sedutil-cli: Self-Encrypting Drive (SED) Management

sedutil-cli is a command-line utility for managing Self-Encrypting Drives (SEDs) that comply with the TCG Opal standard. It allows you to perform various operations such as enabling drive encryption, setting passwords, configuring locking ranges, and querying drive status.

Overview

sedutil-cli controls the security features of SEDs (Self-Encrypting Drives) that provide hardware-based encryption. This allows you to encrypt and manage the entire drive independently of the operating system.

Key Features

  • Enable and disable SEDs
  • Set/change SID (Security Identifier) and master password
  • Manage MBR (Master Boot Record) protection
  • Configure and control locking ranges
  • Query drive Opal status and information

Installation

sedutil-cli is not included by default in most Linux distributions, so it needs to be installed via a package manager.

Debian/Ubuntu

sudo apt update && sudo apt install sedutil-cli

Install using the APT package manager.

RHEL/CentOS/Fedora

sudo dnf install sedutil-cli

Install using the DNF or YUM package manager. The EPEL repository may be required.

Manual Installation

On some systems, you may need to download and compile the source code directly. Please refer to the official sedutil GitHub repository for more details.

Key Options

sedutil-cli provides several sub-commands (options) to perform various functions. Most commands require the target device path and a password.

Usage Examples

The following are common usage examples for sedutil-cli. The examples use `/dev/nvme0n1`; replace it with the actual path of your drive, such as `/dev/sda`.

Querying Drive Opal Status

sudo sedutil-cli --query /dev/nvme0n1

Checks the current Opal status and locking information for the specified drive.
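
The following added example (not from the sedutil project or the original page) reduces `--query` output to a single state that a script can check before it runs any password or locking command. The sample output is constructed, and the field names on its Locking line are assumptions to verify against your own drive's output; all function names are illustrative.

```shell
#!/bin/sh
# Added example: classify a drive from the Locking line of `sedutil-cli --query`.

# Constructed sample output (not captured from a real drive).
sample_query_output() {
cat <<'EOF'
/dev/nvme0n1 NVMe ExampleVendor SSD 1TB
Locking function (0x0002)
    Locked = N, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = Y, MediaEncrypt = Y
EOF
}

# locking_field NAME: print Y or N for NAME from query output on stdin.
# The leading [ ,] keeps "Locked" from matching inside another field name.
locking_field() {
    sed -n "s/^.*[ ,]$1 = \([YN]\).*$/\1/p" | head -n 1
}

# opal_state: reduce the flags to one word a script can branch on.
opal_state() {
    out=$(cat)
    if [ "$(printf '%s\n' "$out" | locking_field LockingSupported)" != "Y" ]; then
        echo "no-opal-locking"
    elif [ "$(printf '%s\n' "$out" | locking_field LockingEnabled)" != "Y" ]; then
        echo "not-provisioned"
    elif [ "$(printf '%s\n' "$out" | locking_field Locked)" = "Y" ]; then
        echo "locked"
    else
        echo "unlocked"
    fi
}

# mbr_shadow_active: "yes" while MBREnabled = Y and MBRDone = N.
mbr_shadow_active() {
    out=$(cat)
    if [ "$(printf '%s\n' "$out" | locking_field MBREnabled)" = "Y" ] &&
       [ "$(printf '%s\n' "$out" | locking_field MBRDone)" = "N" ]; then
        echo yes
    else
        echo no
    fi
}

# query_drive DEVICE: refuse anything that is not a block device, then query it.
query_drive() {
    [ -b "$1" ] || { echo "not a block device: $1" >&2; return 2; }
    sudo sedutil-cli --query "$1" | opal_state
}

sample_query_output | opal_state   # prints: unlocked
```

On a real system, call `query_drive /dev/nvme0n1` and continue only when the reported state is the one you expect.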

Setting SID Password

sudo sedutil-cli --setSIDPassword <old_password> <new_password> /dev/nvme0n1

Sets a new SID password. `<old_password>` is the initial password (usually 'NULL' or 'msid') or the previously set password.

Enabling MBR Protection

sudo sedutil-cli --setMBRDone on <password> /dev/nvme0n1

Enables MBR protection, causing the drive to lock upon boot. `<password>` is the SID password.

Listing Drive Opal Information

sudo sedutil-cli --listOpalInfo /dev/nvme0n1

Displays detailed information about the Opal features and versions supported by the drive.

Tips & Precautions

sedutil-cli is a powerful tool, so extreme caution is advised when using it. Incorrect usage can lead to data loss.

Important Considerations

  • **Data Backup:** Always back up your important data before performing any sedutil-cli operations.
  • **Correct Device Identification:** Use commands like `lsblk` or `fdisk -l` to verify the exact path of the drive you are working with. Executing commands on the wrong device can result in data loss.
  • **Password Management:** Store the passwords you set securely. If you lose your password, you may not be able to access the data on the drive, and recovery might be impossible.
  • **`--revertTPer` Command:** This command permanently erases all data on the drive and reverts it to its factory default state. Use with extreme caution.
  • **BIOS/UEFI Settings:** Some SED features may behave differently or require additional configuration depending on your system's BIOS/UEFI settings (e.g., Secure Boot, SATA mode).