Technical Articles ID: KB89333
Last Modified: 2024-01-06 09:22:33 Etc/GMT
Environment
Drive Encryption (DE) 7.2.x, 7.1.x
Summary
This article is a consolidated list of common questions and answers. It's intended for users who are new to the product, but can be useful to all users.
NOTES:
This article covers questions that relate to DE and specifically Opal drives.
To view the other DE FAQs that cover Compatibility, Installation or Upgrade, Configuration and general Functionality, see KB79784 - FAQs for Drive Encryption 7.x.
Recent updates to this article
May 2, 2023: Minor formatting changes; no content changes.
What's Opal or Opal Drive?
Opal
Opal is the name of a specification for self-encrypting drives, developed by a standards body named the Trusted Computing Group. Opal is a standard or specification that details the commands that the drive needs to respond to and the standard behavior. The standard has been created and ratified by the Storage Working Group of the Trusted Computing Group (TCG).
Opal Drive
An Opal drive is a self-contained, standalone Hard-Disk (HDD) that conforms to the TCG Opal standard. The drive is always encrypted but may or may not be locked. In addition to the standard components of a HDD, an Opal drive contains extra components such as an on-board cryptographic processor that performs all the necessary encryption or decryption of data on the HDD itself. In addition to regular spinning media (HDDs), SSDs may also support the TCG Opal Standard. An Opal drive is a Self-Encrypting Drive but not the only type. There are also other proprietary self-encrypting drives on the market.
NOTE: TCG is a not-for-profit organization formed to develop, define, and promote open, vendor-neutral, industry standards for trusted computing building blocks and software interfaces across multiple platforms. A TCG-compliant self-encrypting drive is the same as an Opal drive.
Do all users in my organization need an Opal drive?
No. Software Encryption will suffice for most users. Most productivity workers won't notice or be impacted due to software encryption. With DE 7.1, the impact of software encryption on systems with Intel CPUs that support AES-NI is negligible, making software encryption comparable in performance to Opal drives.
What threat model does an Opal drive address?
The primary use case is loss or theft of laptops or desktops. It covers similar threats as Software Full Disk Encryption and is designed for protection of data at rest.
What usage scenarios are best suited for Opal drives?
Opal drives are well suited for users who require extremely high disk I/O (performance-sensitive applications). Examples of these users are software developers, video editors, and aeronautical engineers. These users will most likely also use SSDs instead of spinning HDDs.
Would an SSD Opal drive preserve the performance of an SSD without compromising security?
Yes. For the most sensitive of users, an SSD implementation of an Opal drive can retain the speed and performance of an SSD while retaining all the security and encryption of an Opal drive. But, because an Opal drive is always encrypted by the on-board crypto processor, it's difficult to ascertain exactly what performance degradation (if any) is levied by the onboard crypto processing.
What's the DE experience like with an Opal drive?
The day-to-day tasks of an administrator are exactly the same regardless of whether the device has an Opal drive or a normal HDD. The policy, method of deployment, and management are all the same. The recovery process changes slightly, but the steps an administrator performs in a recovery scenario are the same. For more details about DE Experience with Opal, see the "DE Experience with Opal" section of this article.
Does DE help in recovery situations with an Opal drive?
All the standard DE recovery mechanisms are available to users and administrators, regardless of whether the end user has an Opal drive or a normal HDD.
Will DE support other types of Self-Encrypting Drives (SEDs)?
No. At this time, there are no plans to support types of SEDs other than those implementing the TCG Opal Standard.
Why is DE still required if an Opal drive handles all the encryption?
Opal drives need to be managed. Until an Opal drive is managed, it behaves and responds just like a normal HDD. The combination of DE and ePolicy Orchestrator (ePO) provides versatile management, reporting, and recovery functionalities, which are all critical to an administrator. DE provides value by installing a secure preboot environment, which unlocks the Opal drive, performs Opal user management, makes sure that the organization's encryption policy is continuously enforced, and in the event of loss, proves that the device was encrypted at the last time it synchronized with ePO. Also, for organizations that have a mixture of both Opal drives and normal HDDs, it's important that an administrator can utilize a single tool to manage, enforce policies, report on devices, and assess the company's potential risk exposure; DE provides that tool. DE also offers the advantage that it can support potentially many more users than a non-managed Opal drive.
How will Trellix detail the support for Opal drives?
The following article details DE support for Opal drives from different manufacturers. It also includes details of how to self-certify an Opal drive in the case that the drive isn't on the supported list. For details, see KB81136 - Drive Encryption support for Opal drives.
Will DE support Opal drives on all the supported Operating Systems?
No. There are no plans at this time to support Opal on other operating systems. Current support details are as follows:
DE 7.x supports Opal drives on Windows 7 SP1 and later, and Windows 8.x in both legacy (BIOS) and UEFI modes.
DE 7.x supports Opal drives in Windows 8.x in UEFI mode on systems that are Windows 8-certified and where the OEM has included the UEFI protocol used for secure communications.
UEFI systems where the OEM hasn't bundled the secure communications protocol aren't supported as there's no mechanism whereby the DE preboot environment can communicate with the drive. Software encryption will be automatically used in this case.
Why do I need at least SP1 for Windows 7?
Some Opal drives are 512e drives; that is, they're actually drives with sectors of size 4096 bytes, but which emulate old-fashioned 512-byte sector drives. Windows 7 SP1 includes crucial driver fixes that allow these 512e drives to function correctly.
What happens if a user attempts to activate DE on an Opal drive while running an unsupported operating system?
If DE detects an incompatible or unsupported combination of Operating System and Opal drive, it continues the activation process, but it uses Software Encryption instead of the native Opal functionality. The system is shown as using Software Encryption in ePO.
Will Opal drives be supported on Mac OS X?
No, not until Apple adds support to their FileVault encryption product.
Does an administrator need to manage computers with Opal drives differently to those with a standard HDD?
No. Administrators don't need to treat Opal drives any differently to a normal HDD. The very same policy can be used on laptops with Opal drives and laptops with a normal HDD.
In the DE policy, there's a priority order for Encryption Providers. What does that do?
That allows the administrator to tailor how the DE Intelligent Client enforces the policy on a client. If the Opal Encryption Provider is at a higher priority than the Software Encryption Provider, the DE Client first searches for an Opal drive. If all the attached drives support Opal, it uses the Opal functionality to enforce the encryption policy. If the drives don't meet this criterion, it moves on to the next Encryption Provider in the list, which means it then uses Software Encryption to enforce the encryption policy. By changing the order of priority and making Software Encryption the highest priority, an administrator can specify that all machines use Software Encryption regardless of whether there's an Opal drive or a normal HDD in the machine.
IMPORTANT: When the computer is fitted with an Opal drive, offline activations use Opal Encryption first. OPAL preferences are hard-coded in the Offline Activation Packages and don't use the custom policy settings.
Is deployment any different to an Opal drive?
No. It's exactly the same regardless of whether the client system has an Opal drive or a normal HDD.
How can an administrator or user tell if a client is using the Opal functionality or software encryption?
Administrator
Look at the computer in ePO to see which Encryption Provider is enforcing the encryption policy. If it states Opal, it's using the Opal functionality.
User
A user can't directly determine this, but it can be implied from the list of volumes or drives that are encrypted in the Endpoint Encryption Status Monitor window.
Will an end user see any difference in preboot depending on whether they have a standard hard disk or an Opal drive?
No. The preboot looks and behaves exactly the same. An end user can be completely unaware of the hardware that's powering the encryption on their computer.
How long does it take to go from an Unencrypted to Encrypted status with an Opal drive?
Around a minute. This is because the drive is technically already encrypted. The time to go from an unencrypted to an encrypted state is the time required to activate the native Locking mechanisms of the Opal drive and install the preboot environment.
Does DE ever know the key that encrypts the data?
No. The encryption key never leaves the Opal drive.
How does Recovery work?
The same DE recovery procedures and tools can be used to perform a recovery on an Opal drive and a Normal HDD. DETech is updated to know how to unlock an Opal drive, although there's no possibility to decrypt it as the Opal drive never hands out the encryption key and never decrypts the disk. DETech simply unlocks the disk to allow the Operating System to boot.
What about Forensics software from third-party companies? Can they work with an Opal drive?
Trellix has been working with companies that provide forensic software and our interaction with them remains largely the same. Instead of those applications asking DE for the encryption key, they ask DE for the necessary credentials to unlock the drive. Note that it's not possible to take a sector-level copy of an Opal drive and perform decryption of that sector-level copy using the encryption key since the encryption key can never be known.
Is an Opal drive always encrypted?
Yes. Regardless of whether the drive is locked or unlocked, it's always encrypted. It's not possible to have a decrypted Opal drive.
NOTE: The Disk Encryption Key (DEK) can never be read from the drive. DE only shows two valid states: Unlocked and Locked.
What's the difference between locked and unlocked?
Technically, the difference is in terms of the access to the encryption key by the encryption processor on-board the drive.
If the disk is unlocked, the on-board encryption processor has access to the disk encryption key and the drive behaves exactly like a normal HDD. An end user wouldn't be able to tell the difference in this state between an Opal drive and a normal HDD.
If the disk is locked, the disk encryption key is protected and a preboot environment is required to unlock the disk before the data can be accessed and the Operating System allowed to boot. Note that the disk encryption key is kept internal to the drive; it's not possible to read it from the drive.
What's the default state for an Opal drive?
When you first receive an Opal drive, the state is unlocked. It behaves and responds exactly like a normal HDD. You need to explicitly lock the drive by enabling the native Locking Mechanism of the drive. One way of doing this is to use DE to manage the drive.
How can you take the drive from an unlocked to a locked state?
An application such as DE, which has a preboot environment, needs to perform the necessary steps to enable the native locking mechanism of the Opal drive and install the preboot environment. Once the drive is locked, the preboot environment is required to unlock the drive before the Operating System can start its boot process. Without a preboot environment, nothing would be present to unlock the drive and allow the operating system to boot.
When a locked drive is unlocked, how long does it stay unlocked?
The Opal drive remains unlocked until the next power cycle. This means that once you unlock an Opal drive, it remains unlocked until you turn off the device, or move to another power state where the Opal drive loses power. But, in DE, to ensure the same user experience as with DE software encryption, the drive is explicitly locked on a restart as well.
Can I take a disk image of the drive and decrypt it using a tool such as EnCase?
No. The key is created on the drive and it never leaves the drive. It's not possible for applications or other pieces of hardware to ask the drive for its key(s), and therefore the key isn't available for use in tools such as EnCase.
What do I do if the Opal drive is locked and I forgot my password?
DE has a recovery mechanism to assist.
Can you restore an Opal drive to its default factory state?
There's one TCG-ratified mechanism for a revert process to occur, but the drive master credential must be known. Some drive manufacturers include an additional non-TCG revert process where the master credential isn't known (known as a PSID revert). If the drive doesn't support a PSID revert and you're locked out (and for some reason DE's normal recovery functions don't work or the drive fails to respond), the drive is now unusable, your data is lost, and you need to purchase a new Opal drive. If the drive does support a PSID revert, you can return it to a default factory state even without unlocking the drive first, but all the data on the drive will be lost. Tools are available to do this (it's not a supported use case in DE).
What happens if there's a physical hardware failure and the Opal drive stops responding to Unlock requests?
In this situation, the drive is now completely non-functional. There's nothing you can do to access the data. Consider the data lost and purchase a new Opal drive. This is because DE doesn't know the actual disk encryption key; the disk encryption key can't be read from the drive.
Is the preboot for Opal different from the preboot for software encryption?
Yes and no. The preboot needs to know how to unlock an Opal drive to allow the Operating System to boot. But, the rest of the preboot looks and behaves the same as with software encryption. In fact, much of the preboot code is shared between software and Opal preboot applications.
Are there multiple versions of the Opal Standard?
Yes, with the currently implemented version being 1.0. The TCG has also published version 2.0. Support for TCG's Opal v2.0 specification is being considered for possible inclusion in a future release.
Does an Opal drive have a concept of users?
Yes. Once the drive is locked, a username and PIN are required to unlock the drive.
Where are the users maintained?
Each user is specific and local to each Opal drive. The application managing the Opal drive needs to also manage the Opal Users.
Is an Opal User the same as a DE User or a Windows Domain User?
No. All three are completely separate entities.
Is there a maximum number of Opal Users?
Yes. Only a small number of Opal Users can be assigned to a single Opal drive. Opal drives from different manufacturers vary as to the maximum number of users they can support.
What happens if I want to assign more DE Users to a device than are available as Opal Users?
The DE architecture allows you to assign as many users as needed to the Opal drive, regardless of the technical limitation of Opal Users on the device. This complexity is hidden from the administrator and allows them to assign users to the device in the same manner as if it was a normal HDD. The recommendation and limitations for the number of users assigned to a device remain constant, regardless of the type of HDD used.
Can an Opal drive have more than one disk encryption key?
Yes. There's a section of the Opal specification that deals with Logical Block Addressing (LBA) ranges, which are also referred to as Local Ranges.
What's the Global Range?
The Global Range contains all sectors of the disk that aren't in a defined Local Range (see below).
What's a Local Range?
A Local Range is a contiguous range of sectors with its own encryption key, distinct from the keys of the other ranges. These ranges can be Locked or can remain Unlocked. As an example, a Local Range may be applied to a partition, but a range doesn't have to map exactly to a partition.
Why would someone use Local Ranges?
They would use Local Ranges if they want a specific part of the disk to always be available and accessible, regardless of whether the disk is in a Locked or Unlocked state.
If a Local Range is a contiguous range of sectors, what happens when I define a new Range?
A new encryption key is automatically generated for the new range. If the Opal drive supports re-encryption, the data is decrypted with the old key and re-encrypted with the new key. Re-encryption is an optional part of the standard, and at present, we believe that no drives support it. If the drive doesn't support re-encryption, you've now lost all the data that was previously in that range since it has been cryptographically erased.
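As an added illustration (constructed for this article; not DE, TCG or any drive vendor's code), the following Python model captures the locking-range behaviour described above and in the locked/unlocked section: the Global Range and each Local Range hold their own key that never leaves the drive, lockable ranges lock whenever the drive loses power, and defining a new range over existing sectors cryptographically erases them unless the drive supports re-encryption. The 8-byte sector size, the admin PIN, and the SHA-256 keystream are stand-ins for the drive's real parameters and its on-board AES.

```python
import hashlib
import hmac
import os

SECTOR = 8  # toy sector size; real drives use 512 or 4096 bytes

def _crypt(key, lba, data):
    # Per-sector keystream derived from the range key; a stand-in for the drive's own AES.
    stream = hashlib.sha256(key + lba.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

class OpalDriveModel:
    # Constructed model: media holds only ciphertext and no key ever leaves the object.
    def __init__(self, sectors=16, supports_reencrypt=False, admin_pin=b"factory-pin"):
        self.supports_reencrypt = supports_reencrypt  # optional feature in the standard
        self._admin = hashlib.sha256(admin_pin).digest()  # drive-local credential
        # Global Range: every sector not in a Local Range; lockable only once enabled.
        self._global = {"start": 0, "end": sectors, "key": os.urandom(32),
                        "lockable": False, "locked": False}
        self._ranges = []  # Local Ranges, each with its own key; checked before Global
        self.media = [_crypt(self._global["key"], i, bytes(SECTOR)) for i in range(sectors)]
    def _range_for(self, lba):
        return next((r for r in self._ranges if r["start"] <= lba < r["end"]), self._global)
    def _open_range(self, lba):
        r = self._range_for(lba)
        if r["locked"]:
            raise PermissionError("range locked: unlock via preboot first")
        return r
    def _check(self, pin):
        if not hmac.compare_digest(hashlib.sha256(pin).digest(), self._admin):
            raise PermissionError("bad credential")
    def write(self, lba, data):
        r = self._open_range(lba)
        self.media[lba] = _crypt(r["key"], lba, data.ljust(SECTOR, b"\x00"))
    def read(self, lba):
        return _crypt(self._open_range(lba)["key"], lba, self.media[lba]).rstrip(b"\x00")
    def enable_locking(self, admin_pin):
        # Factory state is unlocked; a managing application such as DE turns locking on.
        self._check(admin_pin)
        self._global["lockable"] = True
    def power_cycle(self):
        # Lockable ranges lock whenever the drive loses power (DE also locks on restart).
        for r in [self._global] + self._ranges:
            r["locked"] = r["locked"] or r["lockable"]
    def unlock(self, admin_pin):
        self._check(admin_pin)
        for r in [self._global] + self._ranges:
            r["locked"] = False
    def define_local_range(self, start, end, lockable=True):
        # lockable=False keeps the range readable in either drive state (always-available area).
        new_key = os.urandom(32)  # generated inside the drive for the new range
        if self.supports_reencrypt:  # decrypt with the old key, re-encrypt with the new
            for lba in range(start, end):
                plain = _crypt(self._range_for(lba)["key"], lba, self.media[lba])
                self.media[lba] = _crypt(new_key, lba, plain)
        # Otherwise the old ciphertext stays under a key that no longer applies to these
        # sectors, so the previous contents are cryptographically erased.
        self._ranges.insert(0, {"start": start, "end": end, "key": new_key,
                                "lockable": lockable, "locked": False})
```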
If I use a partition tool, could I lose all my data if I use Local Ranges?
Yes, that's a possibility.
How many Local Ranges can there be?
The Opal Standard specifies at least five (including the Global Range).
Does DE support Local Ranges for specifying whether partitions are locked or not?
No.
Does DE support S3 with Opal drives?
Yes. S3 is a power state, commonly known as Standby, Sleep, or Suspend to RAM. A system in an S3 state appears to be turned off. The CPU has no power, the RAM is in a slow refresh mode, and the power supply is in a reduced power mode.
Opal drives lock when they have no power; is that a problem?
Yes. It's hard to restart Windows when the drive is locked and Windows doesn't have a way to unlock it. The TCG doesn't have a common and agreed solution to the S3 issue.
Because S3 works with DE, is it a proprietary implementation of S3 Support?
Yes.
Does DE support a mixed-mode?
Yes. A mixed-mode is defined as a situation where a computer has more than one physical HDD drive and also has a combination of Opal drives and Normal HDD. The lowest common denominator is always software encryption. If in doubt, the software encryption functionality is used to encrypt both the Opal drive and Normal HDD.
What happens if I have an Opal and a normal HDD in one computer? Will DE use the native Opal functionality on the Opal drive and software encryption for the normal HDD?
No. This is what's described as a mixed-mode environment. DE needs to make a decision as to how it's going to enforce the encryption policy on the computer. By default, software encryption is chosen automatically if you have Opal and non-Opal drives in the same computer.
Can you use software encryption on an Opal drive?
Yes. Until the native locking mechanism of an Opal drive has been enabled, an Opal drive responds and behaves exactly like a normal HDD. Nothing stops an administrator from encrypting the drive using Software Encryption instead of using the native functionality of the Opal drive. Technically speaking, the data is then encrypted twice, once by software encryption and again by the Opal drive. But, since the drive isn't locked, the Opal encryption is transparent.