Using TCG Opal encrypted SSD drive with hardware encryption

No specific Bitcoin Bounty has been announced by author. Still, anyone could send Bitcoin Tips to those who provide a good answer.

My laptop's SSD drive is Crucial MX500 which is supporting TCG Opal hardware encryption. I wonder how should I configure my Lenovo Thinkpad laptop to enable and use hardware-based FDE (Full Disk Encryption) in my SSD disk? Thank you!

1 Answer

Internet users could send Bitcoin Tips to you if they like your answer!

What is TCG Opal?

TCG is Trusted Computing Group and TCG Opal is a new standard for communicating with drives that support hardware-based encryption.

What is Pre-Boot Authentication (PBA)?

For client computing systems (notebooks and desktops) the TCG Opal specification provides an additional security feature known as pre-boot authentication (PBA). PBA can be performed in a system BIOS or UEFI, enabling authentication by password or other methods before the OS is up and running.

If your BIOS/UEFI does not support TCG Opal, there is also an option to use software-based implementation of TCG Opal.

When the system is booted, the Opal-encrypted disc exposes a fake disc from its firmware, called the shadow MBR (master boot record), 128MB in size. Usually this shadow MBR is flashed with the pre-boot authentication (PBA) image, which is in essence a small operating system (including MBR, boot sector, filesystem) that asks the user for their drive password, which it then communicates to the disc via OPAL commands. If the password is valid, the disc unlocks itself, and then the real operating system is loaded up.

SED UTIL is an open source software that implemented their own PBA based on syslinux. It also includes TCG Opal utilities software to unlock the main area of the encrypted disk.

Using free open source SED UTIL (former MSED) software

This blog post has a good guide and discussion on how to use Opal / MSED software:

enable OPAL SSD encryption on Windows without BitLocker

This is original SED UTIL repo - it uses SHA1 hashing and does not support AMD Ryzen How to enable TCG Opal encryption with SED UTIL software (former MSED)

This is another forked repo of SED UTIL that uses SHA512 hashing and also supports AMD Ryzen repo: website:

It is not clear if SED UTIL works with UEFI Secure Boot (I've seen authors say it does not currently work with UEFI Secure Boot). The computer must be UEFI 2.3.1 based and have the EFISTORAGESECURITYCOMMANDPROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive).

Links about TCG Opal specs / Self-Encrypting Drives (SED)

Self-encrypting deception: weaknesses in the encryption of solid state drives (2018)

SSDs with TCG Opal

TCG OPAL Design and Testing

Using BitLocker - Windows Pro Editions only

TCG Opal is called eDrive by Microsoft. Good guide for Windows eDrive:

Other FDE software vendors supporting Self-Encrypting Drives (SED)

There are other vendors who provide commercial full-disk encryption software. Most of these vendors would support TCG Opal standard for Self-Encrypting Drives. For example, Sophos, Secude, WinMagic SecureDoc, Wave Embassy, McAfee Endpoint Encryption, etc

Forum discussions


Too many commands? Learning new syntax? is a free tool to save your favorite scripts and commands, then quickly find and copy-paste your commands with just few clicks.

Boost your productivity with!

Post Answer