This article provides information on SafeGuard Device Encryption and support for OPAL drives.
Applies to the following Sophos product(s) and version(s)
Sophos SafeGuard Disk Encryption 5.60.0
SafeGuard Easy 6.0
SafeGuard Easy 5.60.0
SafeGuard Device Encryption 6.10.0
SafeGuard Device Encryption 6.0
SafeGuard Device Encryption 5.60.0
SafeGuard Device Encryption: OPAL Support
In general, SafeGuard Device Encryption as of version 5.60 supports all drives (HDD/SSD) that follow the OPAL specification. Known exceptions are listed in the second table of this article.
OPAL drives that were successfully tested by Sophos’ QA
|Make ||Model ||Needs IGNORE_OPAL_AUTHORITYCHECK_RESULTS Installation Parameter? ||Notes |
|Fujitsu ||MJA2250CH G2 T1 ||No ||Fujitsu‘s HDD production has been acquired by Toshiba in the meantime. |
The model is not available any more.
|Hitachi ||HTS725016A9A365 ||No ||500 GB version also available |
|Toshiba ||MK2561GSYD ||No || |
|Seagate ||ST250LT014 ||Yes ||Same hardware as below. Version with Seagate Firmware |
Same hardware as above. Version with Lenovo Firmware
| LITE-ON || LCS-256M6S || Yes || FW 1C852T5, P/N 3C01140049 supported as of SGN 6.10 |
| Micron ||C400 || Yes || |
At least to firmware version 04TH required
supported as of SGN 6.10
| Intel || SSDSC2BF180A4 || Yes || |
SSD Pro 1500 180GB
supported as of SGN 6.10
A tool is available (OpalReqCheck.exe) to generically check a drive’s parameters and basic compatibility. Information on this tool and the tool itself is available in article 120985.
OPAL Drives that cannot be managed by SafeGuard Enterprise (fallback to software encryption)
|Make || |
|Hitachi || |
|A different size of the Z7K320 series has been successfully tested. |
|Samsung || |
SSD PB22-JS3 FDE 2.5 128GB
|Samsung || |
SSD PB22-JS3 FDE 2.5 64GB
| Samsung || SSD PM810 FDE TM || |
| Samsung || 840 EVO || |
| Hitachi || HTS727550A9E365 || |
| Hitachi || HTS723225A7A365 || |
| Toshiba || MK3261GSYD || |
Note: SafeGuard 6.0 supports Opal drives with firmware 1.0, Opal drives with firmware 2.0 are only supported if they are fully compatible with firmware 1.0.
In an ideal world, technical standards and specifications would be comprehensive and unambiguous and their real-world implementations would adhere to them and be, of course, bug-free. At Sophos, we have gone to great lengths to ensure that the support of Self Encrypting Drives (SEDs) that are based on the TCG Storage Group’s OPAL standard, which is available with the SafeGuard Enterprise 5.60 release, follows the standard closely. To this end, two types of checks are performed at installation time:
- Functional Checks
These include, among others, checking whether the drive identifies itself as an “OPAL” drive, whether the communications properties are ok, and whether all SafeGuard Enterprise-required OPAL features are supported by the drive.
- Security checks
These checks are made to ensure that only SafeGuard Enterprise users are registered on the drive, just as only SafeGuard Enterprise users are the owners of the keys used to software-encrypt non-SED drives. If other users are found to be registered at installation time, or when an encryption policy arrives after a successful OPAL-mode installation, SafeGuard Enterprise automatically tries to disable these users. The ability to disable these users is required by the standard, with the exception of a few well-known default “authorities” which are needed to run an OPAL system in the first place and which have well-defined functionality.
If any of these checks fail in an unrecoverable way, installation does not fall back to software-based encryption. Instead all volumes on the Opal disk remain unencrypted.
While working on the OPAL feature, Sophos was in close contact with the drive manufacturers and it soon became clear that some specific drives need special treatment. Thus, the SafeGuard Enterprise client now maintains an internal table that stores specifics on how certain drives are best operated. However, this table includes only functional issues (such as optimizations to attain maximum data transfer speed). It does, of course, not cover security issues.
However, we also noted that some drives also have potential security issues. Please note the word “potential”. There is no way to find out automatically which privileges have been assigned to an unknown user/authority that is already registered on the drive at SafeGuard Enterprise installation/encryption time. If the drive refuses the command to disable such users, SafeGuard Enterprise will fall back to software encryption to ensure maximum security for the SafeGuard Enterprise user.
Please note that at least one manufacturer, Seagate, has chosen to preinstall those users that are not covered by the OPAL standard. Sophos does not believe that these pose any security issue in any way, as Seagate has a long history of implementing SEDs, and their current line of OPAL drives also boast a number of security certificates. However, Sophos cannot give any security guarantees in any other manufacturer’s name, which is why we implemented a special installation switch to enable customers to use such drives at their own discretion.
If you want use any drive in the table above that has a “Yes” in the “Needs
IGNORE_OPAL_AUTHORITYCHECK_RESULTS Installation Parameter?” column, do as follows:
On the command prompt, type:
MSIEXEC /i <name_of_selected_client_msi.msi > IGNORE_OPAL_AUTHORITYCHECK_RESULTS=1