8

I've ordered a Samsung SSD (850 PRO SATA) that supports TCG Opal 2.0.

At first I was planning on setting an HDD password (aka ATA password) via BIOS. But motherboard manufacturers don't seem to specify whether this functionality is supported by their motherboards. My understanding is that with TCG Opal we can skip the BIOS entirely and set the disk password using a tool such as sedutil. The disk itself then has a shadow operating system that asks for the password during boot, independently of whatever operating system is in use (in my case Linux) and of the BIOS.

I have two questions about drive portability and hibernation support.

  1. Can I take an encrypted disk, with the password set (TCG Opal), and move it to a different computer? Since the password is stored inside the disk and handled by this shadow OS I'm assuming this will work, but I couldn't find confirmation anywhere.
  2. Will hibernation work as usual and is the password for the disk asked after booting the computer from hibernation?

1 Answer

5

Let me provide some extended details. I marked the answers to your two questions in bold:

  1. Most BIOS implementations support the ATA Security feature set (also referred to as ATA password or ATA Security Class 0) for SATA devices. If all you need from an SED is data encryption and locking with a single password, then consider this option first.
  2. The MBR Shadowing feature allows the host to unlock TCG Opal devices without any BIOS support. After power-up the device shows the host a special shadow PBA (Pre-Boot Authentication) partition instead of the original disk content. This partition contains code to unlock the device and remove the shadowing. The BIOS loads this code and executes it (thinking that it is the actual OS). Only then does the original disk content become visible and the original boot loader get executed. Portability of such a solution is lower because PBA code can't support all architectures (the sedutil you mentioned provides a PBA image only for x86-compatible PCs and Macs) and can't unlock the device after Sleep (S3 mode).
  3. Shadow PBA works for Hibernation but it doesn't work for Sleep. The device is powered off in both cases, but the BIOS loads the system from scratch only in the first case. The device remains locked after waking up from Sleep and requires TCG support from the OS or a security application.
  4. The code in the shadow PBA partition does not manage the unlock password; it just provides a GUI to input it and uses it for authentication. The password (or usually a derivation of it) is managed by the device firmware in a vendor-specific way.
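The states described in points 2 and 3 (shadow PBA visible after power-up, still locked after S3, unlocked once the PBA has authenticated) can be read directly off a drive's Opal discovery flags. The Python below is an added example, not code from the answer or from the sedutil project: it parses the "Locking function" line of a `sedutil-cli --query` report and names the state the drive is in. The sample reports are constructed to follow sedutil's output layout (the serial number is a placeholder) and were not captured from a real 850 PRO; the state names are this example's own.

```python
import re
from typing import Dict

# Constructed sample in the layout of `sedutil-cli --query /dev/sdX`
# (not captured from a real drive). Flags as they would look right after
# power-up, or after waking from S3: the range is locked and the shadow
# MBR (PBA image) is what the host currently sees.
SAMPLE_AFTER_POWER_UP = """\
/dev/sda ATA Samsung SSD 850 PRO 256GB EXM02B6Q SERIAL-PLACEHOLDER
TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = Y, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = Y, MediaEncrypt = Y
OPAL 2.0 function (0x0203)
    Base comID = 0x1004, Initial PIN = 0, Reverted PIN = 0, comIDs = 1, Locking Admins = 4, Locking Users = 9, Range Crossing = N
"""

# Same drive after the PBA code has authenticated, unlocked the range and
# set MBRDone, so the real disk content is visible again (constructed).
SAMPLE_AFTER_PBA = SAMPLE_AFTER_POWER_UP.replace(
    "Locked = Y", "Locked = N").replace("MBRDone = N", "MBRDone = Y")

# A drive fresh from the factory: locking supported but never enabled (constructed).
SAMPLE_FACTORY = SAMPLE_AFTER_POWER_UP.replace(
    "Locked = Y, LockingEnabled = Y", "Locked = N, LockingEnabled = N").replace(
    "MBREnabled = Y", "MBREnabled = N")

# Matches "Name = Y" / "Name = N" pairs on a discovery line.
_FLAG_RE = re.compile(r"(\w+)\s*=\s*([YN])\b")


def parse_locking_flags(query_output: str) -> Dict[str, bool]:
    """Return the Y/N flags on the line following 'Locking function' as booleans."""
    lines = query_output.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Locking function") and i + 1 < len(lines):
            return {k: v == "Y" for k, v in _FLAG_RE.findall(lines[i + 1])}
    raise ValueError("no 'Locking function' block: not an Opal/Pyrite device")


def is_opal(query_output: str) -> bool:
    """True if the discovery report advertises the Opal 2.0 feature descriptor."""
    return any(l.startswith("OPAL 2.0 function") for l in query_output.splitlines())


def classify(flags: Dict[str, bool]) -> str:
    """Map the locking flags onto the states the answer describes."""
    if not flags.get("LockingSupported"):
        return "no-locking"            # cannot hold a disk password at all
    if not flags.get("LockingEnabled"):
        return "unconfigured"          # behaves as a plain, always-unlocked disk
    if flags.get("MBREnabled") and not flags.get("MBRDone"):
        # The host currently sees the shadow PBA partition, not the real disk:
        # the state after power-up, and also after resume from S3, where no
        # BIOS boot runs the PBA code again.
        return "shadow-mbr-visible"
    if flags.get("Locked"):
        return "locked"                # real disk visible but reads/writes refused
    return "unlocked"


def describe(query_output: str) -> str:
    """Classify straight from raw query text."""
    return classify(parse_locking_flags(query_output))


if __name__ == "__main__":
    for name, sample in [("after power-up", SAMPLE_AFTER_POWER_UP),
                         ("after PBA", SAMPLE_AFTER_PBA),
                         ("factory", SAMPLE_FACTORY)]:
        print(f"{name}: opal={is_opal(sample)} state={describe(sample)}")
```

On a real system you would feed `describe()` the output of `sedutil-cli --query /dev/sdX` captured after a resume: a result of `shadow-mbr-visible` or `locked` is exactly the situation point 3 warns about, where nothing in the boot path will run the PBA again and the OS (or a security application with TCG support) has to authenticate itself.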
  • 2
    Can we expect BIOS-level support for TCG Opal in the future? PCIe drives are becoming more common, and cannot benefit from ATA Security.
    – jiggunjer
    Commented Feb 5, 2018 at 10:26
  • 1
    The security ecosystem for NVMe devices is only just being established. In contrast to ATA, the NVMe specification doesn't include any security functionality besides two commands for tunneling security protocols. That is enough for TCG Opal, but that protocol is overkill for most usages. Instead of adding complete BIOS support for TCG Opal, the industry looked for a simple password-locking protocol to be used on NVMe devices, which resulted in two approaches:
    Commented Feb 7, 2018 at 2:55
  • 1
    1. Port the security commands from ATA devices as a security protocol for NVMe. A similar approach exists for SCSI devices, and it requires minimal changes to current BIOS implementations. All major BIOSes already support this approach. The tricky part is that there is no industry specification for this protocol, and most device vendors just don't know how to identify it in whitepapers: it can be called ATA Security Class 0 or ATA pass-through for NVMe.
    Commented Feb 7, 2018 at 2:55
  • 1
    2. Define an industry specification for password locking based on ATA use cases but using TCG Opal commands. TCG Pyrite was released to support this approach. BIOS vendors are adding implementations of this protocol. Since Pyrite is a subset of Opal and shares most commands with its bigger brother, a Pyrite implementation in the BIOS allows managing Opal devices as well. The benefit for the home user is that it can substitute for a 3rd-party ISV implementation in most local security scenarios: a single range, 1 or 2 password authorities.
    Commented Feb 7, 2018 at 2:55
  • 1
    Bottom line: BIOSes support the NVMe port of ATA Security and are adding support for TCG Pyrite. Complete TCG Opal support in the BIOS is not expected.
    Commented Feb 7, 2018 at 2:55
