SDB:Self Encrypting Drive

Jump to: navigation, search


You bought the SSD advertised with hardware encryption support complaint with TCG Opal 2.0 standard. Such drive is named by Trusted Computing Group (TCG) as Self Encrypting Drive (SED) in their specification to distinguish with others without the feature. Here I'll stick to the abbreviation "SED" when referring to it.

This article gives procedure on how to setup full disk encryption (FDE) on SED via it's encrypting hardware and also how to boot from it through shadowed MBR, which is used to boot the preboot authentication (PBA) image to unlock the disk.


Install the sedutil package, the open source offering to manage SED credit to the Drive Trust Alliance Software for distributing it as GPLv3 license.

zypper install sedutil

The main utility is sedutil-cli. You can learn to use it through reading it's man page first.

man sedutil-cli

In openSUSE we also provide an extra tool,, to help in creating the Rescue and PBA Images. Both are needed if you want to setup bootable SED with FDE. Without it one can only resort to upstream released executable which is not ideal solution to packaged distribution.


Prepare the Image

Prepare the iso hybrid image to manage your SED from a live system. Run

It will create two images and picking the current booted kernel for the live system. Assuming the kernel version is 4.17.9-1-default.


The linuxpba image is used to perform preboot authentication booted from the shadowed mbr, while the sedutil-rescue is the live system system to manage your SED.

Prepare the Rescue System

Prepare bootable USB drive to manage SED, assuming /dev/sdb is your USB drive. Run

dd if=sedutil-rescue-4.17.9-1-default.iso of=/dev/sdb

Boot this USB thumb drive on the PC/laptop with SED attached. You are ready to go. :)

Setup FDE from Rescue System

Here I don't want to duplicate the effort as upstream already provided great tutorial for it. Please visit their wiki page.

The only difference is on loading of the PBA image to the shadowed MBR. Please replace below two steps mentioned in Enable locking and the PBA

gunzip /usr/sedutil/UEFI64-n.nn.img.gz
sedutil-cli --loadpbaimage debug /usr/sedutil/UEFI64-n.nn.img /dev/sdc

with the one built from

sedutil-cli --loadpbaimage debug /inuxpba-4.17.9-1-default.iso /dev/sdc

Kernel Parameter

If you want to run sedutil in an installed openSUSE system, you have to set libata.allow_tpm=1 in kernel boot parameter.

Edit file /etc/default/grub with


Update grub2 config

update-bootloader --refresh

See also

External links