FAQs for Drive Encryption 7.x (Opal Drives) (2024)

Is an Opal drive always encrypted?
Yes. Regardless of whether the drive is locked or unlocked, it's always encrypted. It's not possible to have a decrypted Opal drive.

NOTE: The Disk Encryption Key (DEK) can never be read from the drive. DE only shows two valid states: Unlocked and Locked.

What's the difference between locked and unlocked?
Technically, the difference is in terms of the access to the encryption key by the encryption processor on-board the drive.

  • If the disk is unlocked, the on-board encryption processor has access to the disk encryption key and the drive behaves exactly like a normal HDD. An end user wouldn't be able to tell the difference in this state between an Opal drive and a normal HDD.
  • If the disk is locked, the disk encryption key is protected and a preboot environment is required to unlock the disk before the data can be accessed and the Operating System allowed to boot. Note that the disk encryption key is kept internal to the drive; it's not possible to read it from the drive.

What's the default state for an Opal drive?
When you first receive an Opal drive, the state is unlocked. It behaves and responds exactly like a normal HDD. You need to explicitly lock the drive by enabling the native Locking Mechanism of the drive. One way of doing this is to use DE to manage the drive.

How can you take the drive from an unlocked to a locked state?
An application such as DE, which has a preboot environment, needs to perform the necessary steps to enable the native locking mechanism of the Opal drive and install the preboot environment. Once the drive is locked, the preboot environment is required to unlock the drive before the Operating System can start its boot process. Without a preboot environment, nothing would be present to unlock the drive and allow the operating system to boot.

When a locked drive is unlocked, how long does it stay unlocked?
The Opal drive remains unlocked until the next power cycle. This means that once you unlock an Opal drive, it remains unlocked until you turn off the device, or move to another power state where the Opal drive loses power. But, in DE, to ensure the same user experience as with DE software encryption, the drive is explicitly locked on a restart as well.

Can I take a disk image of the drive and decrypt it using a tool such as EnCase?
No. The key is created on the drive and it never leaves the drive. It's not possible for applications or other pieces of hardware to ask the drive for its key(s), and therefore the key isn't available for use in tools such as EnCase.

What do I do if the Opal drive is locked and I forgot my password?
DE has a recovery mechanism to assist.

Can you restore an Opal drive to its default factory state?
There's one TCG-ratified mechanism for a revert process to occur, but the drive master credential must be known. Some drive manufacturers include an additional non-TCG revert process where the master credential isn't known (known as a PSID revert). If the drive doesn't support a PSID revert and you're locked out (and for some reason DE's normal recovery functions don't work or the drive fails to respond), the drive is now unusable, your data is lost, and you need to purchase a new Opal drive. If the drive does support a PSID revert, you can return it to a default factory state even without unlocking the drive first, but all the data on the drive will be lost. Tools are available to do this (it's not a supported use case in DE).

What happens if there's a physical hardware failure and the Opal drive stops responding to Unlock requests?
In this situation, the drive is now completely non-functional. There's nothing you can do to access the data. Consider the data lost and purchase a new Opal drive. This is because DE doesn't know the actual disk encryption key; the disk encryption key can't be read from the drive.

Is the preboot for Opal different from the preboot for software encryption?
Yes and no. The preboot needs to know how to unlock an Opal drive to allow the Operating System to boot. But, the rest of the preboot looks and behaves the same as with software encryption. In fact, much of the preboot code is shared between software and Opal preboot applications.

Are there multiple versions of the Opal Standard?
Yes, with the currently implemented version being 1.0. The TCG has also published version 2.0. Support for TCG's Opal v2.0 specification is being considered for possible inclusion in a future release.

Does an Opal drive have a concept of users?
Yes. Once the drive is locked, a username and PIN are required to unlock the drive.

Where are the users maintained?
Each user is specific and local to each Opal drive. The application managing the Opal drive needs to also manage the Opal Users.

Is an Opal User the same as a DE User or a Windows Domain User?
No. All three are completely separate entities.

Is there a maximum number of Opal Users?
Yes. Only a small number of Opal Users can be assigned to a single Opal drive. Opal drives from different manufacturers vary as to the maximum number of users they can support.

What happens if I want to assign more DE Users to a device than are available as Opal Users?
The DE architecture allows you to assign as many users as needed to the Opal drive, regardless of the technical limitation on Opal Users on the device. This complexity is hidden from the administrator and allows them to assign users to the device in the same manner as if it was a normal HDD. The recommendation and limitations for the number of users assigned to a device remain constant, regardless of the type of HDD used.

Can an Opal drive have more than one disk encryption key?
Yes. There's a section of the Opal specification that deals with Logical Block Addressing ranges, which can also be referred to as Local Ranges.

What's the Global Range?
The Global Range contains all sectors of the disk that aren't in a defined Local Range (see below).

What's a Local Range?
A Local Range is a contiguous range of sectors, and each Local Range has its own encryption key. These ranges can be Locked or can remain Unlocked. As an example, a Local Range may be applied to a partition, but a range doesn't have to map exactly to a partition.

Why would someone use Local Ranges?
They would use Local Ranges if they want a specific part of the disk to always be available and accessible, regardless of whether the disk is in a Locked or Unlocked state.

If a Local Range is a contiguous range of sectors, what happens when I define a new Range?
A new encryption key is automatically generated for the new range. If the Opal drive supports re-encryption, the data is decrypted with the old key and re-encrypted with the new key. Re-encryption is an optional part of the standard, and at present, we believe that no drives support it. If the drive doesn't support re-encryption, you've now lost all the data that was previously in that range since it has been cryptographically erased.

If I use a partition tool, could I lose all my data if I use Local Ranges?
Yes, that's a possibility.
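The per-range key behaviour described in the two answers above, as an added toy model (not DE's code and not a drive implementation): the Global Range and each Local Range carry their own DEK, defining a new range generates a fresh key, and without the optional re-encryption the sectors already in that range become unreadable (a cryptographic erase). The HMAC-derived keystream is a constructed stand-in for the drive's AES; the sector size and sample data are constructed for the demo.

```python
import hashlib, hmac, os

SECTOR = 16  # bytes per sector in this model (constructed, not a real geometry)

def _keystream(dek, lba):
    # Stand-in for the drive's AES: a per-sector keystream derived from the range DEK.
    return hmac.new(dek, lba.to_bytes(8, "big"), hashlib.sha256).digest()[:SECTOR]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class OpalDriveModel:
    """Toy model: a Global Range plus Local Ranges, one DEK each, keys never exported."""
    def __init__(self, sectors, supports_reencrypt=False):
        self.supports_reencrypt = supports_reencrypt  # optional feature in the standard
        self.global_key = os.urandom(32)  # DEK for the Global Range
        self.ranges = []                  # Local Ranges as [start, end, dek], newest first
        # Media starts as encrypted zero sectors under the Global Range key.
        self.stored = [_xor(bytes(SECTOR), _keystream(self.global_key, i))
                       for i in range(sectors)]
    def _key_for(self, lba):
        for start, end, dek in self.ranges:
            if start <= lba < end:
                return dek
        return self.global_key  # sectors in no Local Range belong to the Global Range
    def write(self, lba, data):
        self.stored[lba] = _xor(data, _keystream(self._key_for(lba), lba))
    def read(self, lba):
        return _xor(self.stored[lba], _keystream(self._key_for(lba), lba))
    def define_local_range(self, start, end):
        """Create a Local Range over [start, end); the drive generates a fresh DEK."""
        old_keys = [self._key_for(i) for i in range(start, end)]
        new_dek = os.urandom(32)
        if self.supports_reencrypt:
            # Decrypt under the previous key and re-encrypt under the new one.
            for i, old in zip(range(start, end), old_keys):
                plain = _xor(self.stored[i], _keystream(old, i))
                self.stored[i] = _xor(plain, _keystream(new_dek, i))
        # Otherwise the ciphertext is untouched; reads now use the new DEK, so the
        # old contents are cryptographically erased.
        self.ranges.insert(0, [start, end, new_dek])

def demo(supports_reencrypt):
    """Write a sector, define a Local Range over it, return (read before, read after)."""
    drive = OpalDriveModel(sectors=8, supports_reencrypt=supports_reencrypt)
    sample = b"partition data!!"  # constructed 16-byte sample sector
    drive.write(5, sample)
    before = drive.read(5)
    drive.define_local_range(4, 8)  # e.g. a partition tool laying out a new range
    return before, drive.read(5)
```

With `supports_reencrypt=False` the second value is keystream garbage, which is the data-loss case the FAQ warns about; with re-encryption the sample survives.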

How many Local Ranges can there be?
The Opal Standard specifies at least five (including the Global Range).

Does DE support Local Ranges for specifying whether partitions are locked or not?
No.

Does DE support S3 with Opal drives?
Yes. S3 is a power state, commonly known as Standby, Sleep, or Suspend to RAM. A system in an S3 state appears to be turned off. The CPU has no power, the RAM is in a slow refresh mode, and the power supply is in a reduced power mode.

Opal drives lock when they have no power; is that a problem?
Yes. It's hard to restart Windows when the drive is locked and Windows doesn't have a way to unlock it. The TCG doesn't have a common and agreed solution to the S3 issue.

Because S3 works with DE, is it a proprietary implementation of S3 Support?
Yes.

Does DE support a mixed-mode?
Yes. A mixed-mode is defined as a situation where a computer has more than one physical drive and has a combination of Opal drives and normal HDDs. The lowest common denominator is always software encryption. If in doubt, the software encryption functionality is used to encrypt both the Opal drive and the normal HDD.

What happens if I have an Opal and a normal HDD in one computer? Will DE use the native Opal functionality on the Opal drive and software encryption for the normal HDD?
No. This is what's described as a mixed-mode environment. DE needs to make a decision as to how it's going to enforce the encryption policy on the computer. By default, software encryption is chosen automatically if you have Opal and non-Opal drives in the same computer.

Can you use software encryption on an Opal drive?
Yes. Until the native locking mechanism of an Opal drive has been enabled, an Opal drive responds and behaves exactly like a normal HDD. Nothing stops an administrator from encrypting the drive using Software Encryption instead of using the native functionality of the Opal drive. Technically speaking, the data is then encrypted twice, once by software encryption and again by the Opal drive. But, since the drive isn't locked, the Opal encryption is transparent.