Tested: Windows 11 Pro's On-By-Default Encryption Slows SSDs Up to 45%

[AloofBrit]

IIRC, you can't truly disable encryption on self-encrypting drives (i.e. TCG Opal). If you aren't using encryption then volume is always unlocked (i.e. doesn't require a key to unlock the encryption key and access the drive), but the controller always encrypts/decrypts all data as it enters/exits the drive. Which explains why there is no performance difference between the HW encryption enabled vs disabled results.

I always found this confusing, but it made more sense once it was described as being like if you had an account with a blank password

If you enable BitLocker on a self-encrypting drive the utility jumps from 0 to 100% encrypted because it knows the drive is already encrypted - it just sets a key

 

[dennphill]

This ol' curmudgeon is happy having kept Win 10.

 

[Aurn]

Oh, thanks a lot for this article ! If all goes well, I’ll install Windows 11 Pro on my new computer in a couple of weeks (my current PC isn’t compatible because of Ryzen 1000 series CPU) and I don’t want BitLocker. It’s good to know that it isn’t turned on when you create a local account because I was thinking of using a local account…

Does the “OOBE\BYPASSNRO” command still work when Windows 11 installer asks you to connect to a network, or do I absolutely need to use Rufus to be able to create a local account ?

And another question : does using BitLocker increase SSD wear (detrimental effect on SSD endurance) ?

 

[evdjj3j]

Don't modern CPU's handle AES instructions? It is my understanding that disk encryption is hardware accelerated by the CPU in Linux. Why isn't it in Windows?

I wondered the same thing. Would the CPU make a whole lot of difference since they almost all have hardware accelerated AES? Would it really make a big difference with an i3 or i5? I would think it would have to be tested before one could say whether the 12900 vs say a 12600 would make a big difference.

 

[baboma]

>This ol' curmudgeon is happy having kept Win 10.

Win10 Pro/Ed/Ent also enables BitLocker by default. The reason you only hear about it for Win11 is that most PCs don't have TPM enabled before Win11 made it a requirement.
=====

Device Encryption in Windows - Microsoft Support

Learn about BitLocker Device Encryption in Windows and how to enable it.

support.microsoft.com

BitLocker encryption is available on supported devices running Windows 10 or 11 Pro, Enterprise, or Education.

On supported devices running Windows 10 or newer BitLocker will automatically be turned on the first time you sign into a personal Microsoft account (such as @outlook.com or @hotmail.com) or your work or school account.

BitLocker is not automatically turned on with local accounts, however you can manually turn it on in the Manage BitLocker tool.
=====

 

[not-TMS]

Have the test (for software encryption) compared performance between full hard-drive encryption and encryption only for user-data area?

 

[nickc120167z]

I am seeing Dell laptops running Windows 11 home with bitlocker enabled come into my shop and no way to disable it. None of the customers realized bitlocker was enabled or even knew what it was. You can go to the MS link and log in to get your key. Surprisingly I get customers who insist they never entered a e mail address to first set up their computer but must have created a outlook.com e mail when setting up their computer and do not remember what they used. I had a user come in with a ASUS laptop running Windows 11 home who set up a local account then his board failed and it seems like bitlocker was turned on and key was unrecoverable.

 

[ThatMouse]

If you installed Windows 11 Pro yourself, Bitlocker is NOT ON BY DEFAULT. Carry on.

 

[kyzarvs]

I have Windows 11 Pro installed on a 2.5" SSD. I have nothing to test any performance deficiency with, so for me the drive works as advertised.

If you have a 2.5" SSD then it will be running on SATA and almost any CPU will be able to encrypt/decrypt as fast as SATA will go.

 

[bigdragon]

Isn't there a checkbox controlling drive encryption when you set up partitions during interactive Windows installation? I could have sworn there was a toggle in there.

As a home user, I have zero interest in running BitLocker. I don't keep any sensitive documents on my PC. BitLocker makes perfect sense in a business environment though. I expected BitLocker would be forced on for the enterprise edition of Windows rather than the pro edition.

 

[baboma]

>As a home user, I have zero interest in running BitLocker. I don't keep any sensitive documents on my PC.

This a misconception many people have about drive encryption. They think BL protects their data with encryption, but it doesn't. What it protects is against physical access to the data, eg when the device is stolen, or shared. These are OFFLINE threats.

When you are using the PC, the data is decrypted for your use, and as such drive encryption is useless against ONLINE threats like phishing or ransomware that come from the Internet.

For less knowledgeable users, this may create a false sense of security, thinking that "my data is encrypted so I'm protected against malware/ransomware." Thus, the substantial (~45%) perf loss notwithstanding, having BL enabled may actually be worse than having no BL, if it creates a moral hazard in encouraging risky behavior.

>BitLocker makes perfect sense in a business environment though.

Not really. Businesses are targeted much more often than home users, as the payoff is higher. And most threats for businesses come from ONLINE, not offline. Everyday, we hear of large companies being hit by ransomware. Again, BL does nothing against those threats.

 

[Alvar "Miles" Udell]

1.4GB/s vs 1.6GB/s copy speed software encrypted vs unencrypted/hardware encrypted, 3.1GB/s vs 3.2GB/s read speed software vs hardware, 10µs higher latency software vs hardware encrypted.

If the tests included a game loading test of a game which uses many small files and a copy test of a folder containing hundreds or thousands of smaller files (such as photos), neither of which was performed by TH, or even a Windows cold boot test, things home users would encounter, and it showed a massive (20%+) difference, then I'd consider it news relevant and something to actually be concerned with. As it stands this article is not worthy of being written by a senior editor at a reputable tech site

 

[Brian D Smith]

Do you have TPM, Secure Boost, Modern Standby, and a Microsoft Account, all present during installation? Because I did actually try a clean install... and ended up with no BitLocker, as the installation media didn't have network support for my motherboard and thus didn't allow for a Microsoft Account.

The majority of people affected directly by this are those buying laptops (or desktops) from an OEM, with Windows Pro.

Curious - does no BitLocker mean no Windows Hello?

 

[King_V]

Huh, my budget laptop, with Windows 11 Home, has software encryption, based on the output from manage-bde -status

And, this is on a lowly Ryzen 3 5300U with 8GB of RAM and a 256GB SSD.

I've definitely got to get rid of that. I don't do "important things" with this machine anyway where data security is a concern.

 

[TJ Hooker]

Huh, my budget laptop, with Windows 11 Home, has software encryption, based on the output from manage-bde -status

And, this is on a lowly Ryzen 3 5300U with 8GB of RAM and a 256GB SSD.

I've definitely got to get rid of that. I don't do "important things" with this machine anyway where data security is a concern.

All modern CPUs have dedicated hardware for accelerating AES encryption/decryption. Even low powered ARM mobile chips are more than capable of handling full disk encryption, as all Android and Apple phones come with disk encryption enabled. You have nothing to be concerned about.

 

[TJ Hooker]

Looking at the two quasi 'real-world' benchmarks performed here, PCMark and Diskbench, the performance difference seen between encryption on and off is less than the difference between a 990 Pro and a 980 Pro. Does anyone think you'd ever notice a difference between a 990 Pro and a 980 Pro in real world usage?

 

[qwertymac93]

Strange - so even if you disable sw encryption there's still no way to go to hw without a reinstall?

Of course not. You just turn off bitlocker(decrypt drive) and turn it back on. You absolutely do not have to reinstall.

Edit: I misread the comment, going from HW to SW is fine, going from SW to HW isn't so easy.

 

[Sleepy_Hollowed]

This is not a big deal if you partition your drive and install apps that don't require security and pagefile in the non-encrypted partition.

You definitively want that software encryption, Microsoft is absolutely doing the right thing.

If you have a laptop, you're going to have to consider security vs battery though, as for sure you might want to do a happy medium and do the hardware encryption route to save battery.

 

[digitalgriffin]

Microsoft is being dumb here. The only reason you would need the level of security Microsoft created, is if you have sensitive information. Ie: business secrets or govt info.

And as MS has been RUMORED to be in cohoots with the US govt I'm not so sure other countries should be using MS's encryption.

 

[punkncat]

I went to check W11P installs (multiple) and BitLocker is not on by default.

 

[boyobejamin]

Would like to see more info from the article. The premise that software encryption on write is slower than hardware encryption on write is slower than no encryption is obvious.

What about the performance impact of software vs hardware level encryption for both "encryption on write" AND "full disk encryption".

Data about the comparison of all 5 options on the same hardware in a table would be useful for providing an informed opinion.

- Software encrypt on write
- Hardware encrypt on write
- Software full disk encryption
- Hardware full disk encryption
- No encryption.

 

[Dweib]

I upgraded to Windows 11 Pro via Windows update on a 14" home notebook a few months ago. Just ran your test including on my 990 Pro 4tb and nothing is encrypted. It says,

BitLocker version: none,
Conversion Status: Fully Decrypted,
Percentage Encrypted: 0.0%,
Encryption Method: None,
Protection Status: Protection Off

And in the control panel under "BitLocker Drive Encryption" it says bit locker is off for all drives. So I don't understand why you say it's turned on by default? Is that more in a office setting than at home? Is your article aimed more at IT professionals than the casual home user? Please explain. I got your article in my facebook feed early this morning. I use Malwarebytes Premium.

 

[romkslrqusz]

This article starts off with some inaccurate information right from the onset, so it leaves me with some credibility concerns that incline me to do some of my own testing.

Since Windows 10 1803, both Windows 10 and 11 Home and Pro have automatically enabled Bitlocker Encryption during the Out Of Box Experience (OOBE) as long as the following conditions are met:
- The device is UEFI and Secure Boot enabled
- The device has a TPM2.0 device that is enabled
- There are no un-allowed Direct Memory Access (DMA) capable devices on a DMA capable bus.
- The user signed in using a Microsoft Account and had an active internet connection at the time.

It is not specific to Windows 11 and has nothing to do with Home/Pro. This has been going on since 2018.

They also mention encryption built-in to SSDs. That is a fundamentally different kind of encryption.
With Bitlocker, removing an SSD from a device or accessing it from anything but the original Windows environment will require the user to enter a 25-digit key to gain data access.
Without Bitlocker, the on-disk encryption _does not_ prevent data access in those scenarios. That encryption key exists primarily so that you can secure erase the disk by changing the encryption key. The alternative is a block-level erasure, which would put wear and tear on the SSD.

Pretty disappointing to see this coming from an otherwise reputable source like Tom’s Hardware.

 

[JarredWaltonGPU]

1.4GB/s vs 1.6GB/s copy speed software encrypted vs unencrypted/hardware encrypted, 3.1GB/s vs 3.2GB/s read speed software vs hardware, 10µs higher latency software vs hardware encrypted.

If the tests included a game loading test of a game which uses many small files and a copy test of a folder containing hundreds or thousands of smaller files (such as photos), neither of which was performed by TH [Ed: WRONG!], or even a Windows cold boot test, things home users would encounter, and it showed a massive (20%+) difference, then I'd consider it news relevant and something to actually be concerned with. As it stands this article is not worthy of being written by a senior editor at a reputable tech site

That 50GB copy test consists of something like 30-40 thousand files. There are some larger files (up to 6.7GB), but tons of small files. The more small files, the bigger the advantage for OPAL/unencrypted, up to the theoretical maximum of around 40% if you're doing effectively 4K random IO.

Please check your attitude when criticizing the author (me). You don't actually know all the details of the testing, and rather than asking, you're making incorrect assumptions.

 

[JarredWaltonGPU]

I went to check W11P installs (multiple) and BitLocker is not on by default.

I have also confirmed that the vast majority of consumer (enthusiast) motherboards will not fully support all the requirements to have BitLocker auto-enable. The best test for getting Win11 Pro to automatically enable BitLocker seems to be using a laptop.

Nevertheless, this is not an error in the article itself. Please note that Microsoft's own documentation says BitLocker should be automatically enabled when the appropriate requirements have been met, and in fact this should also happen with Windows 10 Pro and Windows 8.1 Pro. This is what I talk about in the article when we say this has theoretically been the policy of MS since 2016.

The problem, especially with custom-built desktops, is that very few motherboards properly support TPM, Secure Boot, and Modern Standby in such a way that it passes muster and gets enabled during the initial setup. This has started to change with newer motherboards defaulting to Win11-compatible settings that should work, though networking support is still a potentially missing link. Primarily, this will affect OEM laptops and PCs from large manufacturers (Dell, HP, Lenovo, etc.)