TCG OPALv2 support

Can anyone confirm if the Framework 16 works with TCG Opal v2 self encrypting drives?

To work, the BIOS needs to support sending the right commands, and not block sending control commands by locking the drive at boot.

While it’s not a hard requirement, it is helpful if the BIOS allows the user to load their own keys for SecureBoot, so that the Linux-based pre-boot environment that unlocks drives can work with SecureBoot turned on.

The most common tool for working with self encrypting drives (SEDs) is sedutil.


It would be best to email Framework support about this, but I’d be curious to know the answer too.

As for loading your own keys for Secure Boot, that’s required for Windows qualification, so you’ll almost certainly be able to do that.


@kuro68k, I assume if you are asking about SED support, you are considering using them in your future FW16.

May I ask which SSDs you will use, especially for the M.2 2230 slot?

Sorry, it isn’t an answer to your question, but I’m just curious.

Sure. Yes, I want to use SED. It offers decent security at no cost to performance.

I usually use Samsung SSDs. They perform well and I have found them to be reliable. Above all, their SED support is really good and actually works.

I have also had decent results with Crucial SSDs. They seem to come with eDrive enabled from the factory.

You have to be somewhat careful with other drives, especially Intel ones. They can be bricked by trying to enable SED. Samsung and Crucial have never had that issue. My advice is to turn it on as soon as you get the drive, and if it bricks just return it under warranty. Broken firmware that bricks is probably why some manufacturers stopped supporting SED.

You can use them out of the box with sedutil. You can also use Samsung Magician to enable eDrive, which is needed for Bitlocker support. It’s called something like “prepare drive for encryption”. Once enabled you have to do a fresh install of Windows, and then enable hardware encryption in the Group Policy Editor.

The main issue with Bitlocker is that it only works for the boot drive. If you enable hardware encryption on a second drive, when you sleep or hibernate the machine, upon waking it the drive will be inaccessible. Worse still, writing to the drive will corrupt data on it. It’s a truly craptacular effort from Microsoft.

Sedutil does not support sleep, but it does support hibernation, so I use that. The other issue with sedutil, more of an issue with OPALv2, is that drives are not re-locked on reboot, only on power cycle. Not really an issue for threats like theft, only if someone is able to take the machine while it is booted up.

That’s probably way more detail than you wanted!


Thank you for your detailed answer.

I’ve heard a lot of good things about Samsung and Crucial SSDs, especially regarding self-encryption and you confirmed them once again.

But when it comes to the availability of self-encrypting SSDs, most retail-available solutions are M.2 2280 drives. When looking for M.2 2230 SEDs, one should look for SSDs primarily available to systems integrators who purchase their components directly from drive manufacturers.

That means most FW16 users will hardly be able to get their hands on an SED for the secondary SSD slot. Do you know a way to easily purchase an M.2 2230 SED?

Also, do you have any particular drive model in mind, in M.2 2230 format and for your own use, or are you planning to use only the primary M.2 2280 SSD slot of the FW16?

I might try WD for the second drive, if I can’t get an OEM Samsung with a warranty. The Samsung PM991a is sometimes available.


31 posts were split to a new topic: Self-encrypting drives vs. software encryption

This thread has been off-topic for a while now. Please limit discussion in this thread to the OP’s original question - the Framework 16 and TCG Opal v2 self encrypting drives.

We will move the discussion of the merits of self-encrypting drives vs. software encryption to General Topics (General Topics - Framework Community); you may continue this discussion there.