cancel
Showing results for 
Search instead for 
Did you mean: 
frl
Constellation

Re: HOW TO MANAGE ENCRYPTION OF 960 PRO

JUMP TO SOLUTION

Hi Ricky,

 

Thanks for your answer - I agree it might be complex and take time for industry to converge - but the question is what can you do as Samsung support to help speed up the whole thing? 

 

Even though Gigabyte have their contacts (told me they are working with AMI) - what needs to be done may not be general knowledge and it would help to point exactly at what would need to be fixed so that it can receive attention (otherwise people will park it as "unknown issues which we are going to waste time to investigate as the whole thing immature...).

 

Now we know it is fixable as someone posted here they got it to work with Lenovo T480S - so someone should know exactly what has to be done to make it work today and it would help out the ecosystem if you could let know what BIOS support should have specifically so people in this community can relay to the various vendors. Once BIOS vendors would receive very pointed request from multiple motherboard makers they are more likely to prioritize this fix in their next mainstream release train.

 

BR,

 

Francois

Reply
Loading...
user0lp4cs2lC3
Constellation

Re: HOW TO MANAGE ENCRYPTION OF 960 PRO

JUMP TO SOLUTION

As an alternative have you tried the TCG Opal software vendors listed here: https://trustedcomputinggroup.org/wp-content/uploads/tcg_devicelist-20120108.pdf

 

In Samsung Magician > Data Security > TCG Opal it says you need specific software to activate (as above). 

 

I installed SecureDoc standalone and it automatically enabled TCG Opal hardware encryption. Yes you need to buy the software but it's worth it. SecureDoc seems good value for money compared to other vendors and also it's easier to use. 

 

I have enabled TCG Opal hardware encryption on my Samsung 960 EVO. 

Reply
Loading...
userHYlOw6oTN6
Astronaut

Re: HOW TO MANAGE ENCRYPTION OF 960 PRO

JUMP TO SOLUTION

Hardware encryption worked on a Lenovo T470s containing a Samsung PM981, both with latest BIOS and Windows 10 Bitlocker. 

Reply
Loading...
userqW8vNpR3Zm
Asteroid

Re: HOW TO MANAGE ENCRYPTION OF 960 PRO

JUMP TO SOLUTION

@userHYlOw6oTN6 wrote:

Hardware encryption worked on a Lenovo T470s containing a Samsung PM981, both with latest BIOS and Windows 10 Bitlocker. 


Can you please a bit more precise? Your Samsung PM981 with enabled eDrive works as boot drive under Windows 10 Bitlocker?

If that is the case, then it would be the first NVMe drive I've heard that is working that way.

Can you tell which BIOS you have on the Lenovo?

 

My ASUS Mainboard has now got the third BIOS update since the problem was "marked as solved" but still not working.

Reply
Loading...
Highlighted
usercvKgsWZDed
Asteroid

Re: HOW TO MANAGE ENCRYPTION OF 960 PRO

JUMP TO SOLUTION

Hardware bitlocker confirmed working on 970 Pro installed in Lenovo ThinkPad X1 Carbon 5th Gen:

 

DISKPART> select disk 0

Disk 0 is now the selected disk.

DISKPART> detail disk

Samsung SSD 970 PRO 1TB
Disk ID: {C8E77EA5-CDA8-465D-AC77-574FCD974D13}
Type   : NVMe
Status : Online
Path   : 0
Target : 0
LUN ID : 0
Location Path : PCIROOT(0)#PCI(1C04)#PCI(0000)#NVME(P00T00L00)
Current Read-only State : No
Read-only  : No
aBoot Disk  : Yes
Pagefile Disk  : Yes
Hibernation File Disk  : No
Crashdump Disk  : Yes
Clustered Disk  : No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0         Recovery     NTFS   Partition    499 MB  Healthy
  Volume 1     C                NTFS   Partition    953 GB  Healthy    Boot
  Volume 2                      FAT32  Partition     99 MB  Healthy    System

DISKPART> exit

Leaving DiskPart...

C:\>manage-bde -status c:
BitLocker Drive Encryption: Configuration Tool version 10.0.17134
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: []
[OS Volume]

    Size:                 953.27 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password

 

Procedure was enabled encrypted drive in Magician, created secure erase USB, changed BIOS settings to enable boot from secure erase USB, erased SSD and then installed Windows 1803 from USB.

 

Software Bitlocker was automatically enabled during Windows install. Installed Samsung NVMe driver and Magician. Checked encrypted drive satus in Magician (= Enabled). Decrypted drive and then renabled Bitlocker.  Rebooted to allow compatibility check (or whatever it's called). Once rebooted, ran manage-bde and confirmed hardware encryption now in use. Smiley Happy

 

Reply
Loading...
userC7eWFjd0vl
Constellation

Re: HOW TO MANAGE ENCRYPTION OF 960 PRO

JUMP TO SOLUTION

Thank you for the info. I took a look through the BIOS file for the Lenovo laptop and it looks like they are just using the standard nvmexpress.dxe for NVMe support.  I dug a little deeper, and there is a securitystub.dxe that makes reference to NVMe in it.  It would sure help if someone from Samsung could be more specific on exactly where the problem is.  I'm assuming that it has something to do with lack of support of IEEE1667 for NVMe drives since opal seems to work fine.  If I get some time, I'll try to dig a little deeper and see if I can figure anything out.  If someone here has more experience in BIOS modding, I'd love some input.   I already contacted my motherboard manufacturer about a BIOS update and their response was that they don't support it. so no help there.  I think if we want this to work, we're going to have to do it ourselves.  It's sad that Samsung treats their longtime customers like this.  

Reply
Loading...
Anonymous
Not applicable

Re: HOW TO MANAGE ENCRYPTION OF 960 PRO

JUMP TO SOLUTION

Hello userC7eWFjd0vl,

 

As mentioned previously, Samsung cannot provide assistance with an issue that is BIOS related. We are the drive manufacturer, not the BIOS manufacturer. There are companies that are aware of the situation, but will only provide support or updates for the BIOS versions or systems that they deem as neccessary or when they are ready to roll out updates. Samsung cannot control this, as most users have seen, there are systems on the market that can use encryption with NVME drives. Consumers, that require a BIOS updates, must wait until there system manufacturer provides an update if possible, or they must find another system that already comes with encryption support for NVME drives. NVME is still a technology that has not yet been fully adopted in the market or made the standard or storage, like SATA for example. 

Reply
Loading...
GoNz0
Asteroid

Re: HOW TO MANAGE ENCRYPTION OF 960 PRO

JUMP TO SOLUTION

As per usual absolutely no help whatsoever despite Samsung knowing what needs doing. You fail to listen that we have BIOS modders who are more than capable of implementing this but you offer no help just excuses.

 

On a side note has anyone tried a clean install with the new Dell XPS 9560 BIOS 1.10.1 releases last Friday to see if the PCIe enhancement has anything to do with this?

Doubtful I know.

Reply
Loading...
Anonymous
Not applicable

Re: HOW TO MANAGE ENCRYPTION OF 960 PRO

JUMP TO SOLUTION

Hello GoNz0,

 

We are aware that there are consumers who are willing to modify their system BIOSes. However, it seems you do not understand that we do not provide assistance with products that are not ours. The BIOS manufacturer of your system maybe able to provide assistance. All BIOSes are different and may require different modifications for different systems and BIOS versions. Samsung is not responsible for your BIOS. You must contact your system manufacturer or you must modify your own BIOS on your own terms, as we do not recommend modifying your BIOS yourself or without the assistance and guidance of your system manufacturer.

Reply
Loading...
userysQp40iejl
Asteroid

Re: HOW TO MANAGE ENCRYPTION OF 960 PRO

JUMP TO SOLUTION

I just experienced first hand how the lack of proper support of NVMe eDrive/HW encryption by motherboard BIOS effectively ruins the ability to use HW encryption on a 970 PRO bootable partition:

 

Tested setup:

Motherboard: ASUS Maximus VIII Hero

BIOS rev: 3802 (latest as of 7/16/2018)

CPU: Intel Core i7-6700K

Memory: 16GB DDR4-2133

SSD: Samsung 970 PRO 512GB

OS: Microsoft Windows 10 Pro revision 1083 (build 17134, "RS5" / "April 2018 Update")

 

* Attached fresh 970 PRO SSD to motherboard M.2 2280 slot

* Attached 850 PRO SATA SSD with bootable Win10 OS to motherboard SATA port

* Booted up system to Win10 with SATA SSD

* Launched Samsung Magician 5.2.1

* Selected 970 PRO SSD and enabled eDrive

* Shut down & disconnected 850 PRO SSD

* Attached bootable USB flash drive (with Win10 OS install files)

* Booted system to Win10 installation first screen

* Selected 970 PRO SSD as OS target drive and completed OS installation

* Booted to Win10 Pro OS from 970 PRO SSD

* Attempted to enable BitLocker encryption for C:

* BitLocker encryption check returns "cannot encrypt C:" error message after system reboot

* 2nd attempt to enable BitLocker encryption for C:, with the encryption check bypassed

* C: got HW encryption:

    "open lock" appears in C: icon

    manage-bde -status C: reports Encryption Method: Hardware Encryption - 1.3.111.2.1619.0.1.2

* KILLER: After restarting OS just a single time, C: is no longer bootable!  Windows bootloader returns "cannot find winload.efi" fatal error.  This installation of Win10 OS into the 970 PRO SSD is completely wasted!

 

My observation of what's going on:

 

The 970 PRO SSD can actually support HW encryption (eDrive) when properly enabled, and Win10 BitLocker can actually do it.  BUT: motherboard BIOS lacks the support to unlock encrypted C: at bootup!

 

So I believe BIOS support is the last critical missing piece to enable 970 PRO SSD to carry bootable & encrypted C: for Win10.

 

Remember for SATA SSDs to be used as encrypted OS startup drive for Windows, there is a UEFI 2.3.1 "EFI_STORAGE_SECURITY_COMMAND_PROTOCOL" requirements on the BIOS, among other requirements.  I suspect there may be something similar for PCIe NVMe SSDs.  Also, any lack of total compliance to IEEE 1667 and specific TCG protocols will also break eDrive support.  However, since I did succeed in getting 970 PRO to enable HW encryption (just cannot restart the OS afterwards!!) while running Win10, I'd guess it is rather unlikely the issue is related with IEEE 1667 or TCG protocol compliance, which leaves just the piece for the BIOS, needed specifically during system startups.

 

Reply
Loading...