Free/Libre software to handle TCG OPAL 2.0-compliant Self-Encrypting Drives (SEDs)?

Question

I'm in search of a free/libre software that is able to handle OPAL (2.0)-compliant SEDs (i.e. manage the setting of Pre-Boot Authentification (PBA) environment, encryption keys...).

It could be a utility that runs as a live image (thus OS-independant), or a client software that would work on GNU/Linux distributions. It would allow one end-user (not looking for fancy enterprise stuff) to manage the lock key (set, modify and delete the password used to encrypt the encryption key) and create the PBA.

hdparm is nearly what I'm looking for, but only works with ATA security features (no OPAL consideration, no PBA...), which can be troublesome with loosy BIOS (cf this blog post to understand how BIOS can screw up ATA password feature on SEDs).

The Trusted Computing Group (which edicts the OPAL standard) mentions a couple of "Independent Software Vendors" that handle OPAL SEDs, but most if not all of them require a Windows copy to be set up, or are aimed at large companies. I've been referred to SecureDoc's WinMagic Enterprise edition for its GNU/Linux compatibility and OPAL compliance, but I couldn't get in touch with their sales department because I don't have a "non-free"/corporate address (sure, why not).

More importantly, I don't trust closed ("proprietary") software for anything related to security. In those times of PRISM scandal and other large-scale impingements on privacy, it would be completely absurd to rely on opaque encryption technology proposed by a US-based company. Hence the search for a libre software which acts "in the clear" and whose source code can be reviewed and compiled for oneself.

If you do not know of such a software, any hints on how one could be produced? Start a crowdfunding campaign, make a request during a DefCon...? I'm just a normal end-user with no development skills, but I wouldn't mind participating in the funding of such a project.

Other interesting resource: SSDs with usable built-in hardware-based full disk encryption, a blog post with the most comprehensive info I could find on the topic of SEDs and FDE ;

Answer 1

A developer has started work on a GPL'd command line tool for supporting TCG Opal 1.0/Opal 2.0/Enterprise drives under linux and windows. It's in very early development (v0.02alpha), but I like what I see so far and I have done some testing for the developer.

Source: https://github.com/r0m30/msed

Binaries: http://www.r0m30.com/msed/files

Answer 2

The latest version of msed had been pushed to github with executables at www.r0m30.com/msed. The 0.20beta release has a PBA for bios machines and the ability to load it after activating the locking SP. I'm still developing some real documentation but the announcement contains some quick and dirty instructions for activating OPAL 2.0 hardware FDE using either Windows or Linux.

Answer 3

You're smart to not trust black box security, but then that leaves software security. LUKS works, is well-regarded, and supports TRIM on SSD's.

Yes, you have to enter your password when you boot the machine (when it boots your /boot, actually). Having your BIOS know your password is closer to the 'convenient' side of the spectrum than the 'secure' one. Depends what your end goals are.