
Debian on self-encrypting drive using cryptsetup OPAL support

Context

For a long time, I have been using a hard drive with cryptsetup LUKS software encryption for my desktop. Recently I bought a new drive and this time went for an SSD instead of an HDD. Interestingly, the SSD came with built-in support for hardware encryption (TCG OPAL): instead of the CPU spending cycles on encryption and decryption, the drive's controller does the work. The flip side is that the confidentiality of the data then rests entirely on the drive's firmware and on how the locking is configured, not on a cipher implementation you can inspect. The challenge? Setting up hardware disk encryption on Linux was complicated. Until Aug 2023! Because that is when cryptsetup, the tool that I have been using for software encryption, introduced support for OPAL hardware disk encryption. And this is what I have used to set up disk encryption for my Debian OS. I have documented the steps that I followed (mostly for self-reference), but I hope others find it useful.

Some caveats before you start:
1. Support for OPAL hardware encryption landed in cryptsetup 2.7.0. Debian stable (bookworm) still ships cryptsetup 2.6.1. If you want to use this, you will either have to use Debian testing (trixie) or, if you intend to stay on Debian stable, upgrade cryptsetup from the testing repo (which is what I did). The installed system needs the newer cryptsetup as well, because its initramfs has to unlock the drive at boot.
2. I have not installed Debian from scratch; instead, once the OPAL encrypted partition and the LVM inside it were set up, I just copied all files from my existing OS to it. If you want to do a fresh installation, I believe you can do it once you have created all the partitions. The LVM is purely optional; I prefer to use it for convenience.
3. I also have two additional mount points (/stuff/ and /gallery/) which are in no way required or even standard. Again, this is just my personal preference. Feel free to ignore them.
4. I have an EFI partition as my motherboard uses the UEFI interface for booting.
5. You can set up hardware-only encryption (cryptsetup's --hw-opal-only) or hardware encryption with LUKS software encryption layered on top (--hw-opal). Hardware-only costs no CPU time but means you trust the drive's firmware completely; the layered mode keeps the data protected by a software cipher even if the drive's implementation turns out to be weak. As my need was to provide basic protection, I decided to go for hardware-only encryption.
6. The SSD was identified as /dev/sda and that is what I have used below. The device name might be different in your case.
7. Last but not least, if you are copying over an existing OS, have a proper backup. The PSID reset below wipes the drive.

If you have any queries, feel free to leave a comment and if I have an answer to them, I will get back to you.

Setup

  • Install the new SSD in the machine
  • Prepare a USB drive with Debian live
  • Boot into Debian live. While booting:
    • Pass the boot option libata.allow_tpm=1. On a SATA drive the kernel's libata driver refuses the TCG security commands without it, so neither sedutil-cli --scan nor cryptsetup can talk to the drive's OPAL subsystem.
    • Pass the boot option efi=runtime if you use EFI for booting your system

Check disk support for hardware encryption

$ sudo apt install sedutil
$ sudo sedutil-cli --scan
Scanning for Opal compliant disks
/dev/sda    2  CT2000MX500SSD1                          M3CR046 
/dev/sdb   No   
No more disks present ending scan

If you see a number in the second column, like the 2 above (which means the drive implements Opal 2.0), your drive supports OPAL. "No" means it does not; if a SATA drive that you know is self-encrypting shows up as "No", check that you booted with libata.allow_tpm=1.
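The checks above, as an added example that is not part of the original post: a small POSIX shell script with the pre-flight tests I would run before touching the drive, covering the cryptsetup version from caveat 1, the kernel's SED support, and the sedutil scan. It assumes cryptsetup, sedutil-cli and a /boot/config-$(uname -r) file on the live system; the sample scan output embedded in it is constructed to match the layout shown above.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for the
# OPAL setup. The check functions take their input as arguments or on stdin
# so they can be exercised on constructed data; preflight() wires them to
# the real tools and is what you would call on the live system.

# OPAL support landed in cryptsetup 2.7.0: accept "2.7.0", "2.7", "3.0.1", ...
cryptsetup_has_opal() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    if [ "$major" -gt 2 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -ge 7 ]; then return 0; fi
    return 1
}

# cryptsetup reaches the drive through the kernel's SED driver, which must be
# built in (Debian kernels set CONFIG_BLK_SED_OPAL=y). $1 is the config file.
kernel_has_sed_opal() {
    grep -qx 'CONFIG_BLK_SED_OPAL=y' "$1"
}

# Print the devices that sedutil-cli --scan reports as Opal: a numeric second
# column ("2" for Opal 2.0). "No" and anything else is skipped.
opal_capable_disks() {
    awk '$1 ~ /^\/dev\// && $2 ~ /^[0-9]+$/ { print $1 }'
}

# Constructed sedutil-cli --scan output in the layout shown above.
sample_scan() {
    cat <<'EOF'
Scanning for Opal compliant disks
/dev/sda    2  CT2000MX500SSD1                          M3CR046
/dev/sdb   No
No more disks present ending scan
EOF
}

# Run every check against the live system; stop at the first failure so this
# can gate the destructive steps that follow.
preflight() {
    ver=$(cryptsetup --version | awk '{ print $2 }')
    cryptsetup_has_opal "$ver" || { echo "cryptsetup $ver is older than 2.7.0" >&2; return 1; }
    kernel_has_sed_opal "/boot/config-$(uname -r)" || { echo "kernel lacks CONFIG_BLK_SED_OPAL" >&2; return 1; }
    disks=$(sedutil-cli --scan | opal_capable_disks)
    [ -n "$disks" ] || { echo "no Opal drive found (booted with libata.allow_tpm=1?)" >&2; return 1; }
    echo "Opal drives: $disks"
}
```

Source the file and run preflight on the live system; a non-zero exit means one of the prerequisites from the caveats is missing and luksFormat would fail or, worse, leave you with a container the installed system cannot open.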

Reset your OPAL drive

You will need your drive's PSID to reset it. The PSID is usually printed on a sticker on the drive itself; it is not readable from software, which is the point, since a factory reset should require physical access. If the PSID has dashes, ignore them. Be aware that the reset reverts the drive to its factory state and destroys all data on it, so do this only on the new, empty drive.

$ sudo cryptsetup luksErase --hw-opal-factory-reset /dev/sda
Enter OPAL PSID: <PSID>

Create partitions

My system partition layout with mount points (with a VG named media-vg, LVM exposes the volumes as /dev/mapper/media--vg-<lv>, hyphens in the VG name doubled):
/dev/sda1 fat32 /boot/efi
/dev/sda2 ext4 /boot
/dev/sda3 LUKS2 container using OPAL hardware encryption, holding LVM
  /dev/mapper/media--vg-root ext4 /
  /dev/mapper/media--vg-home btrfs /home
  /dev/mapper/media--vg-swap_1 swap
  /dev/mapper/media--vg-stuff btrfs /stuff (optional volume that I use for storing general stuff)
  /dev/mapper/media--vg-gallery btrfs /gallery (optional volume that I use for storing images/videos)

Partition the disk

$ sudo parted /dev/sda
(parted) mklabel gpt
(parted) mkpart ESP fat32 1MiB 526MiB
(parted) set 1 boot on
(parted) mkpart primary ext4 526MiB 1550MiB
(parted) mkpart primary 1550MiB 100%
(parted) print
(parted) quit

Create encrypted OPAL disk partition

As mentioned earlier, ensure that you have cryptsetup 2.7.0 or newer (check with cryptsetup --version). Older versions do not know the --hw-opal options and will refuse the command.

$ sudo cryptsetup luksFormat /dev/sda3 --type luks2 --hw-opal-only

The --hw-opal-only flag tells cryptsetup to use hardware encryption only. If you want software encryption on top of hardware encryption, pass the --hw-opal flag instead. Besides the LUKS passphrase, cryptsetup will also ask for an OPAL Admin password: this is the drive's own administrator credential, distinct from the passphrase, and you will need it later to administer or erase the OPAL locking range without a PSID reset, so keep it somewhere safe.

Check the configuration with luksDump. The data segment type hw-opal together with the "(no SW encryption)" cipher line is what identifies a hardware-only container; the output differs if you used the --hw-opal flag.

$ sudo cryptsetup luksDump /dev/sda3
LUKS header information
Version:        2
...
Data segments:
   0: hw-opal
     offset: 16777216 [bytes]
     length: ... [bytes]
     cipher: (no SW encryption)
     HW OPAL encryption:
           OPAL segment number: 1
           OPAL key: 256 bits
           OPAL segment length: ... [bytes]
Keyslots:
  0: luks2
    Key:        256 bits
    ...

If you used the --hw-opal flag, the data segment is still of type hw-opal, but the cipher line names the software cipher (aes-xts-plain64 by default) instead of "(no SW encryption)", because LUKS encrypts the data before the drive encrypts them again.
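An added check, not from the original post: classify a container from its luksDump output so you can confirm, right after luksFormat, that you got the mode you asked for (hardware-only, hardware plus software, or plain software LUKS2). The sample dumps inside are constructed and abbreviated like the ones above; the classification reads only the Data segments section, because each keyslot carries a Cipher line of its own that must not be confused with the segment's.

```shell
#!/bin/sh
# Added example, not part of the original post: read `cryptsetup luksDump`
# output on stdin and print one of hw-opal-only, hw-opal, software, unknown.
luks_encryption_mode() {
    awk '
        /^Data segments:/ { insec = 1; next }
        /^Keyslots:/      { insec = 0 }
        insec && /^[ \t]*[0-9]+:[ \t]*hw-opal/ { opal = 1 }
        insec && /^[ \t]*[0-9]+:[ \t]*crypt/   { sw = 1 }
        insec && /^[ \t]*cipher:/ {
            if ($0 ~ /no SW encryption/) nosw = 1
            else swc = 1
        }
        END {
            if (opal && nosw) print "hw-opal-only"
            else if (opal && swc) print "hw-opal"
            else if (sw && swc) print "software"
            else print "unknown"
        }'
}

# Constructed dump for a --hw-opal-only container (abbreviated like the page).
sample_dump_opal_only() {
    cat <<'EOF'
LUKS header information
Version:        2
Data segments:
   0: hw-opal
     offset: 16777216 [bytes]
     cipher: (no SW encryption)
     HW OPAL encryption:
           OPAL segment number: 1
           OPAL key: 256 bits
Keyslots:
  0: luks2
    Key:        256 bits
EOF
}

# Constructed dump for a --hw-opal container: same segment type, but LUKS
# runs a software cipher underneath the drive's encryption.
sample_dump_opal_sw() {
    cat <<'EOF'
LUKS header information
Version:        2
Data segments:
   0: hw-opal
     offset: 16777216 [bytes]
     cipher: aes-xts-plain64
     HW OPAL encryption:
           OPAL segment number: 1
Keyslots:
  0: luks2
    Cipher:     aes-xts-plain64
EOF
}

# Constructed dump for an ordinary software-only LUKS2 container.
sample_dump_software() {
    cat <<'EOF'
LUKS header information
Version:        2
Data segments:
  0: crypt
	offset: 16777216 [bytes]
	cipher: aes-xts-plain64
	sector: 512 [bytes]
Keyslots:
  0: luks2
	Cipher:     aes-xts-plain64
EOF
}
```

On the real system run `sudo cryptsetup luksDump /dev/sda3 | luks_encryption_mode` and compare the answer with the flag you passed to luksFormat; "unknown" means the header was not parsed as expected and is worth a closer look before you put data on the volume.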

Create LVM

Open the LUKS container (this unlocks the OPAL locking range on the drive and maps the plaintext device)

$ sudo cryptsetup open /dev/sda3 sda3_crypt

Create a PV

$ sudo pvcreate /dev/mapper/sda3_crypt

Create a volume group on the physical volume

$ sudo vgcreate media-vg /dev/mapper/sda3_crypt

Verify VG configuration

$ sudo vgdisplay

Create logical volumes

$ sudo lvcreate -n root -L 100g media-vg
$ sudo lvcreate -n home -L 100g media-vg
$ sudo lvcreate -n swap_1 -L 20g media-vg
$ sudo lvcreate -n stuff -L 200g media-vg
$ sudo lvcreate -n gallery -l 100%FREE media-vg
$ sudo lvdisplay

Format partitions

$ sudo mkfs.fat -F32 /dev/sda1
$ sudo mkfs.ext4 /dev/sda2
$ sudo mkfs.ext4 /dev/media-vg/root
$ sudo mkfs.btrfs /dev/media-vg/home
$ sudo mkswap /dev/media-vg/swap_1
$ sudo mkfs.btrfs /dev/media-vg/stuff
$ sudo mkfs.btrfs /dev/media-vg/gallery

Mount partitions and restore data

Set up the folder structure and mount the partitions:
$ sudo mount /dev/media-vg/root /mnt/
$ sudo mkdir /mnt/boot/ && sudo mount /dev/sda2 /mnt/boot/
$ sudo mkdir /mnt/boot/efi && sudo mount /dev/sda1 /mnt/boot/efi
$ sudo mkdir /mnt/home/ && sudo mount /dev/media-vg/home /mnt/home/
$ sudo mkdir /mnt/stuff/ && sudo mount /dev/media-vg/stuff /mnt/stuff/
$ sudo mkdir /mnt/gallery/ && sudo mount /dev/media-vg/gallery /mnt/gallery/

Now, copy over all the files from the old system to the new system.

Note: If you are installing the OS fresh, you can stop following the guide here, as the next steps are no longer relevant, and proceed with the OS installation the usual way. As a matter of fact, I believe that once you have created the encrypted OPAL partition (/dev/sda3), you could switch to the installation tool at that point and create the LVM from it. However, I have not tried a fresh installation, so I can't confirm.

chroot into the system

First bind the live system's pseudo filesystems into the new root

$ for i in /dev /dev/pts /proc /sys /sys/firmware/efi/efivars /run; do sudo mount -o bind $i /mnt$i; done

chroot into the system

$ sudo chroot /mnt/

Update partition and LVM related information

Update /etc/fstab. To find the UUIDs, use the blkid command. Below is the one for my system.

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/dev/mapper/media--vg-root /               ext4    errors=remount-ro 0       1
# /boot was on /dev/sda2 during installation
UUID=e63fbce3-8e20-40ed-af1a-17b73768f853 /boot           ext4    defaults        0       2
# /boot/efi was on /dev/sda1 during installation
UUID=CDDE-67F3  /boot/efi       vfat    umask=0077      0       1
/dev/mapper/media--vg-home /home           btrfs   defaults        0       0
/dev/mapper/media--vg-swap_1 none            swap    sw              0       0
/dev/mapper/media--vg-gallery /gallery           btrfs   defaults,nofail        0       0
/dev/mapper/media--vg-stuff /stuff           btrfs   defaults,nofail        0       0

Update /etc/crypttab (you are inside the chroot, so this is /mnt/etc/crypttab as seen from the live system). To get the UUID of the LUKS partition, run cryptsetup luksUUID /dev/sda3. Below is the one for my system.

sda3_crypt UUID=42834177-2cb5-45ef-897f-af1c85f35bf1 none luks,discard

Additionally, generate an LVM metadata backup

# vgcfgbackup media-vg

Finally, update the initramfs. This step is needed: the initramfs carries its own copy of crypttab and of the cryptsetup binary, and both must be the new ones (cryptsetup 2.7.0 or newer) for the drive to be unlocked at boot.

# update-initramfs -u -k all

Reinstall grub from within chroot

Reinstall GRUB to the appropriate disk (without partition number)

# grub-install /dev/sda

Generate the GRUB configuration file. If the drive is SATA, first check that GRUB_CMDLINE_LINUX in /etc/default/grub contains libata.allow_tpm=1, for the same reason the option was needed on the live system: without it the initramfs cannot send the OPAL unlock commands to the drive.

# update-grub

Boot into system

Now, exit chroot and reboot the system, remove Debian live and boot into the new system.
