This article provides information on SafeGuard Device Encryption and support for OPAL drives.
Applies to the following Sophos product(s) and version(s):
- SafeGuard Device Encryption 6.10.0
- SafeGuard Device Encryption 7.0
- SafeGuard Device Encryption 8.0
In general, SafeGuard Device Encryption supports all drives (HDD/SSD) that follow the OPAL specification. Known exceptions are listed in the second table of this article.
Entries that survive from the drive compatibility tables (the table layout did not survive extraction, so these notes and model names are no longer paired with their rows):
- Same hardware as above. Version with Lenovo Firmware
- Firmware version 04TH required
- Supported as of SGN 6.10
- SSD Pro 1500 180GB
A tool (OpalReqCheck.exe) is available to generically check a drive’s parameters and basic compatibility. Information on this tool, and the tool itself, are available in article 122017.
Further entries from the compatibility tables:
- SSD PB22-JS3 FDE 2.5 128GB
- SSD PB22-JS3 FDE 2.5 64GB
This means that, although an Opal drive is present, SafeGuard Enterprise will encrypt volumes on this drive via software-based encryption.
If you want to force the Opal checks to be performed, use the following command line syntax:
MSIEXEC /i <name_of_selected_client_msi>.msi OPALMODE=0
An upgrade of SafeGuard Enterprise 6.x to SafeGuard Enterprise 7.0 on a PC with an Opal HDD used in Opal HW-encryption mode will preserve the Opal HW-encryption mode.
In an ideal world, technical standards and specifications would be comprehensive and unambiguous, and their real-world implementations would adhere to them and be, of course, bug-free. At Sophos, we have gone to great lengths to ensure that the support of Self Encrypting Drives (SEDs) based on the TCG Storage Group’s OPAL standard follows the standard closely. To this end, two types of checks are performed at installation time:
If any of these checks fail in an unrecoverable way, installation does not fall back to software-based encryption. Instead, all volumes on the Opal disk remain unencrypted.
While working on the OPAL feature, Sophos was in close contact with the drive manufacturers, and it soon became clear that some specific drives need special treatment. Thus, the SafeGuard Enterprise client now maintains an internal table that stores specifics on how certain drives are best operated. However, this table covers only functional issues (such as optimizations to attain maximum data transfer speed). It does not, of course, cover security issues.
However, we also noted that some drives have potential security issues. Please note the word “potential”. There is no way to find out automatically which privileges have been assigned to an unknown user/authority that is already registered on the drive at SafeGuard Enterprise installation/encryption time. If the drive refuses the command to disable such users, SafeGuard Enterprise will fall back to software encryption to ensure maximum security for the SafeGuard Enterprise user.
Please note that at least one manufacturer, Seagate, has chosen to preinstall such users that are not covered by the OPAL standard. Sophos does not believe that these pose any security issue in any way, as Seagate has a long history of implementing SEDs, and their current line of OPAL drives also boasts a number of security certificates. However, Sophos cannot give any security guarantees on behalf of any other manufacturer, which is why we implemented a special installation switch to enable customers to use such drives at their own discretion.
If you want to use any drive in the table above that has a “Yes” in the “Needs IGNORE_OPAL_AUTHORITYCHECK_RESULTS Installation Parameter?” column, do as follows:
On the command prompt, type:
MSIEXEC /i <name_of_selected_client_msi>.msi IGNORE_OPAL_AUTHORITYCHECK_RESULTS=1
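Both installation switches in this article (OPALMODE=0 and IGNORE_OPAL_AUTHORITYCHECK_RESULTS=1) are normally typed by hand. The following PowerShell wrapper is an added example, not Sophos tooling; it assumes you supply the path of the selected client MSI and a log directory, and it only passes the authority-check bypass when the operator explicitly opts in, so that decision is deliberate and recorded next to the verbose Windows Installer log.

```powershell
# Added example (not Sophos tooling): install the SafeGuard client MSI with the
# Opal-related properties from this article and keep a verbose installer log.
param(
    [Parameter(Mandatory = $true)]
    [string]$MsiPath,                    # selected client MSI (assumption: caller chooses it)
    [switch]$ForceOpalChecks,            # adds OPALMODE=0
    [switch]$IgnoreOpalAuthorityCheck,   # adds IGNORE_OPAL_AUTHORITYCHECK_RESULTS=1
    [string]$LogDir = "$env:ProgramData\SGN-Install"   # assumed log location
)

if (-not (Test-Path -LiteralPath $MsiPath)) {
    throw "MSI not found: $MsiPath"
}
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$log = Join-Path $LogDir ("sgn-client-{0:yyyyMMdd-HHmmss}.log" -f (Get-Date))

# /l*v writes a verbose Windows Installer log, so the property values that were
# actually applied can be reviewed later.
$msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/l*v', "`"$log`"")

if ($ForceOpalChecks) {
    $msiArgs += 'OPALMODE=0'
}
if ($IgnoreOpalAuthorityCheck) {
    # This switch lets installation proceed even though the client cannot tell
    # which privileges a pre-registered, non-OPAL user/authority holds. Record
    # who made that call, next to the installer log, instead of leaving it implicit.
    $msiArgs += 'IGNORE_OPAL_AUTHORITYCHECK_RESULTS=1'
    "$(Get-Date -Format o) $env:USERNAME ignored Opal authority check results for $MsiPath" |
        Add-Content -Path (Join-Path $LogDir 'opal-authority-override.txt')
}

Write-Host "Running: msiexec $($msiArgs -join ' ')"
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# Standard Windows Installer exit codes: 0 = success, 3010 = success, reboot required.
switch ($proc.ExitCode) {
    0       { Write-Host "Installed. Log: $log" }
    3010    { Write-Host "Installed, reboot required. Log: $log" }
    default { throw "msiexec failed with exit code $($proc.ExitCode); see $log" }
}
```

After the install, the verbose log shows whether the client chose Opal hardware encryption or fell back to software encryption, which is the first thing to check when a drive from the exceptions table is involved.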