sedutil-cli man page

sedutil-cli — util to manage TCG Opal 2.0 self encrypting drives


sedutil-cli <-v> <-n> <action> <options> <device>


sedutil-cli is a utility to manage self encrypting drives that conform to the Trusted Computing Group (TCG) OPAL 2.0 SSC specification.

In Linux libata.allow_tpm must be set to 1. Either via adding libata.allow_tpm=1 to the kernel flags at boot time or changing the contents of /sys/module/libata/parameters/allow_tpm to a from a "0" to a "1" on a running system.


General Options

-v (optional)

increase verbosity, one to five v's

-n (optional)

no password hashing. Passwords will be sent in clear text!



Scans the devices on the system identifying Opal compliant devices

--query <device>

Display the Discovery 0 response of a device

--isValidSED <device>

Verify whether the given device is SED or not

--listLockingRanges <password> <device>

List all Locking Ranges

--listLockingRange <0...n> <password> <device>

List all Locking Ranges, 0 = GLobal 1..n  = LRn

--eraseLockingRange <0...n> <password> <device>

Erase a Locking Range, 0 = GLobal 1..n  = LRn

--setupLockingRange <0...n> <RangeStart> <RangeLength> <password> <device>

Setup a new Locking Range, 0 = GLobal 1..n  = LRn

--initialSetup <SIDpassword> <device>

Setup the device for use with sedutil, <SIDpassword> is new SID and Admin1 password

--setSIDPassword <SIDpassword> <newSIDpassword> <device>

Change the SID password

--setAdmin1Pwd <Admin1password> <newAdmin1password> <device>

Change the Admin1 password

--setPassword <oldpassword, " for MSID> <userid> <newpassword> <device>

Change the Enterprise password for userid, "EraseMaster" or "BandMaster<n>", 0 <= n <= 1023

--setLockingRange <0...n> <RW|RO|LK> <Admin1password> <device>

Set the status of a Locking Range, 0 = GLobal 1..n  = LRn

--enableLockingRange <0...n> <Admin1password> <device>

Enable a Locking Range, 0 = GLobal 1..n  = LRn

--disableLockingRange <0...n> <Admin1password> <device>

Disable a Locking Range, 0 = GLobal 1..n  = LRn

--setMBREnable <on|off> <Admin1password> <device>

Enable|Disable MBR shadowing

--setMBRDone <on|off> <Admin1password> <device>

set|unset MBRDone

--loadPBAimage <Admin1password> <file> <device>

Write <file> to MBR Shadow area

--revertTPer <SIDpassword> <device>

set the device back to factory defaults. This **ERASES ALL DATA**

--revertNoErase <Admin1password> <device>

deactivate the Locking SP without erasing the data on GLOBAL RANGE *ONLY*

----yesIreallywanttoERASEALLmydatausingthePSID <PSID> <device>

revert the device using the PSID. *ERASING* *ALL* the data

--printDefaultPassword <device>

print MSID


sedutil-cli --scan
sedutil-cli --query /dev/sdc
sedutil-cli --yesIreallywanttoERASEALLmydatausingthePSID <PSIDALLCAPSNODASHED> /dev/sdc
sedutil-cli --initialSetup <newSIDpassword> /dev/sdc


Sleep (S3) is not supported.


The tool was developed by Bright Plaza Inc. <>. This man page was written by Jan Luca Naumann <>.


18 Feb 2016 0.12 sedutil-cli man page