ladar / sedutil

Use sedutil for setting up and using self encrypting drives (SEDs) that comply with the TCG OPAL 2.00 standard. This includes the requisite pre-boot authentication image.
https://trustedcomputinggroup.org/work-groups/storage/

Documentation on how to unlock a drive with a User password? #14

Closed pjreed closed 4 years ago

pjreed commented 4 years ago

Apologies if this isn't the right place to ask this, but it seems like the Drive-Trust-Alliance/sedutil repository has been dead for years, and this fork seems to be regularly incorporating new work and has other issues and pull requests associated with it...

I want to be able to set a User password on a drive and use that to unlock it, but I cannot seem to find any examples or documentation on how to do so. Commit 0f13dcb052ac2ee6585560e87807b42162011d02 seems like it added the ability to give a User access to a locking range, but I'm not sure if that's even working at all.

I have a drive that is set up so that I can unlock it with the Admin1 password, and everything is working fine. I have tried setting a password on User1 and adding that user to the locking range, like so:

sedutil-cli -s --setPassword User1 /dev/nvme0
(enter passwords)
sedutil-cli -s --addUserToLockingACEs User1 /dev/nvme0
(enter password)

Both of these commands seem to have run successfully, according to the output, but when I reboot and enter User1's password during PBA, it prints NOT_AUTHORIZED. The Admin1 password still works fine. Is there something I'm missing, or is there a way I can test User1's password?

pjreed commented 4 years ago

Additionally, the instructions at https://github.com/ladar/sedutil#setup seem to indicate that you can set the SID password differently from the Admin1 password and use that as a user password, but that seems to also have no effect for me. Setting the SID password seems to work -- at least, the command prints nothing and returns without an error code -- but that password still cannot unlock the disk during PBA.

pjreed commented 4 years ago

So, another addendum:

After spending a while going through the source code, I found another command, --enableUser, that is not mentioned anywhere in the documentation or in the --help dialog, but has to be used to enable a user. It can be run like so:

sedutil-cli -s -v --enableUser User1 /dev/nvme0

After running that, I was able to unlock the drive using the User1 password I had set.

I also found some other documentation indicating that the SID password is definitely not a user password and should not be used as such: http://chrisarges.net/2018/02/16/using-sed-encryption-on-disks.html
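The three commands the thread arrives at, collected into one script as an added example; this is not code from the issue, from the ladar fork, or from the sedutil project. It uses only the sedutil-cli invocations quoted above, with the fork's -s flag so that each step prompts for its passwords instead of taking them on the command line (which would leave the Admin1 and User1 secrets in shell history and ps output). The SEDUTIL variable, the opal_step wrapper and the opal_user_setup function are this example's own names, and the script assumes the drive has already been set up with an Admin1 password and PBA as in the fork's tutorial.

```shell
#!/bin/sh
# Added example: enable an OPAL User authority for PBA unlock with the
# ladar/sedutil fork. The three sedutil-cli commands are the ones quoted in
# this issue; SEDUTIL, opal_step and opal_user_setup are assumptions of this
# example, not part of sedutil.
#
# Usage (as root): opal_user_setup /dev/nvme0 User1
# Every step prompts for its passwords on the terminal because of -s, so no
# secret is passed as an argument.

SEDUTIL="${SEDUTIL:-sedutil-cli}"

# Run one sedutil-cli step, echoing the command line (without secrets) to
# stderr, and hand back its exit status so the caller can stop on failure.
opal_step() {
    echo "==> $SEDUTIL $*" >&2
    "$SEDUTIL" "$@"
}

# Full procedure for one user. Each step is checked before the next runs,
# so a failed step never leaves a user with a password but no rights, or
# with rights but still disabled.
opal_user_setup() {
    dev="$1"
    user="${2:-User1}"

    # 1. Give the user a password (the fork prompts for the Admin1 password
    #    and the new user password).
    opal_step -s --setPassword "$user" "$dev" || return $?

    # 2. Add the user to the locking range ACEs so its authority is allowed
    #    to unlock the range. On its own this is not enough: the PBA still
    #    answers NOT_AUTHORIZED, as the thread shows.
    opal_step -s --addUserToLockingACEs "$user" "$dev" || return $?

    # 3. Enable the authority. This is the step missing from the docs and
    #    from --help; until it has run the user's password is refused.
    opal_step -s -v --enableUser "$user" "$dev" || return $?

    echo "$user enabled on $dev; reboot and enter its password at the PBA" >&2
}
```

Run it with the drive's device node, or type the same three commands by hand in the same order. The SID password set by the tutorial is a separate hardening step on the Admin SP and, as the comment above notes, is not a user password; it plays no part in this sequence.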

ladar commented 4 years ago

Sounds like the solution is to update the tutorial with a note stating that if you want to unlock with the user password, then you need to run that command.

ladar commented 4 years ago

Yeah, the tutorial makes you set the Admin1 and the SID password because it was found that with some OPAL drives, if you failed to set both, it becomes possible to bypass the encryption. The tutorial doesn't mention user passwords because they are entirely optional.

ladar commented 4 years ago

I'll make a quick change. But if you have more suggestions for improvement, feel free to submit a pull request with the change.