Technical Articles ID:
KB89333
Last Modified: 2/5/2020
Environment
McAfee Drive Encryption (DE) 7.2.x, 7.1.x
Summary
This article is a consolidated list of common questions and answers. It is intended for users who are new to the product, but can be useful to all users.
NOTES:
This article covers questions that relate to DE and specifically Opal drives.
To view the other DE FAQs that cover Compatibility, Installation/Upgrade, Configuration and general Functionality, see KB79784.
Recent updates to this article:
Date
Update
February 26, 2018
Implemented expand and collapse design.
To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.
What is Opal or Opal Drive?
Opal
Opal is the name of a specification related to self-encrypting drives which has been developed by a standards body named the Trusted Computing Group. Opal is a standard or specification that details the commands the drive needs to respond to and the standard behavior. The standard has been created and ratified by the Storage Working Group of the Trusted Computing Group (TCG).
Opal Drive
An Opal drive is a self-contained, standalone Hard-Disk (HDD) that conforms to the TCG Opal standard. The drive is always encrypted but may or may not be locked. In addition to the standard components of a HDD, an Opal drive will contain extra components such as an on-board cryptographic processor that performs all of the necessary encryption/decryption of data on the HDD itself. In addition to regular spinning media (HDDs), SSDs may also support the TCG Opal Standard. An Opal drives is a Self-Encrypting Drive but not the only type. There are also other proprietary self-encrypting drives on the market.
NOTE: TCG is a not-for-profit organization formed to develop, define and promote open, vendor-neutral, industry standards for trusted computing building blocks and software interfaces across multiple platforms. TCG-compliant self-encrypting drive is the same as an Opal drive.
Do all users in my organization need an Opal drive?
No. Software Encryption will suffice for most users. Most productivity workers will not notice or be impacted due to software encryption. With DE 7.1, the impact of software encryption on systems with Intel CPUs that support AES-NI is negligible, making software encryption comparable in performance to Opal drives.
What threat model does an Opal drive address?
The primary use case is loss or theft of laptops or desktops. It covers similar threats as Software Full Disk Encryption and is designed for protection of data at rest.
What usage scenarios are best suited for Opal drives?
Opal drives are well suited for users who require extremely high disk I/O (performance-sensitive applications). Examples of these users are software developers, video editors, and aeronautical engineers. These users will most likely also use SSDs instead of spinning HDDs.
Would an SSD Opal drive preserve the performance of an SSD without compromising security?
Yes. For the most sensitive of users an SSD implementation of an Opal drive can retain the speed and performance of an SSD while retaining all of the security and encryption of an Opal drive. However, because an Opal drive is always encrypted by the on-board crypto processor, it is difficult to ascertain exactly what performance degradation (if any) is levied by the onboard crypto processing.
What is the DE experience like with an Opal drive?
The day-to-day tasks of an administrator are exactly the same regardless of whether the device has an Opal drive or a normal HDD. The same policy, method of deployment, and management are all the same. The recovery process changes slightly, but the steps an administrator performs in a recovery scenario are the same. For more details about DE Experience with Opal, see the 'DE Experience with Opal' section of this article.
Does DE help in recovery situations with an Opal drive?
All of the standard DE recovery mechanisms are available to users and administrators, regardless of whether the end user has an Opal drive or a normal HDD.
Will DE support other types of Self-Encrypting Drives (SED)?
No. At this time there are no plans to support other types of SED other than those implementing the TCG Opal Standard.
Why is DE still required if an Opal drive handles all of the encryption?
Opal drives need to be managed. Until an Opal drive is managed, it behaves and responds just like a normal HDD. The combination of DE and ePO provides versatile management, reporting and recovery functionality which are all critical to an administrator. DE provides value by installing a secure preboot environment which unlocks the Opal drive, performs Opal user management, ensures the organization’s encryption policy is continuously enforced and, in the event of loss, proves that the device was encrypted at the last time it synchronized with ePO. Also, for organizations that will have a mixture of both Opal drives and normal HDDs, it is important that an administrator can utilize a single tool to manage, enforce policies, report on devices and assess the company’s potential risk exposure; DE provides that tool. DE also offers the advantage that it can support potentially many more users than a non-managed Opal drive.
How will McAfee detail the support for Opal drives?
The following article details DE support for Opal drives from different manufacturers. It also includes details of how to self-certify an Opal drive in the case that the drive is not on the supported list. For details, see KB81136.
Will DE support Opal drives on all the supported Operating Systems?
No. There are no plans at this time to support Opal on other operating systems. Current support details are as follows:
DE 7.x supports Opal drives on Windows 7 SP1 and later, and Windows 8.x in both legacy (BIOS) and UEFI modes.
DE 7.x supports Opal drives in Windows 8.x in UEFI mode on systems which are Windows 8 certified and where the OEM has included the UEFI protocol used for secure communications.
UEFI systems where the OEM has not bundled the secure communications protocol are not supported as there is no mechanism whereby the DE preboot environment can communicate with the drive. Software encryption will be automatically used in this case.
Why do I need at least SP1 for Windows 7?
Some Opal drives are 512e drives; that is, they are actually drives with sectors of size 4096 bytes, but which emulate old-fashioned 512-byte sector drives. Windows 7 SP1 includes crucial driver fixes that allow these 512e drives to function correctly.
What happens if a user attempts to activate DE on an Opal drive while running an unsupported operating system?
If DE detects an incompatible or unsupported combination of Operating System and Opal drive, it will continue the activation process, but it will use Software Encryption instead of using the native Opal functionality. The system will be shown as using Software Encryption in ePO.
Will Opal drives be supported on Mac OS X?
No. Not until Apple adds support to their FileVault encryption product.
Does an administrator need to manage computers with Opal drives differently to those with a standard HDD?
No. Administrators do not need to treat Opal drives any differently to normal HDD. The very same policy can be used on laptops with Opal drives and laptops with normal HDD.
In the DE policy there is a priority order for Encryption Providers. What does that do?
That allows the administrator to tailor how the DE Intelligent Client will enforce the policy on a client. If the Opal Encryption Provider is higher priority than the Software Encryption Provider, then the DE Client will first search for an Opal drive. If all of the attached drives support Opal, it will use the Opal functionality to enforce the encryption policy. If the drives do not meet this criteria, it moves on to the next Encryption Provider in the list, which means it will then use Software Encryption to enforce the encryption policy. By changing the order of priority and making Software Encryption the highest priority, an administrator can specify that all machines will use Software Encryption regardless of whether there is an Opal drive or a normal HDD in the machine.
IMPORTANT: When the computer is fitted with an Opal drive, offline activations use Opal Encryption first. OPAL preferences are hard-coded in the Offline Activation Packages and do not use the custom policy settings.
Is deployment any different to an Opal drive?
No. It is exactly the same regardless of whether the client system has an Opal drive or a normal HDD.
How can an administrator or user tell if a client is using the Opal functionality or software encryption?
Administrator
Look at the computer in ePO to see which Encryption Provider is enforcing the encryption policy. If it states Opal, then it is using the Opal functionality.
User
A user cannot directly determine this but it can be implied from the list of volumes or drives that are encrypted in the Endpoint Encryption Status Monitor window.
Will an end user see any difference in preboot depending on whether they have a standard hard disk or an Opal drive?
No. The preboot looks and behaves exactly the same. An end user can be completely unaware of the hardware that is powering the encryption on their computer.
How long does it take to go from an Unencrypted to Encrypted status with an Opal drive?
Around a minute. This is because the drive is technically already encrypted. The time to go from an unencrypted to an encrypted state is the time required to activate the native Locking mechanisms of the Opal drive and install the preboot environment.
Does DE ever know the key that encrypts the data?
No. The encryption key never leaves the Opal drive.
How does Recovery work?
The same DE recovery procedures and tools can be used to perform a recovery on an Opal drive and a Normal HDD. DETech is updated to know how to unlock an Opal drive, although there is no possibility to decrypt it as the Opal drive never hands out the encryption key and never decrypts the disk. DETech simply unlocks the disk to allow the Operating System to boot.
What about Forensics software from third-party companies? Can they work with an Opal drive?
McAfee has been working with companies that provide forensic software and our interaction with them remains largely the same. Instead of those applications asking DE for the encryption key, they will ask DE for the necessary credentials to unlock the drive. Note that it is not possible to take a sector-level copy of an Opal drive and perform decryption of that sector-level copy using the encryption key since the encryption key can never be known.
Is an Opal drive always encrypted?
Yes. Regardless of whether the drive is locked or unlocked it is always encrypted. It is not possible to have a decrypted Opal drive.
NOTE: The Disk Encryption Key (DEK) can never be read from the drive. DE will only show two valid states Unlocked and Locked.
What is the difference between locked and unlocked?
Technically, the difference is access to the encryption key by the encryption processor on-board the drive.
- If the disk is unlocked, the on-board encryption processor has access to the disk encryption key and the drive behaves exactly like a normal HDD. An end user would not be able to tell the difference in this state between an Opal drive and a normal HDD.
- If the disk is locked, the disk encryption key is protected and a preboot environment is required to unlock the disk before the data can be accessed and the Operating System allowed to boot. Note that the disk encryption key is kept internal to the drive; it is not possible to read it from the drive.
What is the default state for an Opal drive?
When you first receive an Opal drive, the state is unlocked. It will behave and respond exactly like a normal HDD. You need to explicitly lock the drive by enabling the native Locking Mechanism of the drive. One way of doing this is to use DE to manage the drive.
How can you take the drive from an unlocked to a locked state?
An application such as DE, which has a preboot environment, will need to perform the necessary steps to enable the native locking mechanism of the Opal drive and install the preboot environment. Once the drive is locked, the preboot environment is required to unlock the drive before the Operating System can start its boot process. Without a preboot environment, nothing would be present to unlock the drive and allow the operating system to boot.
When a locked drive is unlocked, how long does it stay unlocked?
The Opal drive will remain unlocked until the next power cycle. That means that once you unlock an Opal drive it will remain unlocked until you turn off the device, or move to another power state where the Opal drive loses power. However, in DE, to ensure the same user experience as with DE software encryption, the drive will be explicitly locked on a restart as well.
Can I take a disk image of the drive and decrypt it using a tool such as EnCase?
No. The key is created on the drive and it never leaves the drive. It is not possible for applications or other pieces of hardware to ask the drive for its key(s), and therefore the key is not available for use in tools such as EnCase.
What do I do if the Opal drive is locked and I forgot my password?
DE has a recovery mechanisms to assist.
Can you restore an Opal drive to its default factory state?
There is one TCG ratified mechanism for a revert process to occur, but the drive master credential must be known. Some drive manufacturers include an additional non-TCG revert process where the master credential is not known (known as a PSID revert). If the drive does not support a PSID revert and you are locked out (and for some reason DE’s normal recovery functions do not work or the drive fails to respond), the drive is now unusable, your data is lost, and you need to purchase a new Opal drive. If the drive does support a PSID revert, then you can return it to a default factory state even without unlocking the drive first, but all of the data on the drive will be lost. Tools are available to do this (it is not a supported use case in DE).
What happens if there is a physical hardware failure and the Opal drive stops responding to Unlock requests?
In this situation the drive is now completely non-functional. There is nothing you can do to access the data. Consider the data lost and purchase a new Opal drive. This is because DE does not know the actual disk encryption key; the disk encryption key cannot be read from the drive.
Is the preboot for Opal different to the preboot for software encryption?
Yes and no. The preboot will need to know how to unlock an Opal drive to allow the Operating System to boot, however the rest of the preboot looks and behaves the same as with software encryption. In fact, much of the preboot code is shared between software and Opal preboot applications.
Are there multiple versions of the Opal Standard?
Yes. What is currently implemented is Version 1.0. The TCG has also published 2.0. Support for TCG’s Opal v2.0 specification is being considered for possible inclusion in a future release.
Does an Opal drive have a concept of users?
Yes. Once the drive is locked, a username and PIN is required to unlock the drive.
Where are the users maintained?
Each user is specific and local to each Opal drive. The application managing the Opal drive will need to also manage the Opal Users.
Is an Opal User the same as an DE User or a Windows Domain User?
No. All three are completely separate entities.
Is there a maximum number of Opal Users?
Yes. Only a small number of Opal Users can be assigned to a single Opal drive. Opal drives from different manufacturers vary as to the maximum number of users they can support.
What happens if I want to assign more DE Users to a device than are available as Opal Users?
The DE architecture allows you to assign as many users as needed to the Opal drive, regardless of the technical limitation of Opal Users on the device. This complexity is hidden from the administrator and allows them to assign users to the device in the same manner as if it was a normal HDD. The recommendation and limitations for the number of users assigned to a device remains constant regardless of the type of hard disk drive used.
Can an Opal drive have more than one disk encryption key?
Yes. There is a section of the Opal specification which deals with Logical Block Addressing (LBA) but can also be referred to as Local Ranges.
What is the Global Range?
The Global Range contains all sectors of the disk that are not in a defined Local Range (see below).
What is a Local Range?
A Local Range is a contiguous range of sectors that will each have a different encryption key. These ranges can be Locked, or can remain Unlocked. As an example, a Local Range may be applied to a partition, but a range does not have to map exactly to a partition.
Why would someone use Local Ranges?
If they want a specific part of the disk to always be available and accessible regardless of whether the disk is in a Locked or Unlocked state.
If a Local Range is a contiguous range of sectors, what happens when I define a new Range?
A new encryption key is automatically generated for the new range. If the Opal drive supports re-encryption, then the data is decrypted with the old key and re-encrypted with the new key. Re-encryption is an optional part of the standard, and at present we believe that no drives support it. If the drive does not support re-encryption you have now lost all of the data that was previously in that range since it has been cryptographically erased.
If I use a partition tool, could I lose all my data if I use Local Ranges?
Yes, that is a possibility.
How many Local Ranges can there be?
The Opal Standard specifies at least five (including the Global Range).
Does DE support Local Ranges for specifying whether partitions are locked or not?
No.
Does DE support S3 with Opal drives?
Yes. S3 is a power state, commonly known as Standby, Sleep, or Suspend to RAM. A system in an S3 state appears to be turned off. The CPU has no power, the RAM is in a slow refresh mode and the power supply is in a reduced power mode.
Opal drives lock when they have no power, is that a problem?
Yes. It is hard to restart Windows when the drive is locked and Windows does not have a way to unlock it. The TCG does not have a common and agreed solution to the S3 issue.
Because S3 works with DE, is it a proprietary implementation of S3 Support?
Yes.
Does DE support a mixed-mode?
Yes. A mixed-mode is defined as a situation where a computer has more than one physical HDD drive and also has a combination of Opal drives and Normal HDD. The lowest common denominator is always software encryption. If in doubt the software encryption functionality will be used to encrypt both the Opal drive and the Normal HDD.
What happens if I have an Opal and a normal HDD inside the one computer? Will DE use the native Opal functionality on the Opal drive and software encryption for the normal HDD?
No. This is what is described as a mix-mode environment. DE needs to make a decision as to how it is going to enforce the encryption policy on the computer. By default software encryption will be chosen automatically if you have Opal and non-Opal drives in the same computer.
Can you use software encryption on an Opal drive?
Yes. Until the native locking mechanism of an Opal drive has been enabled, an Opal drive responds and behaves exactly like a normal HDD. Nothing stops an administrator from encrypting the drive using Software Encryption instead of using the native functionality of the Opal drive. Technically speaking, the data will then be encrypted twice: once by software encryption and secondly by the Opal drive, but since the drive will not be locked, the Opal encryption is transparent.