TCG Opal stands for Trusted Computing Group OPAL. The Trusted Computing Group is an organisation that develops open standards for trusted computing platforms. It is run by leading companies from the computer industry.
According to its website, its goal is to “develop and promote open, vendor-neutral, industry standard specifications for trusted computing building blocks and software interfaces across multiple platforms.” According to its goal, the term ‘trust’ means that a device, product or software will act in a previously defined way for a certain purpose.
The Opal Storage Specification is a set of specifications for features of data storage devices (such as disk drives) that enhance their security.
The latest Opal Storage Specification is currently available in version 2.0 and it features and demands encryption for the stored data so that an unauthorised person will not be able to see or access the data even if possession of a drive was gained.
This is due to the fact that disk and data encryption is a protection mechanism to provide protection after a drive is lost, stolen or seized.
Opal SSC (Security Subsystem Class) v.2.0 makes hardware encryption manageable. The specification standard stipulates that the hardware encryption is permanently active („always on“). That means that Opal 2.0 is one of the main standards for the so-called SED self-encrypting drives. However, that does not mean that every SED drive is Opal-compliant. Some are, some are not.
What are SEDs?
SEDs are self-encrypting drives which are based on hardware encryption. SEDs can be both SSD as well as HDDs. HDDs however, which are also based on hardware encryption, are mostly named full encryption disks (FED).
Anyway, the main benefit of SED drives is that the CPU is freed from the encryption or decryption calculation a software encryption tool needs, and therefore the overall performance is increased. Another benefit is that the CPU and the RAM are not possible attack targets for hackers.
SEDs which rely on the Opal 2.0 standard implement an advanced key management via both an authentification key (AK) and a second-level data encryption key (DEK). The key management takes place within the disk controller chip. The encryption keys are either 128 or 256 bit AED (Advanced Encryption Standard).
Since the encryption is always on, the disk controller will decrypt the content of the disk automatically after the computer has booted. If the user wants more security, they can set an additional ATA password. But if this password is lost by the user, neither the administrator nor a data recovery expert can get access to the disk or data ever again.
Many SED producers provide the user with additional software tools to create their additional user password. Even though it is not necessary, as said before, since the data itself is already encrypted, it provides an additional layer of security.