Enable standby on TCG OPAL 2.0 ciphered devices on Linux

Tags: en tutorial linux

If you have a system with a Full Disk Encryption that makes use of the TCG OPAL 2.0, you’ll probably be resigned to keep your system running or shut it down completely and powering it up again. This is unacceptable but here I’ve a solution for you.

This guide is working on the Linux Kernel 5.11.2-arch1-1.
The following steps are tested and working but not for systemctl suspend, at least for me… only with other suspension methods listed below.

If you do not run Arch as a distro, these steps could slightly differ i.e. the AUR thing needs to be approached differently. Visit the ladar/sedutil GitHub page for a generic installation guide.

This solution introduces some security holes, it’s up to you to decide if it is something you can accept or not.

Here the how to:

  1. if using drives linked via SATA which need to be opal decrypted, edit /etc/default/grub adding libata.allow_tpm=1 somewhere at the end of the GRUB_CMDLINE_LINUX_DEFAULT line.
    [I added it even if not having SATA drives encrypted with OPAL 2.0]
  2. update grub
    # grub-mkconfig -o /path/to/your/grub.cfg
  3. reboot;
  4. install sedutil-sleep-git (TCG OPAL 2.00 SED Management Program - including S3 support) from the AUR.
    This is needed because of the mainline sedutil not including the suspend functionality
    i.e. $ yay -Syu --devel sedutil-sleep-git
  5. find and note your encryption key with
    # sedutil-sleep --printPasswordHash <Admin1password> </dev/drive>
    including the namespace if NVME M.2
    i.e. # sedutil-sleep --printPasswordHash superSecretPassw0rd /dev/nvme0n1
  6. repeat for every drive, even if the password is the same! the hash is not.
  7. create a systemd service to execute
    # sedutil-cli -n -x --prepareForS3Sleep 0 <Admin1password hash> </dev/drive>
  • 0: global
  • -x: sends password in hex format
  • -n: sends the password in clear text

    i.e. create a file named /etc/systemd/system/OPALsuspend.service
ExecStart=-+/usr/bin/sedutil-sleep -n -x --prepareForS3Sleep 0 fdbe142fa3e103c43444a7334f735b15ed4a43cb0f71511f5047eb505244421f /dev/nvme0n1
ExecStart=-+/usr/bin/sedutil-sleep -n -x --prepareForS3Sleep 0 a454341a07f157febbe373a45577734de81334de8452ae034f3a7f0340ea87fb /dev/sda

  1. enable and start the service
    # systemctl enable OPALsuspend.service --now
  2. try the suspension but be aware that for me, systemctl suspend results in the system hanging at resume time.
    tested and working solutions on XFCE4:
  • if using a Desktop Environment just use your standard DE suspension, if you are via CLI and using XFCE4 use xfce4-session-logout -s
  • if using a lock screen manager like betterlockscreen use betterlockscreen -s this suspension method needs preventive configuration in order to work or it will only lock the desktop.
  1. press a key and hopefully enjoy your computer waking up from suspension :)

partially referenced from ladar/sedutil Issue #4

Safe Creative

Help the author to continue publishing,
donate now or use an affiliate link.

⭐ Click here to choose ✨

You can also become an Affiliate for my content at this Link

Sponsor block

I earn a commission when you buy though this link or image.

I have used Contabo services for a long time and highly suggest them! Check them out!

  Made with Bulma   build with   Build with Hugo   hosted on the amazing Contabo and Vultr VPS

  © 2019 Francesco Yoshi Gobbo - PGP 3FC5F028E7AFF594 - ISNI 0000000502954809 - P.IVA / VAT: IT-01572520052

privacy policy | cookie policy