Discussion Samsung 990 Pro doesn't support hardware encryption

[ithemask]

Just a discussion about Samsung 990 PRO support of hardware encryption, as none of the reviews mention this defect, and Samsung simply ignoring this issue in their support tickets & community

The product specification page have this drive encryption support listed as

AES 256-bit Encryption (Class 0) TCG/Opal
IEEE1667 (Encrypted drive)

Using the latest available firmware 1B2QJXD7 & switching the "Encrypted Drive" option in Samsung Magician still yield the same error upon trying to enable BitLocker with hardware encryption

> manage-bde.exe -on c: -fet hardware
BitLocker Drive Encryption: Configuration Tool version 10.0.22621
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: []
[OS Volume]
ERROR: An error occurred (code 0x803100b2):
The drive specified does not support hardware-based encryption.

NOTE: If the -on switch has failed to add key protectors or start encryption,
you may need to call "manage-bde -off" before attempting -on again.

Already tried to reach Samsung through their support ticket and I was ignored without any acknowledgement or reply, there are already open discussion in their community without any response from Samsung

 

[COLGeek]

Did you look at the notes linked under Encrypted Drive in the Help box? Note the part about a "clean install".

 

[ithemask]

Did you look at the notes linked under Encrypted Drive in the Help box? Note the part about a "clean install".

Already did "clean installation" multiple times, disabled SID blocking from motherboard & all other sort of things explained in this tutorial

View: https://youtu.be/Bqirl_Z-lwU


And I'm not the only one facing this issue based on the open thread in their community, so it's the drive itself

 

[COLGeek]

What are the specs for the rest of your system?

 

[fzabkar]

It appears that Samsung's drive does meet the requirements for hardware encrypted Bitlocker, at least in the published spec.

https://learn.microsoft.com/en-us/w...tlocker-device-encryption-overview-windows-10

SEDs have been available for years, but Microsoft couldn't support their use with some earlier versions of Windows because the drives lacked important key management features. Microsoft worked with storage vendors to improve the hardware capabilities, and now BitLocker supports the next generation of SEDs, which are called encrypted hard drives.

https://learn.microsoft.com/en-us/windows/security/information-protection/encrypted-hard-drive

Warning

Self-encrypting hard drives and encrypted hard drives for Windows are not the same type of devices. Encrypted hard drives for Windows require compliance for specific TCG protocols as well as IEEE 1667 compliance; Self-encrypting hard drives do not have these requirements. It is important to confirm that the device type is an encrypted hard drive for Windows when planning for deployment.

 

[fzabkar]

Did you look at the notes linked under Encrypted Drive in the Help box? Note the part about a "clean install".

I don't understand why a clean install should be necessary.

https://learn.microsoft.com/en-us/windows/security/information-protection/encrypted-hard-drive

ISTM that the data are always encrypted by the drive, whether or not Bitlocker is present. Bitlocker's protection involves the generation of an authentication key (AK) which can be changed by the user at any time, without having to re-encrypt the drive. Simply speaking, the drive's data encryption key (DEK) is encrypted by the user's/Bitlocker's authentication key.

Encrypted hard drives utilize two encryption keys on the device to control the locking and unlocking of data on the drive. These encryption keys are the data encryption key (DEK) and the authentication key (AK).

The Data Encryption Key is the key used to encrypt all of the data on the drive. The drive generates the DEK and it never leaves the device. It's stored in an encrypted format at a random location on the drive. If the DEK is changed or erased, data encrypted using the DEK is irrecoverable.

The AK is the key used to unlock data on the drive. A hash of the key is stored on the drive and requires confirmation to decrypt the DEK.

When a computer with an encrypted hard drive is in a powered-off state, the drive locks automatically. As a computer powers on, the device remains in a locked state and is only unlocked after the AK decrypts the DEK. Once the AK decrypts the DEK, read-write operations can take place on the device.

When writing data to the drive, it passes through an encryption engine before the write operation completes. Likewise, reading data from the drive requires the encryption engine to decrypt the data before passing that data back to the user. If the AK needs to be changed or erased, the data on the drive doesn't need to be re-encrypted. A new Authentication Key needs to be created and it will re-encrypt the DEK. Once completed, the DEK can now be unlocked using the new AK, and read-writes to the volume can continue.

 

[COLGeek]

Samsung's notes seemed rather specific on the clean install point. Same message appears on my game rig with a 990 Pro.

 

[ithemask]

It appears that Samsung's drive does meet the requirements for hardware encrypted Bitlocker, at least in the published spec.

https://learn.microsoft.com/en-us/w...tlocker-device-encryption-overview-windows-10



https://learn.microsoft.com/en-us/windows/security/information-protection/encrypted-hard-drive

Is this specific to the 990 Pro? From what I see this worked just fine on 980/970 ones

 

[ithemask]

I don't understand why a clean install should be necessary.

https://learn.microsoft.com/en-us/windows/security/information-protection/encrypted-hard-drive

ISTM that the data are always encrypted by the drive, whether or not Bitlocker is present. Bitlocker's protection involves the generation of an authentication key (AK) which can be changed by the user at any time, without having to re-encrypt the drive. Simply speaking, the drive's data encryption key (DEK) is encrypted by the user's/Bitlocker's authentication key.

From what I noticed, the brand new drive would show the in Samsung Magician as Disabled Encrypted Drive. Switching the option would make the drive "Ready to Enable", and only after fresh installation of the operating system it would be switched to "Enabled"

Now I've reached this step, but BitLocker still showing the drive as does not support hardware-based encryption

 

[fzabkar]

I read the following document in an attempt to understand Microsoft's warning, namely that "self-encrypting hard drives and encrypted hard drives for Windows are not the same type of devices".

Enterprise Self-Encrypting Drives User Guide - Part 1:
https://www.seagate.com/files/staticfiles/support/docs/manual/Interface manuals/100515636c.pdf

Unfortunately I am no closer to understanding the distinction. Perhaps Part 2 of the guide provides more insight, but it's subject to an NDA. (Why?)

This manual forms Part 1 of the Users’ Guide and will introduce and explain the subject matter using a stepped
approach to ease you into the terminology used by the data security intellectuals with as little pain and mathematical
wizardry as possible. In Part 2 of the Users’ Guide, you will find the information necessary to communicate with the
drive using the TCG protocol. In short, Part 1 tells you what you can do with the drive and Part 2 tells you how you can
do it. If you are interested in the SED User Guide Part 2, Trusted Storage Architecture-Training Manual, please request
it directly from your Seagate engineering contact. A Non-Disclosure Agreement is required for Part 2.

My Internet searches haven't really turned up any documents that drill down to the bits-and-bytes level, so I am at a loss to understand what commands are being sent to the drive by Bitlocker.

 

[cheerful_man]

There is a bug in Samsung 990 Pro. Discussed here:

990 Pro Encrypted Drive hardware BitLocker not working

I just got the 990 Pro and with the latest firmware - 0B2QJXD7 - it doesn't support Encrypted Drive / hardware based BitLocker. The same steps that work with an older 850 EVO don't work in this case, manage-bde can't write band metadata. Is this a known limitation? I bought the drive...

us.community.samsung.com