I need help in using SEDutil with Crucial mx500

[m-403]

Hi @oom-is, i need your help to use SEDutil as I'm a newbie/beginner, i purchased Crucial mx500 sata SSD to give a boost to my old laptop, after installing it in the laptop i knew it's TCG/opal SED so i need a software such as SEDutil to manage Pre-Boot Authentication, I've read some of the issues related to the same Crucial drive model/part number and i chose to use either your fork of SEDutil or ChubbyAnd fork, my laptop is HP pavilion dv6, legacy bios, Intel core i7 2nd generation, and the SED drive as i mentioned is sata Crucial mx500 with firmware M3CR043 , i'm planning to install on the drive Windows 10 and Linux Ubuntu dual boot, so i have a few inquiries:-

• Should i use SEDutil and enable OPAL locking BEFORE OR AFTER installing the two Operating Systems ?
• Do i need to disable/remove OPAL locking BEFORE next time i format/delete the drive for fresh installation a new Operating System ?
• Which Rescue system file i should download in my case to file onto a USB stick RESCUE64 OR RESCUE32 ?
• For just confirming, in my case The proper PBA to load is BIOS32 version ?
• Why does the original version of SEDutil still use SHA1 hashing for the password while SHA512 is more secure ?
• What i know is hardware-based encryption is better than software-based encryption regarding to the performance, but How much percentage loss in the performance with hardware-based encryption using OPAL locking and Pre-Boot Authentication ?

I appreciate your help in advance.

[oom-is]

Answers in order:

1. It's your call - there's no "correct" order but I usually find it easier to install the OS then enable TCG Opal 2.0 later. Whether the booted OS is Windows or Linux it's quite possible to install SEDUtil, and since we need some OS booted I 1a. I will admit that for the drives that require a PSID erase in order to enable TCG Opal functions (e.g. Samsung NVME) I usually do fully enable TCG Opal functions including PBA from a boot disk, and then disable locking, because I'm always skittish about having to do a PSID erase on a system with OS and data present (particularly if I already had to tune things to get Windows 10+Ubuntu installed). 1b. If you do install SEDUtil first, then it's easy enough to disable locking from the CLI. I would definitely recommend this if you're installing dual-boot, and then re-enable locking once you're finished tweaking the boot sequence etc.
2. If you try to do a drive format/delete on a live system without disabling the TCG Opal locking, then you'll end up in a problem as the PBA tries to chain to a boot loader on the hard disk. Yes, I would recommend disabling TCG Opal locking as the first step of any re-format/delete event.
3. Unless you have a CPU that's only 32-bit, I would always use RESCUE64. But that's just me.
4. I can't tell you for sure, but if you're legacy BIOS (not UEFI boot) then I would expect the BIOS32 PBA would be the right one.
5. SHA1 vs SHA512 has to do with when the project started, its goals/requirements/desirements, and programmer effort. The good news is that we do now have other options, but honestly the risk/exposure from the SHA1 use is minor in my opinion (and I'm CISSP certified and helped stand up a FIPS 140 lab, so I actually do understand crypto.)
6. I haven't done any specific comparisons of similar drives/same manufacturer with and without TGC Opal functions, but "my perception" is that there's no "human perceivable" performance impact on interactive tasks - particularly with an SSD. 6a. Note that for many manufacturers, either a product line includes TCG Opal or it does not, and therefore there's no good way to compare (e.g. the Crucial MX500 is ALWAYS passing everything through the Trusted Peripheral "TPer" hardware that supports TCG Opal, the only question is whether there's an actual decrypt key configured...)

Good luck - note also that the ChubbyAnt fork has some extra documentation online that they created at SEDUtil.com - I can't say I've reviewed it all but I know of a couple of places where what they have was more useful than the docs for the original source on GitHub.