The University of Texas at Austin

Enterprise Whole Disk Encryption

Self-encrypting Drive Recovery - PC

Creating your Linux bootable USB

  1. Insert a USB stick into your device.

  2. Extract the downloaded ZIP file and run dskimg.exe.

  3. Browse to the sdemrdsk.bin file (included in the ZIP) and then click WRITE. This will write our Linux image to your USB.

  4. Once the write completes, you can copy any device’s hardware encryption data from SES to the USB.

    Note: Hardware Encryption Data is unique for each SED. You can obtain it by right-clicking the specific device in your SES, clicking Export Hardware Encryption Data, and browsing to the USB.

Using the HWEMngr tool:

Upon booting from the USB, the following commands are available:

  • ./hwemngr -h (prints help)
  • ./hwemngr -l (prints list of devices)
  • ./hwemngr -i (prints information for default device 0)
  • ./hwemngr n -i (prints information for device n)
  • ./hwemngr n -k XXXX.DBK -p XXXX.ENC -u (unlocks the device n)
  • ./hwemngr n -k XXXX.DBK -p XXXX.ENC -e (enables HFDE feature on the device n)
  • ./hwemngr n -k XXXX.DBK -p XXXX.ENC -d (disables HFDE feature on the device n)
  • ./hwemngr n -k XXXX.DBK -p XXXX.ENC -r (removes HFDE card from the device n)

Key

  • n – zero-based integer index of a device; by default n == 0 (the first drive)
  • XXXX.DBK – login key file path (since the file is located on the USB, you have to specify /mnt/emrdsk/filepath)
  • XXXX.ENC – encrypted password file path. If you don't have a .enc file, leave off the -p switch and the tool will prompt for a password. This should be the password set on the file from the SecureDoc Enterprise Console.

Examples

  1. To unlock a drive for one session (after shutdown the drive will be locked again)
    ./hwemngr 0 -k /mnt/emrdsk/HWEkeyfile.dbk -p /mnt/emrdsk/sdhwe.enc -u

  2. To reset the drive to factory state, execute only the remove HFDE card command
    ./hwemngr 0 -k /mnt/emrdsk/HWEkeyfile.dbk -p /mnt/emrdsk/sdhwe.enc -r

  3. After executing the above command run the following command to check the status of the drive and verify that the above command was executed successfully.
    ./hwemngr -l (Status : 0x0 -- drive is clean (factory state))

You can now re-image this drive.

Status Legend:

  • Status : 0x0 – drive is clean (factory state)

  • Status : 0x4 – HFDE card was issued

  • Status : 0x6 – HFDE card was issued and HFDE feature was enabled (drive will be locked after power cycle)

  • Status : 0x7 – HFDE card was issued and HFDE feature was enabled, drive is locked now.

Crypto-Erase Program

Download the OpalCryptoErase files from https://webdav.austin.utexas.edu/ewde/! SecureDoc Tools.

This utility can Crypto-Erase a TCG Opal Drive issued by any version of SecureDoc without needing any DBK or ENC files.

Warning: Crypto-Erasing an Opal drive deletes all of its data and returns the drive to factory condition.

  • Unpack the OpalCryptoErase.zip file and copy its contents to the /mnt/emrdsk directory on the USB tool. To use this plugin, boot to the USB tool, navigate to /mnt/emrdsk, then run the commands shown below:

    Note: This program must be run with root privileges and requires libsduser.so to be installed. If you are running a Linux-based SecureDoc Emergency Disk, you can skip this step; otherwise, run libsduser_install.sh to install the library.

Usage

  • Using Crypto-Erase.
    ./OpalCryptoErase -h
    WinMagic OPAL Crypto Erase Utility Version 3.0
    Usage: OpalCryptoErase <integer> [-hilw]
    <integer> Zero based device number
    -h Display help
    -i Display device information
    -l List all devices
    -w Crypto erase HFDE drive

Examples

  • Run this command to list all drives.
    ./OpalCryptoErase -l
    WinMagic OPAL Crypto Erase Utility Version 3.0

    Device 0
    Device path: /dev/sda
    Model : ST320LT002
    Serial : Q02002QY
    Firmware : 0001SDM7
    Status : 0x6
    HWE type : OPAL drive

    Device 1
    Device path: /dev/sdb
    Model :
    Serial :
    Firmware :
    Status : 0x0
    HWE type : Software only

  • Run this command to list information on one drive, drive 0 in this case.
    ./OpalCryptoErase 0 -i
    WinMagic OPAL Crypto Erase Utility Version 3.0
    Device path: /dev/sda
    Model : ST320LT002
    Serial : Q02002QY
    Firmware : 0001SDM7
    Status : 0x6
    HWE type : OPAL drive

  • Run this command to Crypto Erase the drive, drive 0 in this case.
    ./OpalCryptoErase 0 -w
    WinMagic OPAL Crypto Erase Utility Version 3.0
    All data on the disk will be destroyed. If you wish to proceed type 'yes': no
    Crypto erase canceled.
    Device path: /dev/sda
    Model : ST320LT002
    Serial : Q02002QY
    Firmware : 0001SDM7
    Status : 0x6
    HWE type : OPAL drive
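
The device listing and the Status Legend above can be checked by script before a drive is re-imaged or erased. The following is an added example, not part of the original page or of the WinMagic tools: it parses `-l` style output and succeeds only when the chosen device reports status 0x0. The function names, the availability of awk on the boot USB, and hwemngr -l printing the same fields as the OpalCryptoErase listing are assumptions.

```shell
# Constructed sample: the -l listing shown on this page, Model/Firmware lines omitted.
sample_listing() {
cat <<'EOF'
WinMagic OPAL Crypto Erase Utility Version 3.0

Device 0
Device path: /dev/sda
Serial : Q02002QY
Status : 0x6
HWE type : OPAL drive

Device 1
Device path: /dev/sdb
Serial :
Status : 0x0
HWE type : Software only
EOF
}
# Emit one "index|path|serial|status|hwe_type" record per "Device N" block.
parse_listing() {
  awk '
    function emit() { if (idx != "") print idx "|" path "|" serial "|" status "|" hwe }
    function val(s) { sub(/^[^:]*:[ \t]*/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*Device [0-9]+[ \t]*$/ { emit(); idx = $2; path = serial = status = hwe = ""; next }
    /^[ \t]*Device path[ \t]*:/   { path = val($0); next }
    /^[ \t]*Serial[ \t]*:/        { serial = val($0); next }
    /^[ \t]*Status[ \t]*:/        { status = val($0); next }
    /^[ \t]*HWE type[ \t]*:/      { hwe = val($0); next }
    END { emit() }
  '
}
# Map a status value to the wording of the Status Legend on this page.
status_meaning() {
  case "$1" in
    0x0) echo "clean (factory state)" ;;
    0x4) echo "HFDE card issued" ;;
    0x6) echo "HFDE card issued, HFDE enabled (locks after power cycle)" ;;
    0x7) echo "HFDE card issued, HFDE enabled, locked now" ;;
    *)   echo "not in the legend" ;;
  esac
}
# Exit 0 only if device $1 appears in the listing on stdin with status 0x0.
ready_to_reimage() {
  parse_listing | awk -F'|' -v want="$1" \
    '$1 == want { found = 1; ok = ($4 == "0x0") } END { exit !(found && ok) }'
}
# Report every device in the sample; replace sample_listing with the real tool's -l output.
sample_listing | parse_listing | while IFS='|' read -r i p s st h; do
  echo "device $i ($p, $h): $st = $(status_meaning "$st")"
done
```

A device index that is missing from the listing is treated the same as a drive that is not clean, so the check fails closed.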

Last updated July 3, 2013 @ 10:27 am
