Installations on self-encrypting, Opal-compliant hard drives

SafeGuard Enterprise supports the vendor-independent Opal standard for self-encrypting hard drives and offers management of endpoints with hard drives of this type.

To ensure that the support of self-encrypting, Opal-compliant hard drives follows the standard closely, two types of check are carried out at the installation of SafeGuard Enterprise on the endpoint:

If any of these checks fail in an unrecoverable way, the installation does not fall back to software-based encryption. Instead all volumes on the Opal drive remain unencrypted.

From SafeGuard Enterprise version 7 onwards, no Opal checks are performed by default. This means that, although an Opal drive is present, SafeGuard Enterprise will encrypt volumes on this drive using software-based encryption.

If you want to force Opal checks, use the following command line syntax:

MSIEXEC /i <name_of_selected_client_msi>.msi OPALMODE=0
Note: An upgrade from SafeGuard Enterprise 6.x to SafeGuard Enterprise 7.0 on a system with an Opal HDD used in Opal HW-encryption mode will preserve the Opal HW-encryption mode.

Some Opal hard drives may have potential security issues. There is no way to automatically determine which privileges have been assigned to an unknown user/authority that has already been registered on the drive when SafeGuard Enterprise installation/encryption is carried out. If the drive refuses the command to disable such users, SafeGuard Enterprise falls back to software encryption to ensure maximum security for the SafeGuard Enterprise user. As we cannot give any security guarantees for the hard drives themselves, we have implemented a special installation switch to enable you to use drives which may have potential security risks at your own discretion. For a list of hard drives for which this installation switch is necessary and for further information on supported hard drives, refer to the SafeGuard Enterprise Release Notes.

To apply the installation switch, use the following command line syntax:

MSIEXEC /i <name_of_selected_client_msi>.msi IGNORE_OPAL_AUTHORITYCHECK_RESULTS=1

The internal property of the .msi has the same name, if you want to install it using a transform.