Using hardware cryptography (OPAL) instead of software (LUKS)

[rsd]

I am not a big fan of software cryptographic layer in the the fs on my own machine. Primarily because of the performance waste and the possibility of a bad upgrade leave lock out.

However, I do understand the pros on having that, specially on notebooks with serious stuff on it.

So, I decide to go for a hardware one, in a way that there is no loss of performance and hopefully shielded from upgrade issues.

Also, another objective is to have a complete transparent cryptographic layer that even the OS is aware of, be it Linux or Windows.

The Hardware

The OPAL standard exists for quite a long time by now. So the chances of you already having a drive capable is somewhat good.

Be aware that in the past some drives / vendors had some issues regarding bad implementations on some models. So be sure to do a research on the model you have before continue or the one you might buy.

Also, need to check the firmware for the drive, some issues in the past were solved by upgrading the firmware.

I got a Samsung 990 Pro and did a firmware upgrade on Samsung Magician.

Ranges

The OPAL specification has many possibilities, like mapping the cryptographic sessions to LBA areas (which would allow for unprotect areas like /boot).

I prefer to go to what is called Range 0, which is a all-in setup.

Sedutils

The most common way to set the drive is with sedutils from The Drive Trust Alliance

You will need the rescue disk from: https://github.com/ChubbyAnt/sedutil/releases

The way this works, sedutil will install a Pre Boot Authentication (PBA) to unlock the drive in a Shadow MBR. The Shadow MBR is like a hidden boot sector that host the PBA firmware. After unlocking the drive it will be replaced by the real cryptographed boot sector.

Special BIOS

Some professional BIOS might have support for PBA, not needing to install it from sedutils.

PSID

This varies from vendor to vendor.

The drive might be locked by a MSID (Manufacturer Security ID), the vendor key. In this case, in order to be able to unlock and use OPAL, you will need the PSID (Physical Security ID).

The PSID usually is printed in the drive itself or as a qrcode in it. Yes, you will need visual access to the drive.

The Process

A. Boot from the Sedutil Rescue Image

Unlock the drive with:

sedutil-cli --yesIreallywanttoERASEALLmydatausingthePSID <PSID> /dev/nvme0

Which will also erase everything from the drive.

B. Try a Initial Setup

sedutil-cli --initialsetup <YOUR-KEY> /dev/nvme0

If this fails it is because the BIOS is block the Secure ID.

Check if your BIOS has something like:
Disable Block SID

B.1 Disable thru Windows

If your BIOS does not have it, you can still do it thru Windows (hope you have that USB one).

In a Powershell (not 7) as Administrator, run:

$tpm = gwmi -n root\cimv2\security\microsofttpm win32_tpm
$tpm.SetPhysicalPresenceRequest(97) 

• 97 is the Disable_BlockSID in the next boot.
• you can run this later on with 96 to reenable: Enable_BlockSID

After this, reboot into the sedutils rescue disk. Note that a cold reboot can make this not work.

Try again the --initialsetup command. It should work now.

C. Configuring Range 0

Enable Range 0 locking:

sedutil-cli --enableLockingRange 0 <YOUR-KEY> /dev/nvme0

This command is to show the Shadow MBR when disk is locked (so that PBA will work):

sedutil-cli --enableLockingRange 0 <YOUR-KEY> /dev/nvme0
sedutil-cli --setMBREnable on <YOUR-KEY> /dev/nvme0

D. Install the UEFI image in the Shadow MBR

gunzip /usr/sedutil/UEFI64-*.img.gz

sedutil-cli --loadpbaimage <YOUR-KEY> /usr/sedutil/UEFI64-*.img /dev/nvme0

Now you are done and can reboot.

In case you need to change the password:

sedutil-cli --setAdmin1Pwd <YOUR-KEY> <YOUR-NEW-KEY> /dev/nvme0

E. Install Arch

Now you almost can install Omarchy.

However there is a caveat. You can´t install from Omarchy ISO, you will need to install Arch first. The reason is that Omarchy will use LUKS (software criptography) by default and the whole objective in this howto is to use a hardware one.

Unfortunally the Omarchy manual was updated and the Arch installation part removed.

So this is a fast pace dirty version:

• Get an iso from: https://archlinux.org/download/
• Enable wifi if you need:

iwctl 

device list # confirm the device is wlan0

station wlan0 scan # look for wifi networks
station wlan0 get-netowrks # list them
station wlan0 connect <NETWORK NAME>

• run:

archinstall

• select your locale, keyboard mapping, mirror, timzone.
• enable bluetooth and sound (pipewire).
• network (same as installation).
• partition the way you like (I like a 512M ESP on /boot, a swap large enough for hybernation and a brtfs partition which I use subvolumes @ for / and @home for /home).
• create the user and set root password.
• install and reboot.

F. Omarchy

Now you can.

Login as your user and install wget with:

pacman -S wget

run:

wget -qO- [https://omarchy.org/install](https://omarchy.org/install) | bash

reboot.

Remember that this is a lot more work that the 1m48 iso install.
However you will get a transparent cryptographic layer that Linux (or any other OS would be aware of).

Note: Please @dhh, keep this remote install script to allow non iso installs. :D