Drive-Trust-Alliance / sedutil

DTA sedutil Self encrypting drive software

NOT AUTHORIZED error/Samsung EVO 970 plus #382

Open jarmomak opened 2 years ago

jarmomak commented 2 years ago

I am trying to set up an OPAL password with sedutil. I have enabled the encrypted drive feature with the Samsung Magician software. `sedutil-cli --scan` correctly shows my disk as an OPAL disk. But trying to run the initialization command fails. It seems that the password is already set (somehow). I tried initialization with the "debug" option, same results.

What is wrong?

JaBoMa commented 2 years ago

Please do not enable either the BIOS password for your disk or the "Encrypted Drive | Ready to Enable" feature in Samsung Magician for it, if you would like to set up your drive as a Self Encrypted Drive according to the TCG Opal specification. Use just sedutil for that task, preferably from the rescue system on USB (in order to avoid discrepancies in password hashing between Windows and Linux). Read the Wiki on how to do that. If your disk is finally set as OPAL encrypted, Samsung Magician will show your "Encrypted Drive | Disabled" (in the Encrypted Drive tab), at least Samsung Magician version 6.x.x and above. Earlier versions of Samsung Magician, like 4.5.1, I guess, could show you that your drive is "Opal Enabled", but Samsung Magician could not prepare your disk to be Opal locked. Check it in the Samsung Magician Installation Guide PDF for your version of Samsung Magician. It serves also as the Operating Manual for that program. Stay safe and regards J.

savchenko commented 2 years ago

@JaBoMa that's an impressive "community support" :) Thank you.

VoidAndCaffeine commented 2 years ago

@jarmomak I had that issue. I heard a rumor that it was a "security feature" by Samsung, to prevent someone from hijacking the SED password, sealing your disk, and ransoming it back to you.

Even so, all you have to do is a PSID revert: https://github.com/Drive-Trust-Alliance/sedutil/wiki/PSID-Revert

Pardon my English, it is my first language, I'm just an idiot :)

JaBoMa commented 2 years ago

That "rumor" is mentioned in the following thread: https://github.com/Drive-Trust-Alliance/sedutil/issues/291 , which was opened in 2019 (last comment from May 2020). It seems to be reasonable. But with my Samsung 970 Evo Plus 1TB drive I bought in July 2020, I didn't need a PSID revert to properly execute the sedutil-cli --initialsetup command (running from USB Rescue System ver. 1.20, 32-bit for BIOS).

This does not change the fact that Samsung Magician is not suitable for preparing a TCG Opal encrypted disk. And this does not change the fact that the disk, encrypted according to TCG Opal, should not be locked with a BIOS password. Or that such a drive should not be encrypted by the operating system, e.g. with BitLocker.

I hope that my English is understandable, even though it is not my native language ;) ATB and Regards J.

rpuskas0 commented 2 years ago

Hi, I have pretty much the same problem with a Samsung 980 SSD. I couldn't initialize the drive at first, so I did a PSID revert, then did all the necessary steps:

```
ERR : method status code NOT_AUTHORIZED
ERR : Session start failed rc = 1
ERR : EndSession Failed
ERR : Unable to set MBRDone on
ERR : method status code NOT_AUTHORIZED
ERR : Session start failed rc = 1
ERR : EndSession Failed
```

So what could be the reason for it? I have my own fork of ChubbyAnt with updated sedutil (1.20.0), buildroot and kernel to make it boot on newer systems, but I just can't figure out why I am getting this same result. Any ideas? Thanks.

stuckj commented 1 year ago

I had this problem as well. I initially was using BitLocker with hardware encryption using Samsung Magician. It worked for Windows, but you can't dual boot to Linux on the same drive with that setup and I was sick of booting Linux with a separate drive in a Thunderbolt enclosure. So, I decided to switch to sedutil instead.

But, as @rpuskas0 mentioned above, you need to PSID revert (either with Samsung Magician or sedutil), which wipes the drive, to enable sedutil encryption if it was previously enabled in any other way (since you don't have the admin key used by BitLocker or whatever you enabled it with). And those tools (at least BitLocker) don't disable it for you when you disable BitLocker (quite annoying).

If you have a spare drive, you can just use `dd` to back it up to an image first. If you have a lot of empty space (as I did), you can pipe it through `gzip` to shrink the size (and speed it up). E.g., `sudo dd if=/dev/nvme0p1 bs=1M status=progress | gzip > FILE_ON_EXTERNAL_STORAGE.img.gz`. Install `pigz` and replace `gzip` with `pigz` in the above command if you want parallelized gzip for faster encryption.

Do the `dd` backup first, then PSID revert the drive, set up encryption, unlock it and reboot (without shutting down so it remains unlocked) and restore your backup with `gzip -cd < FILE_ON_EXTERNAL_STORAGE.img.gz | dd of=/dev/nvme0p1 bs=1M status=progress`.

Replace /dev/nvme0p1 with your actual nvme device to backup.
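The backup, PSID revert, restore sequence above has one step worth making explicit: the PSID revert is irreversible, so the compressed image should be checked before the drive is wiped, not after. The script below is an added example (not code from this thread or from the sedutil project) that wraps the same `dd`/`gzip` commands in functions which record a SHA-256 of the source, verify that the image decompresses back to that digest before you revert, and re-check the digest after the restore. It assumes GNU `dd`, `gzip` and `sha256sum`; the device paths and the `<PSID>`/`<password>` values in the comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the sedutil project or this thread): backup the
# device, prove the image round-trips BEFORE the PSID revert, restore after
# the drive is unlocked, and prove the restored bytes match.
# Assumes GNU coreutils dd/sha256sum and gzip. Device paths are placeholders.
set -eu

# backup_image SRC DEST.img.gz
# Streams SRC through gzip into DEST and stores the SHA-256 of SRC beside it.
backup_image() {
    src=$1
    dest=$2
    dd if="$src" bs=1M status=none | gzip -c > "$dest"
    sha256sum "$src" | cut -d' ' -f1 > "$dest.sha256"
}

# verify_backup DEST.img.gz
# Decompresses the image into a pipe (nothing is written to disk) and
# compares the digest with the recorded one. Returns 0 on match, 1 otherwise.
verify_backup() {
    img=$1
    recorded=$(cat "$img.sha256")
    actual=$(gzip -cd < "$img" | sha256sum | cut -d' ' -f1)
    [ "$actual" = "$recorded" ] && return 0
    echo "verify_backup: digest mismatch for $img" >&2
    return 1
}

# restore_image DEST.img.gz TARGET
# Writes the image back to TARGET (run only after the drive is unlocked) and
# re-hashes what was actually written so a short or corrupt restore is caught.
restore_image() {
    img=$1
    target=$2
    gzip -cd < "$img" | dd of="$target" bs=1M status=none conv=fsync
    actual=$(sha256sum "$target" | cut -d' ' -f1)
    [ "$actual" = "$(cat "$img.sha256")" ] && return 0
    echo "restore_image: digest mismatch after restore to $target" >&2
    return 1
}

# Intended order on a real drive (placeholder paths and values):
#   backup_image /dev/nvme0n1 /mnt/external/disk.img.gz
#   verify_backup /mnt/external/disk.img.gz      # continue only on success
#   sedutil-cli --yesIreallywanttoERASEALLmydatausingthePSID <PSID> /dev/nvme0n1
#   sedutil-cli --initialsetup <password> /dev/nvme0n1
#   (unlock, reboot without powering off, then:)
#   restore_image /mnt/external/disk.img.gz /dev/nvme0n1

# Offline demo on a temporary file standing in for the device:
#   sh backup_verify.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/disk" bs=1M count=2 status=none
    backup_image "$work/disk" "$work/disk.img.gz"
    verify_backup "$work/disk.img.gz"
    restore_image "$work/disk.img.gz" "$work/restored"
    cmp "$work/disk" "$work/restored" && echo "round-trip OK"
    rm -rf "$work"
fi
```

`verify_backup` hashes the decompressed stream rather than the `.img.gz` file, so it catches a truncated or partially written image as well as a bad disk read; if it fails, redo the backup before running the revert. Swapping `gzip` for `pigz` in the two pipelines works the same way.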