HOW TO MANAGE ENCRYPTION OF 960 PRO

SOLVED
Constellation

Re: HOW TO MANAGE ENCRYPTION OF 960 PRO

I can't find the inverted check mark to indicate that this 'solution' is unacceptable.

Why will Samsung not make the 960 series drives E-Drive compatible as they implied they would at time of launch? I have purchased 3 Samsung NVME drives with the expectation of being able to use them with drive level hardware encryption managed via Bitlocker. Laptop manufacturers are NOT at all concerned about data security so it's unacceptable for Samsung to 'pass the buck' by mentioning BIOS level drive encryption - especially as Samsung spoke repeatedly of 'future firmware upgrades' for EDrive IEEE 1667.

Is Samsung concerned about data security for its users? Are they concerned about their professional reputation?

It seems not.

Asteroid

Re: HOW TO MANAGE ENCRYPTION OF 960 PRO

It's pretty sad that the edrive support that was promised to be added at a later date via a firmware update is suddenly being swept under the rug. But the same promise was made for the 950 as well, and in the end nothing came of that either so it's not like we should have seriously expected anything of it.

Nebula

Re: HOW TO MANAGE ENCRYPTION OF 960 PRO

Hello userJ3GddBfYDO and BaronKrause,

Unfortunately there are no current plans for adding E-drive support to the 960 drives. The IEEE 1667 Standard for E-drive does not support NVME, so until Microsoft addresses this, Samsung cannot go about preparing E-drive for our NVME drives.

E-drive was not announced for the 960 drives. Some reviewers misreported that.

"Samsung spoke repeatedly of 'future firmware upgrades' for EDrive IEEE 1667" That was only for the 950 Pro and due to the above reason, the message was changed to "The plan to provide a firmware update to enable TCG/OPAL and IEEE1667 has been put on hold".

 




Constellation

Re: HOW TO MANAGE ENCRYPTION OF 960 PRO

This is not Samsung's fault. The IEEE 1667 standard does not support NVMe yet.

 

> IEEE 1667 TCG Transport Silo is a requirement for “eDrive” support
>> eDrive in 30 seconds:
>>> Starting with Windows 8, MS BitLocker is able to manage SEDs that implement Opal 2.00, Single User Mode Feature Set, and the IEEE 1667 TCG Transport Silo

> IEEE 1667 has begun working on a IEEE 1667 transport technical proposal for NVMe
>> Enables general access to IEEE 1667 silos over NVMe, including 1667 TCG Transport Silo
>>> TCG Transport Silo – alternate transport for TCG Opal commands
>> Enables management of Windows eDrive for NVMe Opal SEDs which use Opal 2.00

 

Asteroid

Re: HOW TO MANAGE ENCRYPTION OF 960 PRO

Ahh so edrive is not supported at all on NVMe huh, that explains that then.

As far as the other 2 encryption methods go, how is Class 0? My ThinkPad supports it via a BIOS-set hard drive password. It can even be set to use your saved fingerprint data to swipe once at preboot and it will unlock your drive and log into the Windows account for that fingerprint. Magician registers that Class 0 is enabled as well.

Is this currently the best option for NVMe on a Windows 10 Pro machine if it supports it (not all machines do)?

From my understanding all Samsung drives are self encrypting, but the key is kept on the drive (making it useless from a security standpoint) and Class 0 simply shifts the password from the drive to the computer's TPM chip.

When I went to read about it I came across conflicting information on how secure it is. I've read someone say that it can be bypassed by plugging the hard drive into another system that supports TPM based hard drive passwords and that it would unlock with that system's password. This sounds like it would be an absolutely absurd security loophole, is there any validity to it?

Constellation

Re: HOW TO MANAGE ENCRYPTION OF 960 PRO

I believe Class 0 is supported through ATA over NVMe, a mechanism which lets you send legacy ATA commands to NVMe drives. AFAIK the only BIOS which supports this is on the ThinkPad, but it only works with one model of Lenovo's OEM drives (probably a whitelist).

Class 0 is a black-box implementation. In older drives it was nothing more than security through obscurity. Even on early SEDs it was insecure. Drives usually had hardcoded recovery keys or stored the password on the disk. On later drives it's presumably secure. The DEK > AEK > Password chain can only be derived with the correct password, which is never stored on the disk. It's still possible for a secret recovery key to exist which can decrypt the DEK.

IIRC the TCG OPAL specification requires that drives which also support Class 0 must implement it securely like above. So the Samsung 850 Pro etc. are probably equally secure in either Class 0, e-Drive or TCG Opal mode.
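
The DEK > AEK > password chain described in the post above, as an added sketch that is not part of the original thread and is not any drive vendor's firmware. The function names, PBKDF2 as the key-derivation step and the HMAC-based wrap (a stand-in for AES key wrap) are all assumptions made for illustration; it shows what persists on the drive, why a wrong password fails, and how a recovery-wrapped copy of the DEK sidesteps the password.

```python
import hashlib, hmac, os

ITER = 100_000  # PBKDF2 rounds (constructed value for this demo)

def _mac(key, label, data=b""):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _wrap(kek, dek):
    # Toy authenticated wrap: XOR with a keyed pad, then append a tag.
    ct = bytes(a ^ b for a, b in zip(dek, _mac(kek, b"pad")))
    return ct + _mac(kek, b"tag", ct)

def _unwrap(kek, blob):
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, _mac(kek, b"tag", ct)):
        return None  # wrong key: the DEK stays unrecoverable
    return bytes(a ^ b for a, b in zip(ct, _mac(kek, b"pad")))

def _aek(password, salt):
    # The AEK is re-derived from the password at every unlock, never stored.
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITER)

def provision(password, recovery_key=None):
    """Return (dek, stored); `stored` is everything that persists on the drive."""
    dek, salt = os.urandom(32), os.urandom(16)
    stored = {"salt": salt, "wrapped_dek": _wrap(_aek(password, salt), dek)}
    if recovery_key is not None:
        # The caveat from the post: a second wrapped copy opens the DEK
        # without the user's password.
        stored["recovery_wrapped_dek"] = _wrap(recovery_key, dek)
    return dek, stored

def unlock(stored, password):
    return _unwrap(_aek(password, stored["salt"]), stored["wrapped_dek"])

def recover(stored, recovery_key):
    blob = stored.get("recovery_wrapped_dek")
    return _unwrap(recovery_key, blob) if blob else None

def change_password(stored, old, new):
    dek = unlock(stored, old)
    if dek is None:
        raise PermissionError("old password rejected")
    salt = os.urandom(16)
    # Only the wrapper changes; the DEK, and so the data on flash, is untouched.
    return {**stored, "salt": salt, "wrapped_dek": _wrap(_aek(new, salt), dek)}

if __name__ == "__main__":
    dek, stored = provision(b"demo-password")
    print(unlock(stored, b"demo-password") == dek, unlock(stored, b"guess"))
```
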

Asteroid

Re: HOW TO MANAGE ENCRYPTION OF 960 PRO

That was very informative! Thanks.

Just in case anyone was interested, the ThinkPad I was able to enable Class 0 on with my Samsung 960 Evo was an X1 Yoga.

Constellation

Re: HOW TO MANAGE ENCRYPTION OF 960 PRO

Bitlocker performance comparison on my new Samsung 960 Pro 512GB:

[Image: bitlockeronvsoff.jpg]

The results are consistent with those of this 960 EVO user: https://www.tenforums.com/drivers-hardware/81852-does-my-bitlocker-use-hardware-acceleration.html

No complaints about those figures from me. Based on the information in previous posts, I assume Bitlocker is not using the drive's self-encryption hardware, but in my configuration there doesn't appear to be a huge amount of overhead to the 'software' mode (perhaps it's less power-efficient, which might be significant for laptop users). Speed was my main worry, because experience with VeraCrypt is of a major performance hit even if the CPU can do AES at 5GB/s, and I'd read Bitlocker had the same issue, though to a lesser extent.

My main question is whether software Bitlocker will undermine the drive's 'garbage collection' ability, or whatever it is SSDs do to maintain their performance.

Anonymous

Re: HOW TO MANAGE ENCRYPTION OF 960 PRO

Hi Koela,

 

Bitlocker or any supported encryption used with the drive will not affect garbage collection or any maintenance feature. The maintenance features of the drive are done at the hardware level by the drive's controller.

Constellation

Re: HOW TO MANAGE ENCRYPTION OF 960 PRO

I've tried driver 2.3 which has in the release notes: "Support encrypted drive"

 

I cannot get Magician to enable Encrypted Drive on my 960 EVO after installing this driver and Magician on a temporary Windows volume on another drive. Do I have to secure erase first, or wait for a firmware update?

 
