SafeGuard Device Encryption: OPAL Support

  • Article ID: 113366
  • Rating:
  • 5 customers rated this article 5.8 out of 6
  • Updated: 09 Oct 2014

This article provides information on SafeGuard Device Encryption and support for OPAL drives.

Applies to the following Sophos product(s) and version(s)

Sophos SafeGuard Disk Encryption 5.60.0
SafeGuard Easy 6.0
SafeGuard Easy 5.60.0
SafeGuard Device Encryption 6.0
SafeGuard Device Encryption 5.60.0
SafeGuard  Device Encryption 6.10.0

SafeGuard Device Encryption: OPAL Support

In general, SafeGuard Device Encryption as of version 5.60 supports all drives (HDD/SSD) that follow the OPAL specification. Known exceptions are listed in the second table of this article.

OPAL drives that were successfully tested by Sophos’ QA

Make Model Needs IGNORE_OPAL_AUTHORITYCHECK_RESULTS Installation Parameter? Notes
Fujitsu MJA2250CH G2 T1 No Fujitsu‘s HDD production has been acquired by Toshiba in the meantime.
The model is not available any more.
Hitachi HTS725016A9A365 No 500 GB version also available
Toshiba MK2561GSYD No  
Seagate ST250LT014 Yes Same hardware as below. Version with Seagate Firmware

Seagate

ST250LT002

Yes

Same hardware as above. Version with Lenovo Firmware

 LITE-ON  LCS-256M6S  Yes  FW 1C852T5, P/N 3C01140049 supported as of SGN 6.10
 Micron C400   Yes

Firmware version 04TH required

supported as of SGN 6.10

 Intel  SSDSC2BF180A4  Yes

SSD Pro 1500 180GB

supported as of SGN 6.10

Crucial (Micron)  CT512MX100SSD1  Yes Firmware version MU01 required

supported as of SGN 6.10

A tool is available (OpalReqCheck.exe) to generically check a drive’s parameters and basic compatibility. Information on this tool and the tool itself is available in article 120985.

OPAL Drives that cannot be managed by SafeGuard Enterprise (fallback to software encryption) 

Make

Model

Notes
Hitachi

 HTS723232A7A365

A different size of the Z7K320 series has been successfully tested.
Samsung

 SSD PB22-JS3 FDE 2.5  128GB


Samsung

 SSD PB22-JS3 FDE 2.5  64GB

 
 Samsung  SSD PM810 FDE TM  
 Samsung  840 EVO   
 Samsung  SM841N MZ7PD256HCGM-000H7
 Hitachi  HTS727550A9E365  
 Hitachi  HTS723225A7A365  
 Toshiba  MK3261GSYD   

Note: SafeGuard 6.0 supports Opal drives with firmware 1.0, Opal drives with firmware 2.0 are only supported if they are fully compatible with firmware 1.0.

Technical background

In an ideal world, technical standards and specifications would be comprehensive and unambiguous and their real-world implementations would adhere to them and be, of course, bug-free. At Sophos, we have gone to great lengths to ensure that the support of Self Encrypting Drives (SEDs) that are based on the TCG Storage Group’s OPAL standard, which is available with the SafeGuard Enterprise 5.60 release, follows the standard closely. To this end, two types of checks are performed at installation time:

  • Functional Checks
    These include, among others, checking whether the drive identifies itself as an “OPAL” drive, whether the communications properties are ok, and whether all SafeGuard Enterprise-required OPAL features are supported by the drive.
  • Security checks
    These checks are made to ensure that only SafeGuard Enterprise users are registered on the drive, just as only SafeGuard Enterprise users are the owners of the keys used to software-encrypt non-SED drives. If other users are found to be registered at installation time, or when an encryption policy arrives after a successful OPAL-mode installation, SafeGuard Enterprise automatically tries to disable these users. The ability to disable these users is required by the standard, with the exception of a few well-known default “authorities” which are needed to run an OPAL system in the first place and which have well-defined functionality.

If any of these checks fail in an unrecoverable way, installation does not fall back to software-based encryption. Instead all volumes on the Opal disk remain unencrypted.

While working on the OPAL feature, Sophos was in close contact with the drive manufacturers and it soon became clear that some specific drives need special treatment. Thus, the SafeGuard Enterprise client now maintains an internal table that stores specifics on how certain drives are best operated. However, this table includes only functional issues (such as optimizations to attain maximum data transfer speed). It does, of course, not cover security issues.

However, we also noted that some drives also have potential security issues. Please note the word “potential”. There is no way to find out automatically which privileges have been assigned to an unknown user/authority that is already registered on the drive at SafeGuard Enterprise installation/encryption time. If the drive refuses the command to disable such users, SafeGuard Enterprise will fall back to software encryption to ensure maximum security for the SafeGuard Enterprise user.

Please note that at least one manufacturer, Seagate, has chosen to preinstall those users that are not covered by the OPAL standard. Sophos does not believe that these pose any security issue in any way, as Seagate has a long history of implementing SEDs, and their current line of OPAL drives also boast a number of security certificates. However, Sophos cannot give any security guarantees in any other manufacturer’s name, which is why we implemented a special installation switch to enable customers to use such drives at their own discretion.

If you want use any drive in the table above that has a “Yes” in the “Needs IGNORE_OPAL_AUTHORITYCHECK_RESULTS Installation Parameter?” column, do as follows:

On the command prompt, type:

MSIEXEC /i <name_of_selected_client_msi.msi > IGNORE_OPAL_AUTHORITYCHECK_RESULTS=1

 
If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent

Comments