From: Nikolai Grigoriev <nikolai@grigr.xyz>
To: Ondrej Kozina <okozina@redhat.com>
Cc: Cryptsetup <cryptsetup@lists.linux.dev>
Subject: Re: OPAL setup for a new drive without sedutil initial setup
Date: Mon, 18 Mar 2024 14:13:53 +0100 (CET)
Message-ID: <NtGgb5H--3-9@grigr.xyz>
In-Reply-To: <c238a50b-e382-4dec-9b4b-9c33e420b541@redhat.com-NtFh9t5--7-9>
I tried to enter a password expecting it to become my new Admin1 password. That did not work. The message was something like "Invalid Admin1 password or permission denied". I ran it with "--hw-opal-only" against /dev/nvme0n1p3. The drive is a brand-new Crucial T500 2Tb. Never used sedutil on it. I will try sedutil now to see what is going on and to set my password.
--
Nikolai Grigoriev
Mar 18, 2024, 04:36 by okozina@redhat.com:
> On 18/03/2024 03:21, Nikolai Grigoriev wrote:
>
>> Hello,
>>
>> I was about to set up a new machine and I was about to use OPAL the "old" way. And then I discovered that cryptsetup now supports OPAL! Thanks :)
>>
>> However, something is not clear to me from the documentation. When I tried "luksFormat", I was prompted for both passphrase and OPAL Admin password. For the former it is clear, this is the passphrase for LUKS2 itself. However, I never configured OPAL on this drive, thus, it does not have an Admin1 password (and SID) set at all.
>>
>> Does it mean I still need to use "sedutil-cli --initialsetup" before using cryptsetup or...or I do not understand what is expected :) The documentation seems to suggest that this password needs to be provided only when initial setup was done. Should I enter an empty one then? And if so, what will my actual Admin1 password be after setup is complete?
>>
>
> Cryptsetup does the initial setup automatically provided the device reports itself as yet uninitialized.
>
> IOW, it should work on SED OPAL devices in both states. Either you have to provide the existing Admin1 PIN or you are setting a new one during the luksFormat command.
>
> Kind regards
> Ondrej
>