Compatible Opal v2-compliant drives for Symantec Endpoint Encryption (SEE) Drive Encryption

Compatible Opal v2-compliant drives for Symantec Endpoint Encryption (SEE) Drive Encryption

book

Article ID: 172490

calendar_today

Updated On:

Products

Endpoint Encryption

Issue/Introduction

This article lists the Opal drives that are compatible with Symantec Endpoint Encryption Drive Encryption 11

  • Opal v2-compliant drives
  • Microsoft eDrive support – Opal v2-compliant drives

Note: All systems must be running Windows 8 or greater and boot in UEFI mode.

Update History

Update Version Release date

Added compatibility with the following Opal v2-compliant drives on Dell and Lenovo systems:

  • Kingston SUV500/240G
  • Kingston SUV500MS/240G
  • Kingston SUV500M8/240G
11.2.1 MP1 March 29, 2019

Added compatibility with the following OEM vendor and computer model for supported Opal v2-compliant drives:

  • HP EliteBook 850 G4

Added compatibility with the following Opal v2-compliant drives:

  • Micron MTFDDAV256TBN-1AR15ABHA
  • Sandisk SD9TN8W-256G-1006
11.2.0 MP1 September 21, 2018

 

 

Manually adding Opal drives certified as compatible between releases of Symantec Endpoint Encryption Drive Encryption

Drive Encryption software uses registry entries to identify which drives are whitelisted. When Symantec releases a new version of Endpoint Encryption, Symantec updates the whitelist and populates the registry entries as part of the release. If Symantec tests and approves Opal drives between releases, Symantec updates the whitelist in this KB, but you must populate the new registry entries. You only need to do this if you are interested in using one or more of those drives. 

To learn how to create the registry entries that identify an Opal drive as whitelisted, see the following article:

163518 - How to add computers and drives to the Opal whitelist

 

 

Environment

Symantec Endpoint Encryption 11.2, 11.3, and 11.4.

Resolution

SEE Native Drive Encryption is the preferred method of Drive Encryption over Opal.  Although the SEE Client can manage Opal for Drive Encryption, Opal comes with some limitations:

*Opal drives must be decrypted prior to installing any Windows Feature Updates.
*NVMe Opal are not supported (Contact Symantec Encryption Support to be added to this functionality).
*Opal Recovery Keys must be sent to the server.
*No SEE Client Administrators can be used to manage these drives.
*No connectionless recovery.

When using SEE Native Drive Encryption, the type of drives are agnostic, but most importantly, have SEE Client Administrators for granular access control.

SEE Native Drive Encryption also includes connectionless recovery which means the SEE Client never needs to talk to the server for recovery to occur.

SEE Native Drive Encryption includes the ability to upgrade Windows Feature Updates without the need to decrypt drives. 

 

For any further guidance if you should choose SEE Native Drive Encryption over Opal, reach out to Symantec Encryption Support for further guidance. 

 

 

Symantec Endpoint Encryption 11 Compatible Opal Drives

Whitelist for Opal v2-compliant drives

The following two tables comprise the whitelist for Opal v2-compliant drives for Symantec Endpoint Encryption Drive Encryption, which have been certified with SEE versions 11.2 and above.  At the time of this writing, the current version is Symantec Endpoint Encryption 12):

  • Table 1: Supported OEM vendors and computer models
  • Table 2: Supported disk vendors and drives models
OEM vendor Computer model

Table 1: Supported OEM vendors and computer models

Dell All laptop models                                     
HP EliteBook 850 G2
  EliteBook 850 G4
  EliteBook 8570p
  EliteBook Folio 1040 G1
  EliteBook Folio 1040 G2
  EliteBook Revolve 810 G3
  ProBook 4540s
Lenovo All laptop models

In addition to the computers listed in the table, any computer is supported that has these required protocols:

  • ATA_Passthru
  • Secure Storage

Table 2: Supported drive vendors and models

Vendor

Drive model

Firmware

Intel

SSDSC2BF

LTVI

SSDSC2BF

LUDI

SSDSC2BF

TG20

SSDSC2BF120A5

TG20

SSDSC2BF180A5L

LTVI

SSDSC2BF180A5L

LUDI

Kingston

SKC300S

600ABBF0

SUV500/240G

003056RA

SUV500MS/240G

003056RA

SUV500M8/240G

003056RA

Micron

M600_MTFD

LN01

M600_MTFD

MU03

MTFDDAV

M1T4

MTFDDAV256MAZ

*

MTFDDAV256TBN-1AR15ABHA

*

MT (Micron)


 

 

M600_MTFD

LN01

M600_MTFD

MU03

MTFDDAV

 

MTFDDAV256MAZ

*

Samsung

SSD_840_EVO_120GB_mSATA

EXT41B6Q

SSD_840_EVO

EXT0

SSD_840_EVO

EXT41B6Q

SSD_850_EVO

EMT01B6Q

SSD_850_EVO

EMT21B6Q

SSD_850_EVO

EMT4

SSD_850_EVO_250G

EMT01B6Q

SSD_850_EVO_M.2

EMT21B6Q

SSD_850_PRO_256G

EXM02B6Q

SanDisk

SanDisk_SD7UB3Q128G1122

*

SanDisk_SD7UB3Q256G1122

*

SD7TB3Q

*

SD7TB3Q-256G-100

*

SD7TN3Q-256-100

*

SD7UB3Q

*

SD8TB8U-512G-100

*

SD8TB8U256G1001

*

SD8TB8U-256G100

*

SD8TB8U512G1001

*

SD8TN8U-512G-100

*

SD8TN8U512G1001

*

SD8TN8U-256G-100

*

SD8TN8U256G1001

*

SD9TN8W-256G-1006

*

SK

hynix_SC300_SED

2002

hynix_SC300_HFS2

2010

ST (Seagate)

ST500LM020-1G116

SM73

ST500LM020-1G1162

SM73

* = any firmware

 

For an Opal v2-compliant drive to be hardware encrypted:

  • The drive must appear on the whitelist, and
  • Drive Encryption must be able to provision the drive in Global Range Mode, if it is not in Single User Mode.

Otherwise, the drive is software encrypted.

Whitelist for Microsoft eDrive-support Opal v2-compliant drives

The following two tables comprise the whitelist for Microsoft eDrive support - Opal v2-compliant drives for Symantec Endpoint Encryption Drive Encryption 11:

  • Table 3: Supported OEM vendors and computer models
  • Table 4: Supported disk vendors and drive models

Table 3: Supported OEM vendors and computer models

Dell All laptop models                                     
HP EliteBook 850 G2
  EliteBook 8570p
  EliteBook Folio 1040 G1
  EliteBook Folio 1040 G2
  EliteBook Revolve 810 G3
  ProBook 4540s
Lenovo All laptop models

 

Table 4: Supported disk vendors and drive models

Disk vendor Drive model Firmware
Intel SSD_Pro_2500 *
Samsung SSD_840_EVO_mSATA *
*All firmware is automatically supported for
Microsoft eDrive support - Opal v2-compliant drive
   

For a Microsoft eDrive-support Opal v2-compliant drive to be hardware encrypted:

  • The drive must appear on the whitelist, and
  • Default partitions must be created during a default Microsoft Windows installation. when multiple partitions exist on a drive, the number of ranges must be properly mapped with the number of partitions.

Otherwise, the drive is software encrypted.

Symantec Endpoint Encryption Drive Encryption provides software-based encryption on unsupported laptops or if provisioning fails.

Client administrators can encrypt Opal v2-compliant drives using the Drive Encryption Administrator Command Line. The status command output for a hardware-encrypted drive differs, depending on how the drive was provisioned:

  • A hardware-encrypted Opal v2-compliant drive shows that the whole disk is encrypted.
  • A hardware-encrypted Microsoft eDrive support - Opal v2-compliant drive shows that only the C drive is encrypted.

Hardware Encryption characteristics/behavior

For unsupported laptops, or if provisioning fails, Symantec Endpoint Encryption Drive Encryption provides software-based encryption.

Client administrators can encrypt Opal v2-compliant drives using the Drive Encryption Administrator Command Line. The status command output for a hardware-encrypted drive differs, depending on how the drive was provisioned:

  • A hardware encrypted Opal v2-compliant drive shows that the whole disk is encrypted.
  • A hardware encrypted Microsoft eDrive support - Opal v2-compliant drive shows that only the C drive is encrypted.

 

Additional Information

172490 - Compatible Opal v2-compliant drives for Symantec Endpoint Encryption Drive Encryption 11

163518 - How to add computers and drives to the Opal whitelist in Symantec Endpoint Encryption (SEE)

161498 - Compatible Opal v2-compliant drives for Symantec Endpoint Encryption Drive Encryption 11.1.x