Uses the built-in encryption in your TCG OPAL 2.0 drive on Intel and AMD systems.
Pre-Boot Authentication for NVME & SATA drives.
SEDutil is 100% open source and free to use.
For the most comprehensive information, review this first:
Both the PBA and rescue systems use the us_english keyboard. This can cause issues when setting the password on your normal operating system if you use another keyboard mapping. To make sure the PBA recognizes your password you are encouraged to set up you drive from the rescue system as described on this page.
These are the instructions for modern UEFI NVME equipped systems using SEDutil OPAL locking and unlocking utility as a windows pre-boot bootloader:
*UEFI support currently requires that Secure Boot be turned off
BACKUP YOUR ENTIRE DRIVE before proceeding. You may LOSE ALL YOUR DATA by following these instructions!
Download the RESCUE64-1.15.*.img.gz rescue image from here.
Transfer the Rescue image to the USB stick with a program like Balena Etcher.
Restart your computer, enter the BIOS, and disable secure boot.
Note: Earlier versions of SEDutil also required BIOS enable of "legacy boot" or "CSM" or "Compatility Mode" - this is no longer required with this version of SEDutil.
Boot the USB thumb drive with the rescue system on it. You will see the Login prompt, enter "root" there is no password so you will get a root shell prompt.
enter the command sedutil-cli --scan
Expected Output:
#sedutil-cli --scan Scanning for Opal compliant disks /dev/nvme0 2 Samsung SSD 960 EVO 250GB 2B7QCXE7 /dev/sda 2 Crucial_CT250MX200SSD1 MU04 /dev/sdb 12 Samsung SSD 850 EVO 500GB EMT01B6Q /dev/sdc 2 ST500LT025-1Dh342 0001SDM7 /dev/sdd 12 Samsung SSD 850 EVO 250GB EMT01B6Q No more disks present ending scan
Verify that your drive has a 2 in the second column indicating OPAL 2 support. If it doesn't do not proceed, there is something that is preventing sedutil from supporting your drive. If you continue you may erase all of your data.
Enter the command linuxpba and use a pass-phrase of debug. If you don't use debug as the pass-phrase your system will reboot!
Expected Output:
#linuxpba DTA LINUX Pre Boot Authorization Please enter pass-phrase to unlock OPAL drives: ***** Scanning.... Drive /dev/nvme0 Samsung SSD 960 EVO 250GB is OPAL NOT LOCKED Drive /dev/sda Crucial_CT250MX200SSD1 is OPAL NOT LOCKED Drive /dev/sdb Samsung SSD 850 EVO 500GB is OPAL NOT LOCKED Drive /dev/sdc ST500LT025-1Dh342 is OPAL NOT LOCKED Drive /dev/sdd Samsung SSD 850 EVO 250GB is OPAL NOT LOCKED
Verify that Your drive is listed and the that the PBA reports it as "is OPAL"
Issuing the commands in the steps that follow will enable OPAL locking. If you have a problem you will need to follow the steps at the end of these instructions to either disable or remove OPAL locking.
The following steps use /dev/nvme0 as the device and UEFI64-1.15.img.gz for the PBA image, substitute the proper /dev/nvme? for your drive and the proper PBA name for your system
Enter the commands below: (Use the password of debug for this test, it will be changed later)
gunzip /usr/sedutil/UEFI64-*img.gz sedutil-cli --initialsetup debug /dev/nvme0 sedutil-cli --enablelockingrange 0 debug /dev/nvme0 sedutil-cli --setlockingrange 0 lk debug /dev/nvme0 sedutil-cli --setmbrdone off debug /dev/nvme0 sedutil-cli --loadpbaimage debug /usr/sedutil/UEFI64-*.img /dev/nvme0
Expected Output:
#sedutil-cli --initialsetup debug /dev/nvme0 - 14:06:39.709 INFO: takeOwnership complete - 14:06:41.703 INFO: Locking SP Activate Complete - 14:06:42.317 INFO: LockingRange0 disabled - 14:06:42.694 INFO: LockingRange0 set to RW - 14:06:43.171 INFO: MBRDone set on - 14:06:43.515 INFO: MBRDone set on - 14:06:43.904 INFO: MBREnable set on - 14:06:43.904 INFO: Initial setup of TPer complete on /dev/nvme0 #sedutil-cli --enablelockingrange 0 debug /dev/nvme0 - 14:07:24.914 INFO: LockingRange0 enabled ReadLocking,WriteLocking #sedutil-cli --setlockingrange 0 lk debug /dev/nvme0 - 14:07:46.728 INFO: LockingRange0 set to LK #sedutil-cli --setmbrdone off debug /dev/nvme0 - 14:08:21.999 INFO: MBRDone set off #gunzip /usr/sedutil/UEFI64-1.15.img.gz #sedutil-cli --loadpbaimage debug /usr/sedutil/UEFI64-1.15.img /dev/nvme0 - 14:10:55.328 INFO: Writing PBA to /dev/nvme0 33554432 of 33554432 100% blk=1500 - 14:14:04.499 INFO: PBA image /usr/sedutil/UEFI64.img written to /dev/nvme0 #
Enter the command linuxpba and use a pass-phrase of debug
This second test will verify that your drive really does get unlocked.
Expected Output:
#linuxpba DTA LINUX Pre Boot Authorization Please enter pass-phrase to unlock OPAL drives: ***** Scanning.... Drive /dev/nvme0 Samsung SSD 960 EVO 250GB is OPAL Unlocked <--- IMPORTANT!! Drive /dev/sda Crucial_CT250MX200SSD1 is OPAL NOT LOCKED Drive /dev/sdb Samsung SSD 850 EVO 500GB is OPAL NOT LOCKED Drive /dev/sdc ST500LT025-1Dh342 is OPAL NOT LOCKED Drive /dev/sdd Samsung SSD 850 EVO 250GB is OPAL NOT LOCKED
Verify that the PBA unlocks your drive, it should say "is OPAL Unlocked" If it doesn't then you will need to follow the steps at the end of this page to either remove OPAL or disable locking.
The SID and Admin1 passwords do not have to match but it makes things easier.
edutil-cli --setsidpassword debug yourrealpassword /dev/nvme0 sedutil-cli --setadmin1pwd debug yourrealpassword /dev/nvme0
Expected Output:
#sedutil-cli --setsidpassword debug yourrealpassword /dev/nvme0 #sedutil-cli --setadmin1pwd debug yourrealpassword /dev/nvme0 - 14:20:53.352 INFO: Admin1 password changed
Make sure you didn't mistype your password by testing it.
sedutil-cli --setmbrdone on yourrealpassword /dev/nvme0
Expected Output:
14:22:21.590 INFO: MBRDone set on
Your drive in now using OPAL locking.
You now need to COMPLETELY POWER DOWN YOUR SYSTEM. This will lock the drive so that when you restart your system it will boot the PBA.
If there is an issue after enabling locking you can either disable locking or remove OPAL to continue using your drive without locking.
If you want to disable Locking and the PBA, run these commands:
sedutil-cli -–disableLockingRange 0sedutil-cli –-setMBREnable off
sedutil-cli --disablelockingrange 0 debug /dev/nvme0
Expected Output:
14:07:24.914 INFO: LockingRange0 disabled
sedutil-cli --setmbrenable off debug /dev/nvme0
Expected Output:
14:08:21.999 INFO: MBREnable set off <You can re-enable locking and the PBA using this command sequence:
sedutil-cli -–enableLockingRange 0sedutil-cli –-setMBREnable on
sedutil-cli --enablelockingrange 0 debug /dev/nvme0
Expected Output:
14:07:24.914 INFO: LockingRange0 enabled ReadLocking,WriteLocking
sedutil-cli --setmbrenable on debug /dev/nvme0
Expected Output:
14:08:21.999 INFO: MBREnable set on
Some OPAL drives have a firmware bug that will erase all of your data if you issue the commands below. See [Remove OPAL](https://github.com/Drive-Trust-Alliance/sedutil/wiki/Remove-OPAL) for a list of drive/firmware pairs that is know to have been tested.
To remove OPAL issue these commands:
sedutil-cli --revertnoerase
sedutil-cli --revertnoerase debug /dev/nvme0Expected Output:
14:22:47.060 INFO: Revert LockingSP complete
Verify that the locking SP has been deactivated:
sedutil-cli --query {drive}
Look at the query output and make certain that the Locking section shows ```lockingEnabled=N```
Locking function (0x0002) Locked = N, LockingEnabled = N, LockingSupported = Y,
If the query does not show lockingEnabled=N DO NOT CONTINUE with the next step, if you do all your data will be erased.
Remove OPAL:
sedutil-cli --reverttper {SIDpassword} {drive}
sedutil-cli --reverttper debug /dev/nvme0
Expected Output:
14:23:13.968 INFO: revertTper completed successfully
When this is finished the drive will be in a non-opal managed state. This would allow you to do anything that you could have done before starting OPAL management under OPAL. You can also reinitiate OPAL management if you wish.
SEDutil is an open source set of tools that provides locking and unlocking of TCG OPAL 2.0 boot and non-boot drives in Windows and Linux.
We think it is utterly insane for people not to use full disk encryption to protect their data.
If you spend the money for a fancy drive with TCG OPAL 2.0 hardware encryption you should use it. Unfortunately, we found it very hard to find out how to activate hardware full disk encryption with our Samsung NVME drives in Windows. Once we figured out how to use SEDutil and implemented security enhancements to the code we published this site to help others.
SEDutil works with almost any TCG OPAL 2.0 drive, including the Samsung 960 EVO Pro, Samsung 970 Evo, Samsung 970 Evo Plus, and more.
Hardware Bitlocker is great, except (1) some implementations of hardware Bitlocker require a complete clean reinstallation of Windows after TCG OPAL activation (hint, very inconvenient), and (2) hardware Bitlocker is so integrated into the Windows system that Windows Update issues arise that may lock access to your computer.
Have you ever been on a business trip, you get to your hotel late at night, and you turn on your notebook to be greeted by the dreaded Bitlocker "enter recovery key for this drive" message, because unbeknownst to you a random Windows KB* update pushed through and made some change that Bitlocker determined to be system weirdness like "an unexpected configuration change, or another security event" requiring reauthentication with the recovery key? Don't think this can happen to you? Good luck with that!
First, see "Why is using SEDutil better than hardware Bitlocker?" above.
Second, although it is true that modern CPUs have acceleration code that "only results in a 1%-2% performance hit when using software Bitlocker" is technically true, that is not what happens in real life use. When you have 20 Chrome tabs open, while you are watching YouTube, while you have a VM compiling something in the background, and then you try to unzip a 20gb compressed file, let us know what happens with that "only 1%-2% performance hit."
Third, if you are using a notebook on battery and you are not doing intense work, then battery life will not take much of a hit with software Bitlocker. But, if you are doing CPU and disk intensive work software Bitlocker crushes battery life while also making your user experience sad face inducing.
Yes. The original SEDutil did not work with many AMD Ryzen systems. Our version of SEDutil allows users of AMD Ryzen systems to lock and unlock NVME Windows 10 boot drives via pre-boot authentication.
The original SEDutil and our version works with Intel systems.
In order to use SEDutil for pre-boot authentication and unlocking of a NVME Windows 10 boot drive, you must disable Secure Boot in your system BIOS. Some users might consider that to be a downside.
Sleep does not work with SEDutil and Windows 10. Instead, you have to use hibernate. Hibernation is nearly insant with NVME, so this is probably not a downside. Years ago there was a concern with excessive hibernation and SSD write cycles. But, that is not a concern anymore with today's NVME write cycle tolerance.
Oh yes, you might!
Anytime you are running commands to setup encryption on a drive your data is at risk. Do not attempt to use SEDutil until you have backed up your data!
Sleep does not work with SEDutil in Windows. Instead, you have to use hibernate. Hibernation is nearly insant with NVME, so this is probably not a downside.
Years ago there was a concern with excessive hibernation and SSD write cycles. But, that is not a concern anymore with today's NVME write cycle tolerance.
Yes! Via pre-boot authentication, SEDutil unlocks NVME Windows 10 boot drives. It is amazing.
No!
Unlike the Samsung encryption process for activating hardware Bitlocker in Windows 10, reinstallation of Windows is not required after initializing hardware full disk encryption (FDE) with SEDutil.
After incredible frustration with enabling hardware Bitlocker with Windows 10, we searched for alternatives. SEDutil appeared to be an alternative, but the documentation was extremely poor and it was hard to tell if it was really a viable solution.
We attempted to use SEDutil and found it to be amazing. We made minor tweaks to the code, implemented enhanced security protocols (SHA512 vs SHA1 password hashing) and published our work to help others with similar frustrations.
Support? No way! Are you kidding?
SEDutil is open source. By jumping on the SEDutil bandwagon you get to experience the join and pain of dealing with open source software. When you chose SEDutil you chose to risk it all because that is how you live your life. Bravo!
There is no support for SEDutil, but there are resources available. You can drop a question in the comment section below, you can see our SEDutil issue section on Github, or you can look into the original SEDutil issue section on Github - keep in mind, our version of SEDutil implements SHA512 password hashing, and therefore it is not backward compatibile with standard SEDutil SHA1 password hashing. If you don't know what any of this means then you should probably run, run away fast and just stick with software Bitlocker before you lose all of your data.
If you think Bitlocker is garbage but don't want to risk it all with sketchy open source software like SEDutil and you are looking for a tool with customer support for pre-boot authentication for your fancy TCG OPAL 2.0 Self Encrypting Drive (SED), then you should check out the non-free SecureDoc WinMagic.
No. SEDutil was created by volunteer programmers and the Drive Trust Alliance.
We made minor tweaks to the code, implemented enhanced security protocols (SHA512 vs SHA1 password hashing) and published our work to help others with similar frustrations.