Asteroid

970 EVO+ BitLocker OS Drive - Not Working


Ok so I installed two brand new 970 EVO+ M.2 SSDs in my system. The 1 TB model is used as my OS drive and the 2 TB is used as a secondary drive.

I am trying to enable hardware-based encryption using BitLocker on Windows 10 Pro. Here are the steps I have taken and the results:

1)  Used Samsung Magician software to enable "Encrypted Drive" on both of the drives.

2)  Booted to the Secure Erase Utility and performed a secure erase on both drives

3)  Performed a fresh installation of Windows 10 Pro

4)  Checked Samsung Magician software and both drives show "Enabled" as the status under "Encrypted Drive"

5)  I updated the group policy setting on the system to prevent BitLocker from reverting to software-based encryption when hardware-based encryption is unavailable. I also enabled "additional authentication at startup" because I do not have a TPM.

6)  I am unable to encrypt the OS drive using hardware encryption. I of course get an error stating that it failed because it couldn't revert to software-based encryption.

7)  Strangely enough the hardware-based encryption works on the secondary 2 TB drive. BitLocker comes right to the screen asking me to set up a password and USB drive (I have no TPM).

They are the exact same drives just in different sizes. The only difference here is that one is an OS drive and the other a fixed data drive. The board is an ASUS ROG STRIX Z270E with the latest available BIOS.

I don't want to use software based encryption due to the IO performance cost.  Any advice greatly appreciated.
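The setup in the question hinges on two things that are easy to misread from the BitLocker wizard alone: whether the group policy really forbids the software fallback (step 5), and which encryption method each volume actually ended up with (steps 6 and 7, where the data drive got hardware encryption and the OS drive did not). The following audit script is an added example and is not from the original post or from Samsung; it reads the policy values the BitLocker Group Policy templates write under HKLM\SOFTWARE\Policies\Microsoft\FVE, then reports the encryption method and TPM state. The value names (OSHardwareEncryption, OSAllowSoftwareEncryptionFailover, FDVHardwareEncryption, FDVAllowSoftwareEncryptionFailover, UseAdvancedStartup, EnableBDEWithNoTPM) and the "expected" settings reflect the configuration the poster describes, not anything the post lists explicitly.

```powershell
# Added example (not from the original post): audit BitLocker hardware-encryption
# policy and per-volume encryption method. Run from an elevated PowerShell on a
# Windows 10 Pro machine that has the BitLocker module installed.
# Registry value names are the ones the Group Policy templates write under
# HKLM\SOFTWARE\Policies\Microsoft\FVE; "Expect" encodes the poster's intended setup.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicy {
    param([string]$Name)
    # Returns $null when the policy is "Not Configured" (key or value absent).
    $item = Get-ItemProperty -Path $fve -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Policies relevant to step 5 of the question.
$checks = @(
    @{ Name = 'OSHardwareEncryption';              Expect = 1; Desc = 'OS drive: hardware encryption allowed' },
    @{ Name = 'OSAllowSoftwareEncryptionFailover'; Expect = 0; Desc = 'OS drive: fall back to software encryption' },
    @{ Name = 'FDVHardwareEncryption';             Expect = 1; Desc = 'Fixed drive: hardware encryption allowed' },
    @{ Name = 'FDVAllowSoftwareEncryptionFailover'; Expect = 0; Desc = 'Fixed drive: fall back to software encryption' },
    @{ Name = 'UseAdvancedStartup';                Expect = 1; Desc = 'Require additional authentication at startup' },
    @{ Name = 'EnableBDEWithNoTPM';                Expect = 1; Desc = 'Allow BitLocker without a compatible TPM' }
)

'== BitLocker policy (HKLM\SOFTWARE\Policies\Microsoft\FVE) =='
foreach ($c in $checks) {
    $actual = Get-FvePolicy -Name $c.Name
    $state = if ($null -eq $actual) { 'Not Configured (default applies)' }
             elseif ($actual -eq $c.Expect) { "OK ($actual)" }
             else { "MISMATCH (is $actual, expected $($c.Expect))" }
    '{0,-38} {1,-48} {2}' -f $c.Name, $c.Desc, $state
}

"`n== Volume status =="
Get-BitLockerVolume | ForEach-Object {
    # EncryptionMethod is 'Hardware' when BitLocker handed the work to the drive's
    # own self-encrypting engine; an AES/XTS value means software encryption; 'None'
    # means the volume is not encrypted at all.
    $mode = switch ($_.EncryptionMethod) {
        'Hardware' { 'hardware (drive SED)' }
        'None'     { 'not encrypted' }
        default    { "software ($($_.EncryptionMethod))" }
    }
    '{0,-4} {1,-16} {2,-12} {3,-24} {4,5:N1}% encrypted' -f `
        $_.MountPoint, $_.VolumeType, $_.ProtectionStatus, $mode, $_.EncryptionPercentage
}

"`n== TPM =="
try {
    $tpm = Get-Tpm
    "TPM present: $($tpm.TpmPresent); ready: $($tpm.TpmReady)"
} catch {
    'Get-Tpm not available on this system'
}
```

On the system described in the question the expected picture is every policy row reporting OK, the 2 TB data volume showing "hardware (drive SED)", and the OS volume showing "not encrypted" because the wizard refused to fall back. A MISMATCH or "Not Configured" on OSAllowSoftwareEncryptionFailover would instead mean the wizard is free to silently pick software encryption, which is worth knowing before concluding the firmware is at fault.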

Accepted Solutions
Asteroid

Re: 970 EVO+ BitLocker OS Drive - Not Working


I'm going to answer my own question here. I have done extensive research on this issue and found the following:

1) The BIOS manufacturer has to support BitLocker hardware encryption for the NVMe boot drive. In my case the Asus motherboard does not appear to support this.
2) You can use hardware encryption with something called SEDutil. This installs as a bootloader and uses the hardware encryption to encrypt the drive. This is not an easy thing to install (see below). I have not tried this solution.
3) You can use BitLocker with software encryption. This is going to add overhead and reduce IO performance.

I like BitLocker because I can use my USB drive to unlock and boot the device instead of entering a password. It's also dead simple to set up and easy to recover with the recovery key.

So for those of you that have a BIOS that does not support hardware BitLocker encryption of NVMe boot drives, these appear to be your options:

SEDutil (Hardware):

Pros:

  • better IO performance using hardware encryption (only in theory as I did not test)

Cons:

  • Difficult and time-consuming install; requires the user to be very tech savvy
  • concerns over ability to recover data in the event the drive is not bootable
  • slightly shorter drive life due to the requirement to use hibernation vs sleep
  • Secure boot not supported
  • You must enter a boot password (no USB drive option)
  • Project seems inactive for quite some time

Personal opinion: I just don't trust it on a production system.

Bitlocker (Software):

Pros:

  • Secure boot supported
  • password or USB drive supported
  • no issues with sleep
  • easy to recover using recovery keys
  • generally much easier to use

Cons:

  • Reduced IO performance. In my setup I observed that sequential read/write stayed about the same but random read/write took a 50% hit.

Conclusion for me: While bitlocker results in reduced IO performance it makes up for this in all other areas. I am going to run Bitlocker in software mode for the boot drive in my device. At the lowest performing benchmark (Random read/write) the drive is still about 80% faster than my unencrypted SATA SSD it replaced.

[Screenshots: drive benchmark results with No Encryption and with BitLocker Software Encryption]
