HP Recommended
z840

Hi,

 

EDIT 2023-08-09: the z840 is NOT compatible with Self Encrypting Drive (SED). Have tested with a Samsung 970 Evo Plus, which has been successfully provisioned (i.e. locked with an Authorization Key and loaded with a Pre-Boot Authorization (PBA) image) using the sedutil tool. When booting, the Pre-Boot Authorization comes up to ask for the Authorization Key (AK) to unlock the drive, then the screen freezes. Power off is the only option. I suppose the z840 is not compatible with SED and doesn't have a mechanism to accept the manual input of the AK. HP's own documentation mentions the default option "Block SID", which is enabled to prevent accidental provisioning of an SED. This option doesn't exist in the z840 BIOS v2.59a, current as of 2023-08-09.

 

Original post (2023-07-27):


Currently using HP z840 + WD SN750 (1TB) NVMe mounted in an after market NVMe PCIe Adapter. The BIOS is v2.59a which is still latest as of 2023-07-27.

 

I would like to swap it for a Samsung 970 Evo Plus, which supports hardware encryption. More exactly, a Disk Encrypting Drive following the Opal 2.0 standard.

 

On the software side, this machine will have only Debian stable installed. I can use sedutil to provision and SED-lock the drive. What puzzled me is the BIOS. The HP Technical Whitepaper Disk Encrypting Drive Overview states:

 

NVMe SED Change Control (HP BIOS)

There is an important capability in HP system BIOS to prevent an SED from being provisioned unexpectedly,
if the drive supports the Opal Feature Set item “Block SID Authentication,” as HP-provided drives do.
(The SID is the security credential that must be presented to the drive in order to manage it.)
By default, the BIOS Setup item Security->Hard Drive Utilities->Allow OPAL Hard Drive SID Authentication
is unchecked. That means that no changes to the drive setup can be made. When you are ready to provision
your drive, you can check the box for this setting, and on the next bootup, the drive will be open to provisioning.

 

I went over all the BIOS options and don't see any option related to Security / Hard Drive Utilities / Allow OPAL Hard Drive SID Authentication. It might be that, because my current drive (WD SN750) does not support OPAL 2.0, the option is not visible (while I would expect it to be visible but grayed out).

 

Before I investigate further, I would like to know if any of you has succeeded in enabling an NVMe Disk Encrypting Drive (SED) on an HP z840.

 

Thanks very much in advance for any advice.

11 REPLIES
HP Recommended

The WD SN750 line of SSDs is marketed as a "gaming" SSD; as such, it lacks onboard hardware encryption. Same for the 850 line of SSDs.

 

The term "self-encrypting drive" (SED) is now common when referring to HDDs or SSDs with built-in full-disk encryption. OPAL is a set of specifications for self-encrypting drives developed by the Trusted Computing Group.

 

SSDs that do support some level of hardware encryption will usually have a "PSID" number printed on the SSD label, indicating the drive has hardware-based encryption; however, it may not be Opal v2.0, so look for SSDs that state Opal v2.0 (why Samsung does not print the PSID amazes me!).

An example is older SSDs based on the Phison E12 SSD controller, which originally could support Opal, but not BitLocker.

 

Current SSDs such as the Kingston UV500 family are Opal v2 compliant; same for the Crucial M500 line, and many OEM-labeled SSDs are Opal compliant.

HP Recommended

Hi,

 

Thank you for your answer. The original question is how to enable SED on the HP z840, not how to choose an NVMe drive with OPAL 2.0 support, nor the definition of a Self-Encrypting Drive. For these, there are plenty of details on the internet. I already have the Samsung 970 Evo Plus, which does have SED (see datasheet link in original post). And if somehow this drive doesn't support SED, I can always buy one with proper support.

 

But before that, I would like to know if the z840 supports NVMe Self-Encrypting Drives, and if yes, how to enable it. As stated in the original post, I can use sedutil to provision the password to lock the drive. But what I don't know is whether the z840 BIOS is aware of a locked NVMe SED.

HP Recommended

The z840 does support Opal 2.0 hardware-encrypted drives, but you're not going to see the BIOS options unless a hardware-encrypted drive is installed.

 

And to enable hardware encryption on the Samsung retail SSD drives, you must use the Samsung Magician software to enable encryption and then reinstall the OS if you wish to encrypt the boot drive.

 

The HP z840 QuickSpecs state that Opal v1/v2 supported SSDs are a factory option; however, there are some restrictions depending on the z840's hard drive controller used with the SSDs (see link below for details).

 

https://support.hp.com/us-en/document/c04505606

 

https://h20195.www2.hp.com/v2/GetDocument.aspx?docname=4AA4-4992ENW

HP Recommended

Super cool, thank you very much for confirming the z840 is compatible with NVMe Self Encrypting Drives.

 

Now I am clear to swap my current NVMe for one that has SED support. Will update this post once I complete the procedure, success ... or not.

HP Recommended

Hi @DGroves,

 

Sorry I unmarked the "answer" status from your post. I have edited the original post with a section to explain why the z840 is not compatible with Self-Encrypted-Drive.

 

Contrary to HP's own documentation (link in original post), the option "Allow OPAL Hard Drive SID Authentication" doesn't exist in the z840 BIOS v2.59a (current 2023-08-09), even when a Self-Encrypted-Drive is present. I used a Samsung 970 Evo Plus, which is recognized by the sedutil tool, which I used to successfully provision the drive and lock it with an Authorization Key. The z840 simply hangs on the Pre-Boot-Authorization screen.

 

Unless someone can show a successful case of unlocking a locked SED drive on the z840, I think the z840 is not compatible with SED.

 

For further clarity, this is NOT the DriveLock function for SATA/ATA drives, which is merely a password gate to allow reading the drive; if a drive is taken out of the machine, the content is readable. In my scenario, this is the OPAL 2.0 standard: the data is permanently hardware encrypted at rest. The lock/unlock password (called the Authorization Key in the OPAL 2.0 standard) is handled outside of the BIOS.

 

HP Recommended

Not that I think this will make a difference... but FYI, the current (as of 8/23) BIOS for the Z840 is 2.61, released April of this year. See below, from HP:

 

2.61 is current BIOS version...

HP Recommended

The z840 IS COMPATIBLE WITH SELF ENCRYPTING DRIVES; they are listed in the HP z840 QuickSpecs, and both mechanical drives and SSDs are listed as options.

 

So either you are doing something wrong or the SSD model you have is the issue.

 

I recommend you contact HP support next time before stating that an item HP lists as tested/working doesn't work.

 

https://support.hp.com/us-en/document/c04505606

 

HP approved reseller of the z840: note that under storage media they list both mechanical and SSD drives with self-encryption.

 

The 256GB Self-Encrypting Drive (SED) version has similar performance to the standard 256GB SSD. It is also available in Opal 1.0 and Opal 2.0 versions.

 

HP Z Turbo Drive:
– HP Z Turbo Drive G2 256GB SED SSD
– HP Z Turbo Drive G2 1TB TLC SSD
– HP Z Turbo Drive G2 256GB TLC SSD
– HP Z Turbo Drive G2 512GB TLC SSD

 

– 256GB SATA 6Gb/s SED Opal 1 SSD

HP Recommended

I did update the HP z840 BIOS to 2.61; still not working. The HP documentation's claim that the HP z840 is compatible with OPAL 2.0 is puzzling. I have spent enough time on this issue. I succeeded in provisioning the SED drive.

 

When powering up the computer, the screen asking for the SED Authentication Key shows up. This screen is called the Pre-Boot-Authentication (PBA). After the correct password is entered, the PBA hands over the boot process to the HP BIOS.

 

The HP BIOS, instead of continuing to read the unlocked disk to boot the OS, seems to get lost: it did a cold start, relocked the disk, was unable to read the data on the encrypted disk, and ended up freezing on a random blank screen. This seems to me to be a BIOS issue, confirmed by the fact that there is no option in BIOS 2.61 (current Aug 2023) related to Self-Encrypting Disks.

 

I have wasted almost my entire vacation week trying to sort out this issue, and I am doubtful that HP support would be able to fix it. The SED / OPAL 2.0 standard is not yet mature. It depends on a long chain of tech (firmware in the SSD, the software to provision the Pre-Boot-Authentication image, and the BIOS of the computer). These 3 parts are independent; in spite of the OPAL 2.0 standard, each manufacturer seems to have their own implementation. The lack of documentation on how to provision an SED is testimony to the immature state of the standard. And even if it works by some miracle, SED + OPAL 2.0 still cannot work with Secure Boot enabled, which I find an unacceptable concession.

 

I gave up on hardware encryption. I factory-reset the NVMe to remove the Authentication Key. Then I just use software-encrypted Full Disk Encryption instead (Debian 12 with LUKS). There is a slight overhead compared to hardware encryption, but it is totally negligible as I don't have any intensive disk IO on this machine. LUKS worked perfectly right at the first try, and with UEFI + Secure Boot enabled.

 

HP Recommended

Being frustrated in not getting something to work is understandable; however, when you, who really know very little about configuring hardware encryption, state that the HP workstation does not have working encryption and that HP is unable to make it work, it does make you look a bit silly.

 

The HP workstation line is sold to major clients/businesses, and if said encryption did not work there would have been major lawsuits all over the place years ago.

 

OPAL v1/2 ARE standards, and any device claiming Opal compliance must meet those standards and be able to provide documentation confirming this.

 

You're not wanting to talk to the HP support people who can most likely help you is your choice, but stating that they can't help you implies that the issue with that approach appears to be with you, not HP.

 

And from the HP support document:

(note the paragraph on Linux, and that NVMe devices do not support BIOS-based ATA locking)

https://h20195.www2.hp.com/v2/GetDocument.aspx?docname=4AA4-4992ENW

 

SED Management software helps with the administration of SED in your specific environment. These tools
offer features like security compliance, data protection policies, reporting, data recovery, and an interface
which simplifies management. Provisioning an SED for boot (where unlocking has to precede the OS load) is
made much easier by the right tool.


There are a variety of third-party software packages available for SED management. Features vary by
manufacturer. In many cases, SED management is one function in an enterprise security solution suite. There
are many articles discussing drive encryption as part of a security solution on the world wide web. A search
string such as “TCG drive encryption software” can lead to some of the available software solutions.


The Linux community has converged on the sedutil boot image, provided by the Drive Trust Alliance, as a tool
for SED provisioning. See www.drivetrust.com/sed-util/

 

ATA Drive Lock (HP BIOS)
There is a method of defining an access lock for a SATA SED (or non-SED) that does not affect the DEK
management. Drive Lock is a part of the ATA standard, and restricts access to any compliant drive unless the
correct password is entered during BIOS Power-on Self-test (POST) to unlock the drive. Using ATA Drive Lock
doesn’t require any additional software. When using ATA Drive Lock, an AK is not created on the SED. This
means that the DEK is not encrypted and data is considered less secure. If possible, an SED drive should be
properly provisioned.


The specific procedure to enable ATA Drive Lock can be found in the Workstations Maintenance and Service
Guide. This guide can be found for all recent platforms at the HP Workstations Customer Support website:
hp.com/go/workstationsupport.


In Linux, a SATA drive with ATA locking enabled can be manipulated further using the hdparm command.


NVMe devices do not support the ATA Drive Lock protocol.
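A practical way to confirm which of the two mechanisms discussed in this thread a given SATA drive is under (ATA Drive Lock, as opposed to Opal provisioning) is to read the `Security:` section that `hdparm -I` prints. The script below is an added example, not part of the thread or of HP's document: it parses that section and reports whether ATA security is unsupported, supported but disabled, enabled and locked, or enabled and unlocked, and flags the "frozen" state, in which the drive rejects ATA security commands until the next power cycle (many BIOSes issue SECURITY FREEZE LOCK during POST). The `hdparm -I` layout is the real one (`supported`/`not supported`, `enabled`/`not enabled`, and so on, under `Security:`); the function names and the three sample outputs are constructed for the example and are not real drives. NVMe devices print no such section, which is consistent with the document's note above.

```shell
#!/bin/sh
# Added example: classify a SATA drive's ATA security state from `hdparm -I`
# output. Real usage: `sudo hdparm -I /dev/sdX | ata_security_state`.
# The sample outputs below are CONSTRUCTED (real hdparm uses tabs instead of
# the spaces shown; the parser accepts both).

# Keep only the lines of the "Security:" section (stops at the next
# non-indented heading such as "Checksum:").
ata_security_section() {
  awk '
    /^Security:/ { insec = 1; next }
    insec && /^[^ \t]/ { exit }
    insec { print }
  '
}

# Read hdparm -I output on stdin and print one of:
#   not-supported | supported-disabled | enabled-unlocked | enabled-locked
# with ",frozen" appended when SECURITY FREEZE LOCK is in effect.
ata_security_state() {
  # Squeeze tabs/spaces and trim so each item becomes e.g. "not enabled".
  section=$(ata_security_section | sed 's/[[:blank:]]\{1,\}/ /g; s/^ //; s/ $//')
  if ! printf '%s\n' "$section" | grep -qx 'supported'; then
    echo "not-supported"
    return 0
  fi
  if printf '%s\n' "$section" | grep -qx 'not enabled'; then
    state="supported-disabled"      # Drive Lock not set; DEK not protected by AK
  elif printf '%s\n' "$section" | grep -qx 'not locked'; then
    state="enabled-unlocked"        # password set but entered (or device not locked)
  else
    state="enabled-locked"          # data inaccessible until password is presented
  fi
  if printf '%s\n' "$section" | grep -qx 'frozen'; then
    state="$state,frozen"           # no security commands accepted until power cycle
  fi
  echo "$state"
}

# --- constructed samples mimicking `hdparm -I` ---------------------------
sample_disabled() {
cat <<'EOF'
ATA device, with non-removable media
    Model Number:       EXAMPLE-SATA-SSD (constructed)
Security: 
    Master password revision code = 65534
        supported
    not enabled
    not locked
    not frozen
    not expired: security count
        supported: enhanced erase
    2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
EOF
}

sample_locked_frozen() {
cat <<'EOF'
Security: 
    Master password revision code = 65534
        supported
        enabled
        locked
        frozen
    not expired: security count
        supported: enhanced erase
Checksum: correct
EOF
}

sample_unsupported() {
cat <<'EOF'
Security: 
    not supported
Checksum: correct
EOF
}

# Stand-alone demo: print the classification of each constructed sample.
for s in sample_disabled sample_locked_frozen sample_unsupported; do
  printf '%-22s %s\n' "$s:" "$($s | ata_security_state)"
done
```

Run against a live machine, the "frozen" flag is the check to make before attempting any ATA security change: a drive reported as `supported-disabled,frozen` will refuse to have Drive Lock enabled or disabled until it is power-cycled, which is easy to mistake for a BIOS or drive fault.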

 

 
