SSD to support hardware based full disk encryption via BitLocker?

Hi everyone:

I'm trying to build a new desktop PC and I'm wondering if you can
suggest which SSD (and motherboard) do I need to purchase to have it
support hardware based full disk encryption with Windows 10 via
BitLocker?

I'm currently settling on Intel Core i9-7900X Skylake-X 10-Core 3.3
GHz CPU that has to go into the Intel X299 Chipset motherboard.

So I was checking, for instance "Samsung 970 PRO 512GB - NVMe PCIe M.2 2280 SSD".

But will it support hardware based full disk encryption? And if no, which one will? I'm looking for faster M.2 drives.

Yes, thanks. I know. I use Bitlocker now on a Windows 8.1 machine for a full disk encryption. But because it's a software emulated (even with the use of the Intel CPU AES instructions) it slows down disk I/O. That is why I was wondering if that newer M.2 SSD module supports it.

As for Samsung, I did ask at their forums and got nothing.

If you have Windows 10 Pro, I think setting up Bitlocker with hardware assisted encryption is possible (albeit it is a long winded procedure). See if this article helps where the author used a Samsung SSD 850 Pro with the Samsung Magician Software.

How to Enable BitLocker Hardware Encryption with SSDs Helge Klein

( Personally, I would think hardware encryption only adds an extra layer of complication for a not very large gain in performance, but that is only my opinion ).

das10 said:

If you have Windows 10 Pro, I think setting up Bitlocker with hardware assisted encryption is possible (albeit it is a long winded procedure). See if this article helps where the author used a Samsung SSD 850 Pro with the Samsung Magician Software.

How to Enable BitLocker Hardware Encryption with SSDs Helge Klein

( Personally, I would think hardware encryption only adds an extra layer of complication for a not very large gain in performance, but that is only my opinion ).

Oh, thanks for the link! I'll read through it.

Just from curiosity though, why do you think that hardware based full disk encryption will not significantly speed up disk I/O?

PS. You know that Samsung Magician software does bring back (bad) memories when I was trying to set up hardware encryption with my current (older) SSD. I can't remember now but it just failed to set one setting. Now I'm hoping, with the Samsung 970 Pro SSD (which is 2 generations ahead) they have ironed out the kinks. (Fingers crossed.) My only concern is that it's a newer M.2 module and not the conventional one that connects via a SATA cable.

Man, why can't they make it easier!

Have you seen this article with regard to 970 Pro M2
Solved: 970 Pro M2: cannot do hardware encrypt - Samsung Community - 330809

"Just from curiosity though, why do you think that hardware based full disk encryption will not significantly speed up disk I/O?"

That is just an opinion in the context of the added complexity of setting it up, that's all.

A quick update.

I already re-installed Windows 10 three times, and I still can't make this hardware based encryption to work.

To recap.

I have two SSD drives:

- C: boot drive: Samsung SSD 970 PRO 512GB
- D: drive: Samsung SSD 970 EVO 1TB

So to avoid wasting time on re-installing Windows, I decided to try to enable it on drive D: first.

I followed these steps:

1. Bring disk D: to uninitialized state first. From Windows PowerShell (admin):

diskpart
list disk
select disk 1
clean
exit

2. Start up Samsung Magician (btw, it doesn't look like anything that I see in screenshots here or here)

Then select my drive "Samsung SSD 970 EVO 1TB"

At the bottom I have to hit the > chevron to scroll the bottom menu to the left and then pick "Data Security".



In "Encrypted Drive" section, click "Ready to enable".













The screen changes to this:







Then switch to "Secure Erase" and Run Secure Erase. Insert a blank USB and write into it.

Exit Sumsung Magician.



3. Reboot computer, mash Del key to enter UEFI/BIOS. Then enable Compatibility Support Module (CSM) and disable Secure Boot. Restart.

4. Mash F12 to get to the boot menu. Then boot from the USB thumb drive created above.

5. Accept the warning and select disk 2 to securely erase it. Receive confirmation of success.

6. Reboot and mash Del to enter BIOS again. Then disable Compatibility Support Module (CSM) and enable Secure Boot. (Have to reboot twice to satisfy this dumb BIOS that wants to know that my video card supports secure boot.)

7. Reboot and load up Windows 10 pro. Log in with my account.8. Start up Magician again. This time, if I go back to Data Security it still shows "Ready to enable" instead of "Encrypted drive enabled" as suggested here:








9. OK, f' it. I close magician and go to Disk Management in Windows. Give that drive a GPT partition and then assign it a driver letter D:

10. Go to it in Windows Explorer, right click it, select "turn on Bitlocker" -> automatically unlock this drive -> save key to a file -> and then it shows this dreaded software encryption window:




ARGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH!!!!!!!!



So what am I doing wrong??????

Caledon Ken said:

What date is your BIOS?

I just updated it before installing Win10. msinfo32 says:

American Megatrends Inc. F3e, 6/25/2018

Caledon Ken said:

Have you requested Samsung support on this? (Sorry, I didn't read back on this thread)

Yes. Contacted both "Samsung Memory Services" and then Gigabyte. (The motherboard is GIGABYTE X299 AORUS GAMING 7 PRO).

All I'm getting so far is a run-around from Samsung and nothing from Gigabyte (today is day 2 as I sent them an email. Their website was quite janky and didn't even acknowledge that my message was sent. If someone knows a better way to contact them, please let me know.)

Here's the first generic message that I received from Samsung:

Does your system specifically provide hardware encryption for NVME drives? A lot of modern system do not provide support for encrypting NVME drives as of yet. If your system supports hardware encryption you must find out what types of drive can the BIOS encrypt.

Very helpful, right? It sure doesn't say this on their sale page for those NVMe SSDs.

I then gave them the exact model of the motherboard and asked for clarification. Here's what I received this morning:

To enable the E-Drive encryption on the drive it needs to be installed as the primary drive in the system.

Well, as I mentioned in this thread above, I have two drives. And I tried several times with the 970 PRO drive as a boot C drive. It just takes much longer to reinstall Windows and then encrypt it. It still didn't work. That is why I switched to trying it with the D drive.

Crap! So where do I go from here?