SSD to support hardware based full disk encryption via BitLocker?


  1. Posts : 12,799
    Windows 11 Pro
       #21

    Atto is very good as well as Crystal Disk Mark.


  2. Posts : 3,272
    Win10
       #22

    Also an overall System Performance benchmarking tool such as Cinebench would be really useful (or for a quick look even cpu-z's benchmark may be useful).


  3. Posts : 186
    Xp, Vista, 7, 8.1, 10
    Thread Starter
       #23

    OK, guys. I think I'm done playing with it. Here are the results of my research.

    TL;DR: I failed to enable hardware encryption on those two NVMe drives. But succeeded on the older 860 EVO SATA III drive. (I'll give the steps at the end.) And at this stage I'll start migrating my files. So no more drive erasing. :)


    First off, I'm done dealing with the Samsung and Gigabyte tech support. The Samsung fella stopped responding when I informed him that his idea to wipe my C: drive and re-install the OS did not produce the desired results. (Just as I suspected.)

    As for the Gigabyte tech support (or, the motherboard maker) then, I tell ya, it is quite something. Let me give you a screenshot. (I think if I emailed this same question to my grandmother, I'd get a better answer.)






    OK, here's what I did. I plugged that 970 PRO drive into another computer. Then removed partitions with DISKPART, then LIST DISK, SELECT DISK <n>, CLEAN. Then booted up from the Magician-created USB and securely erased it. Then plugged it back into this PC and installed Win10 Pro on it. Then went to activate Bitlocker on drive C: and .... what would you know, it again defaulted to the software encryption like the 3 times before. So I gave up and just went with it.

    Then did the same thing with the 970 EVO drive, except this time I did it on the same machine as it was a data drive. It too defaulted to the software encryption.

    Lastly, remembering reading that older SATA III drives allowed hardware encryption, I tried the following steps and IT WORKED!

    So here it is if anyone else wants to enable hardware encryption on an older SATA III drive:

    I did it with the "Samsung SSD 860 EVO 250GB -- SATA III" drive.


    • If you're planning to use it as a boot drive. (I'm assuming) you will need to enable "Secure boot" and disable CSM (or "Compatibility Support Module") in UEFI/BIOS. That also means that if you had previously installed Windows 10 on that drive, it will have to be re-installed.
    • (I'm also assuming that) you don't need a TPM (or "Trusted platform module") chip. In my case I had it, so I don't know. I personally prefer to encrypt the boot drive and keep the key on a USB thumb drive instead of a TPM. (I keep the USB stick in a safe, separate from the computer itself. That way if someone takes the computer they will not be able to get the data. Also with a key on a separate USB stick, physically separated from the encrypted data, all kinds of boot and TPM shenanigans/hacks will not be effective. Additionally, following the recent security news, if your data is of the utmost importance to you, make sure to disable sleep and hibernation in BIOS and in Windows. There are recent attacks on the Bitlocker encryption key stored in RAM that utilize a "sleeping" system.)
    • Run PowerShell as admin, and do the following to remove partitions from the disk. (WARNING: It will erase ALL data from the drive without any warnings!)

      diskpart
      list disk
      select disk n
      clean
      exit

      (in the sequence above n is the number of the disk to erase. Match it by the disk's total size.)
    • Download and run Samsung Magician. (Get it only from the Samsung website!) Then select your drive at the top of the Magician window and at the bottom, scroll that weird toolbar to the left to reveal "Data security" button. Click it. Then click "Ready to enable" in the "Encrypted drive" section.
    • Then click the refresh button on the top, or reload Magician. Again using that bottom scrolling toolbar pick "Secure Erase" and then "Run secure erase."
    • Get an empty USB stick ready. Plug it in. Erase everything on it. Make sure that it's formatted as FAT32 and has a drive letter assigned. Then have Magician install its secure erase Linux loader on it.
    • Then close Magician. (You might want to remove it from Windows autorun. Because it will, of course, put itself in there.)
    • Reboot and see if you can boot from the USB stick that was created above. If that doesn't work (if you have secure boot enabled in BIOS to boot into Windows 10) you will need to temporarily disable "secure boot" and also enable "CSM". Then you should be able to boot to that USB stick.
    • When booted up, select the right drive for secure erase. The process should take seconds. (In some circumstances, you might get a message about a "frozen drive", directing you to unplug the SATA power from the SSD drive while the computer is running. Yes, I'm not kidding, Samsung "geniuses" seriously want you to do that. I had to do it today. Yikes!)
    • When secure erase is done (make sure you get a confirmation) go back into BIOS and re-enable "secure boot" if you disabled it earlier. And then disable CSM.
    • Boot back to Windows 10.
    • (I didn't try to install the OS on that drive. In my case it was a data drive. So I assume if you wanted to install Windows 10 on it, then do it now.) Otherwise, for a data drive, boot into Windows 10, go to Disk Management from the right-click menu on the Start button and initialize this erased SSD as GPT, create a partition and give it a drive letter.
    • Open Windows Explorer and right-click on this SSD drive (that was just securely erased) and pick "Turn on Bitlocker." Follow through the several windows that will ask you some questions about where to save your recovery key. MAKE SURE to save it. Without it, your data will be gone forever! I personally save the key in my password manager. It's just a long hex string.
    • In my case, I had boot drive C: already encrypted with Bitlocker, so I had an option to "Automatically unlock the drive on this computer" (not verbatim, but something close to it.) I picked it. This way you won't have to provide the decryption key every time after boot. The key will be daisy-chained to your encrypted drive C.
    • Then (drum roll) if the drive took the hardware encryption you will NOT get a window asking you whether you'd want to encrypt only the used space on the drive, or the entire drive. If you see that, then it wants to do the software encryption. (You can cancel and start over, possibly undoing some previous steps.) For the hardware encryption, there'll be a window asking you to reboot. (Or just to set it, for a data drive.) And the encryption itself will be instantaneous.



    (By the way, @lx07, the steps you gave in one of your last replies were in the wrong order.)

    Lastly, to check that you have everything encrypted, for instance for the following drives:



    Here's what I did in the admin PowerShell:






    If you see "Hardware Encryption ...." in the Encryption Method, then you're golden! Otherwise, it's either unencrypted or it's a method for the software encryption, such as XTS-AES 128.


    -------------------------------------------------------------------------------------------------

    Lastly, I promised some benchmark tests. Here's my compilation for each of those 3 drives before and after encryption:


    Samsung SSD 970 PRO 512GB -- M.2 NVMe (boot drive)








    Samsung SSD 970 EVO 1TB -- M.2 NVMe







    Samsung SSD 860 EVO 250GB -- SATA III








    As you see, my results with and without software based encryption are somewhat close. The reads and writes of larger data chunks are almost the same. The difference shows up on smaller random I/O (which is most of what disks are used for).

    Still, the small difference in tests proves that I can probably live with just the software encryption. It's sad that brand new (faster) drives can't support something that an older drive can. Sounds like someone rushed a product to the market without ironing out all the kinks.

    So going back to my tests, I'm not sure why I didn't get more of a discrepancy in timing. Maybe it's because I chose to encrypt only the used space on the drives (and both are pretty much empty at this stage) so the encryption is not performed on that part of the disks where those benchmark tests were running, or maybe my beefier CPU and RAM smoothed it all out.

    BTW, here's the (relevant) stats on the system that I ran it on:

    CPU: Intel i9-7940X

    RAM: 64GB DDR4 at 3200MHz

    That CPU has built-in AES instructions, so it too can handle encryption at its own hardware level. So maybe that's why I got those results.

    (I didn't include the suggested Cinebench tests since those mostly measure CPU performance.)


    I was also somewhat surprised to learn that a cheaper EVO drive outperformed a more expensive PRO drive. In my book something named "PROfessional" should have better performance. But, oh well.


    Lastly if someone wants to follow a more detailed account, here's the source where I was taking most of the steps for encrypting the drives from.

    All in all, thanks everyone, who contributed!
    Hope you have better luck with it.
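The check the thread starter describes (looking at the Encryption Method of each volume from an admin PowerShell), written out as an added example; this is not the poster's own script, and it assumes Windows 10 Pro with the BitLocker PowerShell module (Get-BitLockerVolume) and manage-bde available in an elevated session.

```powershell
# Added example (not from the original post): list every BitLocker volume and
# say whether it ended up with hardware (self-encrypting drive) or software
# encryption. Assumes an elevated PowerShell on Windows 10 Pro with the
# BitLocker module installed.
#Requires -RunAsAdministrator

function Get-BitLockerEncryptionKind {
    foreach ($v in Get-BitLockerVolume) {
        $method = [string]$v.EncryptionMethod
        $kind = switch -Regex ($method) {
            '^None$'    { 'not encrypted' }
            '^Hardware' { 'HARDWARE encryption (the drive does the AES itself)' }
            default     { "software encryption ($method, done by the CPU)" }
        }
        [pscustomobject]@{
            Drive        = $v.MountPoint
            VolumeStatus = $v.VolumeStatus      # e.g. FullyEncrypted / FullyDecrypted
            Protection   = $v.ProtectionStatus  # On / Off (key protectors active?)
            Method       = $method
            Result       = $kind
        }
    }
}

Get-BitLockerEncryptionKind | Format-Table -AutoSize

# Same information in plain text; a hardware-encrypted drive shows
# "Encryption Method: Hardware Encryption - <OID>" instead of e.g. "XTS-AES 128".
manage-bde -status
```

If a drive you expected to be hardware encrypted shows XTS-AES 128 here, BitLocker fell back to software encryption, which is exactly the outcome the post reports for the two NVMe drives.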


  4. Posts : 3,272
    Win10
       #24

    Thank you for taking the time to do a thorough investigation and posting back the results of the tests.

    Just one more question, do you use Macrium Reflect or any other imaging program, and do you know whether restoring an image to the hardware encrypted disk maintains the "Hardware Encryption" status or does it revert to "Software Encryption" for some reason? (I only ask because I recall reading about somebody having problems restoring to that hardware encryption status, although I can't find that article anywhere.)

    Kind regards.


  5. Posts : 186
    Xp, Vista, 7, 8.1, 10
    Thread Starter
       #25

    das10 said:
    Just one more question, do you use Macrium Reflect or any other imaging program, and do you know whether restoring an image to the hardware encrypted disk maintains the "Hardware Encryption" status or does it revert to "Software Encryption" for some reason? (I only ask because I recall reading about somebody having problems restoring to that hardware encryption status, although I can't find that article anywhere.)
    You know I haven't imaged anything for a while, so I can't answer that.

    My guess is that an image is created off of decrypted data. But that's just a guess. The thing about imaging for me is that it kinda defeats the purpose of the full disk encryption. I mean, if you create an image of your data that is not encrypted, what's the purpose of the full disk encryption in the first place, since you just copied it to an unencrypted medium? Well, maybe if you keep the image in the safe then it would be OK. Anyway, that's the reason why I stopped imaging. (That, and also buggy and unreliable software ... cough, Acronis.)

    Here's what I do for my backups.

    I separate the OS and the data. As soon as I install Windows, I move Desktop, Documents, Pictures, Videos, Downloads, etc. to another disk. Usually D:. (In my case I also use Virtual Machines, so those get their own designated drives.)

    I do three types of backups:

    1. Automatic Windows File History backup (akin to Time Machine on a Mac) goes to an external 2TB drive that is also protected with full-disk encryption with Bitlocker. I do this for most data folders only, folders that I use daily.

    2. Then Veeam Agent for Windows (free edition) does automatic (nightly) versioning backups of all drives (except C) onto my Synology DS918+ NAS that is physically located at my friend's house (same town). It's a 4TB RAID setup. That is for an "offsite" backup. (My friend has his NAS at my house that he uses to back up his files to.) The NAS's root folder is encrypted. Plus all logins to the NAS require 2FA.

    3. The most important files (of a relatively small size up to 500MB) also go to my Google Drive, another copy to Microsoft's One Drive, and then a copy to Mega.nz. All encrypted with a password using WinRar 5 format before uploading.

    This way if something happens (mostly if I delete some file that I shouldn't have deleted) I can restore it from the File History backup (that is local and fast).

    Otherwise in case of a more serious malfunction, I would wipe the drive C and reinstall Windows. It's pretty easy since I know that it doesn't have any of my data. Just the OS. I would then install a new copy of the OS and plug in my data drives, configure everything, etc. It still takes several hours to complete, though.


  6. Posts : 3,272
    Win10
       #26

    Ok, thanks for your explanation.

