SafeGuard Device Encryption: OPAL Support

  • Article ID: 113366
  • Updated: 22 Mar 2014

Issue
SafeGuard Device Encryption: OPAL Support

First seen in

Sophos SafeGuard Disk Encryption 5.60.0
SafeGuard Easy 6.0
SafeGuard Easy 5.60.0
SafeGuard Device Encryption 6.10.0
SafeGuard Device Encryption 6.0
SafeGuard Device Encryption 5.60.0

 

What To Do

In general, SafeGuard Device Encryption as of version 5.60 supports all drives (HDD/SSD) that follow the OPAL specification. Known exceptions are listed in the second table of this article.

 

OPAL drives that were successfully tested by Sophos’ QA

| Make | Model | Needs IGNORE_OPAL_AUTHORITYCHECK_RESULTS installation parameter? | Notes |
|---|---|---|---|
| Fujitsu | MJA2250CH G2 T1 | No | Fujitsu’s HDD production has been acquired by Toshiba in the meantime. The model is not available anymore. |
| Hitachi | HTS725016A9A365 | No | 500 GB version also available |
| Toshiba | MK2561GSYD | No | |
| Seagate | ST250LT014 | Yes | Same hardware as the ST250LT002 below; version with Seagate firmware |
| Seagate | ST250LT002 | Yes | Same hardware as the ST250LT014 above; version with Lenovo firmware |
| LITE-ON | LCS-256M6S | Yes | FW 1C852T5, P/N 3C01140049; supported as of SGN 6.10 |
| Micron | C400 | Yes | Firmware version 04TH or later required; supported as of SGN 6.10 |
| Intel | SSDSC2BF180A4 | Yes | SSD Pro 1500 180GB; supported as of SGN 6.10 |

Sophos can provide a tool (OpalReqCheck.exe) to generically check a drive’s parameters and basic compatibility. This tool is available to customers on request. However, this tool can only be used for negative testing (i.e. to indicate incompatibilities): a drive that passes these checks can still cause subsequent issues.
For SafeGuard 6.10 a new version of OpalReqCheck.exe is available.

OPAL drives that cannot be managed by SafeGuard Enterprise (fallback to software encryption)

| Make | Model | Notes |
|---|---|---|
| Hitachi | HTS723232A7A365 | A different size of the Z7K320 series has been successfully tested. |
| Samsung | SSD PB22-JS3 FDE 2.5 128GB | |
| Samsung | SSD PB22-JS3 FDE 2.5 64GB | |
| Samsung | SSD PM810 FDE TM | |
| Hitachi | HTS727550A9E365 | |
| Hitachi | HTS723225A7A365 | |
| Toshiba | MK3261GSYD | |

NOTE: SafeGuard 6.0 supports Opal drives with firmware 1.0; Opal drives with firmware 2.0 are only supported if they are fully compatible with firmware 1.0.

Technical background:

In an ideal world, technical standards and specifications would be comprehensive and unambiguous and their real-world implementations would adhere to them and be, of course, bug-free. At Sophos, we have gone to great lengths to ensure that the support of Self Encrypting Drives (SEDs) that are based on the TCG Storage Group’s OPAL standard, which is available with the SafeGuard Enterprise 5.60 release, follows the standard closely. To this end, two types of checks are performed at installation time:

  • Functional Checks
    These include, among others, checking whether the drive identifies itself as an “OPAL” drive, whether the communications properties are ok, and whether all SafeGuard Enterprise-required OPAL features are supported by the drive.
  • Security Checks
    These checks are made to ensure that only SafeGuard Enterprise users are registered on the drive, just as only SafeGuard Enterprise users are the owners of the keys used to software-encrypt non-SED drives. If other users are found to be registered at installation time, or when an encryption policy arrives after a successful OPAL-mode installation, SafeGuard Enterprise automatically tries to disable these users. The ability to disable these users is required by the standard, with the exception of a few well-known default “authorities” which are needed to run an OPAL system in the first place and which have well-defined functionality.

If any of these checks fails in an unrecoverable way, installation does not fall back to software-based encryption. Instead, all volumes on the Opal disk remain unencrypted.

While working on the OPAL feature, Sophos was in close contact with the drive manufacturers, and it soon became clear that some specific drives need special treatment. Thus, the SafeGuard Enterprise client now maintains an internal table that stores specifics on how certain drives are best operated. However, this table covers only functional issues (such as optimizations to attain maximum data transfer speed); it does not, of course, cover security issues.

However, we also noted that some drives have potential security issues. Please note the word “potential”. There is no way to determine automatically which privileges have been assigned to an unknown user/authority that is already registered on the drive at SafeGuard Enterprise installation/encryption time. If the drive refuses the command to disable such users, SafeGuard Enterprise falls back to software encryption to ensure maximum security for the SafeGuard Enterprise user.

Please note that at least one manufacturer, Seagate, has chosen to preinstall such users, which are not covered by the OPAL standard. Sophos does not believe that these pose a security issue in any way, as Seagate has a long history of implementing SEDs and their current line of OPAL drives also holds a number of security certifications. However, Sophos cannot give security guarantees in any other manufacturer’s name, which is why we implemented a special installation switch that enables customers to use such drives at their own discretion.

If you want to use any drive in the table above that has a “Yes” in the “Needs IGNORE_OPAL_AUTHORITYCHECK_RESULTS installation parameter?” column, do as follows:

On the command prompt, type:

MSIEXEC /i <name_of_selected_client_msi.msi> IGNORE_OPAL_AUTHORITYCHECK_RESULTS=1
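As an added example (not Sophos’ own tooling), the following PowerShell script wraps this command in a deployment decision based on the two tables above: it reads the model string of the system disk, passes the switch only for drives the first table marks “Yes”, and warns for drives the second table lists or that appear in neither table. It assumes the Storage module (Windows 8 / Server 2012 or later) and uses a placeholder MSI path.

```powershell
# Added example, not Sophos code: choose the SafeGuard client install command for this
# machine from the two drive tables above. Assumes the Storage module (Windows 8 /
# Server 2012 or later) and a placeholder MSI path; the model strings are from the article.
param(
    [string]$Msi = 'C:\Install\SGNClient.msi',  # placeholder for the selected client MSI
    [switch]$Install                             # without this, only show the command
)

# First table: model (substring) -> does the article mark the authority-check switch as needed?
$Tested = @{
    'MJA2250CH'  = $false; 'HTS725016A9A365' = $false; 'MK2561GSYD'  = $false
    'ST250LT014' = $true;  'ST250LT002'      = $true;  'LCS-256M6S'  = $true
    'C400'       = $true;  'SSDSC2BF180A4'   = $true
}
# Second table: drives SafeGuard cannot manage in OPAL mode (software encryption fallback).
$Unsupported = 'HTS723232A7A365', 'PB22-JS3', 'PM810', 'HTS727550A9E365', 'HTS723225A7A365', 'MK3261GSYD'

function Get-SafeGuardInstallArgs([string]$Model) {
    $msiArgs = @('/i', "`"$Msi`"", '/qn')
    if ($Unsupported | Where-Object { $Model -match [regex]::Escape($_) }) {
        Write-Warning "$Model is listed as not manageable in OPAL mode; SafeGuard will use software encryption."
        return $msiArgs
    }
    $hit = $Tested.Keys | Where-Object { $Model -match [regex]::Escape($_) } | Select-Object -First 1
    if (-not $hit) {
        Write-Warning "$Model is not in the tested list; run OpalReqCheck.exe (from Sophos) before relying on OPAL mode."
        return $msiArgs
    }
    if ($Tested[$hit]) {
        # Pass the switch only for drives the table marks "Yes": it tells the installer to
        # accept the non-SafeGuard authorities preinstalled on those drives (see text above).
        $msiArgs += 'IGNORE_OPAL_AUTHORITYCHECK_RESULTS=1'
    }
    return $msiArgs
}

# Model string of the physical disk that holds the system volume.
$disk  = Get-Partition -DriveLetter $env:SystemDrive.TrimEnd(':') | Get-Disk
$model = $disk.Model
$msiArgs = Get-SafeGuardInstallArgs $model
Write-Output "msiexec.exe $($msiArgs -join ' ')"
if ($Install) { Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait }
```

Run without `-Install` first to see which command the script would issue for the machine; the warnings mirror the fallback behaviour described in the technical background.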
If you need further information or assistance, please contact technical support.
