Tested: Windows 11 Pro's On-By-Default Encryption Slows SSDs Up to 45%


macsquirrel_jedi

I'm using two partitions on an SSD drive: "System" (software BitLocker) and "Data" (no BitLocker). User folders (pictures, video, music etc.) are set to use the "Data" partition by default. So there is a way to get performance back even when software BitLocker is enabled, because partitions can be managed separately.
 

Missing name

I want to add that Microsoft no longer recommends the use of OPAL compliant SSDs in a recent support ticket I had opened with them.

Here are some of the key CVEs related to vulnerabilities in Opal compliant self-encrypting SSDs:

- CVE-2018-12037 - A weakness was reported in the way that Opal self-encrypting SSDs from multiple vendors handle locking. An attacker with physical access could bypass the encryption by issuing ATA commands during boot.[4]

- CVE-2018-12038 - A weakness was reported in the way that Opal self-encrypting SSDs from Crucial and Samsung handle unlocking. An attacker with physical access could bypass the encryption by modifying the SSD firmware.[4]

- CVE-2020-12812 - Multiple Opal self-encrypting SSDs were found to be vulnerable to authentication bypass, allowing an attacker with physical access to bypass the encryption. SSDs from Crucial, Samsung, and others were affected.[5]

- CVE-2021-3277 - Self-encrypting SSDs from multiple vendors were found to be vulnerable to improper cryptographic verification. This could allow an attacker to bypass the encryption.[5]

- CVE-2022-39009 - A vulnerability was reported in the encryption implementation in Opal self-encrypting SSDs from multiple vendors. An attacker with physical access could bypass the encryption and access user data.[5]

The vulnerabilities allow attackers with physical access to bypass the encryption on vulnerable Opal compliant SSDs from various manufacturers. Organizations using these drives should check with their vendor for firmware updates to address the vulnerabilities. Proper physical security controls can also help mitigate against exploitation.
:)
 

Dr3ams

I have Windows 11 Pro installed on a 2.5" SSD. I have nothing to test any performance deficiency with, so for me the drive works as advertised. ;)
 
Oct 19, 2023
I built my PC earlier this year with Windows 11 Pro and three 2TB SSDs (a mix of PCIe 3 and 4), and just verified that BitLocker is OFF for all three of them. I didn't jump through any hoops when I did the installations to avoid a BitLocker default that I can remember.
 
> I have four W11 Pro computers at home, none of them are defaulting to BitLocker encryption. Two modern laptops, and two modern desktops. The title is very misleading, as this is not a default behavior. One system is running W11 Insider Dev build, one running W11 Insider Release Preview build, and the others running standard production builds. So this isn't even a feature that the bleeding edge Dev Insider build is forcing on. All NVMe SSDs. Desktops have HDD storage as well. No BitLocker.
>
> On top of that, I manage thousands of laptops and desktops at work, half of which are on W11 Pro. Until recently, we didn't have BitLocker enforced through group policies. W11 does not force BitLocker and it is not on by default.

It's obvious the title and article are flexing a bit of clickbait.
There are many ways, mentioned in the article, that you can avoid the default behavior — intentionally or unintentionally! No network connection during installation means you use a local account, which means no BitLocker. Or using a local account even if you have a network connection. Or using Rufus to create an installation medium with BitLocker turned off. Or using Rufus to create an installation medium that creates a local account for you. I generally test new hardware, so guess what that means: no network connection until after I've created an account.

I'd be curious to see what happens if you do a PC reset of an existing non-BitLocker system, though. Because that should give you a network connection for the initial setup and so it would likely return to default behavior.

Microsoft's documentation says that BitLocker being turned on for Windows Pro has been the default since Windows 8.1. However, you need TPM, secure boot, and modern standby all supported and enabled. The TPM aspect often meant pre-Win11 systems (laptops) didn't have BitLocker enabled. It was switched to being default software encryption in 2019. But if you miss any of the specific requirements, it may not be enabled — and I wouldn't expect preview builds to always stick to Microsoft's own official guidelines.

Beyond the BitLocker being on or off default behavior, however, there's also the being in default software mode. There's no way to turn on hardware encryption that I know of without doing a clean install and jumping through some hoops along the way.
 

HaninTH

Bitlocker software sucks! But... OPAL hardware also blows (for known and unknown flaws)... so... are we back to no encryption and reasonable physical security practices as the SOP?
 

baboma

This response has been re-edited:

I'm using Rufus to clean-install Win11 on all my laptops, which as said will allow disabling the default encryption (among other things like HW requirements and MS acct), so this never comes into play.

This piece goes into considerable technical detail, but IMO it misses the point from the reader's perspective. It's abundantly clear that software-based encryption will substantially sap performance, without all the benchmarking. It's also abundantly clear that for typical home users, said encryption is a Bad Deal(tm), as the perf loss grossly outweighs the risk. That takes two sentences to say.

For the home or small biz user, using drive encryption is almost always inadvisable, whether SW or HW-based. Drive encryption primarily protects the device from physical theft, which is the least likely threat that home users face. It definitely doesn't protect against the more prevalent threats like phishing or ransomware. Coupled with the ~40% perf loss (for SW enc), or the convoluted method above for HW enc, drive encryption should be ignored entirely. Of course, larger enterprises would face different threats, but they have IT people to handle these matters.

Note to Jarred: Windows To Go only exists in Enterprise and Education versions of Windows. It's very much an "unofficial" solution for DIYers. If we were talking about "unofficial" methods, I'm sure there are easier ways to enable HW encryption by default by editing an existing ISO.

From the reader's view, he would want to know three things: 1) what is the simplest way to avoid the default encryption; 2) if encryption is already installed, what is the simplest way to remove it; and 3) what are SSDs with HW-based encryption, if the user decides to opt for that feature (for whatever reason).

#1: the simplest answer is to use Rufus, to clean install Win11 Pro (Home isn't relevant for this discussion). It doesn't involve technical know-how, and is a simple checkmark during the Rufus imaging-to-USB process.

#2: As said in the piece, disable drive encryption with "manage-bde off [drive:]" in an elevated command prompt (Terminal Admin in Win11 parlance).

The last question #3 (which SSDs have HW-based encryption) is never answered.
 

AloofBrit

"If you don't feel like you need encryption, the easiest thing to do is just to turn BitLocker off"

but soon after

"The real bad news is that if you already have a Windows 11 Pro install running with software BitLocker encryption, you're out of luck. You need to start fresh with a new OS install"

So which is it?

I haven't played much with 11, but (other than long decryption time if it wasn't a solid state drive) turning off BitLocker was doable in 10
 

jtrox02

Don't modern CPUs handle AES instructions? It is my understanding that disk encryption is hardware accelerated by the CPU in Linux. Why isn't it in Windows?
 

baboma

> "If you don't feel like you need encryption, the easiest thing to do is just to turn BitLocker off"
>
> but soon after
>
> "The real bad news is that if you already have a Windows 11 Pro install running with software BitLocker encryption, you're out of luck. You need to start fresh with a new OS install"
>
> So which is it?
The 2nd quote refers to if you were to want to switch to HW-based drive encryption, not disabling BitLocker encryption. You still can disable BL with the "manage-bde off [drive:]" command as per the piece.
 

USAFRet

BL is NOT always on with a Win 11 Pro install.
Mine isn't, from the fresh OS install I did last year.

BL is sometimes on with a Win 11 Home install.
A laptop that comes with Win 11 S has BL applied.
Promote that S mode to Win 11 Home, the BL stays applied.
My Surface 3 Go is like this.
 

umeng2002_2

Make your own Windows installation USB with Rufus and an official ISO. Rufus has the option to disable automatic BitLocker encryption, disable online MS Account requirements, TPM, etc.
 
Oct 19, 2023
What a nice <Mod Edit> article. I have never touched the BitLocker setting and installed W11 Pro on both my PCs (desktops). It is turned off by DEFAULT. So yeah, I do not believe what you guys say anymore.
 
Oct 19, 2023
There's a MUCH simpler (and more user-friendly) option for checking BitLocker status.

Start (or Win key)
Type "Bit Locker"
Open the "Manage BitLocker" Control Panel item result.

This Control Panel version will display all fixed drives (including the OS drive) as well as removable data drives (potentially) using BitLocker To Go.
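The Control Panel view above shows on/off per drive but not whether a volume is using software or hardware (Opal) encryption, which is the distinction the article is about. The following PowerShell script is an added example written for this thread, not code from the article or its author; it assumes the BitLocker PowerShell module that ships with Windows Pro/Enterprise and an elevated shell, and it reads the same per-volume state that the Control Panel item displays.

```powershell
# Added example (not from the thread): inventory BitLocker state per volume and
# report whether each one is unencrypted, software-encrypted, or hardware-encrypted.
# Assumes the built-in BitLocker module (Get-BitLockerVolume) and an elevated session.
#Requires -RunAsAdministrator

function Get-BitLockerInventory {
    [CmdletBinding()]
    param()

    # Get-BitLockerVolume is the cmdlet behind the "Manage BitLocker" Control Panel view.
    Get-BitLockerVolume | ForEach-Object {
        $method = [string]$_.EncryptionMethod   # None, Aes128, Aes256, XtsAes128, XtsAes256, Hardware, ...

        # Classify the volume: "Hardware" means the drive's own SED/Opal engine is in use,
        # anything else is the CPU-side software path the article benchmarks.
        $mode = switch ($method) {
            'None'     { 'not encrypted' }
            'Hardware' { 'hardware (SED/Opal) encryption' }
            default    { "software encryption ($method)" }
        }

        # A FullyEncrypted volume whose ProtectionStatus is Off is encrypted but the key is
        # stored in the clear on disk (the usual state right after OEM setup, before the
        # recovery key has been backed up), so it offers no protection against theft yet.
        $note = if ($_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'Off') {
            'encrypted but protection suspended (clear key)'
        } else { '' }

        [pscustomobject]@{
            MountPoint           = $_.MountPoint
            VolumeType           = $_.VolumeType            # OperatingSystem or Data
            ProtectionStatus     = $_.ProtectionStatus      # On / Off
            VolumeStatus         = $_.VolumeStatus          # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
            EncryptionPercentage = $_.EncryptionPercentage
            Mode                 = $mode
            KeyProtectors        = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
            Note                 = $note
        }
    }
}

# Print one row per fixed volume; removable BitLocker To Go volumes appear too if present.
Get-BitLockerInventory | Format-Table -AutoSize
```

The `Mode` column is what tells you whether a given drive is paying the software-encryption cost; `manage-bde -status` prints the same "Encryption Method" field if you prefer the command-line tool the thread mentions. `Disable-BitLocker -MountPoint 'C:'` is the PowerShell equivalent of the `manage-bde -off C:` command discussed above, and decryption runs in the background, so re-run the inventory until `VolumeStatus` reads `FullyDecrypted`.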
 

Dr3ams

A few months ago I did a clean install with Windows 11 Pro. After reading this article I checked if BitLocker is enabled and it isn't. So, I guess Windows 11 Pro doesn't turn on BitLocker by default.
 

USAFRet

> A few months ago I did a clean install with Windows 11 Pro. After reading this article I checked if BitLocker is enabled and it isn't. So, I guess Windows 11 Pro doesn't turn on BitLocker by default.
Same here.
This from a vanilla Win 11 Pro install last year, from the MediaCreation tool:
[screenshot: GMn0e6V.png]
 

TJ Hooker

IIRC, you can't truly disable encryption on self-encrypting drives (i.e. TCG Opal). If you aren't using encryption then the volume is always unlocked (i.e. it doesn't require a key to unlock the encryption key and access the drive), but the controller always encrypts/decrypts all data as it enters/exits the drive. Which explains why there is no performance difference between the HW encryption enabled vs disabled results.
 
> Same here.
> This from a vanilla Win 11 Pro install last year, from the MediaCreation tool:
> [screenshot: GMn0e6V.png]
Do you have TPM, Secure Boot, Modern Standby, and a Microsoft Account, all present during installation? Because I did actually try a clean install... and ended up with no BitLocker, as the installation media didn't have network support for my motherboard and thus didn't allow for a Microsoft Account.

The majority of people affected directly by this are those buying laptops (or desktops) from an OEM, with Windows Pro.
 

USAFRet

> Do you have TPM, Secure Boot, Modern Standby, and a Microsoft Account, all present during installation? Because I did actually try a clean install... and ended up with no BitLocker, as the installation media didn't have network support for my motherboard and thus didn't allow for a Microsoft Account.
>
> The majority of people affected directly by this are those buying laptops (or desktops) from an OEM, with Windows Pro.
All of the above, yes.

But I agree...most OEM installed systems will have it in there.
Like my Surface 3 Go mentioned above.
 

wingfinger

The last time I tried to use Rufus, it produced a faulty install image. This delayed my rebuild considerably.

For Rufus, a Windows ISO had to be downloaded, then Rufus was run, then the USB was burnt. I then cleared the drives and tried to install. It failed.

Then I downloaded the Microsoft Media Creation Tool and waited for the download. I re-cleared the drives and installed that image.

Isn't there an official Windows Preinstallation Environment way to configure an install image? How about tested instructions for that?
 

Uilleam

> Windows 11 Pro defaults to BitLocker being turned on, using software encryption. We've tested the Samsung 990 Pro with hardware encryption to show how the various modes impact performance, and how much hardware OPAL support helps.
>
> Tested: Windows 11 Pro's On-By-Default Encryption Slows SSDs Up to 45%
I wonder if this affects Education versions of Windows 11. At my job we've been having computers that have upgraded to Windows 11 that run extremely slow after the upgrade.
 

AloofBrit

> > "If you don't feel like you need encryption, the easiest thing to do is just to turn BitLocker off"
> >
> > but soon after
> >
> > "The real bad news is that if you already have a Windows 11 Pro install running with software BitLocker encryption, you're out of luck. You need to start fresh with a new OS install"
> >
> > So which is it?
>
> The 2nd quote refers to if you were to want to switch to HW-based drive encryption, not disabling BitLocker encryption. You still can disable BL with the "manage-bde off [drive:]" command as per the piece.
Strange - so even if you disable sw encryption there's still no way to go to hw without a reinstall?
 