From: Nikolai Grigoriev <nikolai@grigr.xyz>
To: Ondrej Kozina <okozina@redhat.com>
Cc: Cryptsetup <cryptsetup@lists.linux.dev>
Subject: Re: OPAL setup for a new drive without sedutil initial setup
Date: Mon, 18 Mar 2024 14:13:53 +0100 (CET)
Message-ID: <NtGgb5H--3-9@grigr.xyz>
In-Reply-To: <c238a50b-e382-4dec-9b4b-9c33e420b541@redhat.com-NtFh9t5--7-9>

I tried to enter a password expecting it to become my new Admin1 password. That did not work. The message was something like "Invalid Admin1 password or permission denied". I ran it with "--hw-opal-only" against /dev/nvme0n1p3. The drive is a brand-new Crucial T500 2Tb. Never used sedutil on it. I will try sedutil now to see what is going on and to set my password.
--
Nikolai Grigoriev
Mar 18, 2024, 04:36 by okozina@redhat.com:
> On 18/03/2024 03:21, Nikolai Grigoriev wrote:
>
>> Hello,
>>
>> I was about to set up a new machine and I was about to use OPAL the "old" way. And then I discovered that cryptsetup now supports OPAL! Thanks :)
>>
>> However, something is not clear to me from the documentation. When I tried "luksFormat", I was prompted for both passphrase and OPAL Admin password. For the former it is clear, this is the passphrase for LUKS2 itself. However, I never configured OPAL on this drive, thus, it does not have an Admin1 password (and SID) set at all.
>>
>> Does it mean I still need to use "sedutil-cli --initialsetup" before using cryptsetup or...or I do not understand what is expected :) The documentation seems to suggest that this password needs to be provided only when initial setup was done. Should I enter an empty one then? And if so, what will my actual Admin1 password be after setup is complete?
>>
>
> Cryptsetup does the initial setup automatically provided the device reports itself as yet uninitialized.
>
> IOW, it should work on SED OPAL devices in both states. Either you have to provide the existing Admin1 PIN or you are setting a new one during the luksFormat command.
>
> Kind regards
> Ondrej
>

Thread overview: 6+ messages
2024-03-18 2:21 OPAL setup for a new drive without sedutil initial setup Nikolai Grigoriev
2024-03-18 8:36 ` Ondrej Kozina
[not found] ` <c238a50b-e382-4dec-9b4b-9c33e420b541@redhat.com-NtFh9t5--7-9>
2024-03-18 13:13 ` Nikolai Grigoriev [this message]
2024-03-18 13:45 ` Ondrej Kozina
2024-03-19 0:14 ` Nikolai Grigoriev
[not found] ` <NtJ2omI--3-9@grigr.xyz-NtJ2rJc--N-9>
2024-03-21 21:55 ` Nikolai Grigoriev