Managing Opal self-encrypting drives

Opal drives are self-contained, standalone hard disk drives (HDDs) that conform to the TCG Opal standard. Drive Encryption provides a management tool for Opal drives.


An Opal drive is always encrypted by the onboard crypto processor; however, it might or might not be locked. Although the Opal drives handle all of the encryption, the unlock keys need to be managed by Drive Encryption. If an Opal drive is not managed, it behaves and responds like a non-Opal HDD.

Management of Opal drives

The combination of Drive Encryption and McAfee ePO for Opal provides these features:

  • Centralized management
  • Reporting and recovery functionality
  • Secure Pre-Boot Authentication that unlocks the Opal drive
  • Efficient user management
  • Continuous policy enforcement
Note: In some cases, systems with Drive Encryption installed might fail to lock Opal disks during reboot. Subsequent policy enforcement might fail until a full power cycle is performed.


Importantly, the overall experience for administrators and users in installing and using Drive Encryption is the same, whether the target system has an Opal drive or a non-Opal HDD. The installation of the product extension, deployment of the software packages, policy definition and enforcement, recovery, and the method of management are the same for systems with Opal and non-Opal HDDs. You can apply the same policy to Opal and non-Opal systems, and the client system will choose the appropriate encryption provider for the system, giving Drive Encryption a powerful, seamless and transparent approach to managing Opal and non-Opal systems in the same environment.

Note: To activate a system using Opal encryption, Windows 7 SP1 or later is required. On systems with Opal drives where the operating system is Windows 7 RTW or earlier, software encryption is used.
Note: Opal activation might occasionally fail because certain Microsoft APIs used in the activation process fail. If this occurs, the activation will restart at the next ASCI.

Important note about reimaging Opal drives

When any Opal system activated using Opal encryption is reimaged and restarted without first removing Drive Encryption, the user is locked out of the system. This happens because:

  • The pre-boot remains active, but the authentication screen is not displayed, so the user is locked out even though you have reimaged the disk.
  • The Pre-Boot File System (PBFS) is destroyed during the imaging process, so the user data needed for authentication is not available.

Compatible systems

Opal self-encrypting drives are supported on:

  • Systems that boot using BIOS in AHCI mode
  • Systems that boot using UEFI only where the UEFI protocol EFI_STORAGE_SECURITY_COMMAND_PROTOCOL is present on the system. This protocol is only guaranteed to be present if the system is Windows 8 logo compliant and the system was shipped from the manufacturer fitted with an Opal self-encrypting drive.

This release provides support for the Opal Compatibility tool, which tests the Opal drive on your systems to verify whether it is compatible with the Opal features. For more information about this tool, see KnowledgeBase article KB76182.

Opal self-encrypting drives might not be supported on UEFI systems if the system is not Windows 8, Windows 8.1, or Windows 10 compliant, or if the system is not shipped from the manufacturer fitted with an Opal self-encrypting drive. A UEFI security protocol that is required for Opal management is only mandatory on Windows 8 logo-compliant systems where an Opal self-encrypting drive is fitted at the time of shipping. Systems shipped without self-encrypting drives might not include the required security protocol. Without the security protocol, Opal management is not possible, since Drive Encryption cannot communicate with the security features of the drive in the pre-boot environment.

This does not affect support for Opal drives under BIOS.
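
The OS and firmware requirements above, collected into a pre-deployment triage over inventory data. This is an added example, not McAfee code and not the logic the Drive Encryption client uses to choose a provider; the Host fields, the sample fleet, and the way the values are collected are assumptions.

```python
from dataclasses import dataclass

WIN7_SP1 = (6, 1, 7601)  # Windows 7 SP1 version/build; Windows 7 RTW is 6.1.7600

@dataclass
class Host:                           # hypothetical inventory record
    name: str
    opal_drive: bool                  # an Opal self-encrypting drive is fitted
    firmware: str                     # "bios" or "uefi"
    sata_mode: str                    # "ahci", "ide" or "raid" (checked under BIOS)
    storage_security_protocol: bool   # EFI_STORAGE_SECURITY_COMMAND_PROTOCOL present
    os_version: tuple                 # (major, minor, build)

def opal_blockers(h):
    """Return the documented requirements this host fails; empty list = none found."""
    blockers = []
    if not h.opal_drive:
        blockers.append("no Opal drive fitted")
    if h.os_version < WIN7_SP1:
        blockers.append("OS older than Windows 7 SP1: software encryption is used")
    if h.firmware == "bios":
        if h.sata_mode != "ahci":
            blockers.append("BIOS boot but SATA mode is not AHCI")
    elif h.firmware == "uefi":
        if not h.storage_security_protocol:
            blockers.append("UEFI without EFI_STORAGE_SECURITY_COMMAND_PROTOCOL")
    else:
        blockers.append("unknown firmware type")
    return blockers

def triage(hosts):
    """Map each host name to its list of blockers."""
    return {h.name: opal_blockers(h) for h in hosts}

# Constructed sample fleet, for illustration only.
FLEET = [
    Host("bios-ahci", True, "bios", "ahci", False, (6, 1, 7601)),
    Host("bios-ide", True, "bios", "ide", False, (10, 0, 19045)),
    Host("uefi-retrofit", True, "uefi", "ahci", False, (6, 2, 9200)),
    Host("win7-rtw", True, "bios", "ahci", False, (6, 1, 7600)),
]

if __name__ == "__main__":
    for name, blockers in triage(FLEET).items():
        print(name, "->", "meets documented Opal requirements" if not blockers else "; ".join(blockers))
```

An empty blocker list only means the host meets the requirements stated on this page; the Opal Compatibility tool remains the check on the drive itself.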