My laptop's SSD drive is a Crucial MX500, which supports TCG Opal hardware encryption. I wonder how I should configure my Lenovo ThinkPad laptop to enable and use hardware-based FDE (Full Disk Encryption) on my SSD disk? Thank you!
TCG is Trusted Computing Group and TCG Opal is a new standard for communicating with drives that support hardware-based encryption.
For client computing systems (notebooks and desktops) the TCG Opal specification provides an additional security feature known as pre-boot authentication (PBA). PBA can be performed in a system BIOS or UEFI, enabling authentication by password or other methods before the OS is up and running.
If your BIOS/UEFI does not support TCG Opal, there is also an option to use a software-based implementation of TCG Opal.
When the system is booted, the Opal-encrypted disc exposes a fake disc from its firmware, called the shadow MBR (master boot record), 128MB in size. Usually this shadow MBR is flashed with the pre-boot authentication (PBA) image, which is in essence a small operating system (including MBR, boot sector, filesystem) that asks the user for their drive password, which it then communicates to the disc via OPAL commands. If the password is valid, the disc unlocks itself, and then the real operating system is loaded up.
SED UTIL is open-source software that implements its own PBA based on syslinux. It also includes TCG Opal utility software to unlock the main area of the encrypted disk.
This blog post has a good guide and discussion on how to use Opal / MSED software:
This is the original SED UTIL repo - it uses SHA1 hashing and does not support AMD Ryzen.
How to enable TCG Opal encryption with SED UTIL software (former MSED)
It is not clear if SED UTIL works with UEFI Secure Boot (I've seen authors say it does not currently work with UEFI Secure Boot). The computer must be UEFI 2.3.1 based and have the EFI_STORAGE_SECURITY_COMMAND_PROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive.)
TCG Opal is called eDrive by Microsoft. Good guide for Windows eDrive: https://www.ckode.dk/desktop-machines/how-to-enable-windows-edrive-encryption-for-ssds/
There are other vendors who provide commercial full-disk encryption software. Most of these vendors support the TCG Opal standard for Self-Encrypting Drives. For example, Sophos, Secude, WinMagic SecureDoc, Wave Embassy, McAfee Endpoint Encryption, etc.
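The answer above describes the shadow MBR and PBA mechanism in general terms; the following is an added example (not code from the answer's author or from the sedutil project) showing the sedutil-cli command sequence that takes ownership of an Opal drive, writes the PBA image into the shadow MBR, locks the global range and tells the drive to present the shadow MBR at the next power-on. It assumes sedutil-cli is installed, that the kernel was booted with `libata.allow_tpm=1` (which sedutil requires on Linux), and uses hypothetical values for the device path, PBA image path and the `OPAL_PASSWORD` environment variable. `DRY_RUN=1`, the default, only prints the commands.

```shell
#!/bin/sh
# Added example (not from the answer or the sedutil project): enable Opal
# locking and install a PBA image with sedutil-cli. Assumptions: sedutil-cli
# on PATH, kernel booted with libata.allow_tpm=1, and hypothetical DEVICE /
# PBA_IMAGE paths. DRY_RUN=1 (default) prints the commands instead of running.

DRY_RUN="${DRY_RUN:-1}"
DEVICE="${DEVICE:-/dev/sda}"                  # hypothetical target drive
PBA_IMAGE="${PBA_IMAGE:-/tmp/pba-image.img}"  # hypothetical downloaded PBA image

# Return 0 when the kernel command line contains libata.allow_tpm=1; without it
# libata refuses to pass TCG security commands to the drive.
opal_kernel_ok() {
    case " $1 " in
        *" libata.allow_tpm=1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the ordered sedutil-cli invocations for a drive password, device and
# PBA image. A pure function, so it can be checked without touching hardware.
opal_setup_commands() {
    pw="$1"; dev="$2"; pba="$3"
    # 1. Take ownership: set the SID/Admin1 password and activate the locking SP.
    echo "sedutil-cli --initialsetup $pw $dev"
    # 2. Write the PBA image into the drive's shadow MBR area.
    echo "sedutil-cli --loadpbaimage $pw $pba $dev"
    # 3. Enable read/write locking on the global locking range (range 0).
    echo "sedutil-cli --enablelockingrange 0 $pw $dev"
    # 4. Lock the range now; the PBA unlocks it after the user authenticates.
    echo "sedutil-cli --setlockingrange 0 lk $pw $dev"
    # 5. MBRDone=off makes the firmware see the shadow MBR at the next boot.
    echo "sedutil-cli --setmbrdone off $pw $dev"
}

# Execute each command in order, or only echo it in dry-run mode. The pipeline
# returns nonzero if any real command fails, so the caller can stop there.
opal_apply() {
    opal_setup_commands "$1" "$2" "$3" | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = "1" ]; then
            echo "[dry-run] $cmd"
        else
            $cmd || { echo "failed: $cmd" >&2; exit 1; }
        fi
    done
}

main() {
    if ! opal_kernel_ok "$(cat /proc/cmdline 2>/dev/null)"; then
        echo "boot with libata.allow_tpm=1 before running sedutil-cli" >&2
        [ "$DRY_RUN" = "1" ] || exit 1
    fi
    opal_apply "$OPAL_PASSWORD" "$DEVICE" "$PBA_IMAGE" || exit 1
    echo "done; on the next boot the PBA should prompt for the drive password"
}

# Run only when a password is supplied; otherwise just define the functions.
if [ -n "$OPAL_PASSWORD" ]; then
    main
else
    echo "usage: OPAL_PASSWORD=... [DRY_RUN=0] [DEVICE=/dev/sdX] [PBA_IMAGE=...] sh $0" >&2
fi
```

Note that sedutil-cli takes the drive password as a command-line argument, so it is visible in the process list while each command runs; run the script from a trusted local session. Step 5 is what produces the behaviour the answer describes: after `--setmbrdone off` the drive boots the shadow MBR containing the PBA, which asks for the password and then unlocks the real disk.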