1. Joined : Feb 2016
    Posts : 6
    Windows 10 Pro x64
       13 Sep 2016 #1

    Help required in selecting the right encryption option for C drive


    I'm running Windows 10 Pro x64 desktop PC with a Samsung Pro 850 256 as my main C drive. Other specs are 3770k and 16GB of DDR3. I also have a TPM chip installed on my mainboard. I've already encrypted all my secondary HDD's with BitLocker, but I'm still undecided which option I should take with C drive encryption? I was strongly leaning toward regular BitLocker with TPM enabled, but then I read about TrueCrypt, which apparently goes recommended by many. But by looking from Samsung Magician my SSD seems to support three types of hardware data security modes: Class 0, TCG Opal and generally named option "Encrypted Drive", which says its based on BitLocker. I like the idea of hardware encryption without any kind of performance hit, as well as best possible protection for my data in case my system gets lost to wrong hands.

    I'd love to hear an opinion of an expert which way I should go? If one of those SSD hardware encryptions is a good choice, how do I enable it?
      My System SpecsSystem Spec

  2.    13 Sep 2016 #2

    I'd use bitlocker and set it up using the hardware encryption as you are offloading the encryption from the CPU to the SSD. You can only do this on a clean install though How to Enable BitLocker Hardware Encryption with SSDs Helge Klein

    Make sure you follow the bit about RST drivers (see here Bitlocker turned itself off, Samsung Magician Says Encryption enabled - Windows 10 Forums )

    Failing that (if you don't want to do a clean install and are willing to take the small performance hit) software based bitlocker would be preferable to TrueCrpyt as it isn't developed any more. Even TrueCrypt advise migrating to bitlocker TrueCrypt

    There is an active branch of TrueCrypt called VeraCrypt. but as it doesn't support TPM I'd stick with bitlocker personally.

    I use software based bitlocker (as my SSD doesn't support hardware based) and without TPM (as I don't have one) and I don't notice the performance overhead. MS says it "imposes a single-digit percentage performance overhead" whatever that means. Source
      My System SpecsSystem Spec


  3. Joined : Feb 2016
    Posts : 6
    Windows 10 Pro x64
       13 Sep 2016 #3

    @lx07 Many thanks! What do you think should I use BitLocker with or without the TPM chip for C drive?*


    *Gigabyte GA-Z77X-D3H (rev. 1.1) motherboard with Gigabyte GC-TPM rev. 1.0 TPM module
      My System SpecsSystem Spec

  4.    13 Sep 2016 #4

    nitelife said: View Post
    @lx07 Many thanks! What do you think should I use BitLocker with or without the TPM chip for C drive?*


    *Gigabyte GA-Z77X-D3H (rev. 1.1) motherboard with Gigabyte GC-TPM rev. 1.0 TPM module
    With TPM. I can't think of a reason not to use it and it is what MS recommend. I just don't as I don't have one.

    I'm not sure but I think TPM 1.2 is required. Would have to hunt for some documentation on that though.

    Edit: Yes, 1,2 is required - TPM recommendations (Windows 10)

    You can check your TPM version by running tpm.msc and it will tell you if your chip is compatible.
      My System SpecsSystem Spec


  5. Joined : Feb 2016
    Posts : 6
    Windows 10 Pro x64
       13 Sep 2016 #5

    lx07 said: View Post
    With TPM. I can't think of a reason not to use it and it is what MS recommend. I just don't as I don't have one.

    I'm not sure but I think TPM 1.2 is required. Would have to hunt for some documentation on that though.

    Edit: Yes, 1,2 is required - TPM recommendations (Windows 10)

    You can check your TPM version by running tpm.msc and it will tell you if your chip is compatible.
    I believe the chip should be TPM rev. 1.2. I think that rev. 1.0 is a Gigabyte internal revision for the chip.
    *edit: Yep, Device Manager says it's a 1.2 chip. I actually have two chips. The first one (apparently TPM2.0) chip didn't work with my mobo (on the left) and Gigabyte send me a new compatible one (see here).

    There's no way around that clean install? A possibility that comes to my mind is cloning the unencrypted drive to a file and then enabling the encryption and secure erasing the drive. After that you'd tag the USB mounted drive with the clone on a second system. Not possible?
      My System SpecsSystem Spec

  6.    13 Sep 2016 #6

    nitelife said: View Post
    There's no way around that clean install? A possibility that comes to my mind is cloning the unencrypted drive to a file and then enabling the encryption and secure erasing the drive. After that you'd tag the USB mounted drive with the clone on a second system. Not possible?
    I really don't know, sorry. It sounds as it would work but one of the comments in that guide above says this:

    According to the Samsung Tooltip, to get hardware encryption of an OS drive, you have to install a NEW Operating System on it.
    Basically, the steps required would be:
    1. Plug the OS drive into A DIFFERENT MACHINE (or the same machine if you’re planning to wipe it, but you can’t boot off of the drive yet…)
    2. Do the DISKPART cleaning of the SSD.
    3. Run Samsung Magician and “Secure Erase” the drive.
    4. Change the drive to “Ready to Enable”.
    5. Shut down the computer and install the new OS to the drive.
    6. After OS comes up, enable BitLocker on the SSD.
    7. Done!
    Don't know if replacing step 5 with "restore image" would work or not. You could try it - it wouldn't take long. If it didn't work you could perhaps clean install, then restore your image then activate bitlocker.
      My System SpecsSystem Spec


 


Similar Threads
Thread Forum
Option to set up an exact time for doing defrag on hard drive?
My friend I have another question. This doesn't have relation to the topic but I would like to know if there is some option to set up an exact time for doing Defrag in your hard drive. I mean in the options only appears " daily, weekly and monthly"...
Performance & Maintenance
Selecting Printing Size
With Windows XP, when I printed a shipping label on Ebay I could select the page size as a %. Now, with Windows 10, I cannot. The shipping label are PDFs. I can't edit their content, but I do want to be able to alter the size of the label to fit...
General Support
BitLocker Drive Encryption Shortcut - Create in Windows 10
How to Create a BitLocker Drive Encryption Shortcut in Windows 10 You can use BitLocker Drive Encryption to help protect your files on an entire drive. BitLocker can help block hackers from accessing the system files they rely on to discover...
Tutorials
BitLocker Drive Encryption Status - Check in Windows 10
How to Check Status of BitLocker Drive Encryption for Drive in Windows 10 You can use BitLocker Drive Encryption to help protect your files on an entire drive. BitLocker can help block hackers from accessing the system files they rely on to...
Tutorials
Solved Selecting a file by starting to type its name... No longer an option?
In Windows 7, and before, in Explorer, I could start to type a name of a file that I wanted and Explorer would jump down to that file, but under Windows 10, it automatically starts doing a search of the folder. As such, I am forced to scroll down...
General Support
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd

All times are GMT -5. The time now is 10:16.
Find Us
Twitter Facebook Google+



Windows 10 Forums