Enable standby on TCG OPAL 2.0 ciphered devices on Linux

Tags: en tutorial linux

If you have a system with Full Disk Encryption that makes use of TCG OPAL 2.0, you have probably resigned yourself to keeping your system running, or shutting it down completely and powering it up again. This is unacceptable, but here I have a solution for you.

This guide was tested on Linux kernel 5.11.2-arch1-1.
The following steps are tested and working, but not with systemctl suspend, at least for me… only with the other suspension methods listed below.

If you do not run Arch as your distro, these steps could differ slightly, e.g. the AUR step needs to be approached differently. Visit the ladar/sedutil GitHub page for a generic installation guide.

¡ WARNING !
This solution introduces some security holes: the Admin1 password hash that unlocks each drive is written to a file on disk and kept in memory across suspend so the drive can be unlocked at resume. It's up to you to decide whether this is something you can accept or not.

Here is the how-to:

  1. if you are using drives attached via SATA that need to be OPAL-unlocked, edit /etc/default/grub and add libata.allow_tpm=1 at the end of the GRUB_CMDLINE_LINUX_DEFAULT line.
    [I added it even though I have no SATA drives encrypted with OPAL 2.0]
  2. update grub
    # grub-mkconfig -o /path/to/your/grub.cfg
  3. reboot;
  4. install sedutil-sleep-git (TCG OPAL 2.00 SED Management Program - including S3 support) from the AUR.
    This is needed because mainline sedutil does not include the suspend functionality,
    e.g. $ yay -Syu --devel sedutil-sleep-git
  5. find and note the hash of your Admin1 password with
    # sedutil-sleep --printPasswordHash <Admin1password> </dev/drive>
    including the namespace if it is an NVMe M.2 drive,
    e.g. # sedutil-sleep --printPasswordHash superSecretPassw0rd /dev/nvme0n1
  6. repeat for every drive, even if the password is the same! The hash is not.
  7. create a systemd service that executes
    # sedutil-sleep -n -x --prepareForS3Sleep 0 <Admin1password hash> </dev/drive>
    where:
  • 0: locking range 0, i.e. the global range
  • -x: the password is given in hex format
  • -n: the password is sent as-is, without hashing it again (it is already the hash)

    e.g. create a file named /etc/systemd/system/OPALsuspend.service containing:

    [Service]
    Type=oneshot
    ExecStart=-+/usr/bin/sedutil-sleep -n -x --prepareForS3Sleep 0 fdbe142fa3e103c43444a7334f735b15ed4a43cb0f71511f5047eb505244421f /dev/nvme0n1
    ExecStart=-+/usr/bin/sedutil-sleep -n -x --prepareForS3Sleep 0 a454341a07f157febbe373a45577734de81334de8452ae034f3a7f0340ea87fb /dev/sda

    [Install]
    WantedBy=multi-user.target
  8. enable and start the service
    # systemctl enable OPALsuspend.service --now
  9. try suspending, but be aware that for me, systemctl suspend results in the system hanging at resume time.
    tested and working solutions on XFCE4:
  • if you use a Desktop Environment, just use your DE's standard suspend; if you are on the CLI and use XFCE4, run xfce4-session-logout -s
  • if you use a lock screen manager like betterlockscreen, run betterlockscreen -s; this suspension method needs prior configuration in order to work, otherwise it will only lock the desktop.
  10. press a key and hopefully enjoy your computer waking up from suspension :)
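
The steps above gathered into one script, as an added example (my own code, not the post's or the sedutil project's). It prompts for each drive's Admin1 password without echoing it, so the password does not end up in the shell history the way typing it on the command line in step 5 does, runs sedutil-sleep --printPasswordHash, checks that the result has the shape of a 64-hex-digit hash, writes the OPALsuspend.service unit readable by root only (it contains the hashes that unlock the drives), and enables it. Assumptions: the binary from the AUR package is at /usr/bin/sedutil-sleep, --printPasswordHash prints the bare hash on stdout, and the unit path and flags are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post or the sedutil project): builds the
# OPALsuspend.service unit from "<hash> <device>" pairs, validates the hashes,
# installs the unit root-only and enables it. Assumptions: sedutil-sleep from
# the sedutil-sleep-git AUR package lives at /usr/bin/sedutil-sleep and
# --printPasswordHash prints the bare 64-hex-digit hash on stdout.

UNIT_PATH="/etc/systemd/system/OPALsuspend.service"
SEDUTIL="/usr/bin/sedutil-sleep"

# is_hash HASH: true only for a 64-hex-digit string, the shape of the value
# --printPasswordHash prints (rejects empty, truncated or mistyped hashes).
is_hash() {
    case "$1" in
        ""|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# gen_unit "HASH DEV" ["HASH DEV" ...]: print the unit on stdout, one ExecStart
# per drive. "-+" = ignore a failing drive and run with full privileges, as in
# the post's unit; 0 is the global locking range.
gen_unit() {
    for pair in "$@"; do
        is_hash "${pair%% *}" || { echo "gen_unit: bad hash for ${pair#* }" >&2; return 1; }
    done
    printf '[Unit]\nDescription=Prepare OPAL drives for S3 sleep\n\n'
    printf '[Service]\nType=oneshot\n'
    for pair in "$@"; do
        printf 'ExecStart=-+%s -n -x --prepareForS3Sleep 0 %s %s\n' \
            "$SEDUTIL" "${pair%% *}" "${pair#* }"
    done
    printf '\n[Install]\nWantedBy=multi-user.target\n'
}

# hash_for DEV: prompt for the Admin1 password without echo, so it lands in
# neither the shell history nor the terminal, then print the per-drive hash.
# (sedutil-sleep itself still takes the password as a command-line argument.)
hash_for() {
    printf 'Admin1 password for %s: ' "$1" >&2
    stty -echo; read -r pw; stty echo; echo >&2
    "$SEDUTIL" --printPasswordHash "$pw" "$1"
}

# install_unit "HASH DEV" ...: write the unit with mode 0600 (it holds the
# hashes that unlock the drives), reload systemd and enable the service.
install_unit() {
    ( umask 077 && gen_unit "$@" > "$UNIT_PATH" ) || return 1
    systemctl daemon-reload && systemctl enable --now OPALsuspend.service
}

# main /dev/drive ...: hash each drive's password, then install the unit.
main() {
    devs=$*
    set --
    for dev in $devs; do
        set -- "$@" "$(hash_for "$dev") $dev"
    done
    install_unit "$@"
}

# Run as root: sh opal-suspend-unit.sh /dev/nvme0n1 /dev/sda
# With no arguments the script only defines the functions.
[ "$#" -eq 0 ] || main "$@"
```

Note that the password is still visible in the process list for the moment sedutil-sleep runs, because its CLI only accepts it as an argument; the prompt only keeps it out of the shell history. The hash check is deliberately strict: if the hash is mistyped or the tool prints something unexpected, the unit is not written, instead of silently installing a service that would fail at every boot.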

partially referenced from ladar/sedutil Issue #4



  © 2019 Francesco Yoshi Gobbo - PGP 3FC5F028E7AFF594 - ISNI 0000000502954809 - P.IVA / VAT: IT-01572520052
