
OPAL encryption?

pgoelz
Junior Member
Posts: 274
Joined: Thu Jul 26, 2007 1:04 pm
Location: Rochester MI USA

OPAL encryption?

#1 Post by pgoelz » Sun Apr 02, 2017 6:01 am

In my search for the right X1C, I am finding some that state that the SSD is OPAL or TCG OPAL. Finding clear and concise information on what the ramifications are has proven extremely difficult. So I thought I'd ask here.

I assume a hardware encrypted SSD is locked and non-functional until it handshakes with the laptop and gets the correct handshake during boot? That raises some questions.....

1. If an SSD in a used X1C is stated to be OPAL compliant, what is the likelihood that it will in fact be encrypted? Does the X1C contain whatever is required to enable OPAL hardware encryption, or is this a non-issue in the X1C?

2. If the SSD in a used X1C is in fact encrypted as received what is the impact to me, a new user? I assume the machine will continue to function? When would I need to supply the password?

3. If I remove an OPAL encrypted SSD and put it in a different laptop or perhaps an adapter for imaging, will I need to disable encryption before it will function?

Paul
Paul Goelz
www.pgoelz.com
Rochester MI USA

w0qj
ThinkPadder
Posts: 1187
Joined: Fri Jun 11, 2004 9:53 pm
Location: Hong Kong

Re: OPAL encryption?

#2 Post by w0qj » Sun Apr 02, 2017 12:30 pm

Think very few fellow users on this Forum have any experience with OPAL encryption on Thinkpads.
Suggest you search for "OPAL" in the [Search] function on this Forum page.

Mainly OPAL needs proper OS (Win10 Pro, Win8.1 Pro, Win7 Ultimate and above) in order to work.
Thinkpads in general are OPAL ready, with security chip already embedded.

Need someone else to help out here; I'm skating on thin ice :(
Daily Driver: (X1E3) X1 Extreme 3rd Gen | mobile broadband (WWAN)
Current Thinkpads: X1E3 | X1E1 | X1C10 | X1C9 | X1C4 | X1C3 | X230
Retired Thinkpads: X250 | T410 | T42 | 560 (circa 1996)


Re: OPAL encryption?

#3 Post by pgoelz » Mon Apr 03, 2017 12:47 pm

Well, I have done more reading and I am almost as confused as I was before I started. Why oh WHY is it so hard for manufacturers to provide this kind of information!!!

What I have found is that OPAL2 encryption is entirely a function within the SSD and does not involve the laptop. However, to enable encryption you set a password in BIOS. I think this password tells the HD to decrypt the contents and then the SSD operates normally. You can move the SSD from one machine to another and (I think) if you supply the HD password all still works normally. However, the HD cannot be accessed externally with (for example) a USB adapter and cannot be read by another machine if it does not support OPAL2 AND supply the HD password.

I am assuming that used corporate lease turn-ins may well have the HD password set, which would certainly be an issue if the HD was moved to another machine. Unclear if it would be an issue if the HD was left in the original machine.

I see Lenovo has a password removal tool that removes the password and also wipes the SSD. So if reinstalling or reimaging is acceptable, this would seem to deal with the issue of a machine received with a HD password. I think.

Anyone else? Again, I am assuming this is at least a potential issue on any used X1C since I assume most are corporate lease turn-ins. I just bought one on Ebay and am waiting for it to arrive. I noticed that he showed it booted to BIOS but not into an OS.... not sure if that was intentional or not. There was no statement in the listing about a BIOS or HD password so I'm hoping my fears are groundless ;)

Paul


Re: OPAL encryption?

#4 Post by w0qj » Tue Apr 04, 2017 3:05 am

Hi pgoelz,

Seems you know more than the average forum poster on OPAL already :(

1. Anyways, since we presume you have just ordered an X1 Carbon Generation 3 (X1C3), here is a link that may be useful:

http://psref.lenovo.com/Product/ThinkPa ... en?ch=opal
http://psref.lenovo.com/Product/ThinkPa ... on_3rd_Gen

The first link already did a search for you which X1C3 models support OPAL.
***You will note under the "Storage" Column it listed exactly the model number with the SSD size which supported OPAL2 (but unfortunately did not list the SSD maker).

The 2nd link is the main landing page for X1C3.

Good luck!


Re: OPAL encryption?

#5 Post by w0qj » Tue Apr 04, 2017 3:18 am

We did briefly look into full disk encryption in the past, and obviously this stuff flew right over our heads :(

Here are some tips to get you started.
(We will revisit this topic again in the year 2020, when Windows 7 support expires).

1. You can use Full Disk Encryption if you use Windows 10 Pro (which includes BitLocker), and this requires you use a Microsoft Account (Win10 Pro will upload a copy of your BitLocker encryption key to Microsoft Servers for their information). Same situation for Win8.1 Pro, and Windows 7 Ultimate.
I THINK in this case, you do not need an OPAL2 compliant SSD.
http://www.howtogeek.com/234826/how-to- ... windows-10

2. If you do not have Win 10 Pro, you can also enable full disk encryption if you (A) have OPAL2 compliant SSD, and (B) have suitable disk encryption software such as BitLocker or VeraCrypt.
(Hidden gotcha: VeraCrypt does not support UEFI).
http://security.stackexchange.com/quest ... -bitlocker

3. And yes, we also had concerns about data recovery should an encrypted SSD fail, and whether or not to encrypt data backup.
Also like you, we also had great concerns that should we need to transfer the encrypted SSD to another similar Thinkpad Laptop, can it read the encrypted SSD at all?

4. Should you succeed in implementing this partial or full disk encryption, would appreciate your feedback advice on how you achieved this!

Good luck!


Re: OPAL encryption?

#6 Post by pgoelz » Tue Apr 04, 2017 4:47 am

The fact that I seem to know more about this than the average forum poster is scary to say the least... I know FOR SURE I don't have it right yet ;)

To be clear, my concern was not that I wanted to enable encryption.... I do NOT. I was concerned about the ramifications of purchasing a used machine that had encryption enabled but where the password was not supplied or known. Since most used machines are corporate lease returns, it would seem this is a very likely scenario?

I have since communicated with the seller of my (currently in transit) used X1C3 and he stated that it does not have an OS, BIOS or HD password of any sort, so I think I'm good in this particular case.

What I find lacking in my research is any sort of concise "this is what OPAL2 is, this is how it works and this is how you interface with it". In particular, how does the SSD know that it is OK to decrypt? Is this something that is set during boot? I assume there is a password involved somewhere. Can one be assured that a used system is NOT encrypted if it can successfully boot to the OS without supplying any password or is there a hidden "gotcha" lurking somewhere?

I did read that an OPAL2 encrypted SSD CAN be transferred to another Thinkpad, but it did not say how. In the end, I felt better after I found that Lenovo has a downloadable password removal tool.... OK by me that it also wipes the SSD.

Paul
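
Added example, not part of any post in this thread: whether Opal locking has been switched on is reported by the drive in its TCG Level 0 Discovery response, where the Locking feature descriptor (feature code 0x0002) carries the LockingEnabled and Locked bits. The Python below decodes that descriptor from constructed sample bytes; the function names and the sample response are assumptions, and it covers TCG locking only, not an ATA HDD password set in the BIOS.

```python
import struct

LOCKING_FEATURE = 0x0002  # feature code of the Locking descriptor
FLAGS = {"locking_supported": 0x01, "locking_enabled": 0x02, "locked": 0x04,
         "media_encryption": 0x08, "mbr_enabled": 0x10, "mbr_done": 0x20}

def parse_features(resp: bytes) -> dict:
    """Map feature code -> payload bytes for a Level 0 Discovery response."""
    if len(resp) < 48:
        raise ValueError("shorter than the 48-byte discovery header")
    (length,) = struct.unpack_from(">I", resp, 0)  # excludes the field itself
    end, off, features = min(length + 4, len(resp)), 48, {}
    while off + 4 <= end:
        code, _version, flen = struct.unpack_from(">HBB", resp, off)
        if off + 4 + flen > end:
            raise ValueError("truncated feature descriptor")
        features[code] = resp[off + 4:off + 4 + flen]
        off += 4 + flen
    return features

def locking_state(resp: bytes):
    """Decode the Locking feature flags, or None if the drive reports none."""
    data = parse_features(resp).get(LOCKING_FEATURE)
    if not data:
        return None
    return {name: bool(data[0] & bit) for name, bit in FLAGS.items()}

def verdict(state) -> str:
    if state is None:
        return "no TCG locking feature reported"
    if not state["locking_enabled"]:
        return "locking not activated: no Opal credential is in effect"
    if state["locked"]:
        return "locking activated and drive is locked: credential required"
    return "locking activated, currently unlocked"

def sample_response(locking_flags=None) -> bytes:
    """Constructed input: header, TPer (0x0001) and optional Locking descriptor."""
    feats = struct.pack(">HBB", 0x0001, 0x10, 12) + bytes([0x11]) + bytes(11)
    if locking_flags is not None:
        feats += struct.pack(">HBB", LOCKING_FEATURE, 0x10, 12)
        feats += bytes([locking_flags]) + bytes(11)
    header = struct.pack(">IHH", 44 + len(feats), 0, 1) + bytes(40)
    return header + feats

if __name__ == "__main__":
    for flags in (0x09, 0x0B, 0x0F, None):
        print(flags, "->", verdict(locking_state(sample_response(flags))))
```

On a real drive the response bytes come from a Security Protocol 0x01 receive with ComID 0x0001, issued by whatever SED management tool is in use.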


Re: OPAL encryption?

#7 Post by w0qj » Tue Apr 04, 2017 4:59 am

If your X1C3 had 512 GB SSD, then you definitely DO NOT have OPAL2 compliant SSD.
(This 512 GB SSD is Samsung SM951 AHCI, which explicitly stated it is not OPAL/OPAL2 compliant).

Any other size SSD may or may not be OPAL2 compliant (180 GB, 240 GB, 256 GB, 320 GB may be OPAL2 compliant).
i.e.: there are SSD versions which are not OPAL2 compliant, and there are other same sized SSD which are OPAL2 compliant.

Anyways, if you are extremely concerned about (unlikely) accidentally doing full disk encryption on your X1C3 SSD, you can:

1) Perform a Product Recovery on your SSD for a fresh Windows install, and/or

2) Backup your X1C3 data to an external Hard Drive or SSD, then use another computer to read the data to ensure that the backup is not encrypted.

Good luck!


Re: OPAL encryption?

#8 Post by pgoelz » Tue Apr 04, 2017 5:31 am

w0qj wrote:
> If your X1C3 had 512 GB SSD, then you definitely DO NOT have OPAL2 compliant SSD.
> (This 512 GB SSD is Samsung SM951 AHCI, which explicitly stated it is not OPAL/OPAL2 compliant).
>
> Any other size SSD may or may not be OPAL2 compliant (180 GB, 240 GB, 256 GB, 320 GB may be OPAL2 compliant).
> i.e.: there are SSD versions which are not OPAL2 compliant, and there are other same sized SSD which are OPAL2 compliant.
>
> Anyways, if you are extremely concerned about (unlikely) accidentally doing full disk encryption on your X1C3 SSD, you can:
>
> 1) Perform a Product Recovery on your SSD for a fresh Windows install, and/or
>
> 2) Backup your X1C3 data to an external Hard Drive or SSD, then use another computer to read the data to ensure that the backup is not encrypted.
>
> Good luck!

Again, I AM NOT concerned about doing an accidental full disk encryption. I assume that if I encrypt it, I can unencrypt it. And I'm very comfortable with backups and drive imaging. What I WAS concerned about was purchasing a USED machine with OPAL2 full disk encryption ENABLED AS RECEIVED but with an unknown password. The used machine I purchased and have not yet received was listed as containing a 256GB OPAL2 SSD. I noticed the OPAL2 part after I purchased it from an Ebay seller and momentarily panicked since OPAL2 is so far a big black unknown to me. In subsequent communication with the seller, he assures me there are no passwords in use and for now I will assume that means OPAL2 FDE is NOT active.

Paul

RealBlackStuff
Admin Emeritus
Posts: 23825
Joined: Mon Sep 18, 2006 5:17 am
Location: Loch Garman, Éire

Re: OPAL encryption?

#9 Post by RealBlackStuff » Tue Apr 04, 2017 7:38 am

Simple really: if your X1C comes with a Supervisor and/or a HDD/SSD password in the BIOS, and you do not also receive the password(s), you are screwed.
Regardless of OPAL, any other encryption or no encryption.
Those password(s) can be removed, but the how is not to be discussed on the Forum.
Lovely day for a Guinness! (The Real Black Stuff)
