Installations on self-encrypting, Opal-compliant hard drives

SafeGuard Enterprise supports the vendor-independent Opal standard for self-encrypting hard drives and offers management of endpoints with hard drives of this type.

To ensure that the support of self-encrypting, Opal-compliant hard drives follows the standard closely, two types of check are carried out at the installation of SafeGuard Enterprise on the endpoint:

  • Functional checks

    These include, among others, checking whether the drive identifies itself as an "OPAL" hard drive, whether communication properties are correct, and whether all Opal features required for SafeGuard Enterprise are supported by the drive.

  • Security checks

    Security checks ensure that only SafeGuard Enterprise users are registered on the drive and that only SafeGuard Enterprise users own the keys used to software-encrypt non-self-encrypting drives. If other users are found to be registered at installation, SafeGuard Enterprise automatically tries to disable these users. Disabling such users is required by the Opal standard; the only exceptions are a few default "authorities" that are required to run an Opal system.

    Note The security checks are repeated when an encryption policy for the drive is applied after successful Opal-mode installation. If they fail, drive management must have been manipulated outside of SafeGuard Enterprise since the first check at installation. In this case, SafeGuard Enterprise does not lock the Opal hard drive. A corresponding message will be displayed.

If any of these checks fail in an unrecoverable way, the installation does not fall back to software-based encryption. Instead, all volumes on the Opal drive remain unencrypted.

From SafeGuard Enterprise version 7 onwards, no Opal checks are performed by default. This means that, although an Opal drive is present, SafeGuard Enterprise will encrypt volumes on this drive using software-based encryption.

If you want to force Opal checks, use the following command line syntax:

MSIEXEC /i SGNClient.msi OPALMODE=0

Note An upgrade from SafeGuard Enterprise 7.0 or 8.0 to SafeGuard Enterprise 8.3 on a system with an Opal HDD used in Opal HW-encryption mode will preserve the Opal HW-encryption mode.

Some Opal hard drives may have potential security issues. There is no way to automatically determine which privileges have been assigned to an unknown user/authority that has already been registered on the drive when SafeGuard Enterprise installation/encryption is carried out. If the drive refuses the command to disable such users, SafeGuard Enterprise falls back to software encryption to ensure maximum security for the SafeGuard Enterprise user. As we cannot give any security guarantees for the hard drives themselves, we have implemented a special installation switch to enable you to use drives which may have potential security risks at your own discretion. For a list of hard drives for which this installation switch is necessary and for further information on supported hard drives, see the release notes.

To apply the installation switch, use the following command line syntax:

MSIEXEC /i SGNClient.msi IGNORE_OPAL_AUTHORITYCHECK_RESULTS=1

If you install using a transform, the internal property of the .msi has the same name.
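The following PowerShell wrapper is an added example and is not part of the SafeGuard Enterprise documentation or product. It runs the two installation command lines shown above (OPALMODE=0 and IGNORE_OPAL_AUTHORITYCHECK_RESULTS=1) as optional switches, adds a verbose msiexec log so the installation can be audited afterwards, supports applying a transform via the standard TRANSFORMS property, and maps the standard Windows Installer exit codes. The MSI location, log path and transform file name are placeholders assumed for this example; the risk-accepting IGNORE_OPAL_AUTHORITYCHECK_RESULTS switch is off unless explicitly requested.

```powershell
# Added example (not Sophos code): repeatable, logged SafeGuard Enterprise client install.
# Assumptions: SGNClient.msi is in the current directory; $LogPath and $Transform
# are placeholders chosen for this example.
param(
    [string]$MsiPath   = ".\SGNClient.msi",                    # placeholder location
    [string]$LogPath   = "$env:TEMP\SGNClient-install.log",   # placeholder log path
    [string]$Transform = "",                                   # placeholder, e.g. ".\SGNClient.mst"
    [switch]$ForceOpalChecks,          # adds OPALMODE=0 (documented syntax above)
    [switch]$IgnoreOpalAuthorityCheck  # adds IGNORE_OPAL_AUTHORITYCHECK_RESULTS=1 (off by default)
)

# Standard msiexec options: /i install, /qn silent, /L*v verbose log.
$msiArgs = @("/i", "`"$MsiPath`"", "/qn", "/L*v", "`"$LogPath`"")

if ($ForceOpalChecks)          { $msiArgs += "OPALMODE=0" }
if ($IgnoreOpalAuthorityCheck) { $msiArgs += "IGNORE_OPAL_AUTHORITYCHECK_RESULTS=1" }
if ($Transform)                { $msiArgs += "TRANSFORMS=`"$Transform`"" }   # property has the same name inside the .msi

Write-Host "Running: msiexec.exe $($msiArgs -join ' ')"
$proc = Start-Process -FilePath "msiexec.exe" -ArgumentList $msiArgs -Wait -PassThru

# Windows Installer exit codes: 0 success, 3010 reboot required, 1641 reboot initiated.
switch ($proc.ExitCode) {
    0       { Write-Host "Installed. Verbose installer log: $LogPath" }
    3010    { Write-Host "Installed; a reboot is required (exit code 3010). Log: $LogPath" }
    1641    { Write-Host "Installed; the installer initiated a reboot (exit code 1641). Log: $LogPath" }
    default { Write-Error "msiexec returned $($proc.ExitCode); inspect $LogPath"; exit $proc.ExitCode }
}
```

Run it as `.\Install-SGNClient.ps1 -ForceOpalChecks` from an elevated prompt to reproduce the OPALMODE=0 command line with logging; the authority-check override has to be requested explicitly so that accepting the drive-specific risk described above is a deliberate decision recorded in the command line and the log.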