Talk:Self-encrypting drives

From ArchWiki

Suspend doesn't work properly

Suspend locks the drive (Dell E6410 + Samsung EVO 850) and the drive is not accessible after wake up. One solution is to disable Suspend - see https://wiki.archlinux.org/index.php/Polkit#Disable_suspend_and_hibernate

Is it possible to unlock the drive after wake up? -> A fork of sedutil-cli is available that allows providing the password *BEFORE* sleeping such that the system can resume: https://aur.archlinux.org/packages/sedutil-sleep-git/ Germafab (talk) 12:39, 10 May 2020 (UTC)

UEFI boot problems on Asus H97M-E

Unfortunately, OPAL breaks Linux UEFI boot on my Asus motherboard. I use a dualboot configuration. As I understand it, during the initial boot, when the firmware sees an "empty" SSD it removes all UEFI boot entries. When it gets rebooted after entering the encryption password in the PBA, the firmware notices the EFI boot partition and automatically inserts a single new boot entry (of course, only the Windows one). I have only tested it on Asus H97M-E, but I wouldn't be surprised to see this behaviour at least on other Asus motherboards.

Maybe the possibility of firmware bugs of this kind should be mentioned in the "disadvantages" section?

Catnip (talk) 14:40, 9 March 2020 (UTC)

I see something similar as a consequence of the issue explained in "Troubleshooting: PBA Cold Reboot Locks Drives Again": after unlocking the drive, if I manage to break the cold reboot (by hitting F2 at the right moment) and do a warm reboot instead, I see the unlocked drive in UEFI, but its boot entry doesn't work. My workaround is choosing "Boot From File" in UEFI and selecting the proper grubx64.efi. Then normal boot is possible. But this has to be done for each boot. -- XX (talk) 11:18, 3 October 2023 (UTC)
I've added [1]. Ideally, we could add example references of such firmware behaviour (bug report, BBS topic). Please add one, if you come across it (must not be yours, but conclusive for a firmware). --Indigo (talk) 21:22, 15 March 2024 (UTC)

Article should be clearer early on about the negatives

It's unfortunate that there's barely any information on SED/OPAL online. Given that resume from sleep doesn't work, I suspect many notebook users will not want to go this route at all. While it's commendable that the article attempts to show the (hacky) ways of getting OPAL to work, I think there should be an early notification about the flaky nature of current solutions, so users can make an informed choice.

Having a cautionary message above every section is not the answer. I'd rather the article be rewritten from scratch based on the current state of information. Adrian5 (talk) 22:00, 25 February 2021 (UTC)

According to my experience resume from sleep works. Resume from suspend may not work. -- XX (talk) 11:18, 3 October 2023 (UTC)

cryptsetup support for OPAL

Heads-up: If all goes well, the upcoming cryptsetup 2.7.0 gains OPAL support. While it won't be suitable for pre-boot authentication (whole drive encryption), it will make the hardware features much easier to deploy for individual devices. See the release candidate Notes. As a first thought on how to integrate the new support, Self-encrypting drives#Encrypting a non-root drive could be applicable for an initial example once the release lands? -- Indigo (talk) 23:10, 12 December 2023 (UTC)

I am so looking forward to this, it was merged 5 months ago. Poettering on how this would fix OPAL and SecureBoot - https://github.com/systemd/systemd/issues/16089#issuecomment-1681980103 What is bash? (talk) 05:04, 25 December 2023 (UTC)
I did a first test with a sata ssd. This now triggers a pre-boot pw on uefi and when I plug it into a legacy bios (no tcg support, hence no pre-boot pw), it opens opal with the luks device or also a luks header for opal-only (yay). Performance does not seem to differ with opal-only or opal+luks, could be the drive maxes sata in both cases. What did not work yet was (1) luksFormat on the legacy bios, and a nvme on uefi, (2) a FIDO2 cryptenroll on the opal-only device. --Indigo (talk) 16:20, 14 January 2024 (UTC)
With cryptsetup 2.7.0-1 now in the repo, a luksFormat on legacy bios and a FIDO2 cryptenroll on the opal-only device were now possible. --Indigo (talk) 21:08, 28 January 2024 (UTC)
Is it possible for you to add some examples to the wiki? What is bash? (talk) 21:02, 2 February 2024 (UTC)
Yes, I've collected example output for Special:diff/799562 and will add first paras soon. --Indigo (talk) 16:27, 4 February 2024 (UTC)
I've added initial examples. Welcome to add to it. I have not tried crypttab/resume yet and will add that if no-one is faster. If it works as expected, it should be enough to crosslink dm-crypt/suspend sections. --Indigo (talk) 19:26, 4 February 2024 (UTC)
Does anyone know if there are any compatibility issues with stacked block devices? My gut says that it should not be possible to place LUKS on top of LVM or mdadm RAID, but cryptsetup luksFormat --hw-opal-only didn't complain about creating LUKS on top of a LVM logical volume (a single LV in a single VG in a single PV) when I tested it. Unfortunately I don't have multiple spare OPAL drives to test RAID configurations. --nl6720 (talk) 10:11, 10 July 2024 (UTC)
In theory it should work as well, but your gut sensing issues is spot on ([2], [3]). I can't try it currently, but also think it's too early to rely on it productively. --Indigo (talk) 00:55, 14 August 2024 (UTC)