Drive-Trust-Alliance / sedutil

DTA sedutil Self encrypting drive software

Trying to encrypt a TCG-E SED with Sedutil. Does my SED not support OPAL? #374

Closed FullStackRyfi closed 2 years ago

FullStackRyfi commented 2 years ago

Here are my scan results:

    [root@localhost ~]# sedutil-cli --scan
    Scanning for Opal compliant disks
    /dev/sda E Micron_5210_MTFDDAK1T9QDE D2MU005
    /dev/sdb E Micron_5210_MTFDDAK1T9QDE D2MU005
    No more disks present ending scan

and here is my debug info:

Drive Info

    Device Name : /dev/sdb
    Model No : Micron_5210
    Serial No : xxxxxxxxxxxxxx
    FW-Rev : D2MU005
    Total Size : 1920.00GB
    Drive Status : Drive in good health
    SMARTEnabled : Yes
    Sata Link Speed : Gen3 (6.0 Gbps)
    Sata Link Max Speed : Gen3 (6.0 Gbps)
    TCG Status : Deactivated
    TCG SSC type : Enterprise

According to this page, there should be a number after /dev/sdb:

_Check if your disk supports OPAL_

    sedutil-cli --scan

_If you get something like_

    Scanning for Opal compliant disks
    /dev/sda No LITEONIT LMT-256L9M-11 MSATA 256GB HM8110B

_then your disk does not support OPAL. On the contrary, the following output means OPAL standards 1.0 and 2.0 are supported:_

    /dev/sda 12 Samsung SSD 850 EVO 500GB EMT02B6Q

When attempting the first step to even initialize the SED I receive this error

    [root@localhost ~]# sedutil-cli --initialsetup password /dev/sdb
    One or more header fields have 0 length
    Session start failed rc = 136
    Unable to start Unauthenticated session /dev/sdb
    One or more header fields have 0 length
    EndSession Failed
    takeOwnership failed unable to retrieve MSID
    Initial setup failed - unable to take ownership

I have been troubleshooting for days now and just cannot figure out how to enable encryption on this drive. Any and all help would be appreciated.

r0m30 commented 2 years ago

To answer the question in your title: no, your drive does not support Opal. The E means your drive supports the enterprise spec. There are many differences in the specs.

A few major ones are: there is no PBA in the enterprise spec, so you can't boot from an encrypted enterprise drive. There is also a different user structure (bandmasters is all I seem to remember).

There are people using sedutil on enterprise drives but none that I know of are home users. 

Honestly it's been so long since I used an enterprise drive I don't remember how to set one up.
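
The scan column discussed above (`No`, `12`, `E`) can be checked before any `--initialsetup` attempt. The following is an added example, not part of the thread or of sedutil: it parses `sedutil-cli --scan` output and reports which drives are Opal-capable. The sample input is constructed from the lines quoted in this thread, and handling of a lone `1` or `2` generalizes beyond the `12` case shown here as an assumption.

```python
import re

# Constructed sample built from the scan lines quoted in this thread;
# the device names /dev/sdb and /dev/sdc are reassigned for illustration.
SAMPLE_SCAN = """\
Scanning for Opal compliant disks
/dev/sda  E Micron_5210_MTFDDAK1T9QDE D2MU005
/dev/sdb 12 Samsung SSD 850 EVO 500GB EMT02B6Q
/dev/sdc No LITEONIT LMT-256L9M-11 MSATA 256GB HM8110B
No more disks present ending scan
"""

# Assumption: each character of the support column names one SSC.
SSC_NAMES = {"1": "Opal 1.0", "2": "Opal 2.0", "E": "Enterprise"}

# device, support column, model (may contain spaces), firmware (last token)
LINE_RE = re.compile(r"^(/dev/\S+)\s+(No|[12E]+)\s+(.+)\s+(\S+)$")


def parse_scan(text):
    """Return one dict per drive line; banner and trailer lines are skipped."""
    drives = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        device, flags, model, firmware = m.groups()
        ssc = [] if flags == "No" else [SSC_NAMES[c] for c in sorted(set(flags))]
        drives.append({"device": device, "ssc": ssc,
                       "model": model.strip(), "firmware": firmware})
    return drives


def opal_capable(drives):
    """Devices where an Opal setup (including the PBA) applies."""
    return [d["device"] for d in drives
            if any(s.startswith("Opal") for s in d["ssc"])]


if __name__ == "__main__":
    for d in parse_scan(SAMPLE_SCAN):
        print(d["device"], ", ".join(d["ssc"]) or "not supported", "|", d["model"])
    print("Opal-capable:", opal_capable(parse_scan(SAMPLE_SCAN)))
```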

epaul1967 commented 2 years ago

Did you solve the issue? I have the same problem with an enterprise drive.

r0m30 commented 2 years ago

This may be related to the use of sessiontimeout in the start session. There is code in DTAsession.cpp that adds sessiontimeout to the startsession for enterprise drives. If you can build sedutil yourself then you may want to try commenting out that code. The developer who contributed that code wanted this value because he was running on a production server farm and did not want to have to reboot the server if a command failed.

epaul1967 commented 2 years ago

I'll try, thanks a lot

madsl commented 2 years ago

Sorry to comment on a closed case, but I have a WD My Book 25ED, and I experience the same thing. Then I commented out this block in DtaSession.cpp:

    // e.g., when interrupted by ^C. 60 seconds is inconveniently long,
    // but revert may require that long to complete.
    if (d->isEprise()) {
        cmd->addToken(OPAL_TOKEN::STARTNAME);
        cmd->addToken("SessionTimeout");
        cmd->addToken(60000);
        cmd->addToken(OPAL_TOKEN::ENDNAME);
    }

and then it worked without a hitch.

Surely that timeout should be a non-default option or something? Isn't it bad if sedutil-cli doesn't work with enterprise drives without changing the source code?

madsl commented 2 years ago

Hm nevermind, seems like sedutil-cli does not work with unlocking my WD Drive after disconnection. It's better to check out guides like https://github.com/SofianeHamlaoui/WD-Decrypte unfortunately.