Tested: Windows 11 Pro's On-By-Default Encryption Slows SSDs Up to 45%

Of course not. You just turn off bitlocker(decrypt drive) and turn it back on. You absolutely do not have to reinstall.
Wrong. There is no way to go from software encryption to hardware OPAL encryption without a reinstall. Look at the instructions for the Samsung 980 Pro that were linked. You need to configure the SSD for hardware encryption, secure erase the SSD, then install Win11 Pro without BitLocker being enabled (use Rufus to turn it off), then tweak group policy to configure hardware encryption for BitLocker, and then turn on BitLocker.

Find me some steps that will work without a clean install and jumping through hoops if you can. The fact that Samsung and others generally require a secure erase before you can install Win11 and have OPAL support should clue you in to the difficulty of making this work.

If you want to prove us wrong, then give it a shot. Post the software BitLocker report, disable BitLocker, take another screenshot, and then figure out how to turn on hardware BitLocker encryption without doing a reinstall. Because I have a Samsung 990 Pro right now that's in software mode, and I have tried similar steps. They did not work without the secure erase and extra shenanigans.
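A way to read the kind of report the post above asks for, assuming it means the text printed by `manage-bde -status`. This is an added example, not part of the original post or of any Microsoft tool; the sample output is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of `manage-bde -status` (trimmed to the
# fields used here; "<algorithm OID>" is a placeholder, not a real value).
SAMPLE = """\
Volume C: [OS]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On

Volume D: [Data]
[Data Volume]

    Conversion Status:    Fully Encrypted
    Encryption Method:    Hardware Encryption - <algorithm OID>
    Protection Status:    Protection On

Volume E: [Scratch]
[Data Volume]

    Conversion Status:    Fully Decrypted
    Encryption Method:    None
    Protection Status:    Protection Off
"""

def parse_status(text):
    """Return {drive letter: {field: value}} from manage-bde -status text."""
    volumes, current = {}, None
    for line in text.splitlines():
        head = re.match(r"Volume ([A-Z]):", line)
        if head:
            current = volumes.setdefault(head.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return volumes

def encryption_mode(fields):
    """Classify one volume as 'hardware', 'software', 'suspended' or 'off'."""
    method = fields.get("Encryption Method", "None")
    if method == "None":
        return "off"
    if fields.get("Protection Status") != "Protection On":
        return "suspended"  # data still encrypted, but protection is not enforced
    return "hardware" if method.startswith("Hardware Encryption") else "software"

def report(text):
    """Map each drive letter in the status text to its encryption mode."""
    return {drive: encryption_mode(f) for drive, f in parse_status(text).items()}
```

A drive that reports `software` after BitLocker has been turned off and on again is the situation the post describes: the volume is encrypted, but not by the SSD's OPAL engine.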
 

t3t4

I realize I'm a bit late to the party and I have no interest in reading every comment, much like you I'm sure. But this BitLocker thing, it's a feature before it's a function. Simply meaning, go into Settings, then Apps, then Optional features. Click on View features, then find BitLocker, then uninstall it like any other program. But it's a feature, or so they call it.

I do not have it installed on my win 11 desktop/custom built PC, but I do see it as an option on my system. But it seems to me that simply uninstalling the feature should fix the issue for all.
 

computerdave911

Windows 11 Pro defaults to BitLocker being turned on, using software encryption. We've tested the Samsung 990 Pro with hardware encryption to show how the various modes impact performance, and how much hardware OPAL support helps.

This is old news. Also, if you have an OEM machine, BitLocker is on for Windows 10 Home as well; they call it device encryption, but it's still BitLocker. The only difference is you can't do externally connected drives, only Pro can: https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker
 

qwertymac93

Wrong. There is no way to go from software encryption to hardware OPAL encryption without a reinstall. Look at the instructions for the Samsung 980 Pro that were linked. You need to configure the SSD for hardware encryption, secure erase the SSD, then install Win11 Pro without BitLocker being enabled (use Rufus to turn it off), then tweak group policy to configure hardware encryption for BitLocker, and then turn on BitLocker.

Find me some steps that will work without a clean install and jumping through hoops if you can. The fact that Samsung and others generally require a secure erase before you can install Win11 and have OPAL support should clue you in to the difficulty of making this work.

If you want to prove us wrong, then give it a shot. Post the software BitLocker report, disable BitLocker, take another screenshot, and then figure out how to turn on hardware BitLocker encryption without doing a reinstall. Because I have a Samsung 990 Pro right now that's in software mode, and I have tried similar steps. They did not work without the secure erase and extra shenanigans.
You're right and I misunderstood, I've never even tried going from software to hardware, always gone the other way.

I've already edited my comment. I shouldn't comment while half asleep.
 
What about Windows 10 users?
The default behavior is theoretically the same (enable software BitLocker if certain requirements are met). Software BitLocker vs. Hardware OPAL vs. unencrypted performance shouldn't change with Win10 versus Win11. If you want hardware OPAL under Win10, you would also need to jump through similar hoops (I think the guide I used was initially written for Win10 use, maybe?)

And MS does have valid reasons to prefer full drive software encryption. We've seen lots of encryption standards fail over the years, due to some missed attack vector. But then, MS also requires you to store a copy of your BitLocker key on a USB stick, or else link it to your MS account, which means there's a backdoor to entry that way as well. Unless you think MS wouldn't cave to FBI/CIA/whatever demands if some accused criminal had BitLocker enabled on a drive the gov't wanted to access. :)
 
The default behavior is theoretically the same (enable software BitLocker if certain requirements are met). Software BitLocker vs. Hardware OPAL vs. unencrypted performance shouldn't change with Win10 versus Win11. If you want hardware OPAL under Win10, you would also need to jump through similar hoops (I think the guide I used was initially written for Win10 use, maybe?)

And MS does have valid reasons to prefer full drive software encryption. We've seen lots of encryption standards fail over the years, due to some missed attack vector. But then, MS also requires you to store a copy of your BitLocker key on a USB stick, or else link it to your MS account, which means there's a backdoor to entry that way as well. Unless you think MS wouldn't cave to FBI/CIA/whatever demands if some accused criminal had BitLocker enabled on a drive the gov't wanted to access. :)
The only illegal thing I do on the internet is kill gnomes on World of Warcraft.
I'll wait until I change my SSD to encrypt it in hardware. Thanks for the guide.
 
Very informative article. One thing that puzzles me, though, is that with my setup I'm not noticing any performance drawbacks at all. I only recently enabled software BitLocker encryption on my machine (specs below), and everything from apps loading, Windows boot-up times, and even my backups run at the same speeds as before.

I've even run the Samsung Magician benchmark with encryption enabled, and it appears to outperform other users with the same SSD (970 Evo Plus 1TB), bandwidth and IOPS.
 
Very informative article. One thing that puzzles me, though, is that with my setup I'm not noticing any performance drawbacks at all. I only recently enabled software BitLocker encryption on my machine (specs below), and everything from apps loading, Windows boot-up times, and even my backups run at the same speeds as before.

I've even run the Samsung Magician benchmark with encryption enabled, and it appears to outperform other users with the same SSD (970 Evo Plus 1TB), bandwidth and IOPS.
It could be something where the Ryzen 5800X3D just does it better than on some other setups. I know Ryzen has had some AES acceleration instructions that seem to do well, but I'm not sure if those are explicitly used in "software BitLocker" encryption. If so, that's probably it.
 

mtrantalainen

I think this is just a demonstration of low quality implementation by Microsoft. Modern CPUs should be fast enough to encrypt AES 256 around 1–2 GB/s per CPU core. Yes, that means that if you have Samsung 990 Pro, sequential writing to it using AES256 would be limited to 1–2 GB/s if Bitlocker implementation used only a single core but it were otherwise well implemented. The fact that the bandwidth drops to 490 MB/s as demonstrated in the test speaks a lot about Microsoft implementation quality, not that much about encryption performance penalty in general.

Using hardware encryption chips would reduce power usage, though, if you can trust the hardware because you cannot verify that the data is actually encrypted when you use storage device implemented encryption.
 

TJ Hooker

I think this is just a demonstration of low quality implementation by Microsoft. Modern CPUs should be fast enough to encrypt AES 256 around 1–2 GB/s per CPU core. Yes, that means that if you have Samsung 990 Pro, sequential writing to it using AES256 would be limited to 1–2 GB/s if Bitlocker implementation used only a single core but it were otherwise well implemented. The fact that the bandwidth drops to 490 MB/s as demonstrated in the test speaks a lot about Microsoft implementation quality, not that much about encryption performance penalty in general.

Using hardware encryption chips would reduce power usage, though, if you can trust the hardware because you cannot verify that the data is actually encrypted when you use storage device implemented encryption.
In the Crystal Disk Mark results further into the article, software Bitlocker hits ~7 GB/s for sequential read/write, on par with the drive-encrypted and unencrypted results. The PCMark result of 490 MB/s clearly doesn't represent the max limit Bitlocker is capable of based on MS' crypto implementation.

You see a similar drop in throughput with Linux: 640 MB/s with software encryption vs 1126 MB/s unencrypted, running a throughput benchmark with 4K block size.

But these are all largely synthetic benchmarks. You'd probably never notice the difference in real world use. As I mentioned in a previous comment: the difference in PCMark results for encrypted vs unencrypted (for a 990 Pro SSD) is less than the difference between a 990 Pro and a 980 Pro (and the encrypted 990 Pro beats the unencrypted 980 Pro). I really doubt people would notice a difference between those two drives.
 
In the Crystal Disk Mark results further into the article, software Bitlocker hits ~7 GB/s for sequential read/write, on par with the drive-encrypted and unencrypted results. The PCMark result of 490 MB/s clearly doesn't represent the max limit Bitlocker is capable of based on MS' crypto implementation.

You see a similar drop in throughput with Linux: 640 MB/s with software encryption vs 1126 MB/s unencrypted, running a throughput benchmark with 4K block size.

But these are all largely synthetic benchmarks. You'd probably never notice the difference in real world use. As I mentioned in a previous comment: the difference in PCMark results for encrypted vs unencrypted (for a 990 Pro SSD) is less than the difference between a 990 Pro and a 980 Pro (and the encrypted 990 Pro beats the unencrypted 980 Pro). I really doubt people would notice a difference between those two drives.
Keep in mind that on laptops, which have much less potent CPUs than the 12900K used here, the differences become more noticeable. I think AMD Ryzen CPUs also have better AES acceleration, so using a midrange Core i5 laptop is where it will hurt performance the most.
 

TJ Hooker

Keep in mind that on laptops, which have much less potent CPUs than the 12900K used here, the differences become more noticeable. I think AMD Ryzen CPUs also have better AES acceleration, so using a midrange Core i5 laptop is where it will hurt performance the most.
In the Cloudflare benchmarks I linked above, they were getting ~600 MB/s, sequential 4K read/write, with a single Skylake core with disk encryption. Testing with my own Ryzen 5700X and a RAM disk, I get 300 MB/s random 4K QD1 (so several times what a 990 Pro is capable of) (the processor gets to mid to high 3.x GHz while the benchmark is running). Sequential 1M QD1 results in ~1200 MB/s, so it'd take roughly two cores to saturate a 990 Pro, based on the Crystal Disk Mark results in this article.

I'm not convinced typical desktop I/O would result in a significant CPU load even for a midrange mobile chip. Especially when you consider that even low power ARM cell phone chips have been handling encrypted filesystems for years without issue.

Edit: surprisingly enough I get better results running the same tests on my Skylake 6700k. ~ 370 and 1500 MB/s for random and sequential, respectively. Could be that it's boosting more aggressively, I may have been a little overzealous enabling power saving settings on my Ryzen system.
 