The Intel SSD Pro 2500 Series Guide for Microsoft edrive* Activation

Similar documents
Intel Cache Acceleration Software for Windows* Workstation

How to Create a.cibd File from Mentor Xpedition for HLDRC

How to Create a.cibd/.cce File from Mentor Xpedition for HLDRC

Intel Atom Processor E3800 Product Family Development Kit Based on Intel Intelligent System Extended (ISX) Form Factor Reference Design

Drive Recovery Panel

Intel RealSense Depth Module D400 Series Software Calibration Tool

Theory and Practice of the Low-Power SATA Spec DevSleep

OpenCL* and Microsoft DirectX* Video Acceleration Surface Sharing

Intel Cache Acceleration Software - Workstation

Intel RealSense D400 Series Calibration Tools and API Release Notes

Customizing an Android* OS with Intel Build Tool Suite for Android* v1.1 Process Guide

Intel Atom Processor E6xx Series Embedded Application Power Guideline Addendum January 2012

Intel Open Source HD Graphics, Intel Iris Graphics, and Intel Iris Pro Graphics

Intel Galileo Firmware Updater Tool

Intel USB 3.0 extensible Host Controller Driver

Intel Open Source HD Graphics Programmers' Reference Manual (PRM)

Intel Atom Processor D2000 Series and N2000 Series Embedded Application Power Guideline Addendum January 2012

Intel Manageability Commander User Guide

2013 Intel Corporation

Intel Manycore Platform Software Stack (Intel MPSS)

Intel Dynamic Platform and Thermal Framework (Intel DPTF), Client Version 8.X

Intel Core TM Processor i C Embedded Application Power Guideline Addendum

True Scale Fabric Switches Series

Intel Embedded Media and Graphics Driver v1.12 for Intel Atom Processor N2000 and D2000 Series

Intel Desktop Board DZ68DB

Bitonic Sorting. Intel SDK for OpenCL* Applications Sample Documentation. Copyright Intel Corporation. All Rights Reserved

Product Change Notification

Reference Boot Loader from Intel

Product Change Notification

Product Change Notification

Intel Integrated Native Developer Experience 2015 (OS X* host)

Intel Cache Acceleration Software (Intel CAS) for Linux* v2.9 (GA)

LED Manager for Intel NUC

Krzysztof Laskowski, Intel Pavan K Lanka, Intel

Intel Core TM i7-4702ec Processor for Communications Infrastructure

Product Change Notification

Product Change Notification

Product Change Notification

Product Change Notification

INTEL PERCEPTUAL COMPUTING SDK. How To Use the Privacy Notification Tool

Understanding Windows To Go

Product Change Notification

Product Change Notification

Product Change Notification

Configuring Intel Compute Stick STK2MV64CC/L for Intel AMT

Intel Open Source HD Graphics. Programmer's Reference Manual

Product Change Notification

Intel Graphics Virtualization Technology. Kevin Tian Graphics Virtualization Architect

Data Plane Development Kit

Product Change Notification

Desktop 4th Generation Intel Core, Intel Pentium, and Intel Celeron Processor Families and Intel Xeon Processor E3-1268L v3

Data Center Efficiency Workshop Commentary-Intel

Intel Desktop Board D945GCLF2

Intel SDK for OpenCL* - Sample for OpenCL* and Intel Media SDK Interoperability

Product Change Notification

Product Change Notification

Product Change Notification

Product Change Notification

Product Change Notification

Product Change Notification

Lustre Beyond HPC. Presented to the Lustre* User Group Beijing October 2013

Intel 945(GM/GME)/915(GM/GME)/ 855(GM/GME)/852(GM/GME) Chipsets VGA Port Always Enabled Hardware Workaround

Product Change Notification

Product Change Notification

Intel Desktop Board DG31PR

Intel vpro Technology Virtual Seminar 2010

Intel vpro Technology Virtual Seminar 2010

Intel Desktop Board DG41CN

Product Change Notification

Intel Ethernet Controller I350 Frequently Asked Questions (FAQs)

Intel Desktop Board DH61CR

MICHAL MROZEK ZBIGNIEW ZDANOWICZ

Using the Intel VTune Amplifier 2013 on Embedded Platforms

Product Change Notification

Product Change Notification

Software Evaluation Guide for WinZip* esources-performance-documents.html

Product Change Notification

Device Firmware Update (DFU) for Windows

Product Change Notification

Intel Desktop Board DP67DE

Product Change Notification

Sample for OpenCL* and DirectX* Video Acceleration Surface Sharing

Product Change Notification

Product Change Notification

Product Change Notification

Intel Desktop Board D945GCCR

Intel Desktop Board DH61SA

Intel Desktop Board D946GZAB

Intel Desktop Board D975XBX2

Product Change Notification

Intel Desktop Board D945GCLF

Intel Stereo 3D SDK Developer s Guide. Alpha Release

Product Change Notification

Product Change Notification

OMNI-PATH FABRIC TOPOLOGIES AND ROUTING

Product Change Notification

Product Change Notification

Ernesto Su, Hideki Saito, Xinmin Tian Intel Corporation. OpenMPCon 2017 September 18, 2017

Product Change Notification

Specification Update. January 2014

Transcription:

The Intel SSD Pro 2500 Series Guide for Microsoft edrive* Activation Solutions Blueprint January 2015 Order Number: 330880-002US

INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. A "Mission Critical Application" is any application in which failure of the Intel Product could result, directly or indirectly, in personal injury or death. SHOULD YOU PURCHASE OR USE INTEL'S PRODUCTS FOR ANY SUCH MISSION CRITICAL APPLICATION, YOU SHALL INDEMNIFY AND HOLD INTEL AND ITS SUBSIDIARIES, SUBCONTRACTORS AND AFFILIATES, AND THE DIRECTORS, OFFICERS, AND EMPLOYEES OF EACH, HARMLESS AGAINST ALL CLAIMS COSTS, DAMAGES, AND EXPENSES AND REASONABLE ATTORNEYS' FEES ARISING OUT OF, DIRECTLY OR INDIRECTLY, ANY CLAIM OF PRODUCT LIABILITY, PERSONAL INJURY, OR DEATH ARISING IN ANY WAY OUT OF SUCH MISSION CRITICAL APPLICATION, WHETHER OR NOT INTEL OR ITS SUBCONTRACTOR WAS NEGLIGENT IN THE DESIGN, MANUFACTURE, OR WARNING OF THE INTEL PRODUCT OR ANY OF ITS PARTS. Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined." Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information. The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order. Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or go to: http://www.intel.com/design/literature.htm Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and other countries. *Other names and brands may be claimed as the property of others. Copyright 2015 Intel Corporation. All rights reserved. edrive Solutions Blueprint January 2015 2 330880-002US

Contents 1 Introduction... 5 1.1 Terminology... 5 1.2 Reference Documents... 5 2 Blueprint Elements... 6 2.1 Intel SSD Pro 2500 Series... 6 2.2 TCG* Opal* SSC version 2.0... 6 2.3 Microsoft edrive*... 6 2.4 Intel SSD Pro Administrator Tool... 6 3 The Solution... 7 3.1 System Requirements... 7 3.1.1 Hardware... 7 3.1.2 Software... 7 3.2 Enabling edrive on the Intel SSD Pro 2500 Series... 8 3.2.1 Check the current configuration... 8 3.2.2 Enable edrive support... 8 3.3 edrive Activation... 9 3.4 Security Feature Set Interactions... 9 4 Drive Revert... 10 4.1 PSID* Revert Using Intel SSD Pro Administrator Tool.... 10 4.2 Secure Erase... 10 January 2015 edrive Solutions Blueprint 330880-002US 3

Revision History Revision Number Description Revision Date 001 Initial release. August 2014 002 Added NOTE in Section 2.3 January 2015 edrive Solutions Blueprint January 2015 4 330880-002US

1 Introduction With security breaches continually on the rise, data protection is more essential than ever. At Intel, we realize how important it is to provide security capabilities for PC storage devices. We build the Intel SSD Professional Family with data protection in mind delivering security and manageability features designed to help protect important data. With the growing use of Microsoft s edrive* solution Intel has built edrive support into our Intel SSD Pro 2500 Series. In order to effectively utilize any collaborative solution between the host platform, software and SSD, it is important to understand how the components work together. In this blueprint, we define: How to enable edrive support on the Intel SSD Pro 2500 Series (Pro 2500 Series) using Intel SSD Pro Administrator Tool How to activate edrive on the Pro 2500 Series with Windows OS* How to recover if something does not work properly with edrive activation 1.1 Terminology Term Description SED Self-Encrypting Drive BitLocker* Microsoft s security software included in Windows 7* and Windows 8* PBA Opal* edrive MBAM* PSID PSID Revert Pre-Boot Authentication environment setup by system security software that requires a user to authenticate, typically with a passphrase or password, to start the OS boot process. A Trusted Computing Group* (TCG) standard that defines an interface for managing a Self-Encrypting Drive (SED). Microsoft specification for a drive that complies with the TCG* Opal 2.0 and IEEE 1667* standards Microsoft BitLocker Administration and Monitoring Physical presence Security ID Opal Revert using PSID value printed on drive label used in the event all Opal passwords have been lost. 1.2 Reference Documents Document Trusted Computing Group Opal Storage Security Subsystem Class Specification, Version 2.0 Microsoft TechNet site on edrive Requirements Document No./Location www.trustedcomputinggroup.com http://technet.microsoft.com/enus/library/hh831627.aspx January 2015 edrive Solutions Blueprint 330880-002US 5

2 Blueprint Elements 2.1 Intel SSD Pro 2500 Series The Pro 2500 Series is a self-encrypting drive (hardware encryption) and provides security and manageability features, including support for TCG* Opal SSC* version 2.0 and Microsoft edrive requirements. 2.2 TCG Opal SSC Version 2.0 TCG s Opal security standard is designed to secure at rest data, primarily in the business computing environment. Opal helps protect data stored on a computer s primary storage drive in the event the machine is lost or stolen. Access to stored data is protected using robust authentication methods and data encryption algorithms. Access control is managed with passwords or alternate authentication methods, depending on the software that manages the drive and the policies implemented by the administrator. The Opal solution addresses threats by combining a Professional Family Opal-enabled drive with a management software solution from a third party vendor. For more information on Opal, go to www.trustedcomputinggroup.com. 2.3 Microsoft edrive The Pro 2500 Series also adds Microsoft edrive support. edrive builds on the Opal 2.0 security features and has additional security protocol based on IEEE 1667 to enable drive locking and provisioning. For more information, start with http://technet.microsoft.com/en-us/library/hh831627.aspx. Microsoft edrive works in conjunction with the familiar Windows BitLocker application to manage the security policies and keys of the drive s secure partitions. With edrive compatibility, BitLocker will offload the data encryption from the host to the storage drive referred to as hardware encryption freeing up the processor for other tasks. NOTE: The Intel SSD Pro 2500 Series supports four locking ranges with hardware-based 256-bit AES encryption. Additional ranges are encrypted using BitLocker* software encryption. Because the default installation of Windows 8.1 uses three of the locking ranges for system partitions, only a single locking range remains available to be used as a hardware-based encrypted partition for the user, i.e. C:. For the case where additional user partitions are defined, i.e. D:, BitLocker software encryption will be automatically applied to those additional partitions. 2.4 Intel SSD Pro Administrator Tool Intel SSD Pro Administrator Tool (Pro Admin Tool) is a command line based tool that allows the user to check the security status and manage Intel Professional Family of SSDs. Pro Admin Tool contains functions that support the user enabling edrive, perform PSID Revert, Secure Erase an Intel SSD, and view drive information on Pro 2500 Series drives. edrive Solutions Blueprint January 2015 6 330880-002US

3 The Solution Enabling edrive support on the Pro 2500 Series is simple with the new Intel SSD Pro Admin Tool. Once edrive support is enabled on the Pro 2500 Series, Windows 8 makes the activation of edrive simple with automatic provisioning during the OS install process. Support flow: 3.1 System Requirements 3.1.1 Hardware The Pro 2500 Series is an SED and supports the TCG Opal 2.0 and IEEE 1667 specifications. NOTE: The Pro 2500 Series supports various configurations of security features. By default, the Pro 2500 Series ships with edrive support disabled. Please make sure to check supported features on the Pro 2500 Series drive you are working with. TPM and UEFI support as required by Microsoft BitLocker. See http://technet.microsoft.com/en-us/library/hh831713.aspx for more info. 3.1.2 Software Windows 8 or Windows 8.1* Pro and Enterprise versions ATA Security must not be enabled no drive password (ATA user password) should be set Intel RST storage driver does not support edrive at this time January 2015 edrive Solutions Blueprint 330880-002US 7

3.2 Enabling edrive on the Pro 2500 Series If edrive requirements are met, Windows automatically performs the secure provisioning for edrive during the OS installation. To meet edrive requirements you ll want to verfiy and enable edrive support prior to OS install. Note: At this time, Intel SSD Pro Admin Tool only supports enabling edrive. Users should enable edrive if the support is needed for hardware encryption with Windows BitLocker. Enabling edrive cannot be accomplished with ATA Security enabled (ATA user password set). Disable user password prior to running Intel SSD Pro Admin Tool to enable edrive support. 3.2.1 Check the Current Configuration Plug the drive into a system that supports the Intel SSD Pro Admin Tool. Version 1.1.0 supports edrive enabling on the Pro 2500 Series. Download the Pro Admin Tool from www.intel.com/ssd under the Tools pull-down. Pro Admin Tool is a stand-alone command line executable, so all you need to do is place the executable in a familiar folder for execution. 1. Pro Admin Tool can only be run as administrator, so open an elevated command prompt. 2. Execute Pro Admin Tool with -drive_list option to see what drives are on the system and what index is assigned to each. C:\> SSDProAdminTool_1.1.0_win64.exe drive_list 3. Once drive index is known, then execute tool with -drive_index X (where X is drive index number) option to make sure Opal support is enabled on the Pro 2500 Series drive. The -drive_index info shows Opal and edrive status. (See below.) Opal is supported if status is Opal Ready. C:\> SSDProAdminTool_1.1.0_win64.exe drive_index 1 3.2.2 Enable edrive support If Opal is supported and edrive support is False, then enable edrive. 1. Execute the tool by using the -drive_index X -enable_edrive option to turn on support for edrive. User will be prompted to determine if enabling edrive is desired; type Y to proceed. C:\> SSDProAdminTool_1.1.0_win64.exe drive_index 1 enable_edrive 2. To confirm edrive is enabled, use the -drive_index X option again to check status. Status should be True. C:\> SSDProAdminTool_1.1.0_win64.exe drive_index 1 edrive Solutions Blueprint January 2015 8 330880-002US

3.3 edrive Activation Now that edrive is enabled on the Pro 2500 Series drive, the next step is to install Windows and activate security capabilities with edrive. 1. On Windows Install, the OS recognizes the drive supports edrive features and sets up the admin authority to take control of the drive s security. edrive requires secure partitioning at the time of the OS install to allow BitLocker to make use of drive s HW encryption. Note: At this point using ATA security is no longer an option because Opal activation does not support ATA security functions; all authentication (passwords) is managed by Microsoft and BitLocker. 2. BitLocker can now be enabled to enforce PBA. (Even with BitLocker enabled and allowing HW encryption, there is no PBA if user does not have password set.) BitLocker can now be quickly enabled for a volume on the drive without the long wait for software encryption. 3. Depending on how the IT administrator has set policies on the system, the password credentials (keys) may be managed with a secondary secure device connected to system, or may be remotely managed by way of an enterprise IT database like Microsoft s MBAM*. 4. Confirm that edrive is activated by using the Pro Admin Tool -drive_index option. Opal State will show Opal Activated since admin authority is now setup. C:\> SSDProAdminTool_1.1.0_win64.exe drive_index 0 5. Microsoft also provides a tool to check status of BitLocker. From command prompt, execute: C:\> manage-bde status If BitLocker is configured appropriately to work with HW encryption on the Pro 2500 SSD, then the Encryption Method will be shown as Hardware Encryption. 3.4 Security Feature Set Interactions When edrive is activated on the Pro 2500 Series drive, several ATA security features will not be available. ATA Security and Santize Device Features are not supported as the Opal feature set is activated. Be aware that an ATA password cannot be set, Secure Erase cannot be performed and the Sanitize Device features will not work. January 2015 edrive Solutions Blueprint 330880-002US 9

4 Drive Revert If problems occur during installation, or if edrive isn t setup correctly, the system should be returned to the pre-install state and the install process repeated. 4.1 PSID Revert Using Intel SSD Pro Admin Tool. During operating system installation, on edrive capable systems, Windows sets up and activates secure partitions on the drive. Microsoft only allows the drive to be returned to the pre-activated state by performing a hardened physical (or presence) revert. To return the drive to the pre-activated state, execute the PSID Revert function. 1. The PSID Revert function removes all secure partitions activated on the drive and removes any admin authorities set on the drive. The function also erases and resets the encryption keys, so all user data is inaccessible. 2. To perform the PSID Revert function, the PSID value that is printed on the label of the drive is required. For this reason, and because the operating system will be destroyed, PSID Revert must be performed with the drive plugged into a secondary port of a computer. This will allow the PSID value to be read from the label and the Pro Admin tool to execute the function. 3. Intel provides the Intel SSD Pro Admin Tool which performs the PSID Revert function on the Intel SSD Professional Family of drives. To perform the PSID Revert, execute the Pro Admin Tool with the -drive_index X -psid_revert option and follow instructions on the screen. As edrive no longer owns drive security, ATA security will again be supported following the PSID Revert. 4.2 Secure Erase The PSID Revert function performs a cryptographic erase of user data, meaning it erases and resets the encryption keys on the drive. If the user wants to perform a block erase of data in the drive, then an additional Secure Erase step must be performed using the Pro Admin Tool. Simply execute the tool with the -secure_erase option. edrive Solutions Blueprint January 2015 10 330880-002US

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback