NDU
Posted June 27

Hello,

I am trying to set up hardware-level encryption using ESET Full Encryption; however, I did not find a lot of documentation about the process.

ESET FDE software-based encryption works, however the performance impact is pretty significant, so we would like to try hardware-based encryption on our NVMe SSDs.

We have multiple machines using NVMe drives with specified support for OPAL / SED from multiple vendors, however these machines are shown as "hardware encryption not supported" in ESET PROTECT.

Is there a list of supported hardware? Is there a process required to use hardware encryption other than enabling the correct option in the encryption policy?

Using hardware encryption with BitLocker requires specific steps such as a Windows reinstall, specific BIOS settings, a GPO to allow it in Windows, sometimes an activation in the SSD manufacturer's software, etc.; with ESET FDE I can't find any documentation describing the required steps to enable it, and encryption falls back to software mode or simply does not start if OPAL is set as mandatory.

Can you help us please?

Thank you,
Regards

AAndrejko (ESET Staff)
Posted June 27

Hi @NDU

In ESET Full Disk Encryption the process of setting up OPAL encryption is the exact same as software encryption: you simply enable it in your policy and your system will perform some pre-checks before safe start is initialized. That will run, and once you're back in Windows, we have a splash screen that will enable OPAL locking if everything is OK.

If your systems are failing to encrypt with OPAL encryption, it may be down to a few things. Here is an FAQ on our OPAL encryption which you may find useful - https://support.eset.com/en/kb7974-opal-disk-encryption-faq. Typically an OPAL disk would fail to start encryption due to something else owning the drive, mainly Windows in my experience, or the drive is OPAL compatible, but not TCG OPAL 2.0 compatible. Please ignore the warning at the top saying it's not for EFDE; it does indeed relate to EFDE in many aspects. There's also a small list of our OPAL tested drives we've tried.

I would like to go back to your reasoning for OPAL encryption, the speed. Is there any noticeable difference with software encryption, such as Windows loading noticeably slower with encryption in place compared to it not being in place? Or are you benchmarking the drives after encryption is complete? Please be aware the drive isn't able to compress encrypted data, therefore the true read and write speeds of a drive without compression are shown when FDE is in place. However, OPAL encryption should allow the drive to function at stated speeds.

If you're still experiencing issues with setting up OPAL, I would urge you to grab a UEFI diagnostic log from the system (a link to this is available on the FAQ) and submit a support ticket with it attached. We should be able to see what is causing the issue.

Kind regards,
Ashley