sedutil-cli - util to manage TCG Opal 2.0 self encrypting drives
sedutil-cli <-v> <-n> <action> <options> <device>
sedutil-cli is a utility to manage self encrypting drives that
conform to the Trusted Computing Group (TCG) OPAL 2.0 SSC specification.
On Linux, libata.allow_tpm must be set to 1, either by adding
libata.allow_tpm=1 to the kernel flags at boot time or by changing the contents
of /sys/module/libata/parameters/allow_tpm from "0" to "1" on a running system.
- --scan
- Scans the devices on the system, identifying Opal compliant devices
- --query <device>
- Display the Discovery 0 response of a device
- --isValidSED <device>
- Verify whether the given device is an SED or not
- --listLockingRanges <password> <device>
- List all Locking Ranges
- --listLockingRange <0...n> <password> <device>
- List all Locking Ranges, 0 = Global, 1..n = LRn
- --eraseLockingRange <0...n> <password> <device>
- Erase a Locking Range, 0 = Global, 1..n = LRn
- --setupLockingRange <0...n> <RangeStart> <RangeLength> <password> <device>
- Set up a new Locking Range, 0 = Global, 1..n = LRn
- --initialSetup <SIDpassword> <device>
- Set up the device for use with sedutil; <SIDpassword> is the new SID and Admin1 password
- --setSIDPassword <SIDpassword> <newSIDpassword> <device>
- Change the SID password
- --setAdmin1Pwd <Admin1password> <newAdmin1password> <device>
- Change the Admin1 password
- --setPassword <oldpassword, "" for MSID> <userid> <newpassword> <device>
- Change the Enterprise password for userid, "EraseMaster" or "BandMaster<n>", 0 <= n <= 1023
- --setLockingRange <0...n> <RW|RO|LK> <Admin1password> <device>
- Set the status of a Locking Range, 0 = Global, 1..n = LRn
- --enableLockingRange <0...n> <Admin1password> <device>
- Enable a Locking Range, 0 = Global, 1..n = LRn
- --disableLockingRange <0...n> <Admin1password> <device>
- Disable a Locking Range, 0 = Global, 1..n = LRn
- --setMBREnable <on|off> <Admin1password> <device>
- Enable|Disable MBR shadowing
- --setMBRDone <on|off> <Admin1password> <device>
- Set|Unset MBRDone
- --loadPBAimage <Admin1password> <file> <device>
- Write <file> to MBR Shadow area
- --revertTPer <SIDpassword> <device>
- Set the device back to factory defaults. This **ERASES ALL DATA**
- --revertNoErase <Admin1password> <device>
- Deactivate the Locking SP without erasing the data on GLOBAL RANGE *ONLY*
- --yesIreallywanttoERASEALLmydatausingthePSID <PSID> <device>
- Revert the device using the PSID. *ERASING* *ALL* the data
- --printDefaultPassword <device>
- Print MSID
sedutil-cli --scan
sedutil-cli --query /dev/sdc
sedutil-cli --yesIreallywanttoERASEALLmydatausingthePSID <PSIDALLCAPSNODASHED> /dev/sdc
sedutil-cli --initialSetup <newSIDpassword> /dev/sdc
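A read-only check of the libata.allow_tpm prerequisite described above, added here as an example and not part of sedutil. The function names and return codes are this example's own convention; the two file arguments default to the live system paths and exist so the check can be exercised against constructed files.

```shell
#!/bin/sh
# Added example (not part of sedutil): read-only check of the
# libata.allow_tpm prerequisite. Function names and return codes are
# this example's own convention.

# allow_tpm_state [param_file] [cmdline_file]
#   0 = value is 1 and the flag is on the kernel command line
#   1 = value is 1 on the running system only (not on the command line)
#   2 = value is not 1
#   3 = parameter file not readable
allow_tpm_state() {
    param_file=${1:-/sys/module/libata/parameters/allow_tpm}
    cmdline_file=${2:-/proc/cmdline}

    [ -r "$param_file" ] || return 3

    # The file holds one integer followed by a newline.
    value=$(tr -d '[:space:]' < "$param_file")
    [ "$value" = "1" ] || return 2

    # Split the command line into words and match the flag exactly, so
    # libata.allow_tpm=10 or a longer option name does not count.
    if [ -r "$cmdline_file" ] &&
       tr -s ' \t' '\n' < "$cmdline_file" | grep -qxF 'libata.allow_tpm=1'
    then
        return 0
    fi
    return 1
}

# describe_allow_tpm [param_file] [cmdline_file]
# Prints a verdict and returns the code from allow_tpm_state.
describe_allow_tpm() {
    rc=0
    allow_tpm_state "$@" || rc=$?
    case $rc in
        0) echo "ok: allow_tpm=1, set on the kernel command line" ;;
        1) echo "warn: allow_tpm=1 on the running system only" ;;
        2) echo "fail: allow_tpm is not 1" ;;
        3) echo "fail: allow_tpm parameter file not readable" ;;
    esac
    return "$rc"
}
```

Call `describe_allow_tpm` with no arguments before running sedutil-cli; a return code of 1 means the value was changed on the running system and will not survive a reboot.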
Sleep (S3) is not supported.
The tool was developed by Bright Plaza Inc.
<drivetrust@drivetrust.com>. This man page was written by Jan Luca
Naumann <j.naumann@fu-berlin.de>.