Make VeraCrypt support TCG Opal Compliant Self-encrypted Drives

Open source disk encryption with strong security for the Paranoid

Brought to you by: idrassi

Make VeraCrypt support TCG Opal Compliant Self-encrypted Drives

Forum: Feature requests

Creator: Adam Zeferino

Created: 2016-02-15

Updated: 2017-10-07

Adam Zeferino - 2016-02-15

Hi,

Would it be possible to add this feature to VeraCrypt? It allows to encrypt drive (for example SSD) without any performance drop. Windows 8(.1)/10 are supporting this feature as eDrive but it requires TPM and UEFI for this to work. A tool for enabling this feature was made for Linux and it's open source so I think this may help with development.

You can read more about it here:
https://vxlabs.com/2015/02/11/use-the-hardware-based-full-disk-encryption-your-tcg-opal-ssd-with-msed/

Disadvantages of using software encryption for SSD is a huge performance drop and unnecessary host writes to the drive. Enabling support for TCG Opal would help avoid all this. Also most SSDs are already encrypted they just need a software that would allow for protection of encrypted keys and I think that VeraCrypt is the perfect software to do that.

I would like to know your thoughts about it.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Camis - 2016-06-15

I Agree!

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Daniel Zeitler - 2017-01-23

Is there any progress on this topic? I currently have 10 notebooks with opal ssd's to encrypt. Would be nice to use veracrypt instead of bitlocker.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Alex - 2017-05-06

I wrote PBA for VeraCrypt(DCS) It can be adopted to OPAL drives

Scenario is not clear because most of notebooks with OPAL disks contain support in BIOS to unlock disks.

to unlock/configure OPAL disks tool is sedutil. sedutil can be integrated to linux initrd

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Raza - 2017-05-11

+1. Have to resort to bitlocker now in order to have both hardware-supported encryption of my SSD system disc and the ability to mount non-system supporting HDDs automatically alongside it on startup (I think the BPA could do the former, but not the latter?).

I'm afraid I don't quite follow Alex's post above me. Is the OPAL BPA somehow integrated with veracrypt?

Last edit: Raza 2017-05-11

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Alex - 2017-05-12

I wrote the comment above to explain situation with the topic. OPAL drives support is possible to implement but I cannot find sponsors for the work.

e.g. I wrote TPM 2.0 support but there are no volunteers to help test even. (My hardware is TPM 1.2 only)

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Raza - 2017-10-07

Thanks for explaining, and for working on this!

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Log in to post a comment.