I have been asked several times what the difference between a TCG Opal and TCG Enterprise SED (Self-Encrypting Drive) is. From a specification perspective they are both outputs of the TCG Storage Work Group and both have their roots in the Trusted Storage Architecture Core Specification developed in the Storage Work Group.

The “Core” specification is pretty broad and comprehensive. Not all the features of the core spec are applicable to all use cases so we have the concept of a Security Subsystem Class (SSC). Basically an SSC contains the subset of core functionality that is required for a particular application.

Opal and Enterprise are SSCs:

  • The Opal SSC is intended for mobile devices such as tablets, notebooks and desktops. It can be any bus type (SATA, PCIe, etc.) and any media type (HDD, SSD, etc.), but is generally targeted as the secure storage for these types of devices.
  • The Enterprise SSC is for fixed media storage devices in high performance storage systems i.e. servers that need high capacity, high speed, very reliable, fixed storage. Unlike an Opal drive an Enterprise drive is more likely to be physically larger (3 ½ “) and support the higher performing SAS bus type.

There are lots of similarities between the Opal and Enterprise interface specifications and some differences. The primary difference that matters to us is that Opal drives have an MBR shadow and Enterprise drives don’t. The MBR shadow is an area where we can store our pre-boot authentication application (PBA), which is off the map and hidden from the native OS. The native OS on the laptop or server doesn’t even know of its existence. When the computer boots the PBA application runs from the MBR Shadow, authenticates, unlocks the drive and then boots into the original OS.

Recently we came across an application that required the features of both Opal and Enterprise drives. The customer has servers running in remote locations with the following requirements:

  • they must boot without an operator present,
  • the OS running on the servers can be any flavor of Linux or Windows Server,
  • the data must protected with FIPS 140 certified AES encryption,
  • and the servers must authenticate before booting in case the whole server is stolen

It’s a tall order.

The solution:

Start with SecureDoc for OSA (OS Agnostic) and a FIPS 140 certified Opal drive for the boot disk. OSA runs from the MBR shadow so that any native OS can be supported on the server.

Configure PBConnex Autoboot so that the server can boot unattended by obtaining the required authentication keys over the network from a centralized SES key manager to unlock the drives

Add as many FIPS certified TCG Enterprise drives as you need to get the storage capacity, through-put and reliability and enhance OSA to be able to obtain the Enterprise drive authentication keys from the SES key manager as well

We call the solution SecureDoc OSA for Servers.

If you would like to see the solution in action, Seagate and WinMagic are showing OSA for Servers managing Seagate Enterprise and Opal drives in the Demonstration Showcase at TCG’s annual workshop during RSA Conference 2014 on Monday February 24, 2014 in San Francisco.

References: Opal and Enterprise FAQ


Leave a Comment


Garry McCracken

About Garry McCracken /

Garry, a CISSP, has more than 30 years of experience in data communications and information security. He has contributed to the development of WinMagic's full-disk encryption solutions for desktops, laptops, and other mobile devices. When he is not saving the world of data encryption, he takes off his cape to relax and enjoy life at the cottage. Garry writes from a position of technical expertise since we first started SecureSpeak, making him the longest running blogger at WinMagic.
Garry McCracken