Help required in selecting the right encryption option for C drive


  1. Posts : 6
    Windows 10 Pro x64
       #1



    I'm running a Windows 10 Pro x64 desktop PC with a Samsung Pro 850 256 as my main C drive. Other specs are a 3770k and 16GB of DDR3. I also have a TPM chip installed on my mainboard. I've already encrypted all my secondary HDDs with BitLocker, but I'm still undecided which option I should take for C drive encryption. I was strongly leaning toward regular BitLocker with TPM enabled, but then I read about TrueCrypt, which apparently comes recommended by many. But looking at Samsung Magician, my SSD seems to support three types of hardware data security modes: Class 0, TCG Opal and a generally named option "Encrypted Drive", which says it's based on BitLocker. I like the idea of hardware encryption without any kind of performance hit, as well as the best possible protection for my data in case my system falls into the wrong hands.

    I'd love to hear an expert's opinion on which way I should go. If one of those SSD hardware encryptions is a good choice, how do I enable it?


  2. Posts : 5,478
    2004
       #2

    I'd use BitLocker and set it up using the hardware encryption, as you are offloading the encryption from the CPU to the SSD. You can only do this on a clean install though: "How to Enable BitLocker Hardware Encryption with SSDs" (Helge Klein).

    Make sure you follow the bit about RST drivers (see "Bitlocker turned itself off, Samsung Magician Says Encryption enabled" - Windows 10 Forums).

    Failing that (if you don't want to do a clean install and are willing to take the small performance hit), software-based BitLocker would be preferable to TrueCrypt, as it isn't developed any more. Even TrueCrypt advise migrating to BitLocker (TrueCrypt).

    There is an active branch of TrueCrypt called VeraCrypt, but as it doesn't support TPM I'd stick with BitLocker personally.

    I use software-based BitLocker (as my SSD doesn't support hardware-based) and without TPM (as I don't have one), and I don't notice the performance overhead. MS says it "imposes a single-digit percentage performance overhead", whatever that means. (Source)


  3. Posts : 6
    Windows 10 Pro x64
    Thread Starter
       #3

    @lx07 Many thanks! What do you think: should I use BitLocker with or without the TPM chip for the C drive?*


    *Gigabyte GA-Z77X-D3H (rev. 1.1) motherboard with Gigabyte GC-TPM rev. 1.0 TPM module


  4. Posts : 5,478
    2004
       #4

    nitelife said:
    @lx07 Many thanks! What do you think: should I use BitLocker with or without the TPM chip for the C drive?*


    *Gigabyte GA-Z77X-D3H (rev. 1.1) motherboard with Gigabyte GC-TPM rev. 1.0 TPM module
    With TPM. I can't think of a reason not to use it and it is what MS recommend. I just don't as I don't have one.

    I'm not sure but I think TPM 1.2 is required. Would have to hunt for some documentation on that though.

    Edit: Yes, 1.2 is required - TPM recommendations (Windows 10)

    You can check your TPM version by running tpm.msc and it will tell you if your chip is compatible.


  5. Posts : 6
    Windows 10 Pro x64
    Thread Starter
       #5

    lx07 said:
    With TPM. I can't think of a reason not to use it and it is what MS recommend. I just don't as I don't have one.

    I'm not sure but I think TPM 1.2 is required. Would have to hunt for some documentation on that though.

    Edit: Yes, 1.2 is required - TPM recommendations (Windows 10)

    You can check your TPM version by running tpm.msc and it will tell you if your chip is compatible.
    I believe the chip should be TPM rev. 1.2. I think that rev. 1.0 is a Gigabyte internal revision for the chip.
    *edit: Yep, Device Manager says it's a 1.2 chip. I actually have two chips. The first chip (apparently TPM 2.0) didn't work with my mobo (on the left) and Gigabyte sent me a new compatible one (see here).

    There's no way around that clean install? A possibility that comes to my mind is cloning the unencrypted drive to a file and then enabling the encryption and secure erasing the drive. After that you'd tag the USB mounted drive with the clone on a second system. Not possible?


  6. Posts : 5,478
    2004
       #6

    nitelife said:
    There's no way around that clean install? A possibility that comes to my mind is cloning the unencrypted drive to a file and then enabling the encryption and secure erasing the drive. After that you'd tag the USB mounted drive with the clone on a second system. Not possible?
    I really don't know, sorry. It sounds as if it would work, but one of the comments in that guide above says this:

    According to the Samsung Tooltip, to get hardware encryption of an OS drive, you have to install a NEW Operating System on it.
    Basically, the steps required would be:
    1. Plug the OS drive into A DIFFERENT MACHINE (or the same machine if you’re planning to wipe it, but you can’t boot off of the drive yet…)
    2. Do the DISKPART cleaning of the SSD.
    3. Run Samsung Magician and “Secure Erase” the drive.
    4. Change the drive to “Ready to Enable”.
    5. Shut down the computer and install the new OS to the drive.
    6. After OS comes up, enable BitLocker on the SSD.
    7. Done!
    Don't know if replacing step 5 with "restore image" would work or not. You could try it - it wouldn't take long. If it didn't work you could perhaps clean install, then restore your image, then activate BitLocker.
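
    An added example, not part of any post in this thread: a PowerShell check to run after step 6 of the quoted procedure, reporting the TPM state that tpm.msc shows and whether BitLocker on the system drive is actually using the SSD's hardware encryption or software AES. The function name Get-SystemDriveEncryptionReport is hypothetical; it assumes an elevated prompt on a Windows edition that ships the BitLocker and TrustedPlatformModule modules.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# Get-SystemDriveEncryptionReport is a hypothetical helper name.
function Get-SystemDriveEncryptionReport {
    param([string]$MountPoint = $env:SystemDrive)

    # TPM state as seen by Windows (the same facts tpm.msc displays).
    $tpm = Get-Tpm
    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    # SpecVersion looks like "1.2, 2, 3"; the first field is the TPM spec version.
    $spec = if ($tpmWmi) { ($tpmWmi.SpecVersion -split ',')[0].Trim() } else { $null }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = @($vol.KeyProtector | Where-Object { $_ } |
        ForEach-Object { "$($_.KeyProtectorType)" })

    # 'HardwareEncryption' means the drive's own engine is doing the work;
    # an AES / XTS-AES value means BitLocker is encrypting in software on the CPU.
    $mode = switch ($vol.EncryptionMethod.ToString()) {
        'None'               { 'not encrypted' }
        'HardwareEncryption' { 'hardware (drive-based)' }
        default              { "software ($_)" }
    }

    $warnings = @()
    if (-not $tpm.TpmPresent)   { $warnings += 'No TPM detected.' }
    elseif (-not $tpm.TpmReady) { $warnings += 'TPM present but not ready for use.' }
    if ($vol.ProtectionStatus.ToString() -ne 'On') {
        $warnings += 'BitLocker protection is off or suspended.'
    }
    if (-not ($protectors -like 'Tpm*')) {
        $warnings += 'No TPM-based key protector on this volume.'
    }
    if ($protectors -notcontains 'RecoveryPassword') {
        $warnings += 'No recovery password protector; add one and store it offline.'
    }

    [pscustomobject]@{
        MountPoint     = $vol.MountPoint
        TpmSpecVersion = $spec
        TpmReady       = $tpm.TpmReady
        EncryptionMode = $mode
        VolumeStatus   = $vol.VolumeStatus
        KeyProtectors  = $protectors -join ', '
        Warnings       = $warnings
    }
}

Get-SystemDriveEncryptionReport | Format-List
```

    If EncryptionMode reports software after following the hardware-encryption steps, the drive was not accepted as an Encrypted Drive when BitLocker was enabled, which is the case the RST driver note in post #2 is about.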


 
