   comp.os.linux.advocacy      Torvalds farts & fans know what he ate      164,974 messages   


   Message 163,814 of 164,974   
   Maria Sophia to Paul   
   Re: Microsoft gave FBI a set of Bitlocke   
   24 Jan 26 22:26:45   
   
   XPost: alt.comp.os.windows-11   
   From: mariasophia@comprehension.com   
      
   Paul wrote:   
   > On Sat, 1/24/2026 6:39 PM, CrudeSausage wrote:   
   >> On Sat, 24 Jan 2026 19:56:25 -0000, Bill Brownley wrote:   
   >>   
   >>> Alan K. wrote:   
   >>>   
   >>>> And ....   
   >>>> Is there a substitute for Bitlocker?   What if I don't want to use it,   
   >>>> but still want encryption?   
   >>>   
   >>> Yes, lots.   
   >>>    
   >>>   
   >>>   
   >>> [Removed 张文尉's crosspost to alt.conspiracy]   
   >>   
   >> It seems that just about every solution there would be safer than   
   >> Microsoft's, but I imagine that VeraCrypt remains the most popular   
   >> alternative. Does VeraCrypt work if you intend to use a storage device's   
   >> OPAL hardware encryption?   
   >>   
   >   
   > There is no mention of that topic here.   
   >   
   > https://en.wikipedia.org/wiki/VeraCrypt   
   >   
   > You will find in the software world, a general distrust of "punting"
   > to someone else's implementation :-) "What would Linus Torvalds say?" :-)
   >   
   > https://en.wikipedia.org/wiki/Opal_Storage_Specification   
   >   
   >    "Radboud University researchers indicated in November 2018 that some   
   >     hardware-encrypted SSDs, including some Opal implementations,   
   >     had security vulnerabilities.[5]   
   >   
   >     [5] Meijer, Carlo; van Gastel, Bernard (19–23 May 2019).   
   >         Self-Encrypting Deception: Weaknesses in the Encryption of   
   >         Solid State Drives. 2019 IEEE Symposium on Security and Privacy (SP).   
   >         San Francisco, CA, USA: IEEE. pp. 72–87.   
   >    "   
   >   
   > The advantage of software-based methods, is that, as they are
   > cracked, you can just toss them out of the crypto-suite. There   
   > is fast turnaround for correcting a situation.   
   >   
   > Just as right now, SHA-512 is being popularized, as quantum computer chill   
   > appears on the horizon. Like MD5, the warnings appear ahead of the actual   
   > attack. And while you sit there sipping a coffee, there are people   
   > beavering away on hardened algorithms to withstand quantum attack.   
      
   Drat. I had to look up what the heck OPAL is. OPAL is a standard from the
   Trusted Computing Group for self-encrypting drives. An OPAL-capable SSD
   encrypts all data internally and stores the encryption keys inside the
   drive firmware.
      
   The idea is that the drive can lock itself and only unlock after a
   hardware-based authentication step. In practice some OPAL implementations
   have had serious weaknesses, so many people prefer software encryption
   where the user controls the keys instead of the drive firmware.
      
   However, VeraCrypt does not integrate with OPAL hardware encryption.   
      
   If OPAL is enabled, then the SSD is already encrypting itself at the   
   hardware layer and VeraCrypt only sees an already encrypted block device.   
      
   In that setup VeraCrypt cannot manage the OPAL keys or verify how the   
   hardware encryption is implemented.   
      
   Most people who use VeraCrypt with an OPAL-capable SSD simply disable OPAL
   in the drive firmware and let VeraCrypt handle all encryption in software.
      
   This avoids the known weaknesses in some OPAL implementations and keeps the   
   threat model simple because the only keys that matter are the ones   
   VeraCrypt controls.   
      
   So the short summary, from what I've been able to ascertain, is that   
   VeraCrypt works on OPAL-capable drives, but not with OPAL. We pick one   
   system or the other, where most security guides I've seen recommend   
   software encryption unless we fully trust the hardware vendor.   
   --   
   On Usenet, shared knowledge keeps the confusion to a minimum.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
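Added example, not from this thread and not code from VeraCrypt or the sedutil project: a small POSIX shell helper that classifies a drive's TCG Opal locking state from `sedutil-cli --query` output, which is the check worth running before following the post's advice to turn hardware encryption off and let VeraCrypt own the keys. The field names `LockingSupported`, `LockingEnabled` and `Locked` are the ones sedutil prints in its "Locking function" line; the sample outputs below are constructed, not captured from real drives, and `/dev/nvme0` in `check_device` is a placeholder.

```shell
#!/bin/sh
# Added example (not from the Usenet thread). Classifies a drive's Opal locking
# state so you know whether hardware encryption is active before layering
# VeraCrypt/LUKS on top of it.  Feed it the text of `sedutil-cli --query DEV`.

# Pull a single Y/N field such as "LockingEnabled = Y" out of the query text.
# Greedy `.*` anchors on the last match, so "Locked" never matches "LockingEnabled".
opal_field() {
    printf '%s\n' "$1" | sed -n "s/.*$2[[:space:]]*=[[:space:]]*\([YN]\).*/\1/p" | head -n 1
}

# opal_state TEXT -> unsupported | supported-unlocked | enabled | locked
opal_state() {
    supported=$(opal_field "$1" LockingSupported)
    enabled=$(opal_field "$1" LockingEnabled)
    locked=$(opal_field "$1" Locked)
    if [ "$supported" != "Y" ]; then
        echo unsupported            # no Opal locking feature: software encryption is the only option
    elif [ "$enabled" = "Y" ] && [ "$locked" = "Y" ]; then
        echo locked                 # OS sees an inaccessible device until it is unlocked
    elif [ "$enabled" = "Y" ]; then
        echo enabled                # drive firmware holds the keys: the situation the post says to avoid
    else
        echo supported-unlocked     # Opal present but idle: VeraCrypt can safely own the encryption
    fi
}

# Defender-facing summary of what each state means for a software-encryption plan.
advice() {
    case "$(opal_state "$1")" in
        unsupported)        echo "No Opal locking; use VeraCrypt/LUKS, nothing to disable." ;;
        supported-unlocked) echo "Opal idle; set up software encryption and leave locking off." ;;
        enabled)            echo "Opal active; disable it in firmware first (reverting can erase the drive, back up)." ;;
        locked)             echo "Opal locked; unlock or revert before touching the device." ;;
    esac
}

# Live use on a real system (not run here): requires root and sedutil installed;
# SATA drives additionally need the libata.allow_tpm=1 kernel parameter.
check_device() {
    advice "$(sedutil-cli --query "$1" 2>&1)"
}

# CONSTRUCTED samples shaped like sedutil's "Locking function" output.
SAMPLE_ENABLED='/dev/nvme0 EXAMPLE-SSD FW0000
Locking function (0x0002)
    Locked = N, LockingEnabled = Y, LockingSupported = Y, MBRDone = Y, MBREnabled = Y, MediaEncrypt = Y'
SAMPLE_LOCKED='/dev/nvme0 EXAMPLE-SSD FW0000
Locking function (0x0002)
    Locked = Y, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = Y, MediaEncrypt = Y'
SAMPLE_OFF='/dev/nvme0 EXAMPLE-SSD FW0000
Locking function (0x0002)
    Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y'
SAMPLE_NONOPAL='/dev/sda is not an Opal device'

for s in "$SAMPLE_ENABLED" "$SAMPLE_LOCKED" "$SAMPLE_OFF" "$SAMPLE_NONOPAL"; do
    printf '%-18s %s\n' "$(opal_state "$s")" "$(advice "$s")"
done
```

On a real machine run `check_device /dev/nvme0` (or the actual device) as root; the point of the classification is that "enabled" and "supported-unlocked" are the two states that look identical from inside the OS, yet only the second matches the single-key threat model the post describes.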



(c) 1994,  bbs@darkrealms.ca