Original topic:

HOW TO MANAGE ENCRYPTION OF 960 PRO

(Topic created on: 2/6/17 5:58 PM)
GP100
Constellation
Monitors and Memory

How to encrypt or link Windows BitLocker to encrypted Samsung SSD 960 Pro? No support from company and also drive is slowing down about 30% just by the time of finishing the install and update.....
Anybody???
Is there a single person who achieved the encryption on the hardware level with these drives yet??
If the feature is not yet available, when is it expected to be available? Any links to additional encryption software etc..?
Should I seek the replacement after a 30% drop in read speeds just after setting up my Windows (I did it all on fully supported board and components - replicated it 2x) or is it OK... not an easy fact to accept after watching the fancy benchmarks the internet is full of..
Any help is appreciated, Thanks!

227 Replies
Anonymous
Not applicable

@Eaton

The drive is capable of using encryption; whether it is available for your motherboard depends on the manufacturer of that motherboard, not Samsung. As mentioned previously, this is just my personal input, but full encryption for NVMe drives on consumer-based motherboards is a feature that can be released at any point in time; it just seems to me that these features may take a little while (could be a few months) before all motherboard manufacturers start using this as a standard. Also note that there are quite a few manufacturers of NVMe drives that advertise their NVMe drives as eDrive capable or compatible with different levels of encryption. It is completely normal for a drive to be advertised as an "encryption ready" drive.

0 Likes
djjuice
Cosmic Ray

Agreed, doesn't look like it's fully ready..

I purchased a new Dell 9570 and after secure erasing the 970 Pro it says encryption was enabled. Once using BitLocker I only received a software encryption. It's getting closer.. In the older 9550 with the 970, after secure erasing it was at ready but BitLocker would state it's not supported

0 Likes
NVMextreme
Constellation

@djjuice wrote:

Agreed, doesn't look like it's fully ready..

I purchased a new Dell 9570 and after secure erasing the 970 Pro it says encryption was enabled. Once using BitLocker I only received a software encryption. It's getting closer.. In the older 9550 with the 970, after secure erasing it was at ready but BitLocker would state it's not supported


Does Samsung Magician say "ready to enable" or "enabled"? I was able to get a 960 Pro to go into "enabled" state and was able to activate encryption as a secondary non-boot drive on an ASUS mobo. When I repeated the same steps on a 970 Pro it remained stuck in "ready to enable" mode. I suspect that the 970 Pro has issues enabling eDrive itself, unlike the 960 Pro which works but isn't supported for boot.

Someone on Reddit claims that they were able to activate eDrive on a Dell 9570 OEM "PC401_NVME_SK_HYNIX" drive:
https://www.reddit.com/r/Dell/comments/8l7bg5/new_xps_15_appears_to_support_edrive_out_of_the/

OP did not post a "manage-bde -status", seems legit otherwise but you never know. It's possible that Dell and Hynix are doing something nonstandard, maybe AHCI over PCIe (perf would suffer though). If they're not then your 970 Pro should work in a 9570 with eDrive.

Do you by any chance have a 960 Pro on hand to test in the 9570?

0 Likes
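Added example, not part of any post in this thread: the `manage-bde -status` check asked for above, as a small parser that tells a hardware-encrypted (eDrive) volume from one BitLocker encrypted in software. The sample output is constructed, and the code assumes hardware-encrypted volumes report an "Encryption Method" that starts with "Hardware Encryption".

```python
import re

# Constructed sample of `manage-bde -status` output (not taken from the thread).
SAMPLE_STATUS = """\
Volume C: [OS]
[OS Volume]

    Size:                 476.31 GB
    BitLocker Version:    2.0
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On

Volume D: [Data]
[Data Volume]

    Size:                 953.74 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2
    Protection Status:    Protection On
"""

def parse_status(text):
    """Return {drive letter: {field: value}} from manage-bde -status text."""
    volumes, current = {}, None
    for line in text.splitlines():
        header = re.match(r"Volume ([A-Z]):", line)
        if header:
            current = volumes.setdefault(header.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return volumes

def encryption_kind(fields):
    """Classify a volume as 'hardware', 'software' or 'none'."""
    method = fields.get("Encryption Method", "None")
    if method.startswith("Hardware Encryption"):  # assumed prefix for eDrive volumes
        return "hardware"   # the drive's own engine is doing the encryption
    if method == "None":
        return "none"
    return "software"       # e.g. XTS-AES 128: BitLocker encrypts on the CPU

def classify(text):
    return {drive: encryption_kind(f) for drive, f in parse_status(text).items()}

if __name__ == "__main__":
    for drive, kind in classify(SAMPLE_STATUS).items():
        print(f"{drive}: {kind}")
```

A volume that shows an AES method here is software-encrypted regardless of what Samsung Magician reports for the Encrypted Drive state.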
djjuice
Cosmic Ray

Sadly I already sold the 9550 with the 960 Pro in it. I didn't even think about testing with the 960.

After the secure erase and the install of Windows 10, Magician said the Encrypted Drive was enabled.

I went to BitLocker and enabled it and it did enable right away, so I had my hopes the hardware encryption was set; in fact all it did was just auto select the "Used Space Only Encrypted" option using XTS-AES 128.

I started all over and did it in the UWP settings for drive encryption and I wasn't asked to save the BitLocker key, but it was the same results.

All in all you're not prompted for the method to use to encrypt; it just finished right away like the hardware encryption does, but it's not.

0 Likes
NVMextreme
Constellation

@djjuice wrote:

I went to BitLocker and enabled it and it did enable right away, so I had my hopes the hardware encryption was set; in fact all it did was just auto select the "Used Space Only Encrypted" option using XTS-AES 128.

Could be that Dell sets the "Enforce drive encryption type on operating system drives" GPO out of the box. Also if your machine is domain joined it could be the GPO that's pushed by your domain.

You got the 970 Pro to "enabled" state, that's further than I got it.

0 Likes
djjuice
Cosmic Ray

Not domain joined.. just my personal laptop

I am in AHCI mode, that's the only way the secure erase could see the drive

0 Likes
user3EN8O0khyY
Constellation

Pretty disappointing all around. All NVMe drive manufacturers are misleading the public when they imply that SED (self-encrypting drive) is at all currently useful for those drives. It just does not yet work with an OS (operating system) drive; hopefully they will get with motherboard/chipset peeps and make SED encryption useful, but it has been some time already. Don't hold your breath if you currently own hardware that may not get updated BIOS. Pretty frustrating for people that try to use hardware encryption and then find their drive is useless and Samsung has no PSID revert tool to use, so you are sitting on a bricked drive. Moral of the story? Don't try to use hardware encryption on an NVMe OS drive yet. Not going to work. Get it together, manufacturers (of drives/chipsets/mobos/OS/etc.) and stop pointing fingers. We expect and deserve better.

0 Likes
djjuice
Cosmic Ray

So.. just a thought here..

The 970 Pro is self-encrypting, so after the clean wipe and install of Windows, Samsung Magician shows encrypted drive being enabled.

Would this possibly be the self-encryption taking place?

BitLocker is just adding a software encryption option that technically isn't needed?

Why would the option say enabled if it's not? I'm used to seeing "ready to enable" and then BitLocker would enable the hardware encryption; this worked with the SATA drives.

I recall the 960 was supposed to get self-encryption in a future firmware that just never happened.

Thoughts?

0 Likes
user7oo71AwtUV
Constellation

Hi djjuice,

I think you misunderstood how the hardware encryption works. As far as I know, the eDrive state means:

  1. Disabled: The drive uses its regular self-encryption and manages the keys itself. If you "secure erase" the drive, these keys get destroyed. This is the default state.
  2. Ready to Enable: You clicked enable, but so far, nothing has changed compared to 1. If you secure erase now and clean install Windows, you will get to the Enabled state (in theory, at least. Yet, this is how it works for the 960s.)
  3. Enabled: The drive is in the eDrive self-encryption mode, which differs from the default mode in that it is now ready to hand out its encryption keys to Windows BitLocker. It has not done the magic part yet. As a quick proof, boot into a Linux live system on your "Enabled" machine and you will be able to see everything on the disk.

Now, the finishing touch is enabling BitLocker: The drive hands out the encryption keys to Windows. If I uncheck "do system test" in the BitLocker assistant, the drive does this immediately (at least mine does). If you fire your Linux live disk up now, you will see the whole SSD as one black, "unknown" block in GParted. Cool!

So much for what works - now, as you try to reboot Windows, it will fail and boot to Windows Recovery Environment instead (you can disable BitLocker from there and regain control of your system). As I understand this, the UEFI fails the handover to a hardware-encrypted NVMe drive. This is the part where we all need a UEFI firmware update.

TL;DR - BitLocker is not trying to add software encryption in this scenario. It is instead needed to really enable the hardware encryption feature and the 960s' firmwares seem to be fine now.

0 Likes
djjuice
Cosmic Ray

I was able to see the files using Linux, so I tend to agree my thought was wrong.

In the 970 Pro, after the secure wipe and install of Windows, Magician shows the encrypted drive as enabled (yes, it really says enabled)

but BitLocker only gives me the option of a full or used space encryption. I chose the full encryption, a restart was done and encryption took place.

This should be an immediate encryption; it's showing the XTS-AES 128 method and currently encrypting.

So while I can go through all the steps it's not a hardware encryption. Don't understand why Magician says encrypted drive is enabled

I'm too far along with my 970 Pro to keep trying to get this to work so I ordered a 970 Evo 250GB. I'm pretty sure I won't get this to work, but that's a drive I don't mind formatting over and over for testing scenarios

0 Likes