[KB7974] OPAL disk encryption FAQ

Issue

ESET Endpoint Encryption (EEE) Client and EEE Server are separate products from ESET Full Disk Encryption (EFDE)

The article below applies only to the EEE Client or EEE Server and not EFDE. Visit What's new in ESET Full Disk Encryption to view EFDE content.

Solution

Using OPAL hardware encryption

OPAL hardware encryption entrusts the security to the disk hardware vendor. ESET cannot verify or be liable for the strength of security in third-party devices. Confirm that the disk in use has no known security vulnerabilities.

OPAL encryption FAQ

  1. What is OPAL?

Full disk encryption (FDE) used to be a software-only solution. A hardware-based encryption standard emerged in the form of the OPAL Security Subsystem Class, commonly referred to as OPAL.

  2. What are the benefits of OPAL FDE?

    • Hardware encryption has no negative impact on system performance
    • Encrypting a system with OPAL encryption is immediate and does not require waiting for the encryption to finish
    • Hardware-based encryption is very secure
    • Easier to set up

  3. Will my system support OPAL FDE?

An OPAL 2.0+ compliant drive is expected to be supported. If you are unsure whether your system will support OPAL, obtain a UEFI diagnostic log and send a copy of the log file to ESET Technical Support for verification.

  4. What are the minimum requirements for OPAL FDE?

To perform full disk encryption on a system utilizing OPAL, the system must meet the following requirements:

    • The drive must support TCG OPAL 2.0.
    • The system must boot from UEFI (UEFI 2.3 or greater).
    • The system UEFI must support EFI_STORAGE_SECURITY_COMMAND_PROTOCOL or a pass-through protocol for the appropriate bus type: EFI_ATA_PASS_THRU_PROTOCOL, EFI_SCSI_PASS_THRU_PROTOCOL or EFI_NVME_PASS_THRU_PROTOCOL.
    • The system must have ESET Endpoint Encryption version 5.0 or later installed.
    • The system must be managed by an ESET Endpoint Encryption Server, which must be version 3.0 or later.

  5. Can I use the machine's TPM as well as OPAL?

TPM is an authentication method independent of the encryption method. Therefore, you can use both OPAL and TPM.

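The first requirement above (the drive must support TCG OPAL 2.0) can be checked from the drive's TCG Level 0 Discovery response, which also shows whether locking is already enabled by other software and whether the drive actually encrypts media. The parser below is an added example, not code from ESET or this article; the response bytes are constructed for illustration, and the feature codes and Locking-descriptor bit layout are taken from the TCG Opal SSC specification. Obtaining a real response requires an IF-RECV pass-through to the drive, which is outside this script.

```python
import struct

# Level 0 Discovery feature codes from the TCG Opal/Pyrite SSC specifications.
FC_TPER, FC_LOCKING, FC_OPAL2, FC_PYRITE2 = 0x0001, 0x0002, 0x0203, 0x0303
HEADER_LEN = 48  # 4-byte length, 2+2 version, 8 reserved, 32 vendor-specific

def parse_level0(resp: bytes) -> dict:
    """Return {feature_code: descriptor_data} from a Level 0 Discovery response."""
    if len(resp) < HEADER_LEN:
        raise ValueError("response shorter than the 48-byte discovery header")
    # The length field counts the bytes that follow it, not itself.
    end = min(4 + struct.unpack(">I", resp[:4])[0], len(resp))
    feats, off = {}, HEADER_LEN
    while off + 4 <= end:  # each descriptor: code(2) version(1) length(1) data
        code, _ver, flen = struct.unpack(">HBB", resp[off:off + 4])
        feats[code] = resp[off + 4:off + 4 + flen]
        off += 4 + flen
    return feats

def opal2_status(resp: bytes) -> dict:
    """Summarise whether the drive meets the 'TCG OPAL 2.0' requirement."""
    feats = parse_level0(resp)
    lock = (feats.get(FC_LOCKING) or b"\x00")[0]  # byte 0 of the Locking descriptor
    return {
        "opal2": FC_OPAL2 in feats,                # Opal SSC V2.00 advertised
        "locking_supported": bool(lock & 0x01),
        "locking_enabled": bool(lock & 0x02),      # already owned by some software
        "locked": bool(lock & 0x04),
        "media_encryption": bool(lock & 0x08),     # data really encrypted at rest
    }

def _feat(code: int, data: bytes) -> bytes:
    return struct.pack(">HBB", code, 0x10, len(data)) + data

def _response(*descriptors: bytes) -> bytes:
    body = b"".join(descriptors)
    # header: length, major=1, minor=0, then 8 reserved + 32 vendor bytes
    return struct.pack(">I", 44 + len(body)) + b"\x00\x01\x00\x00" + bytes(40) + body

# Constructed samples (not captured from real drives): an Opal 2.00 drive whose
# locking is supported but not yet enabled, and a Pyrite drive with no media encryption.
SAMPLE_OPAL2 = _response(_feat(FC_TPER, b"\x01" + bytes(11)),
                         _feat(FC_LOCKING, b"\x09" + bytes(11)),
                         _feat(FC_OPAL2, bytes(16)))
SAMPLE_PYRITE = _response(_feat(FC_TPER, b"\x01" + bytes(11)),
                          _feat(FC_LOCKING, b"\x01" + bytes(11)),
                          _feat(FC_PYRITE2, bytes(16)))
```

Pass the raw response bytes read from the drive to opal2_status() in place of the constructed samples; a drive that reports locking support but no Opal SSC V2.00 descriptor or no media encryption does not satisfy the requirement.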
List of tested OPAL-compatible disks

Below is a short list of disks that have been tested as compatible with OPAL FDE:

Make and model                      Bus
Samsung - MZVLW256HEHP-000L7        NVMe
Samsung - 960 EVO 256GB             NVMe
Samsung - MZVPW256HEGL-000L7        NVMe
Crucial - CT250MX500SSD1
Crucial - CT1000MX500SD4
Crucial - MTFDDAV256TBN-1AR15ABHA
Crucial - MTFDDAV256TBN5
Kingston - SUV500M8/120G            NVMe
Samsung - 970 EVO Plus              NVMe
SKHynix - HFS001TDE9X081N           NVMe
Kingston - KC600                    SATA
Samsung - 860 EVO                   SATA
Samsung - P961                      NVMe