Wednesday, January 25, 2017

How to setup TCG OPAL 2.0

What is it?

The Trusted Computing Group (TCG) has a new standard called OPAL 2.0 which dictates how to build self-encrypting drives (SED). This allows you to encrypt your data at rest.

Is it easy to use?

I recently bought a new Samsung SSD which advertised self-encryption (SED) and OPAL 2.0 support. I was excited to try out the latest and greatest encryption tools the industry had to offer; surely they've come up with something user-friendly by now? Sadly, this turned out to be an incredibly complex procedure with very little documentation, which drove me to write this post. The Samsung drive wouldn't be recognized properly until I plugged it into a SATA III port. The included software, "Samsung Magician", could then see the drive and erase it (which regenerates the stored encryption key) but couldn't actually do much else. Clicking the buttons to enable SED or OPAL 2.0 simply brought up help text saying "additional software is required", with no pointers beyond that.

Can I trust it?

Trust is a difficult thing when it comes to technology. My SSD was certified as OPAL 2.0 compliant by the TCG, but the spec leaves a few things vaguely defined to allow manufacturers more flexibility, including where to store the encryption key. The hardware and software are closed source and rather difficult to reverse engineer. While I have the tools available to desolder the chips, dump the ROM, and start reading ARM assembly, I would really prefer not to ruin a brand new drive. One of the advantages of self-encrypting drives is that the performance overhead is very, very low compared to unencrypted drives, thanks to dedicated hardware on the drive itself. Software-based disk encryption relies on the CPU to encrypt and decrypt each block during read and write operations, which slows down programs waiting for that data or competing for time on the CPU. The upside is that most software-based disk encryption systems are open source and much easier to independently verify.

Why not both?

If you're already using software-based disk encryption, turning on OPAL 2.0 SED on your drive adds an extra layer of defense without any noticeable performance hit. OPAL 2.0 keys are stored somewhere on the drive and aren't accessible in RAM. An attacker would need both sets of keys to access your data once the system is powered off, which is more difficult than using only one method.

What could go wrong?

There are a few known attacks already available against this brand new technology! The Evil Maid attack still works, since there are numerous ways of recording passwords on a tampered system: encryption does not prevent hardware tampering or software alterations. The Hot Plug attack also works, since the drive only locks when power is removed. SED drives support a mode called "Class 0" which uses the BIOS to prompt for an ATA password; while this is better than nothing, the password is easily recovered via JTAG.

A friendly reminder: encryption is a great tool, but it is only a single layer of defense against a fairly limited set of attacks, such as physical theft. Following the steps below is very likely to lock you out of your computer and make your data disappear forever... you have been warned.

How do I set this up?

  1. Backup any data you care about ever seeing again.
  2. Verify you actually backed up all of your data.
  3. Secure Erase the drive. This usually requires software tools from the manufacturer and ensures that the default encryption key installed by the manufacturer is changed.
  4. Install your OS of choice to the drive like you normally would.
  5. Enable software-based full disk encryption:
     - Windows users can use TrueCrypt, VeraCrypt, BitLocker, etc...
     - Linux users should use whatever is best supported by their distro
  6. Follow the instructions from the Drive Trust Alliance to enable OPAL and encrypt your drive, including the "optional" testing steps.
     1. Shut down your system, make sure it's powered off entirely, then power it back on (don't reboot). Verify you're prompted for both sets of passwords and that everything boots correctly. If something went wrong, use the Rescue System to Remove OPAL.
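As an added example (not part of the original post or of the Drive Trust Alliance's own tooling), here is a POSIX shell helper for that last verification step: it parses the output of `sedutil-cli --query` to confirm the OPAL locking layer and pre-boot shadow MBR are enabled, and checks that the root filesystem sits on a dm-crypt mapping. It assumes `sedutil-cli`, `lsblk` and `findmnt` are installed on a Linux system; the query output lines embedded in it are constructed samples.

```shell
#!/bin/sh
# Added verification helper (not from the original post or the Drive Trust
# Alliance tools): after the cold power cycle in the step above, confirm that
# BOTH layers are really active. Assumes sedutil-cli, lsblk and findmnt are
# installed and that the root filesystem sits on a dm-crypt mapping (LUKS,
# directly or under LVM). The sample query output below is constructed.

# Reads `sedutil-cli --query <drive>` output on stdin and succeeds only when
# the "Locking function" line reports LockingEnabled, MBREnabled (the
# pre-boot authentication shadow MBR) and MediaEncrypt all set to Y.
opal_layer_ok() {
    awk '
        /Locked = / {
            gsub(/,/, "")      # "Y," -> "Y" so the fields compare cleanly
            found = 1
            for (i = 1; i <= NF; i++) {
                if ($i == "LockingEnabled") le = $(i + 2)
                if ($i == "MBREnabled")     me = $(i + 2)
                if ($i == "MediaEncrypt")   mc = $(i + 2)
            }
        }
        END { exit (found && le == "Y" && me == "Y" && mc == "Y") ? 0 : 1 }'
}

# Reads `lsblk -sno TYPE <root-source>` output on stdin (the root device and
# every device beneath it) and succeeds if a dm-crypt layer is in that chain.
software_layer_ok() {
    awk '$1 == "crypt" { ok = 1 } END { exit ok ? 0 : 1 }'
}

# Live check: pass the physical drive, e.g. verify_both_layers /dev/sda
verify_both_layers() {
    sedutil-cli --query "$1" | opal_layer_ok \
        || { echo "OPAL locking/shadow MBR is NOT active on $1"; return 1; }
    lsblk -sno TYPE "$(findmnt -no SOURCE /)" | software_layer_ok \
        || { echo "root filesystem is NOT on a dm-crypt mapping"; return 1; }
    echo "both encryption layers are active"
}

# Constructed samples of the relevant query lines, for an offline dry run.
SAMPLE_QUERY_ENABLED='Locking function (0x0002)
    Locked = N, LockingEnabled = Y, LockingSupported = Y, MBRDone = Y, MBREnabled = Y, MediaEncrypt = Y'
SAMPLE_QUERY_FRESH='Locking function (0x0002)
    Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y'

if printf '%s\n' "$SAMPLE_QUERY_ENABLED" | opal_layer_ok; then
    echo "sample (after setup): OPAL layer active"
fi
```

Run `verify_both_layers /dev/sdX` as root after the cold boot; a non-zero exit means one of the two layers is not doing anything for you.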

Questions?

Leave a comment!