This article lists the Opal drives that are compatible with Symantec Endpoint Encryption Drive Encryption 11.
Note: All systems must be running Windows 8 or greater and boot in UEFI mode.
Update History
Update | Version | Release date |
---|---|---|
Added compatibility with the following Opal v2-compliant drives on Dell and Lenovo systems: | 11.2.1 MP1 | March 29, 2019 |
Added compatibility with the following OEM vendor and computer model for supported Opal v2-compliant drives: Added compatibility with the following Opal v2-compliant drives: | 11.2.0 MP1 | September 21, 2018 |
Manually adding Opal drives certified as compatible between releases of Symantec Endpoint Encryption Drive Encryption
Drive Encryption software uses registry entries to identify which drives are whitelisted. When Symantec releases a new version of Endpoint Encryption, Symantec updates the whitelist and populates the registry entries as part of the release. If Symantec tests and approves Opal drives between releases, Symantec updates the whitelist in this KB, but you must populate the new registry entries. You only need to do this if you are interested in using one or more of those drives.
To learn how to create the registry entries that identify an Opal drive as whitelisted, see the following article:
163518 - How to add computers and drives to the Opal whitelist
Symantec Endpoint Encryption 11.2, 11.3, and 11.4.
SEE Native Drive Encryption is the preferred method of Drive Encryption over Opal. Although the SEE Client can manage Opal for Drive Encryption, Opal comes with some limitations:
* Opal drives must be decrypted prior to installing any Windows Feature Updates.
* NVMe Opal drives are not supported (contact Symantec Encryption Support to be added to this functionality).
* Opal Recovery Keys must be sent to the server.
* No SEE Client Administrators can be used to manage these drives.
* No connectionless recovery.
SEE Native Drive Encryption is agnostic to the type of drive and, most importantly, supports SEE Client Administrators for granular access control.
SEE Native Drive Encryption also includes connectionless recovery, which means the SEE Client never needs to talk to the server for recovery to occur.
SEE Native Drive Encryption lets you install Windows Feature Updates without the need to decrypt drives.
For guidance on whether to choose SEE Native Drive Encryption over Opal, reach out to Symantec Encryption Support.
Whitelist for Opal v2-compliant drives
The following two tables comprise the whitelist of Opal v2-compliant drives for Symantec Endpoint Encryption Drive Encryption that have been certified with SEE versions 11.2 and above (at the time of this writing, the current version is Symantec Endpoint Encryption 12):
OEM vendor | Computer model |
---|---|
Dell | All laptop models |
HP | EliteBook 850 G2 |
HP | EliteBook 850 G4 |
HP | EliteBook 8570p |
HP | EliteBook Folio 1040 G1 |
HP | EliteBook Folio 1040 G2 |
HP | EliteBook Revolve 810 G3 |
HP | ProBook 4540s |
Lenovo | All laptop models |
In addition to the computers listed in the table, any computer is supported that has these required protocols:
Table 2: Supported drive vendors and models
Vendor | Drive model | Firmware |
---|---|---|
Intel | SSDSC2BF | LTVI |
Intel | SSDSC2BF | LUDI |
Intel | SSDSC2BF | TG20 |
Intel | SSDSC2BF120A5 | TG20 |
Intel | SSDSC2BF180A5L | LTVI |
Intel | SSDSC2BF180A5L | LUDI |
Kingston | SKC300S | 600ABBF0 |
Kingston | SUV500/240G | 003056RA |
Kingston | SUV500MS/240G | 003056RA |
Kingston | SUV500M8/240G | 003056RA |
Micron | M600_MTFD | LN01 |
Micron | M600_MTFD | MU03 |
Micron | MTFDDAV | M1T4 |
Micron | MTFDDAV256MAZ | * |
Micron | MTFDDAV256TBN-1AR15ABHA | * |
MT (Micron) | M600_MTFD | LN01 |
MT (Micron) | M600_MTFD | MU03 |
MT (Micron) | MTFDDAV | |
MT (Micron) | MTFDDAV256MAZ | * |
Samsung | SSD_840_EVO_120GB_mSATA | EXT41B6Q |
Samsung | SSD_840_EVO | EXT0 |
Samsung | SSD_840_EVO | EXT41B6Q |
Samsung | SSD_850_EVO | EMT01B6Q |
Samsung | SSD_850_EVO | EMT21B6Q |
Samsung | SSD_850_EVO | EMT4 |
Samsung | SSD_850_EVO_250G | EMT01B6Q |
Samsung | SSD_850_EVO_M.2 | EMT21B6Q |
Samsung | SSD_850_PRO_256G | EXM02B6Q |
SanDisk | SanDisk_SD7UB3Q128G1122 | * |
SanDisk | SanDisk_SD7UB3Q256G1122 | * |
SanDisk | SD7TB3Q | * |
SanDisk | SD7TB3Q-256G-100 | * |
SanDisk | SD7TN3Q-256-100 | * |
SanDisk | SD7UB3Q | * |
SanDisk | SD8TB8U-512G-100 | * |
SanDisk | SD8TB8U256G1001 | * |
SanDisk | SD8TB8U-256G100 | * |
SanDisk | SD8TB8U512G1001 | * |
SanDisk | SD8TN8U-512G-100 | * |
SanDisk | SD8TN8U512G1001 | * |
SanDisk | SD8TN8U-256G-100 | * |
SanDisk | SD8TN8U256G1001 | * |
SanDisk | SD9TN8W-256G-1006 | * |
SK | hynix_SC300_SED | 2002 |
SK | hynix_SC300_HFS2 | 2010 |
ST (Seagate) | ST500LM020-1G116 | SM73 |
ST (Seagate) | ST500LM020-1G1162 | SM73 |

\* = any firmware
For an Opal v2-compliant drive to be hardware encrypted:
Otherwise, the drive is software encrypted.
Whitelist for Microsoft eDrive-support Opal v2-compliant drives
The following two tables comprise the whitelist of Microsoft eDrive-support Opal v2-compliant drives for Symantec Endpoint Encryption Drive Encryption 11:
OEM vendor | Computer model |
---|---|
Dell | All laptop models |
HP | EliteBook 850 G2 |
HP | EliteBook 8570p |
HP | EliteBook Folio 1040 G1 |
HP | EliteBook Folio 1040 G2 |
HP | EliteBook Revolve 810 G3 |
HP | ProBook 4540s |
Lenovo | All laptop models |

Disk vendor | Drive model | Firmware |
---|---|---|
Intel | SSD_Pro_2500 | * |
Samsung | SSD_840_EVO_mSATA | * |

\* All firmware is automatically supported for Microsoft eDrive-support Opal v2-compliant drives.
For a Microsoft eDrive-support Opal v2-compliant drive to be hardware encrypted:
Otherwise, the drive is software encrypted.
Hardware Encryption characteristics/behavior
For unsupported laptops, or if provisioning fails, Symantec Endpoint Encryption Drive Encryption provides software-based encryption.
Client administrators can encrypt Opal v2-compliant drives using the Drive Encryption Administrator Command Line. The status command output for a hardware-encrypted drive differs, depending on how the drive was provisioned: