How to enable hardware encryption on Samsung SSD 850 EVO w/o UEFI?

ahmd · 28 Jan 2017

I have an older Dell Inspiron 1750 laptop. I replaced its original spinning HDD with a brand new Samsung SSD 850 EVO drive, that was advertised as supporting hardware encryption. So now I'm trying to enable it.

Here's what I did:

1. Installed Windows 10 Pro from OEM disk, no crapware, just Microsoft stuff.

2. Installed Samsung Magician software from the disc that came with the SSD drive.

3. (Tried to) enable encryption. (The UI is kinda weird to understand.) I set it to "Encrypted Drive" which for some reason says "ready to enable":

4. I then ran the BitLocker on drive C:. This laptop doesn't have TPM chip and I had to use a USB stick to unlock it. It took several reboots, but now the drive shows as encrypted:

5. But now the question is -- does it use hardware or software encryption?

The Windows Explorer UI doesn't seem to tell me that. So I ran the manage-bde -status c: command and got this:

Which kinda looks like the hardware encryption is NOT enabled.

So what am I missing here?

PS. I keep finding some scarce references online that for the hardware encryption to work, it requires a UEFI (instead of BIOS) which this laptop does not have. It just has an older BIOS. But can I still use hardware encryption without UEFI?

EDIT: After a suggestion I tried to disable BitLocker and then ran the following command:

manage-bde -on c: -fet Hardware -startupkey d:

and got this result:

Code:
C:\Windows\system32>manage-bde -on c: -fet Hardware -startupkey d:
BitLocker Drive Encryption: Configuration Tool version 10.0.14393
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [Windows]
[OS Volume]
ERROR: An error occurred (code 0x803100b2):
The drive specified does not support hardware-based encryption.

NOTE: If the -on switch has failed to add key protectors or start encryption,
you may need to call "manage-bde -off" before attempting -on again.

Caledon Ken · 29 Jan 2017

According to this article to use E-Drive, which after reading equates to Encrypted drive, you must be UEFI based. Read what should I watch out for when using e-Drive.

The article within reason explains their different options.

Access Denied

ahmd · 29 Jan 2017

Thanks. And yes, I guess I'm stuck with the software-based encryption since the BIOS I have does not support UEFI and Windows 10 BitLocker won't use hardware based encryption because of that, even if the SSD supports it. I just wish they had it documented better -- both in Samsung manual and in their sales page (Amazon) before you buy it.

But you know, after watching this presentation, I'm kinda thinking that maybe software based encryption is somewhat safer:
Bypassing of Self-Encrypting Drives – Techniques for Hackers and Forensic Investigators - YouTube

Caledon Ken · 30 Jan 2017

I'm a big believer in encryption but with that said I also know the risks. Had two people on these forums in the last two weeks that had lost access to their data.

I encrypted data when I take it out of my house and for files on my computer I ensure I have an unencrypted copy safely tucked away.

It's really important to keep copies of keys outside encryption so you can access. It also important to test your ability to decrypt your data on a alternate machine should your machine meet an untimely demise, like fried motherboard.

ahmd · 30 Jan 2017

Yes, all you need to save (with BitLocker) is Identifier and Recovery Key. The former is used to ID the drive if you have several, and the latter is a form of your private key for decryption. Both can be easily tucked away into your favorite password manager. I personally use LastPass.

Also make sure to watch the video I linked to above. It proves that even a full disk encryption can be bypassed in some cases. Pretty unnerving stuff though.

Caledon Ken · 30 Jan 2017

I use password safe and as I don't use cloud I keep a copy outside my encrypted data when its offsite.