
NVMe SSDs that support eDrive/OPAL v2 encryption

kuro68k
5 hours ago, maleagour37 said:

"SEDutil is abandoned" - Are you sure about that? I saw that the latest release dates back to Jan, which is not too far.

"doesn't support basic functionality like sleep mode on Windows" - If that's the only functionality that it does not support (plus secure boot), I personally do not really care. Nowadays hibernation is lightning fast with a 980 PRO and will hardly affect the endurance of the drive (600TBW).

"so you need to type the password on every boot." - not sure if that is an issue; that's actually what I want upon each boot. Even Bitlocker in my work laptop does that.

 

"and the implementation of TCG OPAL is also insecure on many drives." - I think that the implementation of TCG Opal (in Samsung SSDs/NVMEs) since 950 PRO and above is secure if I judge from this study: https://repository.ubn.ru.nl/bitstream/handle/2066/207837/207837.pdf?sequence=1

 

"At this point, I would use only BitLocker with an eDrive capable SSD and UEFI like the Samsung 980 PRO, Intel SSD DC, or Intel Optane DC drives. BitLocker no longer uses hardware encryption by default even if available, so you have to enable it manually." - I would rather use TCG Opal and Veracrypt at the same time so that I have 2 layers of protection. Hopefully once this issue is resolved (https://github.com/veracrypt/VeraCrypt/issues/136), the performance of Veracrypt is going to improve, and it will be a good alternative to Bitlocker.

 

I see there's a new fork with updates.

 

You don't use TCG OPAL directly. You use it through a management utility like BitLocker or SEDutil.

 

There's no reason to use SEDutil over BitLocker on a Windows eDrive capable system. eDrive is a seamless integration of TCG OPAL and Secure Boot. If your system doesn't support eDrive then you can fall back to SEDutil.

 

You can use either BitLocker or SEDutil in combination with Veracrypt. It will probably require some fiddling to get the two PBAs to chainload successfully.
