling pissed off…well better not).

    3. So why SSD AES encryption at all, if software full disk encryption is recommended anyway? -> It does not cost much more and is already there, because the device is capable of it. The only inconvenience is the additional pw request, however this depends on how often one does cold reboots. For my case (running a once booted machine several days) this is acceptable.

    Still SEDs provide an additional layer of security, especially with LUKS encryption on Linux, there is a small unencrypted portion of the drive for the bootloader. This is where somebody could place a root kit to log PW keystrokes, etc. However, if the SSD is locked, this cannot happen.

    4. So double security is not a bad idea, how about performance? We know there is no performance drop for the SED either activated or not. The software encryption has some performance loss, but independently from SED active or not. In fact, there are tests to show that with Linux the performance just drops 20% (for Windows 50% – can google this). So at least with Linux the 20% performance drop of software encryption may be worth the game…

  34. The hot plug attack is being addressed by some vendors in the firmware. OPAL is a data at rest solution and only a piece of a total security solution. I think most users can use it to protect themselves from their data being compromised when their PC is lost or stolen. Usually a laptop will be in sleep/hibernation mode and if someone carries off a desktop they are going to unplug it. Either of these situations will lock the SED.

    Does ESC properly unlock your system when it resumes from S3 sleep?

    If you want to use software encryption on a SED, a more interesting solution may be to use the SED to protect the MBR/partition area and boot partition using OPAL locking ranges, only requiring a password when you need to update those areas.

    If you set up your locking ranges something like this:
    Global Locking Range – write locking disabled and read locking disabled
    LR1 – blocks 0-2047 with write lock enabled and read lock disabled (MBR and FAT partition area)
    LR2 – blocks 2048-end of boot partition with write lock enabled and read lock disabled (where your bootloader lives)

    Your MBR/partition table and boot partition would be read-only after the first power cycle and only updatable after you manually unlocked them. This would protect you from the insertion of any malicious code in the boot partition while removing the need to enter an additional password for normal use. You would only have to set the MBR and boot partition to read/write during maintenance and then reboot to lock it again.

    Are your performance figures for software encryption current? I was under the impression that on newer machines with AES-NI instructions the performance hit was in the mid single digit range.

  35. Nobie (not even Newbie) question: How secure are either ATA or Opal passwords? How long does it take to brute-force (depending on charset/length allowed by BIOS or 3rd party software), and which has the edge – on average? Unlimited tries with power cycles after 5 attempts in either case, correct?

    Apparently it’s ridiculously easy to break ATA passwords with the right tools, see
    https://wikis.utexas.edu/display/ISO/Breaking+ATA+password+security

    Speaking as someone who regularly does power down her computer, and having only ever used TrueCrypt full disc encryption on a laptop (and containers on my desktop), maybe I’m seeing the cons rather than the pros. Running the risk to brick your drive for questionable security gains… I’d rather keep really important data locked away securely (I hope) via TrueCrypt in manageable slices than handing over the keys to my whole setup.
    In the event of full encryption, I’d probably prefer Opal authentication via OS independent software like msed, which is why I’ve carefully read this page… and the all the comments were very useful, thanks a lot!

    Thank you r0m30, interesting feature. However, as my system is set up, I will not touch it anymore, but for some new installations it would be worth it, if I were smart enough to understand how to implement it 😉

    Some interesting observation that I did:

    My configuration is

    1 TB Samsung 850 Evo with Linux/ ubuntu 15.04, software encrypted with LUKS-ext4 + hardware encrypted by SSD set up with ECS (Embassy Security Center as run on the Windows 7 formerly on that same drive, then OS deleted and Linux installed all over it)

    500 GB Samsung 850 Pro with Windows 7 Ultimate, encrypted by software with EFS (Bitlocker does not work for the system drive on Windows 7, Truecrypt does not work on a UEFI system :-( ), hardware encryption with SED AES, set up with ECS

    Observation: As I set up the TCG OPAL on both drives separately with, at that time, only one of the drives plugged in, but using the SAME password for both, BOTH SSDs unlock if booting either system from either drive. It means I have access to the other SSD content, if booting from the other drive, but entering the same password. I changed the pw on the Windows 7 SSD and this does not work anymore, unlocking only the SSD on the Linux drive.

    This is strange and I did not expect that. I assume it is a software issue or feature of the ECS software cross talking to other SSDs from which it was not necessarily started. It can be a feature to access several SSDs simultaneously.

  37. Correction; I only have access to the encrypted content, though cannot read the EFS encrypted files on the Windows drive while running Linux and vice versa do not have immediate access to the Linux-LUKS Partition (if not using LibreCrypt to mount Linux-LUKS volumes in Windows by then entering the pw). But this is optional, if I were not using software encryption in addition, I had full access to both SSDs while booting just one, but using the same pws for both, this is the point.

  38. Hello. What is the difference between msed and EMBASSY Security Center? The first being free and open source? Can I use EMBASSY on MX200 to encrypt the data and not worry about compatibility? Does it support UEFI and sleep mode?

    Did not work for me, when I use msed -initialsetup I get a “NOT_AUTHORIZED” error.
    I used a laptop with BIOS (not UEFI) and a samsung 850 EVO, msed -scan detected the drive, and msed query reported it was not locked. Ubuntu 14.04. In initial setup do I have to use the password printed on the drive?

  40. @ bpp

    I have never used ESS so I can’t comment on the differences. As far as I know none of the SED solutions are compatible with each other. Msed will soon support UEFI as msed becomes part of the Drive Trust Alliance. Msed does not support sleep.

  41. @joebing

    NOT_AUTHORIZED during the initial setup means that the SID password does not match the MSID password, so something has changed the factory default password. If you don’t know the password for the SID and ADMIN1 users then you have to use the other software to remove/reset the drive or do a PSID revert which will erase all of your data.

    Has the drive been used with another SED management program or Windows eDrive/Bitlocker?

    Does the output from a --query say lockingEnabled=N?

    1. Hello r0m30

      msed --query outputs:
      Locking function (0x0002)
      Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y

      It is brand new 850 EVO, before Ubuntu I did not install any other OS on it, neither managed it with SED program.
      However I had HDD password turned on in Bios for that drive when I first tried msed --initialsetup.

      I do have 840 EVO in other bay, with separate HDD bios password and it has Windows 7 with Bitlocker.

      I also noticed one Opal vendor requires BIOS not to be older than 3 years, mine is older than that.

      What is MSID? You meant PSID?

  42. @joebing

    OPAL encryption and ATA passwords can not be active at the same time. If you want to use OPAL encryption you will have to remove the ATA password from the drive.

    1. Hi there r0m30,

      Nope, I would not do that. 🙂

      You made a typo in your email address, so the auto-accept your comment should have gotten did not happen. Your comment was stuck in the pending queue due to this, and I somehow missed the notification (probably because I’m used to your comments going through instantly).

      I have now put it through.

  43. @joebing I missed your question re: MSID…..

    MSID is the initial factory default password that the drive manufacturer uses. It is stored in an OPAL table and msed reads that password to use when it does the takeownership and changes the SID and ADMIN1 passwords. It is not the same as the PSID that is printed on the drive label.

    1. @r0m30

      I first ran msed --initialsetup with BIOS HDD password enabled. Did not work, there was a different message but I can’t recall it. So I disabled the BIOS HDD password.
      Could enabling/disabling the BIOS HDD password change the MSID?

    @joebing It shouldn’t. I did test adding and removing an ATA password with hdparm on one of my drives (I think it was a Crucial M550 but it was a while ago) and it worked for me before and after I set the ATA password.

    1. thank you r0m30.
      Probably the bios in my laptop is too old to handle TCG Opal.
      I did try to boot pba image from usb stick and it hangs on “Found devices” message, and other pba, larger one causes laptop to reboot.

    The larger one is supposed to reboot the computer. Did it say that it found your drive and that it was OPAL? If it did then it should work. If it goes by too fast use the one with the debug suffix and it will stop and wait for a key before rebooting.

    My bios is about 7 years old (pre Windows 8) so I don’t think an old bios should be an issue.

    Tried debug. On top it says:

    MSED LINUX Pre Boot Authorization
    Please enter pass-phrase to unlock OPAL drives:

    I entered anything as pass-phrase per this:
    http://www.r0m30.com/msed/documentation/managing/testpba-1
    Then got message:

    Scanning….
    Unlocking /dev/sda Failed

    in log .txt I see this:
    ERR : mehod status code INVALID_PARAMETER
    ERR : Session started failed
    ERR : One or more header fields have 0 length
    ERR : EndSession Failed
    ERR : Unlock failed – unable to set LockingRange 0 RW
    ERR : Identify failed Invalid argument

    and again msed -query when run under Ubuntu reports drive is not locked.
    Locked = N, LockingEnabled = N, LockingSupported = Y

  47. @joebing
    Until you get initialsetup to run the PBA is useless. You need to set a password and enable locking before the PBA can unlock it.

    1. @r0m30
      You were right, I will try to replace that SSD although I can’t figure out why it came brand new and with the SID already set.

      r0m30 would you know if console=/dev/null in kernel parameters would boot LinuxPBARelease silently?
      I mean is there any way to have silent quiet boot with no screen output and with prompt for password without asterisks?

  48. @joebing

    I would try a PSID revert before trying to replace the drive. One thing that might be causing your problem is that you have bitlocker active on your windows system. It is possible that when bitlocker sees an OPAL drive it takes ownership. If you do try a PSID revert then make sure to try the initialsetup BEFORE you boot into windows again.

    I know it’s been 8 months since you wrote this and r0m30 has since joined with Drive Trust Alliance but I have a few questions maybe someone here can answer.

    One r0m30 mentions he built his last betas to deal with some bios that had features that needed more support. Specifically mentioning Lenovos I assume thinkpads. I am using a T440P with the Samsung MZ-7LN256 OPAL SED. Thus I am using these

    Issue is I will be running a Xen-based OS. Based on the security model I will only be able to run MSED from an external source such as a usb flash drive. No issue at its core though given the rescue image.

    I just want to confirm the steps and order I need to work.

    As while we are stuck having to trust the hardware I will only trust it as far as I must. Thus for me it’s mandatory to reset the key, so PSIDrevert wiping the HD. This puts me back to factory default with a new encryption key.

    As I cannot load MSED from inside the OS, as an effect of that, even with the USB msed (rescue disk) I can not set lockenabled prior to the OS install. My reasoning is there would be no straightforward (easy) way to boot from an install iso usb flash and then still get access to the primary SED drive space. If locked I would only be able to access the shadow mbr. You have to boot from the shadow to get to the locked SED access of the primary hd space thru the chainload, again this is if it’s already locked. The OS setup would not be able to see the primary SED hd space, only the shadow if locked.

    To me the solution is to:

    1: image the Rescue-0.23beta.img to usb flash drive
    2: boot to usb MSED rescue and do a PSIDrevert (key reset)
    3: boot to bootable usb OS ISO image and do full install
    4: boot to usb msed rescue and lock and flash the LINUXPBARelease-0.23beta.img to the SED shadow partition (Lenovo T440P laptop). Is the LinuxPBA Release image part of the rescue?

    At this point upon reboot (will take a bit longer given the larger kernel PBA instead of bios img needs to be used) I will get the OPAL Shadow drive password prompt. Upon correct entry confirmation, I will get chain-loaded to the OS boot login of the primary drive.

    The main “possible” security hole I see with the OPAL 2.0 implementation, but have not found any data or info on at all to know its feasibility, is a keylogger Trojan loaded into the clear boot sector. In this case it would be that separate shadow mem space. Again I have not been able to find the spec or much of any info on it and how it functions etc. All I ever see is that the same is to be considered secure. Gee how nice, I guess we are just supposed to take that as some sort of guarantee?!? Call me stupid but……… The type of hack I am talking about is similar to what has been coined the Evil Maid attack, made publicly famous by Joanna Rutkowska as a way to circumvent any software FDE but specifically in this case true-crypt. Fact is there must be a memory space that the bios can read to get the MBR info. It has to be this way. Given that we can load a PBA image to it means it has read write access. My worry is a bug allowing someone to load a Trojan to some of that space without having to provide a password.

    My hope is that no write access can be made to the shadow memory space without either the SID password or the PSIDrevert command. Further that after the PBA image is loaded the rest of that memory space (128MB IIRC) is filled with random data to leave zero room for any upload should a way be found without doing a PSIDrevert. Point being there should be no way to touch the shadow memory space without the password after locking other than doing a PSIDrevert command wipe/reset.

    If I had to make a recommendation for the MSED program it would be a way to integrate the secure erase function (PSIDrevert command) linked into the password function. Thus a user for setup would first get the PSID code off the drive. Then set up the first password for the encryption, then set up a secure erase password using the PSID code and the PSIDrevert command. This way a person, if forced to give up a password or needing to quickly wipe the data, could enter or give this password. You enter the password, it reboots and you are into the main drive space but nothing is there. Yes I know if you were dealing with top level people they would have looked at the shadow memory and analyzed the code to know what a script was doing. The other would be a PSIDrevert script once n_number of wrong passwords are entered. I would be willing to donate a considerable amount for a single user to help fund/offset some costs of implementation of these additional functions.

  50. I went ahead with the plan but I ran into a config issue with the PSIDrevert command. Most so the result from running it.

    I guess you are required to lock the drive i.e. set up a password etc before the PSIDrevert command works. I took the drive as it came in my new lenovo laptop, before setting up the factory OS etc, and booted to the MSED recovery image and did the test to confirm everything could be seen. Then I issued the PSIDrevert command which gave the output of a successful psidrevert. Yet on reboot and going to format as part of the OS install it showed all partitions and data to still be there intact.

    While rom30 upon re-reading does state on the PSIDrevert page that it will erase all data if your drive is locked enabled there is nothing explicit stating it must be locked.

    More an FYI for people that may like the idea of using this as a way to wipe a drive quickly such as if they decide to sell the PC or drive. Even if it was unlocked they may think they can use this command as a way to wipe it.

    Frankly I think it really should work but honestly reading the TCG guidelines is quite a challenge as it’s more design parameters etc as opposed to clear function explanations.

    So unless I am missing something it looks like the drive MUST be locked before the revert cmd will reset the key, thus secure wipe does not function unless you lock and password. Kind of weird though given that regardless of locked or not there is always a key (default password) and data is always encrypted. Given that, I would think a revert cmd which is supposed to restore to factory default condition, i.e. the state it left the factory in, would at least do just that. When this drive left the factory it had no data, partitions, MBR etc. The cmd does nothing to it in its default state.

    Time to lock it and try again.

  51. @Tim
    You can setup the locking before an OS install. You can reboot as many times as you like as long as you do not power off the machine.
    You would do an initialsetup to activate the locking, load the PBA and then, to make sure that the “real” drive is accessible, you would issue a setLockingRange 0 RW and a setMBRDone on so that the install would have full access to the drive. As long as you just reboot, no power off, the drive will not lock and the OS install can proceed normally; if you do power off then you would just unlock the drive using the PBA and proceed.

    Re: your solution.
    Step two won’t work because the locking SP hasn’t been activated yet.
    No, the PBAs are not on the rescue image, it isn’t designed to be an install tool, it’s designed to allow you to manipulate the OPAL settings on the drive if you find yourself in a situation where you cannot boot your normal OS.

    It’s not a reboot that locks the drive, it’s a power cycle.

    The “evil maid” attack should be mitigated because the shadow table cannot be altered without the drive password. If you try and alter a shadow MBR it may look like it worked because the OS will buffer the changes in its cache but after a power cycle you will see that the changes were not made.

    I think your issues when thinking about OPAL encryption are:

    The locking SP must be active (part of the initialsetup) before a PSIDRevert will have any effect on the drive. Once the locking SP is active the PSID revert will work whether the drive is locked or not.

    The drive only locks when the system is power cycled, once the drive is unlocked it will remain unlocked for however many reboots you would like to perform.

    If I missed something let me know.

    First thank you very much for replying so quickly on a thread that is so many months old. Not even on your own site for that matter. That says a lot about you to me in terms of the software you produce.

    * Thank you for explaining the security of the shadow drive. After I posted I kept searching and reading the various info on OPAL 2.0 programs which seems to be scattered all over the net. Bits in forums here and there, the TCG manuals etc, some of the tech manuals for other opal software. What I found seemed to indicate what you stated but you have made it clear. Thank you.

    As long as there are no side-channels to open write access to this it looks like it is secure.

    * Yes you are correct the locked enabled vs actually being locked was one of the things I misunderstood.

    * I was also not clear on exactly how the rescue worked. You answered that.

    I can use the rescue image to configure OPAL options. My issue is I am not sure the Xen/Linux based OS Qubes (not sure if you know of it), which has a very locked down bare metal OS/domain, will allow MSED to load or run properly. It would be a PITA to load.

    Ironically, because of some specific work that was dropped on me I am going to still need to use LUKS, so I am getting doubled up on encryption. Figures.

    If I configure opal with the Rescue image i.e. set flags and password:

    * Can I load the pba image to a flash drive? Would it still chain load properly or would I have to alter the syslinux.cfg file on the image?

    * I would think the rescue image also able to do the log in chainload? If so what would the command be?

    In the above cases I would want to set the shadow MBR table option to “off”

    Worst case if there is issues with Qubes and MSED I can boot to a flash loaded live linux distro run MSED and push the PBA image to the shadow partition from it.

    I saw your comments about the Lenovo issues with the BIOS image. Am I correct that it’s best in my case to use your beta PBA image that gives the full kernel features?

    ——————————————–
    My steps to generate a new key and wipe with a new drive from rescue.img:

    msed --initialsetup
    msed --enableLockingRange 0
    msed --PSIDrevert

    Power cycle

    * Option:1
    Load OS ISO from flash drive
    run MSED from OS

    * Option 2:
    Live Linux run MSED

    * Option 3: (Stop gap measure)
    Rescue image config opal
    PBA.img or rescue loaded onto USB flash, boot until I have time to do choice 2 or figure out how to make 1 work

    ———————————————————

    First let me qualify this next part with: I AM NOT A PROGRAMMER. I am a network and admin engineer. Thus I am ignorant of how hard, easy or anywhere in-between this would be. It would be a great advantage if the rescue tool could also do installs:

    I think it would fit perfectly with the entire idea TCG had with OPAL 2.0. One of its goals for this standard was to be OS independent. The one area that isn’t, and which happens to be the one that affects end users and the like the most, is the software to interface with/configure the OPAL standardized firmware configs in the SEDs. That all happens to be very OS specific. Yours of course gives by far the most options in that regard and in a nice small package. If you were to add an install function to the rescue tool you would for all practical matters have just that: a 100% OS independent OPAL configuration tool. In that case, if it’s FOSS, I would not be surprised if it was packaged or linked to in a large number of the SED manufacturer packages. For people that do not trust the MS BitLocker solution as well. One thought: maybe there is a way, as part of the flash drive image, to create a small partition that would allow the end user read/write access where they could upload whatever PBA image. Of course there is always including the PBA/BIOS image versions in the tool’s image itself.

    Again, like I said, I am not a programmer and this could be a stupid amount of work or maybe not worth it in your eyes. Just thought I would bring it up.

  53. Ultimately we have to put some faith in the implementation of the drive firmware. How much is an argument I’m not going to have.

    Yes, you can load the PBA to the drive from the rescue disk, it is a fully functional version of the software, I just don’t pre-load it with the PBA images. That would increase the download size by quite a lot.

    I’ve never run Xen so I can’t really help there, perhaps you could ask on one of the forums if Xen supports guest passthru of trusted send and trusted receive. Those are the SATA commands used to talk to the drive.

    It’s probably best to use the Linux PBA on a Lenovo machine. You can always test the bios pba on a flash drive to see if it works with your hardware configuration.

    The PBA can be loaded to a flash drive and then booted, but the chainloading probably wouldn’t work without changing the syslinux.cfg.

    The rescue image can unlock the drive, you would issue a setLockingRange 0 RW and setMBRDone on to unlock the drive. There is no chainload command that I know of in Linux so you would have to issue a reboot command after the drive is unlocked.

    You can use a live CD image to download MSED and the PBA and then set up the drive, but the rescue image is pretty much the same thing. So unless you have a hardware support issue, it is a much smaller image than a live CD because its sole purpose is to allow you to run MSED.

    Why power cycle after you do the PSIDrevert to change the encryption key? You can just run initialsetup again and then load the PBA using the already running rescue system (you’ll have to have the PBA somewhere you can access it). Also you could just do a reverttper using the password you set in the initialsetup instead of the PSIDrevert so you don’t have to key in the unique 32 byte PSID for the drive.

    A basic installer/config tool wouldn’t be that difficult; covering all the permutations is where the difficulty lies.

  54. All your points are good and well taken. I agree.

    Again, these issues seem to be from my ignorance of how everything works together. The TCG papers really are not very straightforward on how it all works from a process standpoint.

    I assumed the PSIDrevert command was the ONLY way to get a new key generated. Now looking over the TCG I can see it states it as the command not specific only to PSID. Learning more and more.

    It might not be a bad idea to make a notation of what commands will generate a new crypto key. For all us security freaks that is an important key function. Maybe add a notation “this will generate a new encryption key” to both revert commands.

    So when I run these commands such as PSIDrevert or revertTper, these actual changes do not take effect immediately and wait for a power cycle? Such that I could run either of the revert commands from the OS on the actual drive and still afterwards do another initial setup and push pba.img? They are just queued in order to take place in the firmware upon power cycle.

    If the above is correct then I now understand why you were so confused by me constantly mentioning power cycling between each series of commands. I thought you had to apply a change (power cycle) before you could make another subsequent change.

    I used GParted live to increase the size of the rescue image partition on the flash drive. On my other laptop (Windows) I used Ext2Fsd to mount the rescue flash drive with read/write access. I now have room to load as many of the PBA and BIOS images to the rescue image as needed.

    *** Where would be the best place to load the PBA images in the rescue file system on the flash drive? How do I go about making its path available to the root@box ssh as it’s a loopback? I am not sure how it sees the flash drive, as host or guest, and I was not able to get to it thru a normal path or I got it wrong. Sorry, my Linux fu is weak. I am just now getting back into Linux after a decade in a Microsoft shop.

    Thus I could do the following all from one session in the msed whether rescue or inside the OS:

    msed --initialsetup
    msed --lockenable 0
    msed --revertTper
    msed --initialsetup
    msed --loadPBAimage biospba/pba.img
    msed --setMBREnable off

    If I powercycle with lockingenable and MBRenables off it should boot right on thru to the primary disk space?

    Then I can plug in the flashdrive with the OS install image and install OS

    reboot into MSED rescue:

    msed --setMBREnable on
    msed --lockenable 0

    Then powercycle

    It will then boot to the PBA where I will get a password window and then after entering correctly will chain-load into the primary MBR of the installed OS.

    Again, I am learning a lot about the OPAL function use with your program with your help. Thank you, it’s greatly appreciated.

  55. Yeah, the TCG docs are written as standards docs, not user manuals so they are very thick. There are still times when the only way I can figure out what they mean is to experiment.

    NO, all commands take effect immediately, so when you issue the PSIDrevert or the revertTper the drive starts using the new key immediately, in effect crypto erasing the drive. If you run them on the active OS drive the OS will crash soon after.

    After you expand the rescue partition you should be able to put the PBA images anywhere on the drive, to access them you would need to mount the flash drive (busybox syntax).

    Again, no, you can’t run those commands on the active OS drive; the revert will change the key and the OS will crash. You can run them from a flash drive you booted the rescue system from on ANOTHER drive on which you want to install a new OS. You can activate the locking SP and turn on locking from the active OS if you don’t run the revert, because the key will not change.

    Yes, if you disable the locking ranges and set MBREnable off the drive will not be locked or shadowed so it would present the “real” disk even after a power cycle.
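    The install-time sequence r0m30 lays out above (activate the locking SP, load the PBA, then unlock the range and set MBRDone so the installer sees the real disk) together with his warning that a revert crypto-erases the disk immediately, as an added Python example that is not part of msed: it plans the command sequence and refuses a revertTper against the disk the running OS is booted from. The `msed` binary name and the argument order (verb arguments, then password, then device) are assumptions to check against `msed --help` on your build.

```python
"""Added example, not part of msed: plan the msed command sequence described
in the thread and refuse to crypto-erase the disk the running OS lives on."""
import re
from typing import List, Optional

MSED = "msed"  # binary name is an assumption; sedutil builds call it sedutil-cli

def root_disk(proc_mounts: str) -> Optional[str]:
    """Whole-disk device backing '/', parsed from /proc/mounts text.
    /dev/sda2 -> /dev/sda, /dev/nvme0n1p3 -> /dev/nvme0n1.  A root on LUKS or
    LVM (/dev/mapper/...) is returned unchanged: the physical disk cannot be
    identified from the mount table alone, so the caller stays conservative."""
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1] == "/" and fields[0].startswith("/dev/"):
            dev = fields[0]
            m = (re.match(r"(/dev/nvme\d+n\d+)p\d+$", dev)
                 or re.match(r"(/dev/[a-z]+)\d*$", dev))
            return m.group(1) if m else dev
    return None

def plan_fresh_install(device: str, password: str, pba_image: str,
                       proc_mounts: str, new_key: bool = False) -> List[List[str]]:
    """Ordered argv lists for preparing a drive for an OS install.
    new_key=True adds revertTper plus a second initialsetup, which generates a
    fresh media key (crypto erase) and takes effect immediately, so it is
    refused when the target disk holds the running OS.
    Assumption: each msed verb takes its own arguments, then the password,
    then the device (verify with `msed --help`)."""
    if new_key and root_disk(proc_mounts) == device:
        raise RuntimeError(f"{device} holds the running OS; revertTper would crypto-erase it")
    cmds = [[MSED, "--initialsetup", password, device]]  # take ownership, activate locking SP
    if new_key:
        cmds += [[MSED, "--revertTper", password, device],   # new key, drive back to factory state
                 [MSED, "--initialsetup", password, device]]  # re-activate after the revert
    cmds += [
        [MSED, "--loadPBAimage", password, pba_image, device],    # flash PBA into the shadow MBR
        [MSED, "--setMBREnable", "on", password, device],         # shadow MBR shown after power cycle
        [MSED, "--enableLockingRange", "0", password, device],    # global range locks on power cycle
        [MSED, "--setLockingRange", "0", "RW", password, device],  # ...but unlock it right now
        [MSED, "--setMBRDone", "on", password, device],           # ...and expose the real disk now
    ]
    return cmds

# Constructed /proc/mounts sample: the OS runs from /dev/sda, the rescue USB
# stick is /dev/sdc, and the new self-encrypting drive being prepared is /dev/sdb.
SAMPLE_MOUNTS = "/dev/sda2 / ext4 rw,relatime 0 0\n/dev/sdc1 /mnt/usb vfat rw 0 0\n"

if __name__ == "__main__":
    for argv in plan_fresh_install("/dev/sdb", "hunter2", "/mnt/usb/pba.img",
                                   SAMPLE_MOUNTS, new_key=True):
        print(" ".join(argv))
```

The plan is printed rather than executed so it can be reviewed first; a power cycle after the last command is what actually locks the drive and brings up the PBA.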

  56. Awesome. Thank you so much for taking the time to get me thru all of that. I have the PBA images at root of the rescue flash drive image. I will look up the busybox mount syntax tonight and give it a try. Worst case I can load a linux OS with the drive unlocked and mbr off and then load the pba from there then install the new OS once the PBA is loaded.

    Next thing on the list to play with on the next drive will be user accounts and drive ranges.

  57. OK, I got the partition size increased using GParted live and was able to load the PBA files. I mounted the USB drive and I was able to use a basic test password to set up and push the PBA image up. Sure takes a while to push that image file. 10 mins or so.

    I did run into one issue. I think it’s password related, as I did not have the issue when I set an all lowercase, letter-only password of 9 characters during my test run.

    When I went and tried my real password, which is around 21-25 characters using letters, upper and lower case, numbers, and special characters such as ” ‘ – ! @ for example, the initialsetup goes fine, but as soon as I try the next command where I need a password I get the first error string of NOT_AUTHORIZED followed by the typical errors after that about session start and end. I did a PSIDrevert so no big deal.

    I repeated the setup and still got the same issue.

    What is the maximum length and what characters can be used?

    Something else ?

  58. Not sure what the issue was. I think maybe password length or possibly one of the symbols. I made a change, shortening it by a couple of characters, and now it seems to be working.

    If I can I will make an image of the full setup with all the PBA BIOS images on it. With that, all anyone will have to do is make a mount directory and mount the USB drive to it. I will list the commands for it so even Windows users not used to Unix/Linux commands will be able to do this easily. It will make an all-in-one complete solution.

    Again thank you R0M30 for all your help and guidance.

  59. Thanks R0m30 for msed. I’m having trouble understanding the shadow MBR in a UEFI world. The 128 MB region should hold a FAT32 filesystem and a pba.efi app, right? Does the msed v1.1 build all that, or provide a way to mount shadowMBR directly?
    Like Tim, I’m interested in a QubesOS system with a protected boot path. Thanks again for your work supporting OPAL.

  60. How did you verify that the Shadow Boot record in the Samsung was 128 megs? From previous tests I was informed that it was only 64 megs. I know the standard says 128 meg+, but tests showed it was 64 meg. Was your post above based on the standard stating it was 128, or a test?

    Thanks.

  61. I’m struggling with special characters (like -_@) in the password. Does it depend on the keyboard layout used in the PBA image? If so, which one has been used?
    Plus, what’s the maximum length allowed (32 chars or what)?

  62. @Derek – Not necessarily; in the UEFI world, if you’re not in CSM mode the shadow would need to be GPT. The latest versions of sedutil contain a GPT PBA that can be used on 64bit UEFI systems.

    @Eric – I relied on the standard, I haven’t tested anything other than the images created for msed/sedutil and they are all under 10M

    @marco – Yes, the keyboard layout can be an issue. The default Linux keyboard is used, so I believe it is US English.

    I hash the password using PBKDF2 so you can use a password up to 250 characters.

    1. I already tried with the US English keyboard layout as well as with a few others, but I always get the same error message (NOT_AUTHORIZED).
      If I use passwords without any special char everything works fine.

  63. This thread (and cpbotha’s other one on “usable HW FDE”) is really the most informative resource about this topic on the whole web!! So thanks a lot to r0m30 and all other contributors! After reading I have some remaining questions regarding the different PBA variants.

    1) In the sedutil wiki (https://github.com/Drive-Trust-Alliance/sedutil/wiki/Building-sedutil) it says that there is a “Syslinux based PBA” and a “Linux based PBA”. What has to be considered when making the choice here?

    2) https://github.com/Drive-Trust-Alliance/sedutil/wiki/Encrypting-your-drive links directly to precompiled PBA versions (“BIOS” or “64bit UEFI”). Are those based on Syslinux or Linux?

    3) The sedutil wiki says that the UEFI PBA is not compatible with Secure Boot. Just out of curiosity: what would be necessary for it to be? Does it mean that Secure Boot in fact also protects the shadow MBR, in which the PBA resides?

    4.1) Is it recommendable against bootkit attacks to setup an extra read-only OPAL locking range for the bootloader (not to be confused with the PBA residing in the always unencrypted shadow MBR) with another PW than the PW for the remaining disk (global locking range)? When I start the computer, the PBA would ask me for the PW to unlock the global locking range. However, the bootloader remains read-only until I manually unlock it with the sedutil/msed commands using my different PW in the rare case of modifying the bootloader.

    4.2) Is “readonlyLockingRange ” just short for “setLockingRange ro ” followed by “enableLockingRange “?

    4.3) How do I determine the bootloader’s LBA blocks for the “setupLockingRange” command (for BIOS+MBR or UEFI+GPT)?

    Even partial answers to some of those questions or hints where to look would be greatly appreciated.

    PS: As there is a UEFI PBA now, the sedutil readme should be updated which it still says “on bios machines”.

    1. With hdparm, you can configure the ATA password of your hard disk. This is the same password you can setup with your BIOS.

      However, you never really know if your BIOS does actually use the plaintext password you are entering or some hash of it. So if you set the password with a tool like hdparm, you might not be able to unlock the drive with the startup password prompt of your BIOS. Or conversely, if you set up the password with your BIOS, you might not be able to unlock the drive with hdparm or on another computer with a different BIOS.

      Furthermore, setting the ATA password does not necessarily encrypt your disk at all. It might merely be a “lock flag” that is set somewhere in your drive. That is why ATA password locking works just the same on unencrypted non-SSD drives as it does on SSDs. If a motivated thief mounts an invasive attack on your disk, he might just circumvent the lock and access the unencrypted data directly. Theoretically, it might be possible that an SSD vendor also uses the ATA password to generate the AES key that is used for all data on your drive (see below). At least Samsung claims something remotely sounding like that on their website. (http://www.samsung.com/global/business/semiconductor/minisite/SSD/M2M/html/support/faqs_03.html) But you don’t really know.

      And finally, it’s totally possible to brick your drive by setting and forgetting an ATA password (or setting it and then losing the PC with the BIOS that has really set an unknown hash of your password). This is why each drive vendor has a “secret” (i.e. not really secret) master ATA password to reset your user ATA password without erasing the data. But it is just a matter of time until these master passwords are eventually leaked and available online. So if somebody steals your user ATA password locked disk and gets hold of the vendor’s master password, they can access your data.

      For SSD drives, you might be a little bit more in luck if you forgot your ATA password, because Samsung claims that you are still able to perform a “Secure Erase” with their “Samsung Magician” software:
      http://www.samsung.com/global/business/semiconductor/minisite/SSD/M2M/html/support/faqs_03.html

      The Samsung Magician refers to the setting of an ATA password as “Class 0” (maybe because the level of security provided is close to zero…). 🙂

      Further information about ATA passwords is found here:
      http://www.admin-magazine.com/Archive/2014/19/Using-the-ATA-security-features-of-modern-hard-disks-and-SSDs

      Now to the OPAL full disk encryption.

      First you have to know that all the data on your SSD is automatically AES encrypted and decrypted all the time. I guess the main reason for that is that you should have a way to securely erase your disk. To do this for old non-SSD disks, we had to use tools like wipedisk which write several times over each sector of the disk to completely remove magnetic residue of the old data. As the lifetime of an SSD highly depends on the amount of writes on it, you don’t want to do the same here. Hence, all data is all the time AES encrypted with a key stored in a static but rewritable memory on your disk. To “erase” all data, you simply erase this key and the data can thus never be retrieved. This is how it works when your disk is not locked.

      If you lock your disk with OPAL, the key needed to encrypt or decrypt your data is not actually stored in the abovementioned static memory. Instead, the value stored in it must be combined with your password to create the actual AES key, which is only stored in volatile memory. So once your SSD is powered off, the actual AES key is gone again and your data cannot be read without it.

      OPAL encryption does not have the limitations of the ATA password:

      Instead of the BIOS, the password is set by your own OPAL software (e.g. sedutil) that also provides the startup password prompt in form of a boot loader. So if you know the password you can really lock or unlock your disk on any system running the appropriate software.

      If you forget your password, you can still do a PSID revert losing all your data, but at least your disk is not bricked. And there is no “secret” master password that would allow somebody to unset your password.

      That said, we have of course to note that you must trust your SSD vendor to a certain degree. Everything I wrote about how the actual AES key can only be generated by combining the stored value and your password might be wishful thinking, because we do not really know how Samsung has implemented the OPAL functionality on their SSDs. For all we know, they could also simply store your set OPAL password in plaintext in the disk’s static memory and then merely unset a “lock flag” whenever your entered password matches the stored one. That would of course not be secure, because it would be just like the old ATA password for non-SSD drives. Furthermore, your SSD might have all kinds of intentional or unintentional back doors to circumvent the OPAL lock. We just don’t know as long as the vendors are not providing more verifiable details on their implementations that would actually allow for some independent audits.

      So if you want to be “NSA secure”, you should still rely on open source software based FDE. If, on the other hand, you just want to be secure against the random miserable guy stealing your computer, OPAL is in my opinion the best choice!

  64. I just got a new laptop and my company requires that I use FDE. Without this post, I would have never realized I could do it without luks/dm-crypt.

    Thanks.
