OPAL Self-Encrypting Drives (SED) encryption fails to be activated by FDE
When reimaging or reinstalling the Windows OS on an OPAL disk, it is possible that third-party software, or the Windows OS itself, on the original (now erased) Windows installation had taken ownership of the OPAL disk. In this scenario, the encryption keys used to administer and configure the OPAL disk are lost, and Full Disk Encryption (FDE) cannot use the OPAL hardware encryption. For the OPAL hardware to become usable again, the disk must be reset to its original state.
A reset can be performed using the Check Point OPAL tool (see sk92970) to issue a so-called PSID revert, or by using third-party software specific to the disk in question to perform the reset.
The following describes some common scenarios where Full Disk Encryption (FDE) may fail to activate hardware encryption because previous software has taken ownership of the disk:
- If an OPAL disk of which Windows has taken ownership is reimaged or reinstalled with a new Windows installation, a subsequent installation of FDE with OPAL support will fail to activate the hardware encryption and fall back to software encryption. Note that Windows will take ownership of the disk regardless of whether BitLocker is used (for more details, see sk92970).
- If an OPAL disk with Check Point Full Disk Encryption (FDE) installed is reimaged without uninstalling FDE, a subsequent installation of FDE with OPAL support will fail to activate the hardware encryption and fall back to using software encryption.
Using the Check Point OPAL tool (see sk92970), issue a PSID revert of the OPAL disk (SED) prior to re-imaging/reinstallation.
Important Note: Resetting the OPAL state will irrevocably erase all data on the disk.
For machines that have FDE installed (with the "allow SED" setting enabled), FDE must be uninstalled or a PSID revert performed prior to reimaging. The hardware encryption cannot be overwritten by a reimage, and the attempt to reimage may fail.
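As an added pre-reimage check (this is not part of the article or of the Check Point OPAL tool), the following Python parses the Locking-function block of an OPAL drive's status query, in the style of the open-source sedutil-cli `--query` output, and reports whether the Locking SP is already owned, which is the condition under which FDE falls back to software encryption after a reimage. The sample output is constructed and the field names (LockingSupported, LockingEnabled, MediaEncrypt) are assumed to follow that tool's format.

```python
import re

# Constructed sample in the style of `sedutil-cli --query` output.
# Assumed format, not captured from a real drive: a "Locking function"
# header followed by an indented line of "Name = Y/N" flags.
SAMPLE_QUERY = """\
Locking function (0x0002)
    Locked = N, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
"""

_FLAG_RE = re.compile(r"(\w+)\s*=\s*([YN])")


def parse_locking_flags(query_output):
    """Return the Y/N flags of the 'Locking function' block as a dict of bools.

    Returns an empty dict when no Locking block is present (non-OPAL drive).
    """
    lines = query_output.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith("Locking function"):
            flags = {}
            # Flag lines are indented under the header; stop at the next header.
            for j in range(i + 1, len(lines)):
                if not lines[j].startswith((" ", "\t")):
                    break
                flags.update({k: v == "Y" for k, v in _FLAG_RE.findall(lines[j])})
            return flags
    return {}


def reimage_readiness(flags):
    """Classify the drive before reimaging with FDE + OPAL support.

    'not-opal' : no Locking SP, FDE will use software encryption regardless
    'ready'    : OPAL drive whose Locking SP is not owned, FDE can take it
    'owned'    : Locking SP already activated by a previous OS, FDE or third
                 party; uninstall FDE or PSID revert first (erases all data)
    """
    if not flags.get("LockingSupported", False):
        return "not-opal"
    if flags.get("LockingEnabled", False):
        return "owned"
    return "ready"


if __name__ == "__main__":
    print(reimage_readiness(parse_locking_flags(SAMPLE_QUERY)))  # owned
```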
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.