1869


Version:
SES 8.6

Summary:
The OPAL Cryptoerase Tool is a utility that crypto-erases an OPAL drive prior to re-imaging. It is network-aware and uses the same mechanism as the client to communicate with SDConnex, so that it can obtain the HWE data it needs to perform a crypto-erase.

Issues:
When a managed OPAL drive is locked, it cannot be reimaged. If it is unlocked and then reimaged, we no longer have access to the preboot authentication, as our client is unable to "reconnect".

Requirements:

  • A device must be equipped with at least 2 SED drives (OPAL, OPAL Ruby, TCGe).
  • The boot SED has to be an OPAL drive.
  • A device must have Windows 10 installed.
  • Enable the "Crypto-erase device" remote command in the global option.

Limitations
The SDConnexCryptoErase tool for Windows cannot crypto-erase NVMe drives encrypted (enrolled) by WinMagic software for Linux (such as the USB-based OSA Installer). NVMe drives enrolled by the OSA Installer for Linux, or newly added SED drives enrolled by OSA pre-boot (PBL working in OSA mode), are registered on SES with their native drive models and serial numbers, whereas Windows-based software uses artificial drive models and serial numbers generated by Windows. This limitation can be overcome by using the Tool for Linux.

Setup/Installation
The tool does not require installation.

Preparation (Creation of SDConnex.ini file)
First, the ability to work with the tool has to be enabled on SES. Use SQL DB Management Studio to enable the feature:
Table Settings must have "IDNLW_GET_CRYPTOERASE_INFO_ENABLED" ValNum: 1

To create (or update) the SDConnex.ini configuration file, use the following command:
SDConnexCryptoErase.exe -create-ini [<config file path>] -host <SES IP addr> -user <user name> -pwd <user password>

Example:
Command-line: OpalCryptoErase.exe -ses -create-ini -host 192.168.0.40 -user Dell5590 -pwd passw
List existing drive(s): OpalCryptoErase.exe -l    (the option is a lower-case letter L)

  • -create-ini - tells the tool to create/update the SDConnex.ini file at the optional <config file path> location. If the file location is omitted, the tool creates/updates the file next to the tool executable.
  • -host - specifies the SES host IP address. This parameter is not mandatory. If you omit it, the tool will remind you to update the "Winsocket_Address_List" setting manually.
  • -user - specifies the user name. This setting is mandatory. The user with the specified name is used to authenticate to SES to get the HWE info. The specified user has to be registered on SES and have admin rights.
  • -pwd - specifies the user password. The password is stored in the tool's configuration file in encrypted form.

Steps:

  1. Create a new folder at an arbitrary location (e.g. on the Windows desktop or on drive C:) and copy the following files to it:
    1. OpalCryptoErase.exe
    2. SDConnex.cer (taken from SES)
  2. Open "CMD" as administrator and change the current directory to the folder with the tool.
  3. Create the SDConnex.ini file as specified above (see "Preparation").
  4. Use the following command to crypto-erase the managed (still encrypted) drive(s):
    1. OpalCryptoErase.exe -ses

Log filename: OpalCryptoErase.log
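
The preparation and steps above as one guarded PowerShell script: it checks elevation and the required files, prompts for the SES password rather than hard-coding it, and asks for confirmation before the erase. This is an added example, not WinMagic code; the script and its parameter names are hypothetical, and only the OpalCryptoErase.exe options shown on this page are used. The log file is assumed to be written to the tool folder.

```powershell
# Added example, not WinMagic code. Save as a .ps1 and run it from an elevated prompt.
param(
    [Parameter(Mandatory)] [string] $ToolDir,  # folder from step 1 (placeholder)
    [Parameter(Mandatory)] [string] $SesHost,  # SES IP address, passed to -host
    [Parameter(Mandatory)] [string] $SesUser   # SES admin user, passed to -user
)
$ErrorActionPreference = 'Stop'

# Step 2: the tool has to run as administrator.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated prompt.'
}

# Step 1: the executable and the SES certificate must sit in the same folder.
foreach ($file in 'OpalCryptoErase.exe', 'SDConnex.cer') {
    if (-not (Test-Path -LiteralPath (Join-Path $ToolDir $file))) {
        throw "Missing $file in $ToolDir"
    }
}
Set-Location -LiteralPath $ToolDir

# Step 3: create/update SDConnex.ini next to the executable.
# Prompting keeps the password out of script files and shell history;
# it is still visible on the tool's command line while the tool runs.
$secure = Read-Host -Prompt "Password for $SesUser" -AsSecureString
$plain  = (New-Object System.Net.NetworkCredential('', $secure)).Password
try {
    & .\OpalCryptoErase.exe -ses -create-ini -host $SesHost -user $SesUser -pwd $plain
} finally {
    $plain = $null
}
if (-not (Test-Path -LiteralPath .\SDConnex.ini)) { throw 'SDConnex.ini was not created.' }

# List the drives, then require explicit confirmation: a crypto-erase cannot be undone.
& .\OpalCryptoErase.exe -l
$answer = Read-Host 'Type ERASE to crypto-erase the managed drive(s) on this device'
if ($answer -cne 'ERASE') { Write-Host 'Aborted; nothing was erased.'; return }

# Step 4: crypto-erase the managed (still encrypted) drive(s).
& .\OpalCryptoErase.exe -ses

# Assumption: OpalCryptoErase.log is written to the current (tool) folder.
if (Test-Path -LiteralPath .\OpalCryptoErase.log) {
    Get-Content -LiteralPath .\OpalCryptoErase.log -Tail 20
}
```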

Download Link:
http://downloads.winmagic.info/Tools/11_16_2020/SDConnexCryptoErase.zip