Hardware encryption on a Samsung 980 Pro in Windows 11

[CrisR82]

I'm looking into making use of disk encryption and seems like I opened a can of really weird worms, containing a large amount of conflicting and very unclear information...thought I'd ask here in case anyone has actual recent info or experience with it.

 

From what I can gather, BitLocker supports hardware encryption, however it requires you to wipe the whole drive, in my case a secure erase using a Samsung Magician-created USB stick and then reinstall Windows.

Here is where I started getting conflicting information - according to some, as long as I'm on UEFI with Secure Boot and TPM enabled, just wiping the drive with the Samsung tool and then installing a fresh Windows 11, it should automatically enable hardware encryption...while according to others, you need a group policy in Windows 11 to enable it...and according to others, you need all that AND obscure BIOS setting changes (most people seem to be talking about Windows 8 and 10, which makes it even more confusing).

 

I don't really mind wiping my drive and going through a setup process but it would be great to actually know what I'm supposed to be doing to actually get it to work, anyone has any info on this, or even an actual step-by-step guide?

(the whole thing stems from the part where according to many people, software-based BitLocker can cause 20-40% performance drop)

 

 

If needed, the PC setup is:
ASrock B650 PG Lightning (BIOS 2.02, dated 2023/11/21)

AMD Ryzen 7 7700X

RTX4070

32GB DDR5-5600

Samsung 980 Pro 1TB M.2 Gen4 as boot drive (with a Kingston A400 480GB SSD and Seagate Barracuda 1TB 7200rpm HDD secondary drives)

Windows 11 Pro

[Kilrah]

You don't need to format to enable bitlocker, can be done at any time. 

Encryption will be done in hardware as long as your CPU supports the required instructions, which is the case for basically anything made in the past 10 years if not more.

[CrisR82]

5 minutes ago, Kilrah said:

You don't need to format to enable bitlocker, can be done at any time. 

Encryption will be done in hardware as long as your CPU supports the required instructions, which is the case for basically anything made in the past 10 years if not more.

 

Are you sure about that? Like, I have little experience with this, but everyone else seems to be suggesting that BitLocker always uses software encryption, with one post in particular specifically mentioning that if you see a screen during the setup process where you are asked to pick how to encrypt the drive (the attached screenshot), it's definitely software-based encryption.

[kokosnh]

He probably means the bitlocker encryption hardware acceleration on SSD. 
 

and well that’s a whole can of worms right there.  the hardware acceleration on SSD, was fazed out quite long ago ( years ), after some discoveries, and came back only recently as

 

https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/encrypted-hard-drive

 

I won't even start on the boot problems, and VROC… 

 

what you want to enable is that "encrypted hard drive", very little SSD actually have the required hardware to support it, but I believe 980 pro actually do support it ( but you have to double check that ).

 

of course, intel 8 gen, or amd zen 2 architecture, with TPM build it, also required.

 

 

[CrisR82]

2 hours ago, kokosnh said:

He probably means the bitlocker encryption hardware acceleration on SSD. 
 

and well that’s a whole can of worms right there.  the hardware acceleration on SSD, was fazed out quite long ago ( years ), after some discoveries, and came back only recently as

 

https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/encrypted-hard-drive

 

I won't even start on the boot problems, and VROC… 

 

what you want to enable is that "encrypted hard drive", very little SSD actually have the required hardware to support it, but I believe 980 pro actually do support it ( but you have to double check that ).

 

of course, intel 8 gen, or amd zen 2 architecture, with TPM build it, also required.

 

 

 

After a bunch of additional digging around, I was pointed to a guide that seems to cover what I need (assuming it actually works that is) - https://blog.odenthal.cc/how-to-enable-bitlocker-hw-encryption-with-modern-ssds-e-g-samsung-980-pro/

 

Checking the 980 Pro here - https://www.techpowerup.com/ssd-specs/samsung-980-pro-1-tb.d47 - it does appear to offer hardware-based encryption so this should be a better option than software-based, at least for the boot drive, the others I guess will have to make do with software-based.

[kokosnh]

58 minutes ago, CrisR82 said:

assuming it actually works that is

I’m not entirely sure, if this guide, is enabling the old hardware based acceleration in bitlocker, or the "encrypted hard drive", and I'm not bothered enough to figure it out.

1 hour ago, CrisR82 said:

it does appear to offer hardware-based encryption

Lots of SSD do have hardware based encryption acceleration, but you need a specific ones, for the „encrypted hard drive” to work. 
 

[Kilrah]

All my drives have been encrypted using bitlocker for years now, that's what you call "software" but as mentioned is still hardware-accelerated by the CPU even if not done by the drive itself, and any kind of speed test always returns speeds within spec. 

 

Seems like going through major hassle reinstalling a system for something that's entirely unnoticeable.

If that's a worry prepare for the surprise of your Gen4 drive almost never getting past 500MB-1GB/s transfers in real life use.

[CrisR82]

33 minutes ago, Kilrah said:

All my drives have been encrypted using bitlocker for years now, that's what you call "software" but as mentioned is still hardware-accelerated by the CPU even if not done by the drive itself, and any kind of speed test always returns speeds within spec. 

 

Seems like going through major hassle reinstalling a system for something that's entirely unnoticeable.

If that's a worry prepare for the surprise of your Gen4 drive almost never getting past 500MB-1GB/s transfers in real life use.

I'm not concerned about the drive speed, I don't have any other drive that can do anything even close to that.

Again, I've read probably a lot of junk information, maybe outdated stuff and god know what else when researching this, but it seems a lot of it pointed at software encryption taking up CPU resources - that's the part I'm interested in - if it is indeed the case, and I have hardware capable of preventing this, shouldn't I be using that? I would definitely love to not have to go through the guide above (or other hoops and loops) if the whole performance thing is not a thing these days.

 

I'll have to reinstall the OS on my PC within the next week or so, which is why I decided t dig further into this matter and see how exactly to proceed.

[kokosnh]

When I tested bitlocker (software) on my old platform i7 2600K ( and it has AES-NI instructions ), I had like 50% performance hit on M.2 NVMe SSD.