ZENworks Full Disk Encryption supports self-encrypting hard drives that are compliant with the Trusted Computing Group OPAL 2.0 specification. The two modes of support are:
Pre-boot authentication with software-based encryption: This mode is supported on ALL OPAL 2.0 compliant drives.
Pre-boot authentication is the process of authenticating a user to a device before the device boots to the primary operating system. Using ZENworks pre-boot authentication (ZENworks PBA) in conjunction with Windows login greatly enhances drive security. Software-based encryption adds a second layer of encryption to the drive’s native hardware encryption.
Pre-boot authentication with drive locking: This mode is supported on SOME OPAL 2.0 compliant drives. Support is limited because of variations in the way drive manufacturers implement the OPAL 2.0 specification related to drive locking.
When using this mode, drive locking is initiated during ZENworks PBA initialization. After user authentication occurs through the ZENworks PBA, the drive is unlocked until it is powered off. Only the native hardware encryption is used; ZENworks does not apply software-based encryption in this mode.
The self-encrypting drives that are known to be compatible with ZENworks Full Disk Encryption for drive locking are listed below in Self-Encrypting Drives Compatible with Drive Locking. Likewise, the drives that are known to be incompatible are listed below in Self-Encrypting Drives Incompatible with Drive Locking. If you have a drive that is not listed in either section, you can test the drive for drive-locking compatibility. See ZENworks 11 SP4 Full Disk Encryption Self-Encrypting Drive Compatibility Testing.
With self-encrypting drives, ZENworks Full Disk Encryption provides a pre-boot authentication mechanism (the ZENworks PBA) that interfaces with OPAL to support drive locking. Self-encrypting drives for which the ZENworks PBA can perform this pre-boot operation are considered drive-locking compatible.
Novell testing has shown the following self-encrypting drives to be drive-locking compatible with ZENworks Full Disk Encryption.
Manufacturer | Model Name | Model Number | Test Date |
---|---|---|---|
Micron/Crucial | M500 SSD | CTxxxM500SSD1 | May 2014 |
Samsung | Samsung SSD 840EVO | MZ-7TExxx | November 2014 |
Seagate | Momentus Thin | STxxxLT014 | May 2014 |
Seagate | Momentus Thin | STxxxLT025 | May 2014 |
Seagate | Laptop Ultrathin | STxxxLT033 | May 2014 |
* An xxx in a model number indicates support for all drive sizes available for that model.
Because of differences in the way that drive manufacturers implement the OPAL specification, the ZENworks PBA is not able to interface with the drive locking of some self-encrypting drives. Self-encrypting drives for which the ZENworks PBA cannot perform this pre-boot operation are considered drive-locking incompatible.
Novell testing has shown the following self-encrypting drives to be drive-locking incompatible with ZENworks Full Disk Encryption.
Manufacturer | Model Name | Model Number | Test Date |
---|---|---|---|
Hitachi | Hitachi | HTS725050A7E635 | May 2014 |
SanDisk | X300s SSD | SD7UB3Q-xxxG-1122 | November 2014 |
* An xxx in a model number indicates all drive sizes available for that model.
You can still configure ZENworks Full Disk Encryption to support incompatible self-encrypting drives. In this case, the ZENworks PBA does not implement drive locking; the drive remains unlocked (but hardware encrypted) at all times. To compensate for the drive being unlocked, ZENworks Full Disk Encryption applies software encryption to the drive, adding a second layer of encryption to the drive’s native hardware encryption.
If you have an OPAL 2.0 compliant self-encrypting drive that is not on the Novell list of known compatible or incompatible drives and you want to use drive locking if possible, you should test ZENworks Full Disk Encryption on one device with the drive before rolling it out to other devices with the same drive.
For testing instructions, see ZENworks 11 SP4 Full Disk Encryption Self-Encrypting Drive Compatibility Testing.
For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.novell.com/company/legal/.
Copyright © 2016 Novell, Inc. All Rights Reserved.
All third-party trademarks are the property of their respective owners.