Francesco Yoshi Gobbo | Mar 9, 2021
If you have a system with Full Disk Encryption that uses TCG OPAL 2.0, you are probably resigned to either keeping your system running or shutting it down completely and powering it up again. This is unacceptable, but here I have a solution for you.
This guide works on Linux kernel 5.11.2-arch1-1.
The following steps are tested and working, but not for systemctl suspend, at least for me… only with the other suspension methods listed below.
If you do not run Arch as your distro, these steps could differ slightly, e.g. the AUR step needs to be approached differently. Visit the ladar/sedutil GitHub page for a generic installation guide.
¡ WARNING !
This solution introduces some security holes; it's up to you to decide whether that is something you can accept.
Here is the how-to:
- if using drives connected via SATA which need to be OPAL-decrypted, edit
libata.allow_tpm=1 somewhere at the end of the
[I added it even if not having SATA drives encrypted with OPAL 2.0]
- update grub
# grub-mkconfig -o /path/to/your/grub.cfg
- install sedutil-sleep-git (TCG OPAL 2.00 SED Management Program - including S3 support) from the AUR.
This is needed because the mainline sedutil does not include the suspend functionality
$ yay -Syu --devel sedutil-sleep-git
- find and note your encryption key (the password hash) with
# sedutil-sleep --printPasswordHash <Admin1password> </dev/drive>
including the namespace if the drive is an NVMe M.2, e.g.
# sedutil-sleep --printPasswordHash superSecretPassw0rd /dev/nvme0n1
- repeat for every drive, even if the password is the same! The hash is not.
- create a systemd service to execute
# sedutil-cli -n -x --prepareForS3Sleep 0 <Admin1password hash> </dev/drive>
-x: sends password in hex format
-n: sends the password in clear text
i.e. create a file named
[Service]
Type=oneshot
ExecStart=-+/usr/bin/sedutil-sleep -n -x --prepareForS3Sleep 0 fdbe142fa3e103c43444a7334f735b15ed4a43cb0f71511f5047eb505244421f /dev/nvme0n1
ExecStart=-+/usr/bin/sedutil-sleep -n -x --prepareForS3Sleep 0 a454341a07f157febbe373a45577734de81334de8452ae034f3a7f0340ea87fb /dev/sda

[Install]
WantedBy=multi-user.target
- enable and start the service
# systemctl enable OPALsuspend.service --now
- try the suspension, but be aware that for me, systemctl suspend results in the system hanging at resume time.
Tested and working solutions on XFCE4:
- if using a Desktop Environment, just use your standard DE suspension; if you are on the CLI and using XFCE4, use
- if using a lock screen manager like betterlockscreen, use
betterlockscreen -s
this suspension method needs prior configuration in order to work, or it will only lock the desktop.
- press a key and hopefully enjoy your computer waking up from suspension :)
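The unit file above stores each password hash in its ExecStart line, and with -n -x that hash is exactly what the drive accepts as the credential. The wrapper below is an added example, not part of the original guide or of sedutil: it reads the device/hash pairs from a root-only file so the unit definition, which unprivileged users can read through systemctl show, no longer contains them. The file name /etc/opal-s3.conf, the install path /usr/local/sbin/opal-s3-prepare and the --run argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original guide): keeps the Admin1 password
# hashes out of the unit file.
# Hypothetical names: /etc/opal-s3.conf (root-owned, mode 0600) holds one
# "<device> <hash>" pair per line; the script is installed as
# /usr/local/sbin/opal-s3-prepare and the unit runs it with
#   ExecStart=-+/usr/local/sbin/opal-s3-prepare --run
CONF="${OPAL_S3_CONF:-/etc/opal-s3.conf}"
SEDUTIL="${SEDUTIL:-/usr/bin/sedutil-sleep}"

# The hashes shown in the guide are 64 hex characters.
valid_hash() {
    [ "${#1}" -eq 64 ] || return 1
    case "$1" in *[!0-9a-fA-F]*) return 1 ;; esac
}

# Accept the config only if group and others have no access (e.g. 600, 400).
conf_is_private() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# Run --prepareForS3Sleep for every listed drive.
# Returns 0 on success, 1 if any entry failed, 2 if the config is not private.
prepare_all() {
    if ! conf_is_private "$CONF"; then
        echo "refusing $CONF: missing or not mode 0600" >&2
        return 2
    fi
    rc=0
    while read -r dev hash _; do
        case "$dev" in ''|'#'*) continue ;; esac
        if ! valid_hash "$hash"; then
            echo "skipping $dev: hash is not 64 hex characters" >&2
            rc=1
            continue
        fi
        # Same flags as in the guide; stdin is detached so the tool
        # cannot consume the rest of the config.
        "$SEDUTIL" -n -x --prepareForS3Sleep 0 "$hash" "$dev" </dev/null || rc=1
    done < "$CONF"
    return "$rc"
}

# Only act when called with --run, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then
    prepare_all
    exit $?
fi
```

The hash still appears in the process arguments for the moment sedutil-sleep runs; what changes is that it is no longer part of the persistent unit definition.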
partially referenced from ladar/sedutil Issue #4