
NVMe SSDs that support eDrive/OPAL v2 encryption

I'm having a hard time finding an NVMe drive that supports eDrive (BitLocker) or OPAL v2 encryption. For those that don't know, these allow you to encrypt the drive with your own key, but the drive does all the work of encrypting, so there is no performance loss (unlike software encryption).

 

Samsung used to support it but their current range doesn't seem to. Anyone know of any decent NVMe drives that do?


Thanks, I'm aware of that. Fortunately I'm not too worried about sophisticated opponents interfering with the drive's firmware or launching zero-day attacks against it. I'm just looking to protect the data from the other 99.9% of people and will use software crypto for specific stuff as needed.


Thanks Slasyerking92. Intel don't mention it on their site but digging through reviews it seems you are right, the 7600P does support eDrive and OPALv2.

 

Not cheap but a definite option.


The BarraCuda NVMe ZP512CM30031 and also the ZP256CM30031 are self-encrypting models; you can see more details here in case you are interested:

Seagate Technology | Official Forums Team

IronWolf Drives for NAS Applications - SkyHawk Drives for Surveillance Applications - BarraCuda Drives for PC & Gaming


Phison E12 SSD controller based drives support OPAL, but not BitLocker. You can get the MyDigitalSSD BPX Pro in up to 2TB.

ლ(ಠ益ಠ)ლ
(ノಠ益ಠ)╯︵ /(.□ . \)

19 hours ago, kuro68k said:

Thanks. Is 512GB the largest you do?

No, for internal storage we can reach up to 1.92TB in other product lines. Look at the Nytro 5000, which is also an NVMe drive encrypted by hardware:

And of course much more than that with a hard drive: the Exos line offers one of up to 12TB with hardware encryption, but those are enterprise level. Here I put them in case you are curious to see which HDDs these are:



I've been doing some research. The Samsung 970 Evo Pro seems to be the best option. Best performance, best price. You really have to dig but it does support eDrive/OPAL v2.

 

BUT for all NVMe drives you need to make sure your BIOS supports encryption with NVMe drives. ASRock seem to be good for that, have not confirmed other boards.

4 minutes ago, kuro68k said:

BUT for all NVMe drives you need to make sure your BIOS supports encryption with NVMe drives. ASRock seem to be good for that, have not confirmed other boards.


Oh yes, that's for sure! The BIOS needs to support hardware encryption, otherwise it won't work. It is my understanding that the units with this feature do it by themselves, meaning it is always enabled though.

5 months later...
On 4/9/2019 at 1:43 PM, seagate_surfer said:

Oh yes, that's for sure! The BIOS needs to support hardware encryption, otherwise it won't work. It is my understanding that the units with this feature do it by themselves, meaning it is always enabled though.

 

Hardware boot drive encryption with NVME TCG OPAL drives works great with SEDutil. This is why we created https://sedutil.com. We struggled to find information on this issue and there is a lot of false information out there. 

 

If you have a TCG OPAL 2.0 compliant NVME drive, like a Samsung 960 Pro, 970 Pro, 970 Evo, or 970 EVO Plus, then you can use the SEDutil pre-boot authentication bootloader to unlock that drive and then automatically load Windows. SEDutil is BIOS independent and does not require a clean installation of Windows. Also, you can add and remove the SEDutil pre-boot authentication bootloader at will without having to reinstall Windows. Or, you can disable pre-boot authentication and leave the bootloader in place.

 

With hardware Bitlocker you need a compatible drive, and the BIOS needs to specifically support Bitlocker. This is not the case with SEDutil. 

 

The only two downsides with SEDutil in Windows are that sleep is not supported (not really an issue with instant NVME hibernation, which is fully supported), and you must disable Secure Boot with SEDutil (debatable whether that is a security issue).

 

Most of your questions will probably be answered here: https://sedutil.com/#faq

 

If you have any questions please ask, and we will add them to the FAQs.

1 month later...

 

On 9/18/2019 at 7:05 PM, SEDutil said:

If you have any questions please ask, and we will add them to the FAQs.

@SEDutil Does SEDUtil support auto-unlock with a TPM?

1 year later...

@kuro68k: what did you learn on your quest?

 

I'm also buying a new drive and I'd like it to support hardware encryption with my own password, using Bitlocker or something else.

Does a drive need to support Opal 2.0 for that purpose? I ask this, because I see that some specify just "256bit AES" encryption, while others have "256bit AES, TCG Opal 2.0". What's the difference between them and how do the non-Opal ones work in terms of password/key management?

 

(I know it's an old thread, but I'm looking to get a reply from OP and other participants on a rather niche topic.)

11 minutes ago, Dunn said:

@kuro68k: what did you learn on your quest?

 

I'm also buying a new drive and I'd like it to support hardware encryption with my own password, using Bitlocker or something else.

Does a drive need to support Opal 2.0 for that purpose? I ask this, because I see that some specify just "256bit AES" encryption, while others have "256bit AES, TCG Opal 2.0". What's the difference between them and how do the non-Opal ones work in terms of password/key management?

 

(I know it's an old thread, but I'm looking to get a reply from OP and other participants on a rather niche topic.)

Drives with TCG Opal 2.0 can be used with SEDutil. Drives that also have IEEE 1667 can be used with BitLocker. Windows no longer supports hardware BitLocker by default as most drives are insecure - you have to force enable it even if the drive is supported. Software encryption is now the recommended configuration, just like Apple never bothered with SED support in FileVault 2. You can't trust random manufacturers with this stuff.


Noted, but software encryption is not something that I'm currently interested in and let's just leave it at that.

 

You said most drives are insecure with hardware encryption. Do you know which are and which aren't, perhaps? Is there an up to date overview somewhere?

I remember when that story first came out years ago... even then not all drives were equally vulnerable, some were easier to hack than others. So I guess manufacturers are able to at least reduce if not completely eliminate the vulnerabilities and maybe some have done that.

 

In any case, I'm considering both BitLocker and SEDutil and maybe even other methods of managing encryption. But for now I'm focusing on finding a compatible NVMe drive, which needs to work with a password (and not a USB key or anything like that).

13 minutes ago, Dunn said:

In any case, I'm considering both BitLocker and SEDutil and maybe even other methods of managing encryption. But for now I'm focusing on finding a compatible NVMe drive, which needs to work with a password (and not a USB key or anything like that).

Only some laptop UEFIs support the NVMe ATA Security / Class 0 password. This method isn't recommended, as once the password is set, it may be impossible to remove without the same model motherboard or specialized hardware, rendering the drive unusable if the PC fails, even if you know the password.

 

TCG Opal 2.0 drives must be managed by pre-boot authentication software like SEDutil / BitLocker. The method of authentication such as password / TPM is entirely up to the PBA software. The drive itself does not "support" passwords or any particular means of authentication.

 

AFAIK SEDutil does not support TPM or unlocking the HDD after sleep mode (the OS will crash). Only BitLocker works properly, so you need an IEEE 1667 drive.


That's right. EFI_STORAGE_SECURITY_COMMAND_PROTOCOL is required to boot from a BitLocker hardware encrypted drive. BitLocker hardware encryption is essentially dead. I don't think SEDutil has this requirement.


Right.

So, there's still that thing which is unclear to me, about drives which have just "256bit AES" encryption, but not Opal 2.0. Do you happen to know how they work in terms of managing the key/password, if that's even possible at all?

An example of such a drive is the Intel 660p.

10 minutes ago, Dunn said:

Right.

So, there's still that thing which is unclear to me, about drives which have just "256bit AES" encryption, but not Opal 2.0. Do you happen to know how they work in terms of managing the key/password, if that's even possible at all?

An example of such a drive is the Intel 660p.

Those are drives which support NVMe ATA Security / Class 0. They are bootable only in certain laptops which have BIOS support for NVMe ATA Security. The password prompt comes from the BIOS. There are Linux tools to set the NVMe ATA password and lock / unlock the drive on any PC, but you can't boot from it without BIOS support.

 

Some drives like the Intel Optane 900p claim AES support because the data is encrypted at rest on the chips, which is completely useless. They do not support NVMe ATA Security commands to actually set a password and protect the key. Encryption with a factory key is just the default behaviour of the controller as the enterprise models support TCG Opal 2.0.


With NVMe ATA Security / Class 0, the entire physical disk is locked, similar to old school HDD ATA passwords. The bootloader will not be readable at all unless the BIOS supports NVMe ATA Security, detects that the disk is locked, and prompts you for the password.

 

TCG Opal 2.0 supports locking individual address ranges (effectively partitions) on the disk. It can leave an unlocked partition at the beginning to hold the bootloader / PBA like SEDutil or BitLocker, while locking the OS and data partitions. Thus the BIOS can boot into the PBA, which unlocks and chain loads the OS partition.

 

IEEE 1667 provides an interface to manage the locked address ranges via software. Windows uses this to set up BitLocker. SEDutil requires manual setup and does not require IEEE 1667.

 

EFI_STORAGE_SECURITY_COMMAND_PROTOCOL lets the PBA request the UEFI to send unlock commands to the drive through a device agnostic interface, instead of the PBA directly communicating with the drive's controller. BitLocker requires this. I think the Linux PBA used by SEDutil has built-in support for various controllers, so it doesn't require this UEFI extension.

 

NVMe ATA Security and TCG Opal 2.0 are unrelated and mutually exclusive. The drive must be configured to run in either mode using manufacturer software like Samsung Magician.
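The PBA arrangement described in the post above (global locking range locked at power-up, PBA presented until it unlocks the range and flags MBRDone), as an added shell wrapper around the documented sedutil-cli command sequence. This is not from the thread and not a script shipped by the sedutil project. In sedutil's case the PBA image lives in the drive's Opal shadow MBR area rather than in a separate unlocked partition, which is why the steps below enable MBR shadowing and clear MBRDone. The device path, image path and password are placeholders; `DRY_RUN=1` prints the commands instead of running them, and the helper functions assume sedutil-cli is on PATH.

```shell
#!/bin/sh
# Added example wrapping the sedutil-cli steps for putting an Opal 2.0 drive
# behind the SEDutil pre-boot authentication (PBA) image. Not from the thread
# or from the sedutil project. Placeholders: /dev/nvme0, the PBA image path
# and the password. SATA drives additionally need libata.allow_tpm=1 on the
# kernel command line; NVMe does not.
set -eu

# With DRY_RUN=1 print the command; otherwise execute it.
run() {
    if [ "${DRY_RUN:-}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# sedutil-cli takes the password as a plain argument, so it ends up in shell
# history and process listings: run this from a script, not interactively.
sed_setup() {
    dev=$1 pw=$2 img=$3
    run sedutil-cli --isValidSED "$dev"                  # refuse non-Opal drives
    run sedutil-cli --initialSetup "$pw" "$dev"          # take ownership, activate Locking SP, enable MBR shadowing
    run sedutil-cli --enableLockingRange 0 "$pw" "$dev"  # range 0 = global range, whole disk
    run sedutil-cli --setLockingRange 0 LK "$pw" "$dev"  # range comes up locked after power loss
    run sedutil-cli --setMBRDone off "$pw" "$dev"        # firmware sees the shadow MBR (PBA) at boot
    run sedutil-cli --loadPBAimage "$pw" "$img" "$dev"   # write the PBA image into the shadow MBR
}

# Unlock from a running OS (e.g. a live USB) without removing the PBA:
# unlock the global range and mark MBRDone so the real disk is visible.
sed_unlock() {
    dev=$1 pw=$2
    run sedutil-cli --setLockingRange 0 RW "$pw" "$dev"
    run sedutil-cli --setMBRDone on "$pw" "$dev"
}

# Back out: disable locking and MBR shadowing and revert the Locking SP
# without regenerating the media key, so the data stays readable.
sed_disable() {
    dev=$1 pw=$2
    run sedutil-cli --disableLockingRange 0 "$pw" "$dev"
    run sedutil-cli --setMBREnable off "$pw" "$dev"
    run sedutil-cli --revertNoErase "$pw" "$dev"
}

# Number of commands a setup would issue; handy for a pre-flight review.
sed_setup_steps() {
    DRY_RUN=1 sed_setup "$@" | wc -l | tr -d ' '
}

# Usage (dry run first, then for real):
#   DRY_RUN=1 sed_setup /dev/nvme0 'password' /root/UEFI64.img
#   sed_setup /dev/nvme0 'password' /root/UEFI64.img
```

Rebooting after `sed_setup` should land in the PBA, which asks for the same password and chain-loads the OS. Keep a way to run `sed_unlock` or `sed_disable` from another system before relying on it, since the password is the only thing standing between you and an unreadable drive.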

