[SOLVED] Does Lenovo Legion Y540 support Hardware Encryption (BitLocker, eDrive)

[Zaporro]

Hello,
I was wondering if Lenovo Legion Y540-17IHR (the one with i7 CPU and GTX1060ti on board) laptops support Hardware Encryption with BitLocker and eDrive? I'm talking about procedure that is described in here https://helgeklein.com/blog/2015/01/how-to-enable-bitlocker-hardware-encryption-with-ssd/ which in order to fork requires four things:

• Microsoft Windows 10 Professional operating system installed in UEFI mode (and from few recent Windows updates, group policy tweak for it to work)
• brand new SSD with hardware encryption features (Class 0 (AES 256), TCG/Opal v2.0, MS eDrive (IEEE1667)) (such as Samsung EVO970 NVME or Samsung EVO860 SATA) (it does not have to be brand new but requires specific type of "reset" that wipes all data in order to make it ready for encryption again)
• laptop with UEFI based bios 2.3.1 with EFI_STORAGE_SECURITY_COMMAND_PROTOCOL defined
• TPM module

1st and 2nd thing is no-brainer. For the 4th thing i was able to verify that Lenovo Legion Y540 latpops use firmware TPM 2.0 (for Windows it doesen't matter if its hardware or software module). The dead end is trying to verify if the computer/laptop bios supports eDrive features - nobody knows that, from laptop resellers to distributors and sometimes even the official manufacturer technical support.

So, here is a question to you all, have anyone ever managed to turn on eDrive hardware encryption with BitLocker on a Lenovo Legion Y540? Please keep in mind I'm not asking about the default BitLocker "software" encryption but about the "hardware" encryption. The main difference is that when setting it up, if you ever encountered in BitLocker a progress bar showing you how much of drive was encrypted, it means its software - hardware encryption happens "instantaneously".

From my own experience I know that other Lenovo laptops (such as ThinkPad T450 and T480) support such feature (BitLocker Hardware Encryption with eDrive) when equipped with supported SSD/NVME drive and I wanted to know If its the same for the Lenovo Legion Y540 series laptops.

 

[Zaporro]

If anybody wonders the same. It works.

Pulled the trigger, bought laptop and tested it myself. As long as you make sure of all the needed precautions about the SSD (it has to be either brand new in "ready to enable" encryption state or you have to perform an PSID revert procedure on it) and you install Windows 10 Pro in UEFI mode, you will be able to perform hardware encryption after enabling it in group policies (for newest Win 10 builds).

 

[xx7Ahmed7xx]

Can you please explain the concept and why it is needed?

 

[Zaporro]

Can you please explain the concept and why it is needed?

Ok, first of all its an encryption. Data security is something that every computer user should be aware of, especially when they are laptop/mobile device user. Im pretty confident that every person has on their laptop something they would want others to see, be it personal documents, photos etc. Laptops are prone to theft, for PC's break-ins are still thing in some parts of world/country. That's why even personal stuff should have some sort of protection in case it ends up in wrong hands.

It's an hardware encryption. When it comes to encryption it can be either software or hardware. The first one is done by a program and requires processing power meaning that every time we boot up computer or open a file it has to be decrypted before we can access it and because its done by software it uses CPU - in short, slows down whatever we are doing (by how much depends 100% on the technical specs of the computer).
Hardware encryption on the other hand is done inside the SSD drive by a specialised chip present there. This means that the encryption/decryption process does not put any demand on the host computer (CPU) and it happens a lot faster.

Last but not least, this specific form of hardware encryption (with bitlocker) does not require to remember long and complicated password. It has an option to turn any pendrive into an access key - your computer/laptop wont boot up unless you plug it in. If you ask me It's pretty cool, you can keep such drive always with you in a wallet or on keychain and this means, as long as you are not near laptop, nobody gonna turn it on (it works even if someone physically removes drive and plugs it in to other computer).

These are the reasons why I've been pursuing this particular feature. To be honest, there's been some controversies around eDrive and bitlocker technology and at this moment Microsoft turned this feature off by default (requires some tinkering to turn it on). The reason for that was that this hardware encryption was extremely dependant on the implementation done inside the SSD, meaning if SSD manufacturer lied or messed something up it could lead to situation where user would thing their data is secure but in reality it was not (whereas software encryption, as long as the encryption tool is open sourced and properly audited is more reliable). Well, i was aware of that. That's why I'm always picking most reliable and renowned SSD's for my computer, usually the Samsung /PRO line that's been on marked for long time.