Encrypting Your Ubuntu Operating System Using a SED Hard Drive

Summary: Dell's Best Effort guide to encrypting your Ubuntu OS when using a Self-Encrypting Hard Drive.

Symptoms

Encrypting Ubuntu

Warning: Dell does not officially support Linux Encryption. This guide is being provided to you for your information purposes. Dell is not able to assist with troubleshooting or setting up Ubuntu to use hardware Self-Encrypting Drives.
 

Taken from: https://github.com/Drive-Trust-Alliance/sedutil/wiki/Encrypting-your-drive

Enable Hibernation

  1. Open the terminal.

  2. Type the following to verify if the system can hibernate:

    # sudo systemctl hibernate

  3. If it works, you can either run that command whenever you want to hibernate, or create a polkit file so the hibernation option appears in the desktop menus:

    Create /etc/polkit-1/localauthority/50-local.d/com.ubuntu.enable-hibernate.pkla, add the following to it, and save:

    [Re-enable hibernate by default in upower]
    Identity=unix-user:*
    Action=org.freedesktop.upower.hibernate
    ResultActive=yes


    [Re-enable hibernate by default in logind]
    Identity=unix-user:*
    Action=org.freedesktop.login1.hibernate;org.freedesktop.login1.handle-hibernate-key;org.freedesktop.login1;org.freedesktop.login1.hibernate-multiple-sessions;org.freedesktop.login1.hibernate-ignore-inhibit
    ResultActive=yes

  4. If hibernation does not work:

    Check that your swap partition is at least as large as your RAM.

    The presence of btrfs partitions has proved to make hibernation fail, so check that you are not using any btrfs partitions. Besides removing or reformatting such partitions, you may need to remove the btrfs-tools package:

    # sudo apt purge btrfs-tools
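The two checks above (swap at least as large as RAM, and no btrfs mounts) are easy to script. The following is an added example, not code from the Dell article or the sedutil wiki; both functions take file paths so they can be pointed at /proc/meminfo and /proc/mounts on a live system, and the demo below runs them against constructed sample files instead.

```shell
#!/bin/sh
# Added example: automate the hibernation prerequisite checks.
# Live system: hibernate_prereqs /proc/meminfo /proc/mounts

# Exit 0 if SwapTotal >= MemTotal (both in kB, /proc/meminfo format).
swap_covers_ram() {  # $1 = meminfo file
    mem=$(awk '/^MemTotal:/ {print $2}' "$1")
    swap=$(awk '/^SwapTotal:/ {print $2}' "$1")
    [ -n "$mem" ] && [ -n "$swap" ] && [ "$swap" -ge "$mem" ]
}

# Exit 0 when no mount uses btrfs (3rd field of /proc/mounts is the fs type);
# otherwise list the offending mount points and exit 1.
no_btrfs_mounts() {  # $1 = mounts file
    found=$(awk '$3 == "btrfs" {print $2}' "$1")
    [ -z "$found" ] || { printf 'btrfs mounted at: %s\n' "$found"; return 1; }
}

# Run both checks and report every failure, not just the first one.
hibernate_prereqs() {  # $1 = meminfo file, $2 = mounts file
    ok=0
    swap_covers_ram "$1" || { echo "swap is smaller than RAM"; ok=1; }
    no_btrfs_mounts "$2" || ok=1
    return $ok
}

# Constructed sample input (not from a real machine): 8 GiB RAM with only
# 2 GiB of swap, and /home on btrfs, so both checks should fail.
tmp=$(mktemp -d)
printf 'MemTotal:        8192000 kB\nMemFree:         1000000 kB\nSwapTotal:       2048000 kB\n' > "$tmp/meminfo"
printf '/dev/sda2 / ext4 rw 0 0\n/dev/sda3 /home btrfs rw 0 0\n' > "$tmp/mounts"
if hibernate_prereqs "$tmp/meminfo" "$tmp/mounts"; then
    echo "hibernation prerequisites met"
else
    echo "fix the items above before trying systemctl hibernate"
fi
rm -r "$tmp"
```

Replace the sample paths with /proc/meminfo and /proc/mounts to check the running system; a non-zero exit means at least one of the two conditions in step 4 is not met.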

 

Enable sedutil by setting allow_tpm

Taken from: http://jorgenmodin.net/

The kernel parameter

libata.allow_tpm=1

...must be added to your GRUB kernel parameters. Despite the name, this setting does not involve the TPM chip: it tells the libata driver to pass Trusted Computing Group (TCG) commands through to the drive, and sedutil needs those commands to talk to the drive's OPAL firmware.

In /etc/default/grub that means that there should be a line that says something like this:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash libata.allow_tpm=1"

Then update grub and reboot.

# sudo update-grub

 

Encrypting Your Drive

Taken from: https://github.com/Drive-Trust-Alliance/sedutil/wiki/Encrypting-your-drive

Warning for users of non-US English keyboards:

Both the PBA and the rescue system use the US English keyboard layout. This can cause problems if you set the password from your normal operating system while using another keyboard mapping, because the PBA may then read different characters for the same keys. To make sure the PBA recognizes your password, set up your drive from the rescue system as described on this page.

Cause

Prepare a Bootable Rescue System

  1. Download the rescue system image for a BIOS machine (RESCUE32) or a 64-bit UEFI machine (RESCUE64); the images are linked from the sedutil wiki page cited above.

    * UEFI support requires that Secure Boot be turned off.

  2. Decompress the rescue image (Windows users must use 7-zip):

    gunzip RESCUE32.img.gz
    --or--
    gunzip RESCUE64.img.gz

  3. Transfer the rescue image to the USB stick.

    Linux (/dev/sd? is the USB stick's base device node, with no partition number):

    dd if=RESCUE32.img of=/dev/sd?
    --or--
    dd if=RESCUE64.img of=/dev/sd?

    Windows: use Win32DiskImager from SourceForge to write the image to the USB stick.

  4. Boot the USB thumb drive with the rescue system on it. At the login prompt, enter root; there is no password, so you get a root shell prompt.

ALL steps below should be run on the RESCUE SYSTEM.

 

Test sedutil

Enter the command: sedutil-cli --scan

Expected Output:

#sedutil-cli --scan
Scanning for Opal compliant disks
/dev/nvme0  2  Samsung SSD 960 EVO 250GB    2B7QCXE7
/dev/sda  2  Crucial_CT250MX200SSD1    MU04
/dev/sdb  12  Samsung SSD 850 EVO 500GB    EMT01B6Q
/dev/sdc  2  ST500LT025-1DH142    0001SDM7
/dev/sdd  12  Samsung SSD 850 EVO 250GB    EMT01B6Q
No more disks present ending scan.


Verify that your drive has a 2 in the second column, indicating OPAL 2 support. If it does not, do not proceed: something is preventing sedutil from supporting your drive, and continuing may erase all data.

 

Test the PBA

Enter the command linuxpba and use a pass-phrase of debug. If you enter anything other than debug as the pass-phrase, your system reboots.

Expected Output:

#linuxpba
DTA LINUX Pre Boot Authorization
Enter pass-phrase to unlock OPAL drives: *****
Scanning....
Drive /dev/nvme0 Samsung SSD 960 EVO 250GB    is OPAL NOT LOCKED
Drive /dev/sda  Crucial_CT250MX200SSD1    is OPAL NOT LOCKED
Drive /dev/sdb  Samsung SSD 850 EVO 500GB    is OPAL NOT LOCKED
Drive /dev/sdc  ST500LT025-1DH142    is OPAL NOT LOCKED
Drive /dev/sdd  Samsung SSD 850 EVO 250GB    is OPAL NOT LOCKED

Verify that your drive is listed and that the PBA reports it as "is OPAL".

Issuing the commands in the steps that follow enables OPAL locking. If you have a problem, you must follow the steps at the end of this page (Recovery Information) to either disable or remove OPAL locking.

The following steps use /dev/sdc as the device and UEFI64-1.15.img.gz as the PBA image; substitute the proper /dev/sd? for your drive and the proper PBA image name for your system.


Resolution

Enable locking and the PBA

Enter the commands below (use the password debug for this test; it is changed later):

sedutil-cli --initialsetup debug /dev/sdc
sedutil-cli --enablelockingrange 0 debug /dev/sdc
sedutil-cli --setlockingrange 0 lk debug /dev/sdc
sedutil-cli --setmbrdone off debug /dev/sdc

gunzip /usr/sedutil/UEFI64-n.nn.img.gz <-- Replace n.nn with the release number.
sedutil-cli --loadpbaimage debug /usr/sedutil/UEFI64-n.nn.img /dev/sdc <-- Replace n.nn with the release number.

Expected Output:

#sedutil-cli --initialsetup debug /dev/sdc
- 14:06:39.709 INFO: takeOwnership complete
- 14:06:41.703 INFO: Locking SP Activate Complete
- 14:06:42.317 INFO: LockingRange0 disabled
- 14:06:42.694 INFO: LockingRange0 set to RW
- 14:06:43.171 INFO: MBRDone set on
- 14:06:43.515 INFO: MBRDone set on
- 14:06:43.904 INFO: MBREnable set on
- 14:06:43.904 INFO: Initial setup of TPer complete on /dev/sdc
#sedutil-cli --enablelockingrange 0 debug /dev/sdc
- 14:07:24.914 INFO: LockingRange0 enabled ReadLocking,WriteLocking
#sedutil-cli --setlockingrange 0 lk debug /dev/sdc
- 14:07:46.728 INFO: LockingRange0 set to LK
#sedutil-cli --setmbrdone off debug /dev/sdc
- 14:08:21.999 INFO: MBRDone set off
#gunzip /usr/sedutil/UEFI64-1.15.img.gz
#sedutil-cli --loadpbaimage debug /usr/sedutil/UEFI64-1.15.img /dev/sdc
- 14:10:55.328 INFO: Writing PBA to /dev/sdc
33554432 of 33554432 100% blk=1500
- 14:14:04.499 INFO: PBA image /usr/sedutil/UEFI64.img written to /dev/sdc
#

 

Test the PBA, Again

Enter the command linuxpba, and use a pass-phrase of debug.
This second test verifies that your drive really does get unlocked.

Expected Output:

#linuxpba

DTA LINUX Pre Boot Authorization

Enter pass-phrase to unlock OPAL drives: *****
Scanning....
Drive /dev/nvme0 Samsung SSD 960 EVO 250GB    is OPAL NOT LOCKED
Drive /dev/sda  Crucial_CT250MX200SSD1    is OPAL NOT LOCKED
Drive /dev/sdb  Samsung SSD 850 EVO 500GB    is OPAL NOT LOCKED
Drive /dev/sdc  ST500LT025-1DH142    is OPAL Unlocked    <--- IMPORTANT!!
Drive /dev/sdd  Samsung SSD 850 EVO 250GB    is OPAL NOT LOCKED

Verify that the PBA unlocks your drive: it should say "is OPAL Unlocked". If it does not, you must follow the steps at the end of this page to either remove OPAL or disable locking.
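The three checks the article asks you to make by eye (a 2 in the second column of sedutil-cli --scan, "is OPAL" in the first linuxpba run, and "is OPAL Unlocked" in the second) can be scripted so a typo in the device name or a drive that is still NOT LOCKED is caught before the real password is set. The following is an added example, not code from the article or the sedutil project. It assumes you have saved the tool output to files on the rescue system (for instance sedutil-cli --scan > scan.txt and linuxpba | tee pba.txt) and it parses the output formats shown above; the sample listings in the block are constructed from the article's examples plus one made-up non-OPAL disk.

```shell
#!/bin/sh
# Added example: check sedutil-cli --scan and linuxpba output for one device.

# Exit 0 if the device appears in the scan with a "2" in the second column,
# which is the OPAL 2 indication the article tells you to look for.
scan_reports_opal2() {  # $1 = scan output file, $2 = device, e.g. /dev/sdc
    awk -v dev="$2" '$1 == dev { found = 1; if (index($2, "2")) ok = 1 }
                     END { exit !(found && ok) }' "$1"
}

# Print the state linuxpba reported for the device: "NOT LOCKED" (locking not
# enabled yet), "Unlocked" (the PBA authenticated and unlocked it), or whatever
# else followed "is OPAL". Prints nothing if the device is not listed.
pba_state() {  # $1 = linuxpba output file, $2 = device
    sed -n "s|^Drive $2 .* is OPAL *||p" "$1" | sed 's/[[:space:]]*$//'
}

# Exit 0 only when the second PBA test shows the drive really was unlocked.
pba_unlocked() {  # $1 = linuxpba output file, $2 = device
    [ "$(pba_state "$1" "$2")" = "Unlocked" ]
}

# Constructed sample output (taken from the article's listings, plus /dev/sde,
# an invented disk without OPAL support).
tmp=$(mktemp -d)
cat > "$tmp/scan.txt" <<'EOF'
Scanning for Opal compliant disks
/dev/nvme0  2  Samsung SSD 960 EVO 250GB    2B7QCXE7
/dev/sda  2  Crucial_CT250MX200SSD1    MU04
/dev/sdb  12  Samsung SSD 850 EVO 500GB    EMT01B6Q
/dev/sdc  2  ST500LT025-1DH142    0001SDM7
/dev/sde  No  ExampleDisk    0001
No more disks present ending scan.
EOF
cat > "$tmp/pba.txt" <<'EOF'
DTA LINUX Pre Boot Authorization
Enter pass-phrase to unlock OPAL drives: *****
Scanning....
Drive /dev/sda  Crucial_CT250MX200SSD1    is OPAL NOT LOCKED
Drive /dev/sdc  ST500LT025-1DH142    is OPAL Unlocked
EOF

for dev in /dev/sda /dev/sdc /dev/sde; do
    if scan_reports_opal2 "$tmp/scan.txt" "$dev"; then
        echo "$dev: OPAL 2 reported; PBA state: $(pba_state "$tmp/pba.txt" "$dev")"
        pba_unlocked "$tmp/pba.txt" "$dev" && echo "$dev: PBA unlock verified, safe to set the real password"
    else
        echo "$dev: no OPAL 2 support reported, do not proceed with this drive"
    fi
done
rm -r "$tmp"
```

A drive that still reports NOT LOCKED after the second linuxpba run means locking was never enabled (or the PBA image went to a different device), which is exactly the situation the Recovery Information section at the end of the page is for.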

 

Set a Real Password

The SID and Admin1 passwords do not have to match, but using the same value for both makes things easier.

sedutil-cli --setsidpassword debug yourrealpassword /dev/sdc

sedutil-cli --setadmin1pwd debug yourrealpassword /dev/sdc

Expected Output:

#sedutil-cli --setsidpassword debug yourrealpassword /dev/sdc
#sedutil-cli --setadmin1pwd debug yourrealpassword /dev/sdc
- 14:20:53.352 INFO: Admin1 password changed

Make sure you did not mistype your password by testing it.

sedutil-cli --setmbrdone on yourrealpassword /dev/sdc

Expected Output:

#sedutil-cli --setmbrdone on yourrealpassword /dev/sdc
- 14:22:21.590 INFO: MBRDone set on

Your drive is now using OPAL locking.
You now must COMPLETELY POWER DOWN YOUR SYSTEM.
This locks the drive so that when you restart your system it boots the PBA.
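Typing yourrealpassword on the command line as the article shows leaves it in the shell history, and sedutil-cli takes the password as an argument, so it is also visible in the process list for the moment the command runs. The following is an added example, not code from the article or the sedutil project: it prompts for the password twice with terminal echo off, rejects values that would cause trouble later (empty, the temporary debug value, or characters outside printable ASCII, which the US-layout PBA may not be able to type), and then runs the same three commands the article gives. DEV, DRY_RUN and SET_PASSWORD are names chosen for this example; with the default DRY_RUN=1 the commands are only printed, with the password masked.

```shell
#!/bin/sh
# Added example: set the real SID/Admin1 password without typing it on the
# command line. Real use on the rescue system:
#   SET_PASSWORD=1 DRY_RUN=0 DEV=/dev/sdc sh setpw.sh
DEV=${DEV:-/dev/sdc}
DRY_RUN=${DRY_RUN:-1}

# Reject passphrases the article's workflow would trip over. Prints the reason.
validate_passphrase() {  # $1 = candidate passphrase
    p=$1
    if [ -z "$p" ]; then echo "empty passphrase"; return 1; fi
    if [ "$p" = "debug" ]; then echo "'debug' is the temporary test password"; return 1; fi
    if printf '%s' "$p" | LC_ALL=C grep -q '[^ -~]'; then
        echo "non-ASCII or control characters: may not be typeable in the PBA"; return 1
    fi
    return 0
}

# Read one line with terminal echo off; prints it. Fails on EOF.
prompt_secret() {  # $1 = prompt text
    printf '%s' "$1" >&2
    stty -echo 2>/dev/null
    IFS= read -r line || { stty echo 2>/dev/null; echo >&2; return 1; }
    stty echo 2>/dev/null
    echo >&2
    printf '%s' "$line"
}

# Prompt twice until both entries match and pass validation.
read_passphrase() {
    while :; do
        p1=$(prompt_secret "New drive password: ") || return 1
        p2=$(prompt_secret "Repeat: ") || return 1
        [ "$p1" = "$p2" ] || { echo "passwords do not match" >&2; continue; }
        validate_passphrase "$p1" >&2 && break
    done
    printf '%s' "$p1"
}

# Run a command, or in dry-run mode print it with the secret masked.
run() {  # $1 = secret to mask, rest = command and arguments
    secret=$1; shift
    if [ "$DRY_RUN" = 1 ]; then
        masked=""
        for a in "$@"; do
            [ "$a" = "$secret" ] && a='****'
            masked="$masked $a"
        done
        echo "would run:$masked"
    else
        "$@"
    fi
}

if [ "${SET_PASSWORD:-0}" = 1 ]; then
    pw=$(read_passphrase) || exit 1
    # Same sequence as the article: change SID and Admin1 from "debug", then
    # prove the new password works by setting MBRDone with it.
    run "$pw" sedutil-cli --setsidpassword debug "$pw" "$DEV"
    run "$pw" sedutil-cli --setadmin1pwd debug "$pw" "$DEV"
    run "$pw" sedutil-cli --setmbrdone on "$pw" "$DEV"
else
    echo "Set SET_PASSWORD=1 to run interactively (and DRY_RUN=0 to actually change $DEV)." >&2
fi
```

The MBRDone step is kept as the final command for the same reason the article gives: it is the cheapest operation that fails if the new Admin1 password was not what you thought you typed, and it must succeed before you power the machine down.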

 

Recovery Information:

If there is an issue after enabling locking, you can either disable locking or remove OPAL to continue using your drive without locking.

If you want to disable Locking and the PBA:

sedutil-cli --disableLockingRange 0 <password> <drive>
sedutil-cli --setMBREnable off <password> <drive>

Expected Output:

#sedutil-cli --disablelockingrange 0 debug /dev/sdc
- 14:07:24.914 INFO: LockingRange0 disabled
#sedutil-cli --setmbrenable off debug /dev/sdc
- 14:08:21.999 INFO: MBREnable set off


You can re-enable locking and the PBA using this command sequence.

sedutil-cli --enableLockingRange 0 <password> <drive>
sedutil-cli --setMBREnable on <password> <drive>

Expected Output:

#sedutil-cli --enablelockingrange 0 debug /dev/sdc
- 14:07:24.914 INFO: LockingRange0 enabled ReadLocking,WriteLocking
#sedutil-cli --setmbrenable on debug /dev/sdc
- 14:08:21.999 INFO: MBREnable set on

Some OPAL drives have a firmware bug that erases all data if you issue the commands below. See the sedutil wiki page on removing OPAL for a list of drive/firmware pairs that are known to have been tested.

To remove OPAL, issue these commands:

sedutil-cli --revertnoerase <password> <drive>
sedutil-cli --reverttper <password> <drive>

Expected Output:

#sedutil-cli --revertnoerase debug /dev/sdc
- 14:22:47.060 INFO: Revert LockingSP complete
#sedutil-cli --reverttper debug /dev/sdc
- 14:23:13.968 INFO: revertTper completed successfully
#


Article Properties


Affected Product

Security, Software

Last Published Date

21 Aug 2023

Version

6

Article Type

Solution