This post is more than 5 years old
1 Rookie
•
10 Posts
0
28292
M.2 Opal 2.0 SED drive
I have a Latitude 7490 with a M.2 512GB PCIe MVMe Class 40 Opal 2.0 SED Drive.
With past SED drives, I could enter a hard drive password in Setup which would needed to be entered prior to booting the system. This password stayed with the drive so decrypting still required entry of the password if the drive were removed from the system.
There is no option for a drive password in BIOS and hence nothing to enter prior to boot, unless I put in a system password. I assume that the data is encrypted on the drive, but am not sure that the data would be inaccessible if the drive were removed from the 7490. Is the encryption tied to the specific system so the drive is unusable elsewhere?
I've done some searching but can't seem to locate definitive information about this particular type of SED
jphughan
9 Legend
9 Legend
•
14K Posts
1
April 30th, 2018 18:00
OPAL (also known as TCG) is a standard for activating the SED's native encryption that is typically found on enterprise-focused products. The mechanism that activates hardware encryption by using the age-old HDD password entered in the BIOS Setup is called Class 0 encryption -- but Dell systems do not support setting HDD passwords in the BIOS for NVMe drives, regardless of whether they are self-encrypting or not. HDD passwords are only supported for SATA drives. The KB article about that is here.
If you want to take advantage of encryption, you may want to consider BitLocker if you have a Pro version of Windows, or VeraCrypt if you don't. The latter may introduce some extra complications if you're on Windows 10 since Microsoft will be pushing a new release every 6 months and they obviously don't officially support VeraCrypt, whereas BitLocker is Microsoft's own solution. They won't take advantage of the drive's hardware encryption, but CPUs for almost a decade now have had hardware acceleration for AES encryption/decryption operations that allows them to be performed without any performance penalty even when reading/writing at NVMe SSD speeds. It's also typically easier to recover drives protected with software encryption in another PC. With Class 0 encryption, you need to install it internally into another system that knows how to prompt for an HDD password, whereas with software encryption you can connect the drive through an external enclosure and access it just fine that way, no "hardware-level unlock" support required. Granted, NVMe enclosures are still quite expensive, so for the time being that particular advantage is more relevant for SATA drives, but NVMe enclsoures will likely become more common in the future.
jp_miata
2 Posts
0
May 18th, 2018 10:00
I also have a Latitude 7490 with the 512GB NVME Opal 2.0 SED drive. I wanted to know, if there is an instruction how to get Windows 10 with Bitlocker to use the hardware encryption of the drive. I tried to enable Bitlocker, which worked, but it uses software encryption.
jphughan
9 Legend
9 Legend
•
14K Posts
0
May 18th, 2018 13:00
There isn't usually an easy way to do this. The drive has to be prepped before you even run Windows Setup. For Samsung retail SSDs, their recommended process is to install Windows just to run Samsung Magician for this purpose, and then choose to prep the drive. This will trigger a secure erase, at which point your SSD will be ready, but now of course you need to install Windows again. Convenient, right? I'm not sure what the process would be for SEDs shipped from Dell or whether it's even supported, but here is Microsoft's only somewhat helpful documentation about this. But as I said above, given that AES encryption and decryption operations have CPU acceleration and can therefore be done with no meaningful overhead even at NVMe SSD read/write speeds, the benefit doesn't really seem worth the effort.
thomas303
1 Message
3
July 22nd, 2018 04:00
Dell, could it please be up to us, the users, to decide wether we want to use Class0 passwords on NVMe devices or not?
My personal scenario is as follows:
- I think that software-based pre-boot software dealing with encryption passwords is a flaw in itself
- I want to use a feature which my NVMe drive provides and which I payed money for. In other words: I want to use hardware-based encryption. And I not only want to use it for performance reasons but also to increase reliability (whereas software tends to have bugs, updates, security issues, etc.) and security (even when proprietary).
- I want to boot into the system from a linux live distro not having to deal with unlocking the device software-wise every time
- Using OPAL-TCG (the other option to use hardware-based encryption) seems to be a nightmare, both in terms of setting it up with linux and also in terms of support of vendors. On top of that, it again uses software for unlocking the device.
- I also want to have the option to multi-boot into several operating systems (e.g. Linux and Windows).
- That said, bitlocker is not an option for me at all (not using Windows) and LUKS (using Linux) is already overcomplicating things.
I've used hardware based encryption for so many years now (via SSD ATA password) and I still think that it is the best solution in terms of usability and even security (even when proprietary). And I think that usability and security go hand in hand when it comes to the question if users enable encryption or not.
That said, Dell should really support Class0 passwords for NVMe drives. And Dell should not domineer over users (I assume that Dell's price tag might have been on removing Class0 passwords, not on enabling them via BIOS).
The Hardware I'm using is a relatively new Latitude 5580 and a Samsung 960 1TB M.2 NVMe drive. At the time of my purchase, Dell offered no comparable drive via the store.
solarys
1 Message
0
September 27th, 2020 14:00
Hello there!
That’s not the only solution. For TCG Opal you can activate encryption via some third party specific software. I don’t know is so much secrecy about it and i don’t know why everybody keep insisting on using software encryption. Software encryption is old and is from far away beated by hardware encryption. I’m using dell’s and ssd’s especially samsung ssd’s about few good years. I’m using hardware encryption about 6-7 years now and if you do your homework right everything will work by the book.
Now to the solutions: tcg opal is activated by a third party software.
At this moment from what i experienced i used a small software from Driver Trust which is completely free, and the other software is from Winmagic and it cost something like 85$ per year for 1 pc.
Pros and cons for each one.
1. Driver Trust sollutions uses a small shadow partition few mb, where is running a small linux which activate the hardware encryption. The utilities and software along with instructiona are available for free on github.
pro: is free
con: it’s managing only the primary ssd the ones you are booting from it. If you have multiple ssd encrypted inside the same pc you cannot decrypt them from boot. You can decrypt them if you use windows utilitiy later from windows but it’s a little bit complicated. Ofcorse they have a software wich manages more than one ssd but is about 200$
2. second solution from WinMagic SecureDoc, it’s a windows based solution (it is installed from windows, managed from windows, but it’s works kind of the same way as first solution (uses a small linux or windows image to encrypt/decrypt ssd) by installing a small boot manager which after you insert the password decrypt the drive and let you boot into windows. It has a pretty nice gui interface before boot.
pros: it can manage after you decrypted and booted into the main drive and you are in windows, i repeat it can manage from windows interface the others encrypted ssd’s and can decrypt them and mount them. After reboot or shutdown the drives are ofcorse encrypted back.
They are very quick and very helpful with technical support.
cons: at the time i was testing that solution because of the microsoft updates i had to communicate with the vendor support because of some errors occured at instalation. It depends of windows version and can give you errors sometines but with the help of technical stuff from vendor everything worked in the end.
I personally recommend if you are a home user using tcg opal emcryption with the software from Driver Trust for one single ssd. For more ssd in the same pc i recommend WinMagic SecureDoc.
I know Sophos has a business solution too.
Wave Systems have from a very long time solutions for encrypted ssd. Up to few years back they had solutions for individuals too but recently their solution has a corporative price.
Hope this will help you.
Randall Weed
1 Rookie
1 Rookie
•
1 Message
0
May 3rd, 2024 04:00
@jphughan I agree I think the user should decide for his self not getting forced into it but that is why i don’t use windows or pay for Dell I either get it for free or I take four old laptops and make one . And my security is there better there newest Stuff