sedutil-cli - Man Page
util to manage TCG Opal 2.0 self encrypting drives
Synopsis
Description
sedutil-cli is a utility to manage self encrypting drives that conform to the Trusted Computing Group (TCG) OPAL 2.0 SSC specification.
On Linux, libata.allow_tpm must be set to 1, either by adding libata.allow_tpm=1 to the kernel flags at boot time or by changing the contents of /sys/module/libata/parameters/allow_tpm from "0" to "1" on a running system.
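A pre-flight check for the requirement above, as an added example that is not part of the original man page or of sedutil: it reads the current value of the parameter and reports whether it came from the boot flags or was only changed on the running system. The function name allow_tpm_status and its result strings are made up for this example; the two paths default to the real locations and can be overridden for testing.

```shell
#!/bin/sh
# Added example: report the state of libata.allow_tpm before running sedutil-cli.
# allow_tpm_status and its output strings are hypothetical names for this sketch.
# Usage: allow_tpm_status [param_file] [cmdline_file]

allow_tpm_status() {
    param_file=${1:-/sys/module/libata/parameters/allow_tpm}
    cmdline_file=${2:-/proc/cmdline}

    # Without the sysfs entry the state cannot be determined.
    if [ ! -r "$param_file" ]; then
        echo "unknown"
        return 2
    fi

    # Value the kernel is using right now ("0" or "1").
    runtime=$(tr -d '[:space:]' < "$param_file")

    # Was the flag passed on the kernel command line of this boot?
    at_boot=no
    if [ -r "$cmdline_file" ] &&
       tr -s '[:space:]' '\n' < "$cmdline_file" | grep -qxF 'libata.allow_tpm=1'; then
        at_boot=yes
    fi

    case "$runtime:$at_boot" in
        1:yes) echo "enabled-at-boot";      return 0 ;;
        1:no)  echo "enabled-runtime-only"; return 0 ;;  # not in this boot's flags
        *)     echo "disabled";             return 1 ;;
    esac
}
```

A result of enabled-runtime-only means the setting was not part of the boot flags, so it will not be there after a reboot unless libata.allow_tpm=1 is added to them.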
Options
General Options
- -v (optional)
Increase verbosity, one to five v's
- -n (optional)
No password hashing. Passwords will be sent in clear text!
Actions
- --scan
Scans the devices on the system identifying Opal compliant devices
- --query <device>
Display the Discovery 0 response of a device
- --isValidSED <device>
Verify whether the given device is SED or not
- --listLockingRanges <password> <device>
List all Locking Ranges
- --listLockingRange <0...n> <password> <device>
List all Locking Ranges, 0 = Global 1..n = LRn
- --eraseLockingRange <0...n> <password> <device>
Erase a Locking Range, 0 = Global 1..n = LRn
- --setupLockingRange <0...n> <RangeStart> <RangeLength> <password> <device>
Setup a new Locking Range, 0 = Global 1..n = LRn
- --initialSetup <SIDpassword> <device>
Setup the device for use with sedutil, <SIDpassword> is new SID and Admin1 password
- --setSIDPassword <SIDpassword> <newSIDpassword> <device>
Change the SID password
- --setAdmin1Pwd <Admin1password> <newAdmin1password> <device>
Change the Admin1 password
- --setPassword <oldpassword, "" for MSID> <userid> <newpassword> <device>
Change the Enterprise password for userid, "EraseMaster" or "BandMaster<n>", 0 <= n <= 1023
- --setLockingRange <0...n> <RW|RO|LK> <Admin1password> <device>
Set the status of a Locking Range, 0 = Global 1..n = LRn
- --enableLockingRange <0...n> <Admin1password> <device>
Enable a Locking Range, 0 = Global 1..n = LRn
- --disableLockingRange <0...n> <Admin1password> <device>
Disable a Locking Range, 0 = Global 1..n = LRn
- --setMBREnable <on|off> <Admin1password> <device>
Enable|Disable MBR shadowing
- --setMBRDone <on|off> <Admin1password> <device>
Set|unset MBRDone
- --loadPBAimage <Admin1password> <file> <device>
Write <file> to MBR Shadow area
- --revertTPer <SIDpassword> <device>
Set the device back to factory defaults. This **ERASES ALL DATA**
- --revertNoErase <Admin1password> <device>
Deactivate the Locking SP without erasing the data on GLOBAL RANGE *ONLY*
- --yesIreallywanttoERASEALLmydatausingthePSID <PSID> <device>
Revert the device using the PSID. *ERASING* *ALL* the data
- --printDefaultPassword <device>
Print MSID
Examples
sedutil-cli --scan
sedutil-cli --query /dev/sdc
sedutil-cli --yesIreallywanttoERASEALLmydatausingthePSID <PSIDALLCAPSNODASHED> /dev/sdc
sedutil-cli --initialSetup <newSIDpassword> /dev/sdc
Bugs
Sleep (S3) is not supported.
Author
The tool was developed by Bright Plaza Inc. <drivetrust@drivetrust.com>. This man page was written by Jan Luca Naumann <j.naumann@fu-berlin.de>.