TCG OPALv2 support

Can anyone confirm if the Framework 16 works with TCG Opal v2 self encrypting drives?

To work, the BIOS needs to support sending the right commands, and not block control commands by locking the drive at boot.

While it’s not a hard requirement, it is helpful if the BIOS allows the user to load their own keys for SecureBoot, so that the Linux based pre-boot environment that unlocks drives can work with SecureBoot turned on.

The most common tool for working with self encrypting drives (SEDs) is sedutil.

It would be best to email Framework support about this, but I’d be curious to know the answer too.

As for loading your own keys for Secure Boot, that’s required for Windows qualification, so you’ll almost certainly be able to do that.

@kuro68k, I assume if you are asking about SED support, you are considering using them in your future FW16.

May I ask which SSDs you will use, especially for the M.2 2230 slot?

Sorry, it isn’t an answer to your question, but I’m just curious.

Sure. Yes, I want to use SED. It offers decent security at no cost to performance.

I usually use Samsung SSDs. They perform well and I have found them to be reliable. Above all, their SED support is really good and actually works.

I have also had decent results with Crucial SSDs. They seem to come with eDrive enabled from the factory.

You have to be somewhat careful with other drives, especially Intel ones. They can be bricked by trying to enable SED. Samsung and Crucial have never had that issue. My advice is to turn it on as soon as you get the drive, and if it bricks just return it under warranty. Broken firmware that bricks is probably why some manufacturers stopped supporting SED.

You can use them out of the box with sedutil. You can also use Samsung Magician to enable eDrive, which is needed for Bitlocker support. It’s called something like “prepare drive for encryption”. Once enabled you have to do a fresh install of Windows, and then enable hardware encryption in the Group Policy Editor.

The main issue with Bitlocker is that it only works for the boot drive. If you enable hardware encryption on a second drive, when you sleep or hibernate the machine, upon waking it the drive will be inaccessible. Worse still, writing to the drive will corrupt data on it. It’s a truly craptacular effort from Microsoft.

Sedutil does not support sleep, but it does support hibernation, so I use that. The other issue with sedutil, more of an issue with OPALv2, is that drives are not re-locked on reboot, only on power cycle. Not really an issue for threats like theft, only if someone is able to take the machine while it is booted up.

That’s probably way more detail than you wanted!

Thank you for your detailed answer.

I’ve heard a lot of good things about Samsung and Crucial SSDs, especially regarding self-encryption and you confirmed them once again.

But when it comes to the availability of self-encrypting SSDs, most retail-available solutions are M.2 2280 drives. When looking for M.2 2230 SEDs, one should look for SSDs primarily available to system integrators who purchase their components directly from drive manufacturers.

That means most FW16 users will hardly be able to get their hands on an SED for the secondary SSD slot. Do you know a way to easily purchase an M.2 2230 SED?

Also, do you have any particular M.2 2230 drive model in mind for your own use, or are you planning to use only the primary M.2 2280 SSD slot of the FW16?

I might try WD for the second drive, if I can’t get an OEM Samsung with a warranty. The Samsung PM991a is sometimes available.

31 posts were split to a new topic: Self-encrypting drives vs. software encryption

This thread has been off-topic for a while now. Please limit discussion in this thread to the OP’s original question - the Framework 16 and TCG Opal v2 self encrypting drives.

We will move the discussion of the merits of self-encrypting drives vs. software encryption to General Topics; you may continue this discussion there.

WD_BLACK SN850X (M.2 2280) and SN770M (M.2 2230) both support TCG Opal, and the Framework Laptop 16 AMD Ryzen 7040-series BIOS does prompt for the password(s) to unlock the drives during POST. It’s a little annoying to have to type two passwords to unlock two drives when those passwords are identical, but I can live with it.

What I can’t live with is that apparently the drives relock when the system goes into suspend/sleep, and then the BIOS doesn’t re-unlock them upon awakening before returning control to the kernel, so suddenly Linux finds itself unable to read/write the drives. Nothing can be done at that point except curse and hit SysRq+B.

Security has its toll…

I may have spoken too soon about the SN770M. The Laptop 16 BIOS 3.03 does support setting a storage password on it, and the drive refuses I/O commands while it is locked, but sedutil-cli reports that the drive does not support Opal, so I guess maybe the storage password on that drive is only a “dumb” access lock and the drive does not actually do any encryption. (That perhaps should not be surprising since it is a “DRAM-less” drive after all.) By contrast, sedutil-cli --query on the SN850X reports the following:

/dev/nvme0 NVMe WD_BLACK SN850X 1000GB                   620361WD        
TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = N, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
Geometry function (0x0003)
    Align = Y, Alignment Granularity = 1 (4096), Logical Block size = 4096, Lowest Aligned LBA = 0
SingleUser function (0x0201)
    ALL = N, ANY = N, Policy = Y, Locking Objects = 9
DataStore function (0x0202)
    Max Tables = 9, Max Size Tables = 10485760, Table size alignment = 1
OPAL 2.0 function (0x0203)
    Base comID = 0x7ffe, Initial PIN = 0x00, Reverted PIN = 0x00, comIDs = 1
    Locking Admins = 4, Locking Users = 9, Range Crossing = N
**** 1 **** Unknown function codes IGNORED 

TPer Properties: 
  MaxComPacketSize = 16896  MaxResponseComPacketSize = 16896
  MaxPacketSize = 16876  MaxIndTokenSize = 16388  MaxPackets = 1
  MaxSubpackets = 1  MaxMethods = 1  MaxSessions = 1
  MaxAuthentications = 2  MaxTransactionLimit = 1  DefSessionTimeout = 360000
  ContinuedTokens = 0  SequenceNumbers = 0  AckNak = 0
  Asynchronous = 0
Host Properties: 
  MaxComPacketSize = 2048
  MaxResponseComPacketSize = 2048  MaxPacketSize = 2028  MaxIndTokenSize = 1992
  MaxPackets = 1  MaxSubpackets = 1  MaxMethods = 1

Note especially the “Locked = N, LockingEnabled = Y, LockingSupported = Y”, which means the drive supports locking, the lock is enabled, and the drive is currently unlocked (because I am booted from it).

Oh, and I had forgotten to mention: the Laptop 16 BIOS 3.03 lets you choose whether you want it to freeze the security on the drive at boot or not. That is controlled by the “BlockSID” switch. Enabling or disabling “BlockSID” is awkward since it’s not like typical boolean BIOS options; rather, you have to set the operation field to “Enable_BlockSID” and then save and exit, and then the next time you bring up that screen after rebooting, it’ll say BlockSID is enabled. You can also command whether you want to require physical presence to enable or disable BlockSID, although that should be irrelevant unless you enable the networking stack and find some way to remotely administer the firmware.
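As an added illustration (not code from any post in this thread, nor from sedutil itself), here is a small Python checker for the `sedutil-cli --query` report quoted above. It parses the feature blocks by their feature codes (0x0002 for Locking, 0x0203 for OPAL 2.0, both taken from the output above), and then reads off the same three flags the post points at (Locked, LockingEnabled, LockingSupported) plus MediaEncrypt, which is what separates a real Opal drive from a drive whose BIOS storage password is only an access lock. The first sample is the SN850X output from the thread; the second is constructed to resemble an access-lock-only drive and is an assumption, as are the function names `parse_query` and `assess`.

```python
"""Parse `sedutil-cli --query` output and summarise the drive's Opal/locking state.

Added example for this thread; not part of sedutil or of any post here.
Run with the report on stdin (`sedutil-cli --query /dev/nvme0 | python3 opalcheck.py`)
or with no input to evaluate the two embedded samples.
"""
import re
import sys

# Sample 1: copied from the SN850X report quoted in the thread, trimmed to the
# feature blocks the checks below read.
SN850X_QUERY = """\
/dev/nvme0 NVMe WD_BLACK SN850X 1000GB                   620361WD
TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = N, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
OPAL 2.0 function (0x0203)
    Base comID = 0x7ffe, Initial PIN = 0x00, Reverted PIN = 0x00, comIDs = 1
    Locking Admins = 4, Locking Users = 9, Range Crossing = N
"""

# Sample 2: CONSTRUCTED. Mimics a drive that only offers an access lock, with no
# media encryption and no OPAL 2.0 feature block. The exact lines such a drive
# prints are an assumption, not copied from any real device.
ACCESS_LOCK_ONLY_QUERY = """\
/dev/nvme1 NVMe EXAMPLE DRIVE 2000GB                   000000EX
TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = Y, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = N
"""

FEATURE_HEADER = re.compile(r"^(?P<name>.+?) function \((?P<code>0x[0-9a-fA-F]{4})\)\s*$")
KEY_VALUE = re.compile(r"([A-Za-z][A-Za-z0-9 ]*?)\s*=\s*([^,]+)")

LOCKING_FEATURE = "0x0002"   # feature code of the "Locking function" block
OPAL20_FEATURE = "0x0203"    # feature code of the "OPAL 2.0 function" block


def parse_query(text):
    """Return {feature_code: {key: value}} for every 'X function (0xNNNN)' block."""
    features = {}
    current = None
    for line in text.splitlines():
        header = FEATURE_HEADER.match(line)
        if header:
            current = features.setdefault(header.group("code").lower(), {})
            continue
        if current is not None and line.startswith(" "):
            # Indented continuation lines carry "Key = Value" pairs separated by commas.
            for key, value in KEY_VALUE.findall(line):
                current[key.strip()] = value.strip()
        else:
            current = None  # any other line (e.g. "TPer Properties:") ends the block
    return features


def assess(text):
    """Summarise Opal support and the current lock state from a query report."""
    features = parse_query(text)
    locking = features.get(LOCKING_FEATURE, {})
    result = {
        "opal2": OPAL20_FEATURE in features,
        "media_encrypt": locking.get("MediaEncrypt") == "Y",
        "locking_supported": locking.get("LockingSupported") == "Y",
        "locking_enabled": locking.get("LockingEnabled") == "Y",
        "locked": locking.get("Locked") == "Y",
    }
    if not result["media_encrypt"]:
        result["verdict"] = "MediaEncrypt = N: a BIOS storage password on this drive is only an access lock"
    elif not result["opal2"]:
        result["verdict"] = "media encryption advertised but no OPAL 2.0 feature block reported"
    elif not result["locking_enabled"]:
        result["verdict"] = "Opal 2.0 drive, locking not enabled: data at rest is not protected yet"
    elif result["locked"]:
        # Expected after a power cycle; seen after resume from suspend it means
        # nothing (BIOS or OS) re-unlocked the range before the kernel touched it.
        result["verdict"] = "locking enabled and drive is currently locked"
    else:
        result["verdict"] = "locking enabled and drive is currently unlocked"
    return result


if __name__ == "__main__":
    reports = [sys.stdin.read()] if not sys.stdin.isatty() else [SN850X_QUERY, ACCESS_LOCK_ONLY_QUERY]
    for report in reports:
        print(report.splitlines()[0].strip())
        for key, value in assess(report).items():
            print(f"  {key}: {value}")
```

The verdict for a locked range is deliberately neutral: after a cold boot it is the normal state before the pre-boot environment or BIOS prompt unlocks the drive, whereas seeing it after resume from suspend is the relock-without-re-unlock situation described earlier in the thread, which a resume hook could detect by re-running the query before any filesystem is touched.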

Unfortunately, I would guess that none of the secondary storage (M.2 2230) drives on offer by Framework support anything beyond the incomparable “TCG Pyrite”. Western Digital’s data sheet for the SN770 has no mention of relevant functionality at all, which, considering they normally do mention this, suggests it’s not supported, and at least in my case with a 2TB SN740 they sadly didn’t opt for the SED/Opal variant (SDDQTQE-2T00), instead choosing the Non-SED/Pyrite offering SDDPTQE-2T00.

As far as primary storage goes, I can at least attest to my SN850X having proper Opal support (v2.01), and given that I can simply keep my system boot data on this drive while leaving nothing that isn’t encrypted in software on the other, it’s not a big deal.

And the referenced SN770M as an error is restricting me from further editing the previous reply…