kuro68k

NVMe SSDs that support eDrive/OPAL v2 encryption


Posted · Original Poster

I'm having a hard time finding an NVMe drive that supports eDrive (BitLocker) or OPAL v2 encryption. For those that don't know, these allow you to encrypt the drive with your own key, but the drive does all the work of encrypting stuff so there is no performance loss (unlike software encryption).

Samsung used to support it but their current range doesn't seem to. Anyone know of any decent NVMe drives that do?

Posted · Original Poster

Thanks, I'm aware of that. Fortunately, I'm not too worried about sophisticated opponents interfering with the drive's firmware or launching zero-day attacks against it. I'm just looking to protect the data from the other 99.9% of people and will use software crypto for specific stuff as needed.

Posted · Original Poster

Thanks Slasyerking92. Intel don't mention it on their site but digging through reviews it seems you are right, the 7600P does support eDrive and OPALv2.

 

Not cheap but a definite option.


The BarraCuda NVMe ZP512CM30031 and also the ZP256CM30031 are self-encrypted models; you can see more details here in case you are interested:


Seagate Technology | Official Forums Team

IronWolf Drives for NAS Applications - SkyHawk Drives for Surveillance Applications - BarraCuda Drives for PC & Gaming


Phison E12 SSD controller based drives support OPAL, but not BitLocker. You can get the MyDigitalSSD BPX Pro in up to 2TB.


ლ(ಠ益ಠ)ლ
(ノಠ益ಠ)╯︵ /(.□ . \)

19 hours ago, kuro68k said:

Thanks. Is 512GB the largest you do?

No, for internal storage we can reach up to 1.92TB in other line models, look at the Nytro 5000 which is also an NVMe encrypted by hardware:

And of course much more than that with a hard drive; the Exos line offers one of up to 12TB with hardware encryption, but those are enterprise level. Here I put them in case you are curious to see which HDDs these are:


Seagate Technology | Official Forums Team

Posted · Original Poster

I've been doing some research. The Samsung 970 Evo Pro seems to be the best option. Best performance, best price. You really have to dig but it does support eDrive/OPAL v2.

 

BUT for all NVMe drives you need to make sure your BIOS supports encryption with NVMe drives. ASRock seem to be good for that, have not confirmed other boards.

4 minutes ago, kuro68k said:

BUT for all NVMe drives you need to make sure your BIOS supports encryption with NVMe drives. ASRock seem to be good for that, have not confirmed other boards.


Oh yes, that's for sure! The BIOS needs to support hardware encryption, otherwise it won't work. It is my understanding that the units with this feature do it by themselves, meaning it is always enabled, though.


Seagate Technology | Official Forums Team

On 4/9/2019 at 1:43 PM, seagate_surfer said:

Oh yes, that's for sure! The BIOS needs to support hardware encryption, otherwise it won't work. It is my understanding that the units with this feature do it by themselves, meaning it is always enabled, though.

 

Hardware boot drive encryption with NVMe TCG OPAL drives works great with SEDutil. This is why we created https://sedutil.com. We struggled to find information on this issue and there is a lot of false information out there.

If you have a TCG OPAL 2.0 compliant NVMe drive, like a Samsung 960 Pro, 970 Pro, 970 Evo, or 970 EVO Plus, then you can use the SEDutil pre-boot authentication bootloader to unlock that drive and then automatically load Windows. SEDutil is BIOS independent and does not require a clean installation of Windows. Also, you can add and remove the SEDutil pre-boot authentication bootloader at will without having to reinstall Windows. Or, you can disable pre-boot authentication and leave the bootloader in place.

With hardware BitLocker you need a compatible drive, and the BIOS needs to specifically support BitLocker. This is not the case with SEDutil.

The only two downsides with SEDutil in Windows are that sleep is not supported (not really an issue with instant NVMe hibernation, which is fully supported), and you must disable Secure Boot with SEDutil (debatable whether that is a security issue).

Most of your questions will probably be answered here: https://sedutil.com/#faq

If you have any questions please ask, and we will add them to the FAQs.

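Since several posts above note that vendors often do not document OPAL support, the drive itself can be asked. The script below is an added example, not part of the thread or of the SEDutil project: it classifies the output of `sedutil-cli --scan`, assuming the column layout described in its comments. The function names and the sample scan output are constructed for illustration.

```shell
#!/bin/sh
# Classify drives from `sedutil-cli --scan` output (added example).
# Assumed layout per drive line: <device> <support> <model...> <firmware>
# where <support> is "2" (OPAL 2.0), "1", "12", "E" (Enterprise) or "No".

# Constructed sample output, used when sedutil-cli is not installed.
sample_scan() {
cat <<'EOF'
Scanning for Opal compliant disks
/dev/nvme0  2  Samsung SSD 970 EVO Plus 500GB           FWTEST01
/dev/nvme1 No  EXAMPLE NVMe 1TB                         FWTEST02
/dev/sda   12  EXAMPLE SATA SSD 500GB                   FWTEST03
/dev/sdb    E  EXAMPLE ENTERPRISE HDD                   FWTEST04
No more disks present ending scan
EOF
}

# Read scan output on stdin; print "device<TAB>support<TAB>model".
classify_scan() {
    awk '
    $1 ~ /^\/dev\// {
        if      ($2 == "2")  s = "OPAL 2.0"
        else if ($2 == "12") s = "OPAL 1.0+2.0"
        else if ($2 == "1")  s = "OPAL 1.0"
        else if ($2 == "E")  s = "Enterprise SSC"
        else if ($2 == "No") s = "none"
        else                 s = "unknown(" $2 ")"
        # Model is everything between the support column and the firmware.
        model = ""
        for (i = 3; i < NF; i++) model = model (i > 3 ? " " : "") $i
        printf "%s\t%s\t%s\n", $1, s, model
    }'
}

# Read scan output on stdin; print only devices usable with OPAL 2.0.
opal2_capable() {
    classify_scan | awk -F '\t' '$2 ~ /2\.0/ { print $1 }'
}

# Use the real tool when present (needs root), else the constructed sample.
if command -v sedutil-cli >/dev/null 2>&1; then
    sedutil-cli --scan | classify_scan
else
    sample_scan | classify_scan
fi
```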
