SDB:Self Encrypting Drive
You bought an SSD advertised with hardware encryption support compliant with the TCG Opal 2.0 standard. The Trusted Computing Group (TCG) calls such a drive a Self Encrypting Drive (SED) in its specification, to distinguish it from drives without the feature. Here I'll stick to the abbreviation "SED" when referring to it.
This article describes how to set up full disk encryption (FDE) on an SED using its encryption hardware, and how to boot from it through the shadowed MBR, which boots the preboot authentication (PBA) image that unlocks the disk.
Install the sedutil package, the open source offering for managing SEDs. Credit goes to the Drive Trust Alliance Software for distributing it under the GPLv3 license.
zypper install sedutil
The main utility is sedutil-cli. Start by reading its man page to learn how to use it.
In openSUSE we also provide an extra tool, sedutil-pba.pl, to help create the Rescue and PBA images. Both are needed if you want to set up a bootable SED with FDE. Without it, one can only resort to the executables released upstream, which is not an ideal solution for a packaged distribution.
Prepare the Image
Prepare the ISO hybrid image to manage your SED from a live system. Run
It will create two images, picking the currently booted kernel for the live system. The file names below assume the kernel version is 4.17.9-1-default.
The linuxpba image performs preboot authentication when booted from the shadowed MBR, while the sedutil-rescue image is the live system used to manage your SED.
Prepare the Rescue System
Prepare a bootable USB drive to manage the SED. Assuming /dev/sdb is your USB drive, run
dd if=sedutil-rescue-4.17.9-1-default.iso of=/dev/sdb
Boot this USB thumb drive on the PC/laptop with the SED attached. You are ready to go. :)
Setup FDE from Rescue System
I don't want to duplicate the effort here, as upstream already provides a great tutorial for it. Please visit their wiki page.
The only difference is in loading the PBA image into the shadowed MBR. Please replace the two steps below, mentioned in "Enable locking and the PBA",
gunzip /usr/sedutil/UEFI64-n.nn.img.gz
sedutil-cli --loadpbaimage debug /usr/sedutil/UEFI64-n.nn.img /dev/sdc
with the one built by sedutil-pba.pl
sedutil-cli --loadpbaimage debug /linuxpba-4.17.9-1-default.iso /dev/sdc
If you want to run sedutil on an installed openSUSE system, you have to set libata.allow_tpm=1 as a kernel boot parameter.
Edit file /etc/default/grub with
Update grub2 config
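A pre-flight check for the libata.allow_tpm=1 requirement above, as an added example that is not part of the original page or of the sedutil package. The function names are hypothetical, and the use of /proc/cmdline and of the GRUB_CMDLINE_LINUX / GRUB_CMDLINE_LINUX_DEFAULT variables in /etc/default/grub is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the openSUSE page: verify that libata.allow_tpm=1 is
# active in the running kernel and persistent in the grub defaults file.

# Succeeds if a kernel command line string ends up with libata.allow_tpm=1.
# A later libata.allow_tpm=<other> is taken to override an earlier =1.
cmdline_allows_tpm() {
    allow=1
    for word in $1; do
        case "$word" in
            libata.allow_tpm=1) allow=0 ;;
            libata.allow_tpm=*) allow=1 ;;
        esac
    done
    return "$allow"
}

# Succeeds if an uncommented GRUB_CMDLINE_LINUX or GRUB_CMDLINE_LINUX_DEFAULT
# line in the given grub defaults file carries the parameter.
grub_default_allows_tpm() {
    value=$(sed -n -E 's/^[[:space:]]*GRUB_CMDLINE_LINUX(_DEFAULT)?=//p' "$1" \
        | tr -d "\"'" | tr '\n' ' ')
    cmdline_allows_tpm "$value"
}

# Report on the running kernel and on the persistent configuration.
# Paths default to the assumed system locations; pass others for testing.
sed_preflight() {
    cmdline_file=${1:-/proc/cmdline}
    grub_file=${2:-/etc/default/grub}
    rc=0
    if cmdline_allows_tpm "$(cat "$cmdline_file" 2>/dev/null)"; then
        echo "running kernel: libata.allow_tpm=1 is set"
    else
        echo "running kernel: libata.allow_tpm=1 is not set"
        rc=1
    fi
    if grub_default_allows_tpm "$grub_file" 2>/dev/null; then
        echo "$grub_file: libata.allow_tpm=1 is configured"
    else
        echo "$grub_file: libata.allow_tpm=1 is not configured"
        rc=1
    fi
    return "$rc"
}

sed_preflight "$@" || echo "pre-flight check failed: set the parameter before running sedutil-cli"
```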