SSD to support hardware based full disk encryption via BitLocker?

[dc2000]

Hi everyone:

I'm trying to build a new desktop PC and I'm wondering if you can
suggest which SSD (and motherboard) do I need to purchase to have it
support hardware based full disk encryption with Windows 10 via
BitLocker?

I'm currently settling on Intel Core i9-7900X Skylake-X 10-Core 3.3
GHz CPU that has to go into the Intel X299 Chipset motherboard.

So I was checking, for instance "Samsung 970 PRO 512GB - NVMe PCIe M.2 2280 SSD".

But will it support hardware based full disk encryption? And if no, which one will? I'm looking for faster M.2 drives.

 

[drtweak]

Almost all SSD's are encrypted all the time, just its like having a safe but its not locked. Bitlocker is the lock. Also it does support hardware encryption. Look at the boot of page 5 data specs here https://www.samsung.com/semiconductor/global.semi.static/Samsung_NVMe_SSD_970_PRO_Data_Sheet_Rev.1.0.pdf

Also looks like you posted else where too when I was looking it up lol. Samsung is a pain in the ass to setup for hardware based encryption. i have not done it on a NVMe but for a normal SATA SSD this is how you would do it.


Install the SSD and then install windows. BIG NOTE!!!!! Windows MUST BE INSTALLED AS UEFI AND NOT LEGACY! So make sure ALL Legacy/CSM BOOT options are TURNED OFF to ensure you install as UEFI. You will know because after install you will see 3 partitions on the drive and not 2 and the drive will be GPT and not MBR in disk manager.

Once windows is installed you have to install the Samsung Magician software. In the software you have to first: turn on encryption on the main screen. Second: Get a thumb and create a Secure Erase USB Drive

boot from the USB and erase the drive (For SATA it is different as you have to disconnect the SATA drive then rerun the erase software. not sure how it is done for NVMe)

Then you install windows AGAIN

Then you can enable BitLocker with Hardware support.

Also when i was reading another site with your post, a guy said it may not be worth it and you won't see a performance difference. that is BS. I see a big difference between hardware and software bitlocker. 1) Encryption time. It is instant to encrypt and decrypt the drive. Otherwise you are limited to you CPU on how long it will take.

 

[dc2000]

Thanks for your input. And yes, while waiting for a response I posted the same question on other forums. And judging by the fact that my question seems to come up on top of the Google search, strangely enough there seems to be not that many people who tried to do the same thing. (Which really puzzles me.)

And yes, that guy's response about hardware encryption not making any difference was puzzling. Sometimes I think people post answers on these forums just to engage someone without having any concrete knowledge of the subject. But oh well....

You know, I haven't gotten the drive yet. I ordered it along with the 970 EVO drive and the new motherboard. It should arrive in a week or so. I'll try all the steps and then report it back.

From what you suggested, I have two questions/comments:

1. I'm getting conflicting results on whether or not I need a TPM module on the motherboard for the hardware encryption to work. I purchased one just in case. So we'll see.

2. Why did you have to install Windows first, then enable encryption on the drive, then erase and reinstall it again? Can't you do it on an existing system by plugging this drive in as a second SSD and erase it with encryption then? Again, like you said I'm not sure how it will work with NVMe drives. I've never had one before.

The thing about BitLocker though is that it doesn't tell you whether or not it's using hardware vs. software encryption. It is only when it's all well and done one can use a command line call to get the result.

 

[drtweak]

1) A TPM Module is NOT needed to do Bit Locker. A TPM module allows you to save the encryption password in the model so you can boot without needing a USB/Password on startup. Things like Servers or PC's in corporate environments have them (My Company is a dell re-seller and all Servers/Optiplex/Latitudes which is all business all have TPM Modules for this reason). You will just be required to enter a password or a USB drive with the encryption key on it to unlock the drive. To do that though you do have to modify some settings in windows but not a big deal.

2) YES! that is actually what I do! I have the Samsung software on my PC at work, I load a drive, enable encryption, then i can toss it in the system, use the Samsung secure erase, then install. The initial install if ONLY if you don't have another system to install it as. FYI if you have a SATA drive you MUST plug it in as SATA. Can't do it using a USB dock/adapter.

The way you tell - When you encrypt it for the first time if it take anything longer than a few minutes to encrypt it is not using hardware. Software encryption will take a VERY long time depending on size and amount of data on it where as hardware, at least for me is, Enable 1 2 3 4 5 6 7 8 9 10 Encrypted.

Even though I don't have one I'll be here to help. I would also like to know the steps for it as well as I have many Tax/Health offices that need to be HIPAA and FIPS 104-2 Compliant which Bit Locker is.

 

[dc2000]

Sure, I'll post an update when I get the hardware.

Thanks for sharing the info on the encryption speed. I didn't know that. I see what you mean though. It's nice to know that if BitLocker takes forever to encrypt then it probably defaulted to the software encryption. I wish there was a window where it confirmed it first before proceeding. I'm not sure though if it's safe to interrupt/stop it in that case. D'ya know?

As for your first point, then no, I meant TPM may be required for hardware based encryption via BitLocker. (Note the emphasis is on "hardware".) Otherwise, yes, I've done it with a USB stick to store the key on multiple drives.

Which by the way brings up a point. I've never stored the decryption key in the TPM. So I'm curious to hear your take on it. Let me see if I understand the concept correctly. With TPM the encryption key for the drive can be stored in it. So when the box boots up it automatically reads it from the TPM to decrypt the drive. If so, what's the point of having it then? I mean, if someone steals that computer they can just boot it up just like you would. So the only protection would be Windows account password, which is a million times more trivial to bypass than to crack full disk encryption that's done with AES-128/256 cipher. (There's a million Windows logon screen bypasses that are available out there.)

So what am I missing there?

 

[drtweak]

If you have a TPM and it is enabled in the BIOS it uses it by default. Only when you do not have a TPM, and have to allow BitLocker to use a Password/USB drive that it does not use it. Just make sure you ALWAYS make a backup of the encryption key if there is any data you need on there as a TPM does NOT use any password or anything.

 

[dc2000]

A quick update. Thanks for sticking with me, btw.

I already re-installed Windows 10 three times, and this hardware based encryption still doesn't work.

To recap. I have two SSD drives:

- C: boot drive: Samsung SSD 970 PRO 512GB
- D: drive: Samsung SSD 970 EVO 1TB

So to avoid wasting time on re-installing Windows, I decided to try to enable it on drive D: first.

I followed these steps:

1. Bring disk D: to uninitialized state first. From Windows PowerShell (admin)

diskpart
list disk
select disk 1
clean
exit

2. Start up Samsung Magician (btw, it doesn't look like anything that I see in screenshots here or here)

Then select my drive "Samsung SSD 970 EVO 1TB"

At the bottom I have to hit the > chevron to scroll the bottom menu to the left and then pick "Data Security".

In "Encrypted Drive" section, click "Ready to enable".

The screen changes to this:

Then switch to "Secure Erase" and Run Secure Erase. Insert a blank USB and write into it.

Exit Sumsung Magician.

3. Reboot computer, mash Del key to enter UEFI/BIOS. Then enable Compatibility Support Module (CSM) and disable Secure Boot. Restart.

4. Mash F12 to get to the boot manu. Then boot from the USB thumb drive created above.

5. Accept the warning and select disk 2 to securely erase it. Receive confirmation of success.

6. Reboot and mash Del to enter BIOS again. Then disable Compatibility Support Module (CSM) and enable Secure Boot. (Have to reboot twice to satisfy this dumb BIOS that wants to know that my video card supports secure boot.)

7. Reboot and load up Windows 10 pro. Log in with my account.

8. Start up Magician again. This time, if I go back to Data Security it still shows "Ready to enable" instead of "Encrypted drive enabled" as suggested here:
https://www.lullabot.com/articles/adventures-with-edrive-accelerated-ssd-encryption-on-windows

9. OK, f' it. I close magician and go to Disk Management in Windows. Give that drive a GPT partition and then assign it a driver letter D:

10. Go to it in Windows Explorer, right click it, select "turn on Bitlocker" -> automatically unlock this drive -> save key to a file -> and then it shows this dreaded software encryption window:

ARGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH!!!!!!!!


So what am I doing wrong??????

 

[drtweak]

Nope you are on the right track! hit encrypt entire drive and see if it encrypts very quickly. I know i had a whole tutorial on it when i first tried to do it but i have 40 pages of post i have posted to XD

 

[dc2000]

Yes, I did. And it took about an hour. Then having like 0% chance of success, I still checked with
manage-bde -status D:
and it gave me XTS-AES 128
So, no. It didn't work.

 

[drtweak]

Hmmm. I'll see if i can find anything else out. I don't have a Samsung SSD to test on currently either.

 

[dc2000]

Hmmm. I'll see if i can find anything else out. I don't have a Samsung SSD to test on currently either.

I gave up. It doesn't seem to work with those NVMe drives. Here's my account.

 

[drtweak]

If i could afford a NVMe drive i would try but don't have one

And yea that is the exact method for the SATA version there.

Sorry I couldn't help more!

 

[dc2000]

If i could afford a NVMe drive i would try but don't have one

Yeah, those suckers are spendy. But they are fast too. Although I would've definitely waited to buy an NVMe drive if I knew that it doesn't support hardware encryption (yet).