I'm pleased to report that I got eDrive HW encryption working with my Samsung 970 PRO 512GB SSD paired with my ASRock Z390 Phantom Gaming-ITX/AC motherboard! I reused the same 970 PRO stick for my previous report posted a few months ago. This SSD was already properly enabled for eDrive using Samsung Magician utility, and has a working copy of Windows 10 Pro 1803 installed. I just installed this SSD into the ASRock Z390 motherboard topside M.2 slot, booted to Windows 10, and immediately got BitLocker to enable eDrive encryption for C:. I've tested warm boot and cold boot of this system after BitLocker got enabled and there are no bootup issues. Manage-bde confirmed hardware encryption in effect with C:. This ASRock Z390 motherboard has the latest BIOS (P1.20) installed, and TPM 2.0 is enabled.
I just experienced first hand how the lack of proper support of NVMe eDrive/HW encryption by motherboard BIOS effectively ruins the ability to use HW encryption on a 970 PRO bootable partition:

Tested setup:

Motherboard: ASUS Maximus VIII Hero
BIOS rev: 3802 (latest as of 7/16/2018)
CPU: Intel Core i7-6700K
Memory: 16GB DDR4-2133
SSD: Samsung 970 PRO 512GB
OS: Microsoft Windows 10 Pro revision 1083 (build 17134, "RS5" / "April 2018 Update")

* Attached fresh 970 PRO SSD to motherboard M.2 2280 slot
* Attached 850 PRO SATA SSD with bootable Win10 OS to motherboard SATA port
* Booted up system to Win10 with SATA SSD
* Launched Samsung Magician 5.2.1
* Selected 970 PRO SSD and enabled eDrive
* Shut down & disconnected 850 PRO SSD
* Attached bootable USB flash drive (with Win10 OS install files)
* Booted system to Win10 installation first screen
* Selected 970 PRO SSD as OS target drive and completed OS installation
* Booted to Win10 Pro OS from 970 PRO SSD
* Attempted to enable BitLocker encryption for C:
* BitLocker encryption check returns "cannot encrypt C:" error message after system reboot
* 2nd attempt to enable BitLocker encryption for C:, with the encryption check bypassed
* C: got HW encryption: "open lock" appears in C: icon; manage-bde -status C: reports Encryption Method: Hardware Encryption - 188.8.131.52.16184.108.40.206
* KILLER: After restarting OS just a single time, C: is no longer bootable! Windows bootloader returns "cannot find winload.efi" fatal error. This installation of Win10 OS into the 970 PRO SSD is completely wasted!

My observation of what's going on: The 970 PRO SSD can actually support HW encryption (eDrive) when properly enabled, and Win10 BitLocker can actually do it. BUT: motherboard BIOS lacks the support to unlock encrypted C: at bootup! So I believe BIOS support is the last critical missing piece to enable 970 PRO SSD to carry bootable & encrypted C: for Win10.

Remember, for SATA SSDs to be used as an encrypted OS startup drive for Windows, there is a UEFI 2.3.1 "EFI_STORAGE_SECURITY_COMMAND_PROTOCOL" requirement on the BIOS, among other requirements. I suspect there may be something similar for PCIe NVMe SSDs. Also, any lack of total compliance with IEEE 1667 and specific TCG protocols will also break eDrive support. However, since I did succeed in getting 970 PRO to enable HW encryption (just cannot restart the OS afterwards!!) while running Win10, I'd guess it is rather unlikely the issue is related to IEEE 1667 or TCG protocol compliance, which leaves just the piece for the BIOS, needed specifically during system startups.