08-16-2017 01:06 AM
I can't find the inverted check mark to indicate that this 'solution' is unacceptable.
Why will Samsung not make the 960 series drives E-Drive compatible as they implied they would at time of launch? I have purchased 3 Samsung NVME drives with the expectation of being able to use them with drive level hardware encryption managed via Bitlocker. Laptop manufacturers are NOT at all concerned about data security so it's unacceptable for Samsung to 'pass the buck' by mentioning BIOS level drive encryption - especially as Samsung spoke repeatedly of 'future firmware upgrades' for EDrive IEEE 1667.
Is Samsung concerned about data security for its users? Are they concerned about their professional reputation?
It seems not.
08-16-2017 06:56 AM
It's pretty sad that the edrive support that was promised to be added at a later date via a firmware update is suddenly being swept under the rug. But the same promise was made for the 950 as well, and in the end nothing came of that either, so it's not like we should have seriously expected anything of it.
08-16-2017 07:05 AM
Unfortunately there are no current plans for adding E-drive support to the 960 drives. The IEEE 1667 Standard for E-drive does not support NVME, so until Microsoft addresses this, Samsung cannot go about preparing E-drive for our NVME drives.
E-drive was not announced for the 960 drives. Some reviewers misreported that.
"Samsung spoke repeatedly of 'future firmware upgrades' for EDrive IEEE 1667" That was only for the 950 Pro and due to the above reason, the message was changed to "The plan to provide a firmware update to enable TCG/OPAL and IEEE1667 has been put on hold".
08-16-2017 07:22 AM - edited 08-16-2017 07:23 AM
This is not Samsung's fault. The IEEE 1667 standard does not support NVMe yet.
> IEEE 1667 TCG Transport Silo is a requirement for “eDrive” support
>> eDrive in 30 seconds:
>>> Starting with Windows 8, MS BitLocker is able to manage SEDs that implement Opal 2.00, Single User Mode Feature Set, and the IEEE 1667 TCG Transport Silo
> IEEE 1667 has begun working on a IEEE 1667 transport technical proposal for NVMe
>> Enables general access to IEEE 1667 silos over NVMe, including 1667 TCG Transport Silo
>>> TCG Transport Silo – alternate transport for TCG Opal commands
>> Enables management of Windows eDrive for NVMe Opal SEDs which use Opal 2.00
08-16-2017 10:33 AM - edited 08-16-2017 10:35 AM
Ahh so edrive is not supported at all on NVMe huh, that explains that then.
As far as the other 2 encryption methods go, how is Class 0? My Thinkpad supports it via a bios set hard drive password. It can even be set to use your saved fingerprint data to swipe once at preboot and it will unlock your drive and log into the windows account for that fingerprint. Magician registers that Class 0 is enabled as well.
Is this currently the best option for NVMe on a Windows 10 Pro machine if it supports it (not all machines do)?
From my understanding all Samsung drives are all self encrypting, but the key is kept on the drive (making it useless from a security standpoint) and Class 0 simply shifts the password from the drive to the computer's TPM chip.
When I went to read about it I came across conflicting information on how secure it is. I've read someone say that it can be bypassed by plugging the hard drive into another system that supports TPM based hard drive passwords and that it would unlock with that system's password. This sounds like it would be an absolutely absurd security loophole. Is there any validity to it?
08-16-2017 12:04 PM
I believe Class 0 is supported through ATA over NVMe, a mechanism which lets you send legacy ATA commands to NVMe drives. AFAIK the only BIOS which supports this is on the ThinkPad, but it only works with one model of Lenovo's OEM drives (probably a whitelist).
Class 0 is a blackbox implementation. In older drives it was nothing more than security through obscurity. Even on early SEDs it was insecure. Drives usually had hardcoded recovery keys or stored the password on the disk. On later drives it's presumably secure. The DEK > AEK > Password chain can only be derived with the correct password, which is never stored on the disk. It's still possible for a secret recovery key to exist which can decrypt the DEK.
IIRC the TCG OPAL specification requires that drives which also support Class 0 must implement it securely like above. So the Samsung 850 Pro etc. are probably equally secure in either Class 0, e-Drive or TCG Opal mode.
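The Password > AEK > DEK chain described in the post above, modelled as an added Python example (not part of the thread and not any vendor's firmware): the drive keeps only a salt and wrapped copies of the DEK, so a wrong password yields nothing, while a second wrapped slot opens the same DEK. `ToySED`, the slot layout, the PBKDF2 parameters and the HMAC-based wrap (a stand-in for AES key wrap) are assumptions made for illustration.

```python
import hashlib, hmac, os

def derive_aek(password: str, salt: bytes) -> bytes:
    """Password -> AEK. The password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _stream(kek: bytes, nonce: bytes) -> bytes:
    return hmac.new(kek, b"wrap" + nonce, hashlib.sha256).digest()

def _tag(kek: bytes, nonce: bytes, ct: bytes) -> bytes:
    return hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()

def wrap(kek: bytes, dek: bytes) -> bytes:
    """Toy authenticated wrap of a 32-byte DEK (stand-in for AES key wrap)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(dek, _stream(kek, nonce)))
    return nonce + ct + _tag(kek, nonce, ct)

def unwrap(kek: bytes, blob: bytes):
    """Return the DEK, or None if kek is not the key that wrapped it."""
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, _tag(kek, nonce, ct)):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(kek, nonce)))

class ToySED:
    """Hypothetical on-drive state: a salt plus wrapped DEK slots only."""
    def __init__(self, password: str, recovery_key: bytes = None):
        dek = os.urandom(32)          # media key, generated inside the drive
        self.salt = os.urandom(16)
        self.slots = [wrap(derive_aek(password, self.salt), dek)]
        if recovery_key is not None:  # extra slot: opens the DEK without the password
            self.slots.append(wrap(recovery_key, dek))

    def unlock(self, password: str):
        return unwrap(derive_aek(password, self.salt), self.slots[0])

    def unlock_with_key(self, key: bytes):
        for blob in self.slots[1:]:
            dek = unwrap(key, blob)
            if dek is not None:
                return dek
        return None

    def change_password(self, old: str, new: str) -> bool:
        dek = self.unlock(old)
        if dek is None:
            return False
        self.salt = os.urandom(16)    # only the wrap changes; user data is not re-encrypted
        self.slots[0] = wrap(derive_aek(new, self.salt), dek)
        return True
```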
09-28-2017 09:08 PM - edited 09-28-2017 09:18 PM
Bitlocker performance comparison on my new Samsung 960 Pro 512GB:
The results are consistent with those of this 960 EVO user: https://www.tenforums.com/drivers-hardware/81852-does-my-bitlocker-use-hardware-acceleration.html
No complaints about those figures from me. Based on the information in previous posts, I assume Bitlocker is not using the drive's self-encryption hardware, but in my configuration there doesn't appear to be a huge amount of overhead to the 'software' mode (perhaps it's less power-efficient, which might be significant for laptop users). Speed was my main worry, because experience with VeraCrypt is of a major performance hit even if the CPU can do AES at 5GB/s, and I'd read Bitlocker had the same issue, though to a lesser extent.
My main question is whether software Bitlocker will undermine the drive's 'garbage collection' ability, or whatever it is SSDs do to maintain their performance.
10-31-2017 05:33 PM - edited 10-31-2017 06:16 PM
I've tried driver 2.3 which has in the release notes: "Support encrypted drive"
I cannot get Magician to enable Encrypted Drive on my 960 EVO after installing this driver and Magician on a temporary Windows volume on another drive. Do I have to secure erase first, or wait for a firmware update?