
Encrypting Your Ubuntu Operating System Using a SED Hard Drive



Encrypting Ubuntu

Note: Dell does not officially support Linux Encryption. This is a "Best Effort Guide" and is being provided to you for your information purposes. Dell is not able to assist with troubleshooting or setting up Ubuntu to use hardware Self Encrypting Drives.

Taken from: https://github.com/Drive-Trust-Alliance/sedutil/wiki/Encrypting-your-drive

Enable Hibernation

  • Open terminal.
  • Type the following to verify if the system can hibernate:
    # sudo systemctl hibernate
  • If it works, you can either use that command to hibernate on demand or create a polkit file that adds a hibernate option to the desktop menus:

    Create /etc/polkit-1/localauthority/50-local.d/com.ubuntu.enable-hibernate.pkla. Add the following to the file and save:

    [Re-enable hibernate by default in upower]
    Identity=unix-user:*
    Action=org.freedesktop.upower.hibernate
    ResultActive=yes


    [Re-enable hibernate by default in logind]
    Identity=unix-user:*
    Action=org.freedesktop.login1.hibernate;org.freedesktop.login1.handle-hibernate-key;org.freedesktop.login1;org.freedesktop.login1.hibernate-multiple-sessions;org.freedesktop.login1.hibernate-ignore-inhibit
    ResultActive=yes
  • If hibernate doesn't work:
    Check that your swap partition is at least as large as your installed RAM.

    The presence of btrfs partitions has proved to make hibernation fail, so check that you're not using any btrfs partitions. Besides removing or reformatting such partitions, you may need to remove the btrfs-tools package:
    # sudo apt purge btrfs-tools
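The two conditions above (swap at least as large as RAM, no btrfs filesystems mounted) can be checked before you try to hibernate. The following script is an added example written for this article, not part of the Dell page or the sedutil wiki; it reads /proc/meminfo and /proc/mounts when run with --live, and otherwise uses constructed sample data so it can be exercised offline. The sample values are made up and are not measurements from any real system.

```shell
#!/bin/sh
# Added example: check the hibernation prerequisites named in the article.
# Each check takes the file contents as text so it can run against the live
# system or against the constructed samples below.

# swap_covers_ram MEMINFO_TEXT
# Returns 0 when SwapTotal >= MemTotal in the given /proc/meminfo contents.
swap_covers_ram() {
    printf '%s\n' "$1" | awk '
        $1 == "MemTotal:"  { mem  = $2 }
        $1 == "SwapTotal:" { swap = $2 }
        END { exit !(swap + 0 >= mem + 0 && mem > 0) }'
}

# btrfs_in_use MOUNTS_TEXT
# Returns 0 when any mounted filesystem in the given /proc/mounts contents is btrfs
# (third column is the filesystem type).
btrfs_in_use() {
    printf '%s\n' "$1" | awk '$3 == "btrfs" { found = 1 } END { exit !found }'
}

# hibernate_ready MEMINFO_TEXT MOUNTS_TEXT
# Prints one line per finding; returns 0 only when both checks pass.
hibernate_ready() {
    ok=0
    if swap_covers_ram "$1"; then
        echo "ok: swap is at least as large as RAM"
    else
        echo "FAIL: swap is smaller than RAM (or MemTotal missing)"
        ok=1
    fi
    if btrfs_in_use "$2"; then
        echo "FAIL: a btrfs filesystem is mounted"
        ok=1
    else
        echo "ok: no btrfs filesystems mounted"
    fi
    return $ok
}

# Constructed sample data (not real measurements) so the script runs offline.
SAMPLE_MEMINFO_GOOD='MemTotal:        8042544 kB
SwapTotal:       8388604 kB'
SAMPLE_MEMINFO_BAD='MemTotal:       16305948 kB
SwapTotal:       2097148 kB'
SAMPLE_MOUNTS_EXT4='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda1 /boot/efi vfat rw 0 0'
SAMPLE_MOUNTS_BTRFS='/dev/sda2 / btrfs rw,relatime,subvol=/@ 0 0'

# Run against the live system when invoked as: sh hibernate-check.sh --live
if [ "${1:-}" = "--live" ]; then
    hibernate_ready "$(cat /proc/meminfo)" "$(cat /proc/mounts)"
fi
```

The RAM comparison uses MemTotal rather than "available" memory because the hibernation image has to hold whatever is resident at suspend time, and MemTotal is the upper bound.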

Enable sedutil to work by enabling allow_tpm

Taken from: http://jorgenmodin.net/index_html/how-to-encrypt-your-linux-machine-and-session-with-a-self-encrypting%20disk

You need to enable TPM:
libata.allow_tpm=1

...must be added to your Grub's kernel parameters. Despite the name, this does not involve a TPM chip: the parameter tells the kernel's libata driver to allow the ATA Trusted Computing commands that sedutil uses to talk to the drive's OPAL interface, which the kernel blocks by default.

In /etc/default/grub that means that there should be a line that says something like this:
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash libata.allow_tpm=1"

Then update grub and reboot.
# sudo update-grub
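Editing /etc/default/grub by hand is fine, but the edit has to be done exactly once and the parameter must actually reach the kernel after the reboot. The script below is an added example for this article (not from the Dell page or the linked blog post): it appends a parameter to GRUB_CMDLINE_LINUX_DEFAULT only if it is not already present, and checks /proc/cmdline afterwards. It is written against a constructed copy of the grub defaults file so it can be tested offline; the --apply and --verify modes use the real paths and require root.

```shell
#!/bin/sh
# Added example: idempotently add a kernel parameter to GRUB_CMDLINE_LINUX_DEFAULT
# and verify that the booted kernel received it.

# has_kernel_param FILE PARAM -> 0 if PARAM is already in GRUB_CMDLINE_LINUX_DEFAULT
has_kernel_param() {
    grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$1" | tr -d '"' | cut -d= -f2- \
        | tr ' ' '\n' | grep -qxF -- "$2"
}

# add_kernel_param FILE PARAM
# Appends PARAM inside the quotes of GRUB_CMDLINE_LINUX_DEFAULT="..." unless it is
# already there. If the variable is missing entirely, a new line is added.
add_kernel_param() {
    file=$1
    param=$2
    if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file"; then
        printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s"\n' "$param" >> "$file"
        return 0
    fi
    has_kernel_param "$file" "$param" && return 0
    tmp=$(mktemp) || return 1
    # Drop the closing quote, append the parameter (no leading space if the
    # value was empty), then restore the quote. Other lines pass through.
    awk -v p="$param" '
        /^GRUB_CMDLINE_LINUX_DEFAULT="/ {
            sub(/"[[:space:]]*$/, "")
            if ($0 ~ /="$/) $0 = $0 p "\""
            else            $0 = $0 " " p "\""
        }
        { print }' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# cmdline_has_param CMDLINE_TEXT PARAM -> 0 if the running kernel was booted with PARAM
cmdline_has_param() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qxF -- "$2"
}

# demo_grub_file: writes a constructed /etc/default/grub look-alike to a temp
# file and prints its path (sample content, not a real system file).
demo_grub_file() {
    f=$(mktemp) || return 1
    printf '%s\n' 'GRUB_DEFAULT=0' 'GRUB_TIMEOUT=10' \
        'GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"' 'GRUB_CMDLINE_LINUX=""' > "$f"
    echo "$f"
}

PARAM=libata.allow_tpm=1
case "${1:-}" in
    --apply)   # as root, on the real system
        add_kernel_param /etc/default/grub "$PARAM" && update-grub ;;
    --verify)  # after the reboot
        if cmdline_has_param "$(cat /proc/cmdline)" "$PARAM"; then
            echo "$PARAM is active"
        else
            echo "$PARAM missing from /proc/cmdline"; exit 1
        fi ;;
esac
```

Only GRUB_CMDLINE_LINUX_DEFAULT is touched; GRUB_CMDLINE_LINUX (applied to recovery entries too) is left alone, matching the article's instruction.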

Encrypting Your Drive

Taken from: https://github.com/Drive-Trust-Alliance/sedutil/wiki/Encrypting-your-drive

Warning: Users of non-US English keyboards:

Both the PBA and rescue systems use the US English keyboard layout. This can cause issues if you set the password from your normal operating system while using another keyboard mapping. To make sure the PBA recognizes your password, you are encouraged to set up your drive from the rescue system as described on this page.

Prepare a Bootable Rescue System

Download the rescue system for a BIOS or 64-bit UEFI machine.

* UEFI support currently requires that Secure Boot be turned off.
Decompress the rescue system: (Windows users will need to use 7-zip)

gunzip RESCUE32.img.gz
--or--
gunzip RESCUE64.img.gz

Transfer the Rescue image to the USB stick.
Linux: dd if=RESCUE32.img of=/dev/sd? (/dev/sd? is the USB stick base device node, no number)
--or--
dd if=RESCUE64.img of=/dev/sd?

Windows: Use Win32DiskImager from sourceforge to write the image to the USB stick.
Boot the USB thumb drive with the rescue system on it. At the login prompt, enter "root"; there is no password, so you will get a root shell prompt.

ALL steps below should be run on the RESCUE SYSTEM.

Test sedutil

Enter the command: sedutil-cli --scan

Expected Output:

#sedutil-cli --scan
Scanning for Opal compliant disks
/dev/nvme0 2 Samsung SSD 960 EVO 250GB 2B7QCXE7
/dev/sda 2 Crucial_CT250MX200SSD1 MU04
/dev/sdb 12 Samsung SSD 850 EVO 500GB EMT01B6Q
/dev/sdc 2 ST500LT025-1DH142 0001SDM7
/dev/sdd 12 Samsung SSD 850 EVO 250GB EMT01B6Q
No more disks present ending scan.

Verify that your drive has a 2 in the second column, indicating OPAL 2 support. If it doesn't, do not proceed: something is preventing sedutil from supporting your drive, and if you continue you may erase all of your data.

Test the PBA

Enter the command linuxpba and use a pass-phrase of debug. If you don't use debug as the pass-phrase your system will reboot!

Expected Output:

#linuxpba
DTA LINUX Pre Boot Authorization
Please enter pass-phrase to unlock OPAL drives: *****
Scanning....
Drive /dev/nvme0 Samsung SSD 960 EVO 250GB is OPAL NOT LOCKED
Drive /dev/sda Crucial_CT250MX200SSD1 is OPAL NOT LOCKED
Drive /dev/sdb Samsung SSD 850 EVO 500GB is OPAL NOT LOCKED
Drive /dev/sdc ST500LT025-1DH142 is OPAL NOT LOCKED
Drive /dev/sdd Samsung SSD 850 EVO 250GB is OPAL NOT LOCKED

Verify that your drive is listed and that the PBA reports it as "is OPAL".

Issuing the commands in the steps that follow will enable OPAL locking. If you have a problem you will need to follow the steps at the end of this page (Recovery Information) to either disable or remove OPAL locking.

The following steps use /dev/sdc as the device and UEFI64-1.15.img.gz for the PBA image, substitute the proper /dev/sd? for your drive and the proper PBA name for your system.

Enable locking and the PBA

Enter the commands below: (Use the password of debug for this test, it will be changed later)

sedutil-cli --initialsetup debug /dev/sdc
sedutil-cli --enablelockingrange 0 debug /dev/sdc
sedutil-cli --setlockingrange 0 lk debug /dev/sdc
sedutil-cli --setmbrdone off debug /dev/sdc

gunzip /usr/sedutil/UEFI64-n.nn.img.gz <-- Replace n.nn with the release number.
sedutil-cli --loadpbaimage debug /usr/sedutil/UEFI64-n.nn.img /dev/sdc <-- Replace n.nn with the release number.

Expected Output:

#sedutil-cli --initialsetup debug /dev/sdc
- 14:06:39.709 INFO: takeOwnership complete
- 14:06:41.703 INFO: Locking SP Activate Complete
- 14:06:42.317 INFO: LockingRange0 disabled
- 14:06:42.694 INFO: LockingRange0 set to RW
- 14:06:43.171 INFO: MBRDone set on
- 14:06:43.515 INFO: MBRDone set on
- 14:06:43.904 INFO: MBREnable set on
- 14:06:43.904 INFO: Initial setup of TPer complete on /dev/sdc
#sedutil-cli --enablelockingrange 0 debug /dev/sdc
- 14:07:24.914 INFO: LockingRange0 enabled ReadLocking,WriteLocking
#sedutil-cli --setlockingrange 0 lk debug /dev/sdc
- 14:07:46.728 INFO: LockingRange0 set to LK
#sedutil-cli --setmbrdone off debug /dev/sdc
- 14:08:21.999 INFO: MBRDone set off
#gunzip /usr/sedutil/UEFI64-1.15.img.gz
#sedutil-cli --loadpbaimage debug /usr/sedutil/UEFI64-1.15.img /dev/sdc
- 14:10:55.328 INFO: Writing PBA to /dev/sdc
33554432 of 33554432 100% blk=1500
- 14:14:04.499 INFO: PBA image /usr/sedutil/UEFI64.img written to /dev/sdc
#

Test the PBA, Again

Enter the command linuxpba and use a pass-phrase of debug.
This second test will verify that your drive really does get unlocked.

Expected Output:

#linuxpba
DTA LINUX Pre Boot Authorization

Please enter pass-phrase to unlock OPAL drives: *****
Scanning....
Drive /dev/nvme0 Samsung SSD 960 EVO 250GB is OPAL NOT LOCKED
Drive /dev/sda Crucial_CT250MX200SSD1 is OPAL NOT LOCKED
Drive /dev/sdb Samsung SSD 850 EVO 500GB is OPAL NOT LOCKED
Drive /dev/sdc ST500LT025-1DH142 is OPAL Unlocked <--- IMPORTANT!!
Drive /dev/sdd Samsung SSD 850 EVO 250GB is OPAL NOT LOCKED

Verify that the PBA unlocks your drive; it should say "is OPAL Unlocked". If it doesn't, you will need to follow the steps at the end of this page to either remove OPAL or disable locking.
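Both of the checks the procedure asks you to make by eye (the "2" in the second column of sedutil-cli --scan, and the "is OPAL Unlocked" line from linuxpba) can be made mechanical, so a wrapper script stops instead of continuing to the destructive steps when the drive is not supported or did not unlock. The following is an added example for this article, not code from the Dell page or the sedutil project. The embedded sample outputs are copied from the article's own expected-output listings (minus the "<--- IMPORTANT!!" annotation); the column-2 test treats any value containing a 2 (such as the "12" shown for the Samsung 850 EVO) as OPAL 2 support, which is how the article phrases the check.

```shell
#!/bin/sh
# Added example: parse sedutil-cli --scan and linuxpba output so a script can
# refuse to proceed when the drive is unsupported or did not unlock.

# opal_level SCAN_TEXT DEVICE
# Prints the second column of the --scan line for DEVICE, or nothing if absent.
opal_level() {
    printf '%s\n' "$1" | awk -v dev="$2" '$1 == dev { print $2; exit }'
}

# is_opal2 SCAN_TEXT DEVICE -> 0 only when the second column contains a 2
is_opal2() {
    case "$(opal_level "$1" "$2")" in
        *2*) return 0 ;;
        *)   return 1 ;;
    esac
}

# pba_status PBA_TEXT DEVICE
# Prints what linuxpba reports after "is OPAL" for DEVICE, e.g. "NOT LOCKED" or
# "Unlocked"; prints nothing if the device is not listed.
pba_status() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        $1 == "Drive" && $2 == dev {
            n = index($0, " is OPAL ")
            if (n) print substr($0, n + 9)
            exit
        }'
}

# pba_unlocked PBA_TEXT DEVICE -> 0 only when the PBA reports "is OPAL Unlocked"
pba_unlocked() {
    [ "$(pba_status "$1" "$2")" = "Unlocked" ]
}

# Sample outputs, copied from the article's expected-output listings.
SAMPLE_SCAN='Scanning for Opal compliant disks
/dev/nvme0 2 Samsung SSD 960 EVO 250GB 2B7QCXE7
/dev/sda 2 Crucial_CT250MX200SSD1 MU04
/dev/sdb 12 Samsung SSD 850 EVO 500GB EMT01B6Q
/dev/sdc 2 ST500LT025-1DH142 0001SDM7
No more disks present ending scan.'

SAMPLE_PBA='DTA LINUX Pre Boot Authorization
Please enter pass-phrase to unlock OPAL drives: *****
Scanning....
Drive /dev/nvme0 Samsung SSD 960 EVO 250GB is OPAL NOT LOCKED
Drive /dev/sdc ST500LT025-1DH142 is OPAL Unlocked'

# Live use on the rescue system (root shell): sh opal-check.sh /dev/sdX
# runs the real scan and exits non-zero if the drive lacks OPAL 2 support.
case "${1:-}" in
    /dev/*)
        if is_opal2 "$(sedutil-cli --scan 2>&1)" "$1"; then
            echo "$1: OPAL 2 support detected"
        else
            echo "$1: no OPAL 2 support reported; do not proceed"; exit 1
        fi ;;
esac
```

Because linuxpba prompts interactively and reboots on a wrong pass-phrase, its output is best captured with a terminal logger (for example script(1)) and fed to pba_unlocked afterwards rather than piped directly.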

Set a Real Password

The SID and Admin1 passwords do not have to match but it makes things easier.
sedutil-cli --setsidpassword debug yourrealpassword /dev/sdc

sedutil-cli --setadmin1pwd debug yourrealpassword /dev/sdc

Expected Output:

#sedutil-cli --setsidpassword debug yourrealpassword /dev/sdc
#sedutil-cli --setadmin1pwd debug yourrealpassword /dev/sdc
- 14:20:53.352 INFO: Admin1 password changed

Make sure you didn't mistype your password by testing it.
sedutil-cli --setmbrdone on yourrealpassword /dev/sdc

Expected Output:

#sedutil-cli --setmbrdone on yourrealpassword /dev/sdc
- 14:22:21.590 INFO: MBRDone set on

Your drive is now using OPAL locking.
You now need to COMPLETELY POWER DOWN YOUR SYSTEM.
This will lock the drive, so that when you restart your system it will boot the PBA.

Recovery Information:

If there is an issue after enabling locking you can either disable locking or remove OPAL to continue using your drive without locking.

If you want to disable Locking and the PBA:

sedutil-cli --disableLockingRange 0 <password> <drive>
sedutil-cli --setMBREnable off <password> <drive>

Expected Output:

#sedutil-cli --disablelockingrange 0 debug /dev/sdc
- 14:07:24.914 INFO: LockingRange0 disabled
#sedutil-cli --setmbrenable off debug /dev/sdc
- 14:08:21.999 INFO: MBREnable set off

You can re-enable locking and the PBA using this command sequence.

sedutil-cli --enableLockingRange 0 <password> <drive>
sedutil-cli --setMBREnable on <password> <drive>

Expected Output:

#sedutil-cli --enablelockingrange 0 debug /dev/sdc
- 14:07:24.914 INFO: LockingRange0 enabled ReadLocking,WriteLocking
#sedutil-cli --setmbrenable on debug /dev/sdc
- 14:08:21.999 INFO: MBREnable set on

Some OPAL drives have a firmware bug that will erase all of your data if you issue the commands below. See the sedutil wiki's "remove opal" page for a list of drive/firmware pairs that are known to have been tested.

To remove OPAL issue these commands:

sedutil-cli --revertnoerase <password> <drive>
sedutil-cli --reverttper <password> <drive>

Expected Output:

#sedutil-cli --revertnoerase debug /dev/sdc
- 14:22:47.060 INFO: Revert LockingSP complete
#sedutil-cli --reverttper debug /dev/sdc
- 14:23:13.968 INFO: revertTper completed successfully
#





Article ID: SLN308600

Last Date Modified: 02/14/2018 06:18 AM
