Use the hardware-based full disk encryption of your TCG Opal SSD with msed

(This post has been updated since initial publication, see last section for details.)


My blog post on usable hardware-based SSD encryption has seen a great deal of activity. Although that post dealt primarily with the ATA security based type of hardware-based full drive encryption, readers from all over joined the discussion in the comments to talk about an increasing number of new self-encrypting drives supporting the TCG Opal standard.


Up until recently, configuring these TCG Opal drives was only possible under Windows, or under Linux with a commercial solution that was not available to mere end-users. Fortunately, a programmer named r0m30 stepped up to the challenge and has developed an open source utility called msed and an accompanying pre-boot authorization (PBA) image with which the super fast encryption function on these drives can be fully configured and used also in pure Linux systems.

This post summarises how I built, configured and installed msed and its PBA on my Ubuntu 14.04.1 machine with its Samsung 850 PRO 512G TCG Opal-compliant SSD.

How does TCG Opal drive encryption work?

Many modern SSDs perform transparent AES encryption on all written data in hardware. One advantage of this approach is that the whole drive can be securely erased by simply generating a new set of encryption keys (a crypto erase). Another advantage is that users can have all of their data fully encrypted at rest without any measurable performance hit. Third-party software-based drive encryption, by contrast, can negatively affect SSD performance and longevity, for the largest part because encrypted data is incompressible by the time it hits the drive, which defeats the compression that some SSD controllers rely on to reduce the amount of flash actually written.

TCG Opal is a new standard for communicating with supporting drives concerning their encryption functionality. Furthermore, it includes a really elegant way to have the user supply their authorization credentials.

Once locking has been enabled, the main disc area is completely locked and inaccessible after every power-up. Instead, when the system is booted, the drive exposes a small fake disc from its firmware, called the shadow MBR (master boot record), 128MB in size. Usually this shadow MBR is flashed with the pre-boot authorization (PBA) image, which is in essence a small operating system (including MBR, boot sector and filesystem) that asks the user for their drive password and then passes it to the drive via OPAL commands. If the password is valid, the drive unlocks itself, and the real operating system is loaded.

This white paper by HP contains an explanation of the provisioning and boot process on page 5. To summarise: Once correctly configured, a system with such an OPAL-compliant disc will request the drive password at boot. The drive will only unlock and decrypt if the correct password is supplied.

Building msed and its PBA image from source

r0m30 programmed a suitable PBA image based on the open source syslinux bootloader, and a utility called msed for the provisioning (setting the password, writing the PBA image) of OPAL drives.

Because this software performs a security critical function, I reviewed as much as possible of the source code in syslinux/com32/msedpba (the Opal-specific part of the PBA) and of the whole msed utility, including the script that builds the PBA image. (I also spent some hours disassembling the binary PBA image.)

After this mini review, it was of course preferable to build and use my own binaries.

To build both the PBA image and msed from source, I did the following:

# I retrieved these sources on Tuesday 2015-02-10
git clone
git clone
cd syslinux
# make clean is going to fail trying to get the EFI submodule. ignore.
make clean
make bios
cd ../msed/image
sudo ./buildbiospba
# remember the location of the resultant .img file!
gunzip biospba-0.20beta.img.gz
# now let's build msed itself
cd ..
# I'm on x86_64, adapt to your own architecture!
make CONF=Release_x86_64
# copy the image to the same location as the msed binary
cp image/biospba-0.20beta.img .

Stripping the msed binary at top-level, I found an md5sum-identical binary to the 0.20.0 one that I downloaded from r0m30’s site:

cpbotha@meepz97:~/build/msed/msed/dist/Release_x86_64$ md5sum msed 
3a22c344ecbfa15b43ae7764341060ab  msed

Installing the msed PBA

This is very important: I’ve configured my BIOS to boot in legacy mode, i.e. NOT UEFI. The msed documentation also states that this is necessary. It also makes sense, because the PBA image is a legacy boot image!

msed needs the kernel to be booted with libata.allow_tpm=1, otherwise libata refuses to pass the TCG (ATA TRUSTED SEND/RECEIVE) commands through to the drive. I edited /etc/default/grub so it looked like this:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash libata.allow_tpm=1"

… after which I did update-grub and then rebooted. After reboot, msed --scan gave me sensible output.

It was now time to configure the drive for encryption. I found this quite stressful; I’ve had near-bricking experiences with expensive Intel 520 SSDs during some of my previous ATA security experiments with flaky BIOS implementations (InsydeH2O, what a mess). In any case, I followed this procedure:

# set the drive password: mine is long, but no spaces, no special chars
./msed --initialsetup mylongpassword /dev/sda
# write the PBA into the shadow MBR
./msed --loadPBAimage mylongpassword biospba-0.20beta.img /dev/sda
# activate the shadow MBR
./msed --setMBREnable on mylongpassword /dev/sda
# activate drive locking
./msed --enableLockingRange 0 mylongpassword /dev/sda
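The four msed steps above are exactly the ones you do not want to get half-way through. As an added example (my own wrapper, not part of msed or of r0m30’s tools), the script below checks before it touches the drive that libata.allow_tpm=1 is actually in effect on the running kernel (via the real sysfs file /sys/module/libata/parameters/allow_tpm), that the PBA image matches the SHA-256 you recorded from your own build, reads the password at a prompt rather than from the command line, and stops at the first failing step so that locking is never enabled on a drive whose shadow MBR does not hold a verified PBA. The script name, the OPAL_DEV/OPAL_IMG/OPAL_SHA256 variables and the MSED path are my own assumptions; the msed flags are the ones used in the procedure above.

```shell
#!/bin/bash
# opal-provision.sh: wrapper around the four msed provisioning steps.
# Added example, not part of msed; assumes the msed 0.20-era flags used above
# (--initialsetup, --loadPBAimage, --setMBREnable, --enableLockingRange).
# Usage: OPAL_DEV=/dev/sda OPAL_IMG=biospba-0.20beta.img OPAL_SHA256=<hex> sudo -E ./opal-provision.sh

MSED="${MSED:-./msed}"                                   # path to your own msed build
ALLOW_TPM_SYSFS="${ALLOW_TPM_SYSFS:-/sys/module/libata/parameters/allow_tpm}"

# Returns 0 if the running kernel really has libata.allow_tpm=1 in effect
# (editing /etc/default/grub alone is not enough; this reads what the kernel booted with).
check_allow_tpm() {
    [ -r "$ALLOW_TPM_SYSFS" ] && [ "$(cat "$ALLOW_TPM_SYSFS")" = "1" ]
}

# Returns 0 if the PBA image matches the SHA-256 recorded from your own build,
# so a swapped or truncated image is caught before it is flashed into the shadow MBR.
verify_pba_image() {
    img="$1"; expected="$2"
    [ -f "$img" ] || return 1
    actual=$(sha256sum "$img" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# The four steps, in order. Stops at the first failure and returns the number
# of the failed step (1-4); locking (step 4) only happens if the PBA went in.
opal_provision() {
    dev="$1"; img="$2"; pw="$3"
    "$MSED" --initialsetup "$pw" "$dev"            || return 1
    "$MSED" --loadPBAimage "$pw" "$img" "$dev"     || return 2
    "$MSED" --setMBREnable on "$pw" "$dev"         || return 3
    "$MSED" --enableLockingRange 0 "$pw" "$dev"    || return 4
}

main() {
    check_allow_tpm || { echo "libata.allow_tpm is not 1 on this kernel; fix GRUB and reboot first" >&2; return 1; }
    verify_pba_image "$OPAL_IMG" "$OPAL_SHA256" || { echo "PBA image missing or SHA-256 mismatch" >&2; return 1; }
    # Prompt for the password so it stays out of shell history. msed still gets it
    # as an argument, so it is briefly visible in the process list to local users.
    read -rsp "Opal password for $OPAL_DEV: " pw; echo >&2
    opal_provision "$OPAL_DEV" "$OPAL_IMG" "$pw"
    rc=$?
    [ "$rc" -eq 0 ] && echo "done; power-cycle and expect the PBA prompt" || echo "step $rc failed; drive left as is" >&2
    return "$rc"
}

if [ -n "${OPAL_DEV:-}" ]; then
    main
else
    echo "usage: OPAL_DEV=/dev/sdX OPAL_IMG=<pba.img> OPAL_SHA256=<hex> $0" >&2
fi
```

Record the SHA-256 of the .img right after your own buildbiospba run and keep it with the script; a later download from the project site will only pass the check if it is byte-identical to what you built and reviewed.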

After this, I switched the machine off, and on again. Lo and behold! I was prompted for my OPAL password at bootup, and could let myself in.

To test, I booted up the machine with a Linux Live USB. In place of the encrypted disk I could only see the shadow MBR.


TCG Opal is a great way of using your SSD’s hardware-based full disc encryption. I am very grateful to r0m30 for creating msed and its PBA image: These are crucially important open source tools for working with Opal discs.

Updates to this post

June 9, 2016

Fixed missing “of” in title. Thanks adutoit!

After adding a 500G Samsung 850 EVO to the 850 PRO already in my desktop machine, the BIOSPBA was not able to unlock both drives. However, after a quick upgrade to the LinuxPBA using the same procedure as documented in this post, both drives unlock after correct password entry. As an added bonus, with the BIOS on this machine set to Legacy+UEFI, I legacy boot into the PBA, enter my password, have both drives unlock, and then automatically UEFI boot to any of the operating systems on the GPT partitions of the unlocked drives.

Use ADB to bypass dog-slow MTP transfer of files from Android to Linux

Last night I had to backup 2760 photos and videos, about 6.3G worth, from my Nexus 4 Android phone to my Linux laptop.

The Nexus 4, like many other Android phones, only supports the Media Transfer Protocol, or MTP, for transferring files via USB connection. With Ubuntu 14.04, this is fortunately a plug-and-play situation: Connect the phone via USB cable, and start dragging and dropping files to and fro using the built-in file manager on the Linux side.

Unfortunately, this turned out to be dog slow. Stabilising at about 1Mbyte/s, this was going to take more time than I had at my disposal. This looks like it could be a Linux-only problem, but I’d like to see that confirmed. Whatever the case may be, I had to find alternatives.

Accessing the AirDroid web-interface on my Android telephone.

My next stop was the ssh server app on the android side. I confirmed that I could ssh in to my unrooted phone (pretty cool that!), and then I confirmed, using the built in ssh:// filesystem support in the Linux file manager, that file transfer throughput was still dog slow (also about 1Mbyte/s). After some minutes, it looked like the whole transfer stalled completely.

btsync was of no help in this case, because I have 1.4 on my phone, and use 1.3 on all my other devices (1.4 was completely useless in its beta phase, so I decided to stick with 1.3 until convinced otherwise).

AirDroid is an extremely well done app that enables one to remote control one’s android phone via a super attractive web interface, over its wifi interface. One of its many functions is file transfer, up and down. Selecting to download a whole directory of files results in a huge ZIP file being streamed. This came down at between 2 and 3 Mbyte/s, staying close to 3 for most of the time.

I was still curious whether we could do better via the USB cable, instead of over wifi, so I fired up the Android Debug Bridge, or ADB. This only works if developer mode has been activated on the android phone, and USB debugging mode has been activated, after which the phone asks you to authorize the connecting computer’s ADB key. In other words, this is probably not for novice users. Keep in mind that USB debugging gives any host you authorize shell-level access to the phone, so switch it off again, and revoke the USB debugging authorizations in the developer options, when you are done.

By using adb pull on the whole directory of files, it started downloading all 6.3G worth of photos and videos. At the end of this, the average throughput was 4.2Mbyte/s, the best of all methods I had tested.


If you need to transfer many files from your MTP-only Android telephone to a Linux host, either use AirDroid if you want this to be as easy (and as pretty!) as possible, or use ADB if you want the maximum throughput and don’t mind getting your hands dirty.

Huawei E3331 3G USB dongle works on Ubuntu 14.04 Linux

In the store today, I wanted to check that the Huawei E3331 3G USB dongle I was about to buy would work with my Ubuntu Linux laptops. Because I couldn’t find any posts confirming this, I’m writing this one.

Summary: I can confirm that the Huawei E3331 3G USB dongle works, completely out of the box and without any problems, on Ubuntu 14.04.

After inserting the card into a USB slot, I was greeted by this notification:

As per the instructions, I could immediately open the HiLink Web UI at with my browser, where, after configuring my APN like this:

The home screen showed that I was successfully connected to the 3G network:

No drivers were required. Linux (in my case Ubuntu 14.04 on x86_64) sees the dongle as a USB Ethernet adapter through the built-in cdc_ether driver; the dongle itself does the 3G dialling and NAT, and hands the laptop an address on its own private network. This is what the relevant part of the system log looks like when the device is inserted:

[378719.431633] usb 3-3: new high-speed USB device number 73 using xhci_hcd
[378719.450078] usb 3-3: New USB device found, idVendor=12d1, idProduct=14db
[378719.450085] usb 3-3: New USB device strings: Mfr=2, Product=1, SerialNumber=0
[378719.450089] usb 3-3: Product: HUAWEI Mobile
[378719.450092] usb 3-3: Manufacturer: HUAWEI
[378719.461252] cdc_ether 3-3:1.0 eth1: register 'cdc_ether' at usb-0000:00:14.0-3, CDC Ethernet Device, 58:2c:80:13:92:63
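Those log lines are worth recognising for another reason: a USB device that registers a network interface the moment it is plugged in is exactly how a malicious “USB Ethernet” gadget gets a default route and DNS onto a host. As an added example (my own script, not from the post), the function below turns a kernel log into a one-line-per-device inventory of USB vendor:product IDs that ended up as cdc_ether interfaces, which is easy to diff against what you expect on a machine. The built-in sample log is the post’s E3331 lines plus one constructed device (made-up IDs dead:beef) that never becomes an interface.

```shell
#!/bin/bash
# usb-net-audit.sh: list USB devices that registered a cdc_ether network
# interface, from kernel log lines. Added example, not from the post.
# Usage: dmesg | ./usb-net-audit.sh --stdin     or     ./usb-net-audit.sh --sample

# Constructed sample: the dongle lines from the post, then a made-up USB device
# (idVendor=dead, idProduct=beef) that never becomes a network interface.
SAMPLE_LOG=$(cat <<'EOF'
[378719.431633] usb 3-3: new high-speed USB device number 73 using xhci_hcd
[378719.450078] usb 3-3: New USB device found, idVendor=12d1, idProduct=14db
[378719.450085] usb 3-3: New USB device strings: Mfr=2, Product=1, SerialNumber=0
[378719.450089] usb 3-3: Product: HUAWEI Mobile
[378719.450092] usb 3-3: Manufacturer: HUAWEI
[378719.461252] cdc_ether 3-3:1.0 eth1: register 'cdc_ether' at usb-0000:00:14.0-3, CDC Ethernet Device, 58:2c:80:13:92:63
[378800.000000] usb 3-4: New USB device found, idVendor=dead, idProduct=beef
[378800.000010] usb 3-4: Product: Constructed Keyboard
EOF
)

# Reads kernel log lines on stdin and prints "vendor:product iface mac product"
# for every USB device that got a cdc_ether interface. Device enumeration lines
# and the later cdc_ether registration line are tied together by the USB
# bus-port path ("3-3"), which is the only key shared between them.
usb_net_summary() {
    awk '
    /: New USB device found,/ {
        dev = $3; sub(/:$/, "", dev)                           # "3-3:" -> "3-3"
        split($0, v, "idVendor="); split(v[2], vv, ","); vid = vv[1]
        split($0, p, "idProduct="); pid = p[2]
        ids[dev] = vid ":" pid
    }
    /: Product: / {
        dev = $3; sub(/:$/, "", dev)
        prod[dev] = substr($0, index($0, "Product: ") + 9)
    }
    $2 == "cdc_ether" && /: register / {
        split($3, d, ":"); dev = d[1]                          # "3-3:1.0" -> "3-3"
        ifc = $4; sub(/:$/, "", ifc)                           # "eth1:" -> "eth1"
        print ids[dev], ifc, $NF, prod[dev]                    # $NF is the MAC address
    }'
}

# Runs the summary over the built-in sample and returns its lines.
usb_net_summary_sample() {
    printf '%s\n' "$SAMPLE_LOG" | usb_net_summary
}

case "${1:-}" in
    --sample) usb_net_summary_sample ;;
    --stdin)  usb_net_summary ;;
    *)        echo "usage: $0 --sample | dmesg | $0 --stdin" >&2 ;;
esac
```

On the sample this prints a single line, 12d1:14db eth1 58:2c:80:13:92:63 HUAWEI Mobile; the constructed keyboard is enumerated but never appears, because it registers no interface.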

Here you have the prerequisite speedtest:


(This dongle is a connectivity backup. It’s an added bonus that the upstream is 3x that of my ADSL at home.)

Samson C01U USB condenser microphone on Ubuntu Linux 12.04

I recently acquired the Samson C01U USB condenser microphone for better quality voice-overs on the sleep-inducing screencasts I sometimes make. It took some fiddling to get it setup correctly on Ubuntu 12.04 with the default ALSA drivers and PulseAudio sound system, so I’ve documented the steps here on the chance that it might help some other Ubuntu / Linux user.

The microphone looks like this:

Samson C01U condenser USB microphone

It comes with a USB cable, pouch and usable tripod stand. One can accessorize with the Samson PS01 pop-filter (have it), and even with a spider shockmount (don’t have it yet, I like people to hear me typing when I make screencasts). Importantly, the quality of the recorded audio is miles better than any headset, if you can get the levels setup correctly.

It turns out that the microphone has a stereo amplifier chip. Both channels are exposed to the computer it’s connected to, as left and right. However, the two amplifiers have been cascaded for more gain. The right channel is the intermediate audio, i.e. after the first amplifier, and should not be used. The left channel is the final output that should be used. Furthermore, both the gains can be separately adjusted, and this is the reason my recordings were initially far too soft.

To adjust the gains of the built-in amplifiers, you have to use the alsamixer application, which you can start up from a terminal window. Right after startup, it will probably look something like this:

alsamixer right after startup. Where’s my microphone?

It will probably show the channels available on your default sound card. Press F6, then select your Samson, then press F4 to select the capture channels. You should now see this:

I’m a little Samson microphone, and I’m all alone!

Here you can adjust the gains of the right (pre-amplifier) and left (main amplifier) separately. This is completely separate from the gain that you can set in the Ubuntu / Gnome sound settings:

Ubuntu / Gnome sound settings: Microphone set to Unamplified.

I’ve found that by setting the gain of both of the built-in microphone amplifiers to about 19 dB with alsamixer, I can keep the (probably software) gain in Ubuntu / Gnome sound settings at “Unamplified”. Note also that I’ve selected the “Analog Mono Input” mode. I’ve tried with different gain settings for left and right, as some permutations should in theory have less noise than others for the same total gain, but have not yet found anything that resulted in a difference I could hear.

So that’s it kids. Let me know in the comments if you have any questions, if this howto might have helped you or you have other ideas about the perfect left/right gain settings!

Update on 2013-05-17

Recently, Google Hangout users started reporting that the volume of my voice was too low. This was strange, because the recordings I made with Sound Recorder were perfect. After some frustrating minutes, I discovered that the Pulse per-application volume for Google Chrome (which I use for Hangouts) had been adjusted. This means that there’s a third configuration that you should check when adjusting the levels of your C01U (or any other microphone), and that’s on the “recording” tab of the Pulse Audio Volume Control (pavucontrol). See this screencast (and check my description) for more details:

Review of Ubuntu Linux 12.04 on the Samsung NP300V3A Core i5 NVIDIA Optimus laptop

An important warning: During installation, do NOT activate home folder encryption. Due to bugs 957843 and 509180, you will most probably suffer data loss, and you won’t even know about it until it’s too late. This happened on two of my laptops during normal use, both of which I have since completely reinstalled with LUKS whole disk encryption. It’s a shame that this bug has been known for years, but that Ubuntu still ships with this as its default home folder encryption configuration.

The Review

With the release of Ubuntu 12.04 Precise Pangolin on April 26, 2012, I decided that it was finally time to test this on my almost-a-year-old Samsung NP300V3A laptop. I had been procrastinating up to now, due to all the horror stories about the lack of Linux support for the NVIDIA Optimus graphics, a hardware-software combination that auto-switches in this case between the discrete NVIDIA GeForce GT520m and the CPU-integrated Intel HD3000.

I was quite pleasantly surprised. Read on if you’re curious as to why.

The obligatory Ubuntu 12.04 Unity desktop screenshot. My gnome-terminal is using the lovely Solarized colours. Extra indicators include Dropbox, and indicator-multiload for showing the CPU, network, load and disk activity graphs.


With the Startup Disk Creator (actually called usb-creator-gtk) on my Ubuntu desktop I installed the 12.04 x86_64 image on an old 1GB USB flash drive. A point of criticism is that the final “installing bootloader” part takes some minutes, without much feedback other than a progress bar bouncing horizontally. Booting the live disk went perfectly, and I could test basic functionality. Joining my TP-LINK TL-WR1043ND access point went without a hitch. Even suspend and resume worked out of the box. Resuming is fast, almost MacBook speed! During the installation, I used the partition tool to resize an existing NTFS partition to create space for the Linux installation. It still amazes me how smooth this process has become. From start to final boot, the whole installation took 18 minutes.

NVIDIA Optimus Support

After bootup, the first two issues I ran into were the miserable (estimated) battery life, and the fact that Super-W did not activate Window-Scale, as I was used to on other Ubuntu installations. A “ps uaxw | grep -i unity” revealed that I was running unity-2d, and sniffing through /var/log/Xorg.0.log yielded the tell-tale “(EE) Failed to initialize GLX extension (Compatible NVIDIA X driver not found)” (also that X was getting confused with the seeming presence of both Intel and NVIDIA graphics). It was clear that Ubuntu 12.04 doesn’t support Optimus out of the box.

On AskUbuntu I found this fabulous answer by one of the developers of the new Bumblebee. In short:

sudo add-apt-repository ppa:ubuntu-x-swat/x-updates
sudo add-apt-repository ppa:bumblebee/stable
sudo apt-get update
sudo apt-get install bumblebee bumblebee-nvidia
sudo usermod -a -G bumblebee $USER

After this log out and log back in, and you’re in Optimus heaven! My battery estimate was soon 3.5h+ on 80% charge (it was just under 2h at 80% before installing bumblebee), unity 3D was running, and I could start applications, using the optirun prefix, running on the NVIDIA graphics. With glxspheres, I get 1.9 frames/sec and 1.9 Mpixels/sec without and 115 frames/sec and 113 Mpixels/sec with NVIDIA graphics. Importantly, bumblebee automatically switches off the NVIDIA graphics when nothing is using it, resulting in the much longer battery life. All hail the four main developers of Bumblebee: Thulinma, Lekensteyn, Samsagax and ArchangeGabriel.


Unity, Ubuntu’s unique GUI, has improved muchly since 11.10. I gave Unity on 11.04 a serious go, and also on 11.10, but I gave up in each instance after a week or two due to glaring bugs. The 12.04 Unity has made great progress in fixing a number of small but irritating bugs, I think it might be a keeper. The heads-up display (HUD) is indeed awesome: Press “alt” (the default keybinding) and then type away to search through the menus of the currently foreground application. I’ve come to appreciate the screen space savings due to the global menubar, although it doesn’t work for all apps yet, vim-gnome being an example of note. At this moment, my only wish would be to have a window-overview like you get in the gnome3-shell when you press the super key.

There has been much bitching and moaning about the direction Ubuntu has taken with Unity, some of it valid arguments. Especially the fact that much effort is being diverted from the gnome-shell is concerning. However, although I’ve dirtied many a word using previous versions of Unity, I think it’s good that it’s exploring directions that create a new UI experience that represents a counter-pole to the Windows and OS-X approaches.

Fixing Chrome icon grouping in Unity Launcher

At the time of this update (2012-05-04) I did run into one old annoyance again. If you start up Chrome (or Chromium) and then one of its application shortcuts, for example GMail, it groups both under the same icon on the Unity Launcher:

Chrome and Chrome Application shortcuts are grouped together under the first launcher icon, whichever that is.

If you start up the application shortcut first, for example GMail, subsequent Chrome windows will be grouped under the GMail icon. Durn.

Fortunately, the devs have been working on this bug, and the fix should soon appear as a stable release update (SRU). Until that time, you can download and install the bamfdaemon, libbamf and libbamf3-0 deb packages from here. Anything with version 0.2.116 and newer has the fix. Note that this only fixes it for the case where you’ve started up Chrome first (scenario 1 above), and not an application shortcut. See my comment on the bug report.

Multi-monitor support

I had low(ish) expectations when I connected my 40″ Sony Bravia TV to the HDMI port of the laptop, so I was more or less speechless for a while when, without me having to touch any part of the interface, Ubuntu simply extended its desktop onto the TV panel. BOOM. Just like that.

What I also like very much, is that Ubuntu by default puts the Launcher and its main menu bar on both displays (this is configurable though) and, even more gratifying, that the Dash appears automatically on the display currently containing the mouse cursor when I press the Super key. In the photo below, you can see the laptop below, on battery, outputting to the Sony TV via HDMI, and glxspheres humming along at just over 90 FPS using the discrete NVIDIA graphics. What you don’t see is me, smiling maniacally behind the camera phone.

Ubuntu 12.04 multi-monitor support FTW!

The Displays configuration window seems to think the 40″ panel is 72″, but the resolution has been correctly deduced.

Miscellaneous hardware support

Power saving looks pretty good. With the brightness set to 40% (the brightness setting is not persistent unfortunately), my power usage at idle is just under 9W:

PowerTop says my idle power consumption at 40% brightness is under 9W.

Actually with normal browsing over wlan, I was not able to push it far over 10W. This is after having toggled 10 or so powertop tunables from “bad” to “good”. After having installed laptop-mode-tools, the tunables are all automatically and persistently “good”, except for a VM timeout. However, this seems to be a misunderstanding between laptop-mode-tools and powertop, and it is in fact quite OK.

The hardware config panel key (Fn-F1) does nothing, the touchpad disable key (Fn-F5) just works, the volume keys (Fn-F6 to Fn-F8) just work, but the hardware fan (Fn-F11) and wireless (Fn-F12) keys do nothing.

Initially the brightness keys (Fn-F2 and Fn-F3) didn’t really work, only allowing me to switch between two brightness levels (100% and 90%). Adding “acpi_osi=Linux acpi_backlight=vendor” to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub, running sudo update-grub and then rebooting gives you 100% working hardware brightness control. Based on the information on this page, this configures brightness setting to happen through vendor-specific driver modules instead of through the ACPI default driver. Also see my askubuntu answer regarding this issue. Things have unfortunately changed to and fro with subsequent Ubuntu kernel releases, this page is up to date with linux kernel 3.2.0-31.
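This is the second place on this page where GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub gets edited by hand (the other being libata.allow_tpm=1 for msed in the Opal post above). As an added example, not from the post, here is a small script that adds kernel parameters to that line only if they are not already there, keeps a backup, and leaves the rest of the file untouched, so that repeated runs after kernel or distribution upgrades do not pile up duplicate parameters. The script name and the GRUB_DEFAULT_FILE variable are my own; it assumes the double-quoted GRUB_CMDLINE_LINUX_DEFAULT="..." form shown in both posts.

```shell
#!/bin/bash
# grub-add-param.sh: add kernel parameters to GRUB_CMDLINE_LINUX_DEFAULT in
# /etc/default/grub without duplicating ones already present.
# Added example, not from the post. Usage:
#   sudo ./grub-add-param.sh acpi_osi=Linux acpi_backlight=vendor && sudo update-grub

GRUB_DEFAULT_FILE="${GRUB_DEFAULT_FILE:-/etc/default/grub}"

# Print the current value of GRUB_CMDLINE_LINUX_DEFAULT in FILE, without the quotes.
grub_get_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1"
}

# grub_add_params FILE PARAM...: append each PARAM that is not already present.
# Entries are compared whole, so acpi_backlight=vendor and acpi_backlight=video
# count as different entries and would both be kept; resolve such conflicts by hand.
grub_add_params() {
    file="$1"; shift
    # Make sure the line exists at all, so the sed below has something to rewrite.
    grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file" || echo 'GRUB_CMDLINE_LINUX_DEFAULT=""' >> "$file"
    current=$(grub_get_cmdline "$file")
    new="$current"
    for p in "$@"; do
        case " $new " in
            *" $p "*) ;;                                # already there, skip
            *) new="${new:+$new }$p" ;;
        esac
    done
    [ "$new" = "$current" ] && return 0                 # nothing changed, do not write
    cp "$file" "$file.bak"                              # keep the previous version
    sed -i "s|^GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT=\"$new\"|" "$file"
}

if [ $# -gt 0 ]; then
    grub_add_params "$GRUB_DEFAULT_FILE" "$@" \
        && echo "GRUB_CMDLINE_LINUX_DEFAULT is now: $(grub_get_cmdline "$GRUB_DEFAULT_FILE"); run update-grub and reboot"
fi
```

After running it, check /proc/cmdline once the machine is back up: that, not the file, is what tells you the parameter actually took effect.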

In the working cases, you get the gorgeous notifier display (and in the case of volume even a mac-like audio feedback as you change levels):

Pretty notifications with Unity

As mentioned before, suspend to and resume from RAM works like a charm, out of the box, and the resume is really fast. Hibernate does NOT work. I tested this with “sudo pm-hibernate”, but when I switched the laptop back on, it acted like it was being cold-started.

I tested the webcam and sound setup (speakers and built-in microphone) with the gmail talk plugin and with the cheese application. These both work fine. However, with Skype for Linux, you get the dreaded too-dark webcam image. The often-posted solution of using luvcview to adjust brightness does NOT work. Here’s a better solution: Install v4l2ucp, the video4linux2 universal control panel. Keep this running when you start Skype. If the video is dark, switch the “Exposure, Auto Priority” off and then back on again. This solves the problem on my setup (built-in WebCam SCB-1100N). Whenever you startup Skype’s video capturing again, it manages to screw up the setting, so you have to retoggle it with v4l2ucp unfortunately.

The touchpad can be easily configured for two-finger scrolling, but not for three-finger gestures like it can be on Windows.

The touchpad configuration dialogue.

USB tethering with my Android-powered (CyanogenMod 7.1) HTC Desire Z works like a charm. I connect the USB cable, activate USB tethering on the telephone, and my laptop is online. This definitely qualifies as a Just Works(tm), and it seems to connect a whole lot faster than Windows 7 does.


When I bought this laptop, I had resigned myself to not being able to use it for Linux, for the largest part due to NVIDIA Optimus. However, due to the efforts of the Bumblebee people, and also due to Ubuntu 12.04 as a whole with the multi-monitor support being a highlight, my verdict is that this laptop is a great buy also when you’re planning to go exclusively Linux.

More resources

  • My gnome-terminal uses the Solarized colour scheme from here, and my vim (both console and gnome) are using the setup from the main Solarized repository.


  • August 27, 2012: Updated fix for brightness controls.
  • June 14, 2012: Added warning about the default home encryption being completely broken.
  • May 6, 2012: Added USB tethering.
  • May 4, 2012: Added the Unity Launcher icon grouping bug fix.
  • May 3, 2012: Added the multi-monitor section after testing with my HDMI Sony TV. Added solution for dark webcam capture in Skype. Also, thanks to Ladislav Bodnar, host of, this review is now linked from the Ubuntu page.