How to Enable BitLocker Hardware Encryption with SSDs

Beginning with Windows 8, BitLocker can offload the encryption from the CPU to the disk drive. But enabling that can be challenging. Here is how.

Why Use Hardware Encryption?

Doing the encryption in hardware on the disk drive instead of in software on the CPU should be more efficient. That translates into longer battery life and higher performance. AnandTech has some numbers that illustrate these points.

Requirements

These are the system requirements according to TechNet:

For data drives:

  • The drive must be in an uninitialized state.
  • The drive must be in a security inactive state.

If the drive is used as a startup drive the following apply additionally:

  • The computer must always boot natively from UEFI.
  • The computer must have the Compatibility Support Module (CSM) disabled in UEFI.
  • The computer must be UEFI 2.3.1 based and have the EFI_STORAGE_SECURITY_COMMAND_PROTOCOL defined.

One very important thing is the uninitialized state: it means that you cannot clone a drive with data on it and enable BitLocker with hardware encryption afterwards.

Problem: Intel Rapid Storage Technology Driver

What Microsoft does not list in its requirements is that older versions of the Intel Rapid Storage Technology (RST) driver prevent hardware encryption. There is a 12-page thread in the Lenovo forums mainly about this problem. Version 13.2 of the RST driver fixes the issue, so make sure you have at least that version installed.

I would not recommend the alternative solution of not installing the RST driver at all. As the German magazine c’t found out, it may increase your system’s idle power consumption.

Instructions

The following instructions worked for me. I am using a Samsung SSD 850 Pro as data drive, so the UEFI requirements do not apply (although I do have the BIOS mode set to UEFI). The computer is a Lenovo W540 laptop.

The main points are:

  1. Update your RST driver to at least version 13.2.4.1000
  2. Wipe the disk with diskpart clean
  3. Use Samsung Magician to switch the Encrypted Drive status to ready to enable
  4. Reboot
  5. Initialize and format the drive
  6. Enable BitLocker

The following sections explain the process in more detail.

Update the RST Driver

I had version 12.8.10.1005 of the RST driver installed and Windows Update would not offer any newer version. A visit to Intel’s Download Center got me 13.2.4.1000.

Before the update Samsung Magician would give me the error “Failed to perform the operation on the selected disk” and all data security modes would be disabled. After the update that was gone.

Diskpart Clean

The disk needs to be in the uninitialized state. Open an elevated command prompt and type the following (this deletes all data on the selected disk; disk 1 is the second hard disk, so check the output of list disk before selecting):

  • diskpart
  • list disk
  • select disk 1
  • clean
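The same wipe as an added PowerShell example (not part of the original post), with the guard a practitioner wants before an irreversible clean: it refuses to touch the boot or system disk, checks the disk’s friendly name, and only then feeds the post’s diskpart commands to diskpart as a script. The disk number and the expected name “Samsung SSD 850 PRO” are assumptions; take them from your own list disk output.

```powershell
# Added example, not from the original post. Wipes a secondary data drive to the
# uninitialized (RAW) state that BitLocker hardware encryption requires.
# Run from an elevated PowerShell prompt on Windows 8 or later (Storage module).
# Destroys all data on the chosen disk. Both parameters are assumed values.
param(
    [Parameter(Mandatory = $true)][int] $TargetDiskNumber,
    [string] $ExpectedFriendlyName = 'Samsung SSD 850 PRO'
)

$disk = Get-Disk -Number $TargetDiskNumber -ErrorAction Stop

# Never clean the disk Windows booted from or the one holding the system partition.
if ($disk.IsBoot -or $disk.IsSystem) {
    throw "Disk $TargetDiskNumber is the boot/system disk; refusing to clean it."
}

# Disk numbers can change between reboots; make sure this is the drive you mean.
if ($disk.FriendlyName -notlike "*$ExpectedFriendlyName*") {
    throw "Disk $TargetDiskNumber is '$($disk.FriendlyName)', not '$ExpectedFriendlyName'."
}

# Already uninitialized: nothing to do.
if ($disk.PartitionStyle -eq 'RAW') {
    Write-Host "Disk $TargetDiskNumber is already uninitialized (RAW)."
    return
}

Write-Host ("About to wipe disk {0}: {1}, {2:N0} GB, {3}" -f `
    $disk.Number, $disk.FriendlyName, ($disk.Size / 1GB), $disk.PartitionStyle)
$answer = Read-Host 'Type WIPE (upper case) to continue'
if ($answer -cne 'WIPE') {
    Write-Host 'Aborted.'
    return
}

# The same commands the post gives interactively, run non-interactively via diskpart /s.
$script = @"
select disk $TargetDiskNumber
clean
"@
$scriptPath = Join-Path $env:TEMP 'bitlocker-edrive-clean.txt'
Set-Content -Path $scriptPath -Value $script -Encoding ASCII
try {
    diskpart.exe /s $scriptPath
} finally {
    Remove-Item $scriptPath -ErrorAction SilentlyContinue
}

# diskpart's clean leaves the disk RAW, which is the "not initialized" state
# Disk Management shows before the drive is set up again.
$after = Get-Disk -Number $TargetDiskNumber
if ($after.PartitionStyle -ne 'RAW') {
    Write-Warning "Disk $TargetDiskNumber is still $($after.PartitionStyle); the clean did not take effect."
} else {
    Write-Host "Disk $TargetDiskNumber is now uninitialized (RAW)."
}
```

Run it as `.\clean-edrive.ps1 -TargetDiskNumber 1` from an elevated prompt. The name check is what makes the script safe to re-run after the reboot in the next step, when disk numbers may have shifted.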

Samsung Magician

Enable Encrypted Drive status in Samsung’s SSD management software by clicking Ready to enable:

[Screenshot: Samsung SSD Magician, Encrypted Drive status set to Ready to enable]

After a reboot it should look like this:

[Screenshot: Samsung SSD Magician, Encrypted Drive status after reboot]

Format the Drive

Initialize and format the drive in Disk Management. Remember: before you do that the drive should be in the uninitialized state, like this:

[Screenshot: Disk Management showing the drive as not initialized]

Enable BitLocker

Enable BitLocker the usual way. Make sure you do not get the following screen asking how much of the drive to encrypt; if you do, BitLocker is encrypting in software:

[Screenshot: BitLocker Drive Encryption wizard asking how much of the drive to encrypt]

Check if BitLocker really uses Hardware Encryption

The BitLocker UI in Control Panel does not tell you whether hardware encryption is used, but the command line tool manage-bde.exe does when invoked with the parameter -status. You can see that hardware encryption is enabled for D: (Samsung SSD 850 Pro) but not for C: (Samsung SSD 840 Pro, which does not support hardware encryption):

[Screenshot: BitLocker hardware encryption status checked with manage-bde -status]
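An added PowerShell check, not from the original post, that tests the prerequisites the post lists (firmware mode, RST driver version of at least 13.2.4.1000, uninitialized disk state) and then parses the output of manage-bde -status to report whether the volume really uses hardware encryption. The default volume D:, and the assumption that the RST driver appears as an Intel-provided driver for a storage controller device class, are mine; the “Encryption Method” label is what manage-bde prints on English Windows.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# prompt on Windows 8 or later. $Volume is an assumed default.
param([string] $Volume = 'D:')

# 1. Firmware mode. Windows exposes it in the firmware_type environment variable
#    ("UEFI" or "Legacy"); the post's UEFI/CSM requirements only matter for an OS drive.
Write-Host "Firmware type: $env:firmware_type"

# 2. Intel RST driver version. The post needs at least 13.2.4.1000.
#    Assumption: the RST driver shows up as an Intel-provided driver of a storage
#    controller class (HDC or SCSIADAPTER). No match means the inbox Microsoft
#    AHCI driver is in use.
$minRst = [version]'13.2.4.1000'
$storageDrivers = Get-CimInstance Win32_PnPSignedDriver |
    Where-Object { $_.DriverVersion -and $_.DriverProviderName -like 'Intel*' -and
                   $_.DeviceClass -in @('HDC', 'SCSIADAPTER') }
foreach ($d in $storageDrivers) {
    $v = [version] $d.DriverVersion
    $verdict = if ($v -ge $minRst) { 'OK' } else { "too old, need at least $minRst" }
    Write-Host ("Storage driver: {0} {1} -> {2}" -f $d.DeviceName, $v, $verdict)
}
if (-not $storageDrivers) {
    Write-Host 'No Intel storage driver found (Microsoft inbox driver in use).'
}

# 3. Disk state. A drive must be RAW (uninitialized) before Magician and BitLocker
#    can set up hardware encryption; IsBoot/IsSystem marks the disk never to wipe.
Get-Disk | Select-Object Number, FriendlyName, PartitionStyle, IsBoot, IsSystem |
    Format-Table -AutoSize | Out-String | Write-Host

# 4. Encryption method actually in use. manage-bde -status prints an
#    "Encryption Method" line; an eDrive volume reports a hardware method there,
#    whereas a software fallback reports an AES mode. The label is localized on
#    non-English Windows, so adjust the match if needed.
$status = & manage-bde.exe -status $Volume 2>&1
$methodLine = $status | Where-Object { $_ -match 'Encryption Method' } | Select-Object -First 1
if (-not $methodLine) {
    Write-Warning "$Volume does not look like a BitLocker volume; manage-bde said:"
    $status | Write-Host
    return
}
$method = ($methodLine -split ':', 2)[1].Trim()
if ($method -like 'Hardware*') {
    Write-Host "$Volume uses hardware encryption: $method"
} else {
    Write-Warning "$Volume is NOT hardware encrypted ($method); BitLocker fell back to software."
}

# 5. Cross-check with the BitLocker module: its EncryptionMethod property reports
#    "Hardware" for an eDrive volume.
(Get-BitLockerVolume -MountPoint $Volume).EncryptionMethod
```

If step 4 reports an AES mode although Magician showed the drive as Encrypted, the usual causes are the ones the post names: an RST driver older than 13.2.4.1000, or a drive that was not in the uninitialized state when BitLocker was turned on. Decrypt, update the driver, clean the disk again and repeat.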


18 Responses to How to Enable BitLocker Hardware Encryption with SSDs

  1. Jim March 28, 2015 at 06:38

    Thank you very much for your guide; it told me exactly what I needed to know and I was able to enable hardware encryption on a new secondary drive without reinstalling Windows.

  2. Justin March 31, 2015 at 19:07

    How can I boot to my DVD drive when CSM is disabled? The option to boot to the drive, and therefore to install Windows, won’t seem to appear for my Gigabyte motherboard.

    • Justin April 4, 2015 at 08:57

      Ok, I figured out the CSM part. I just needed to use Rufus to create a bootable USB key.

      However, I’m still having a lot of trouble getting this to work. I have a TPM module installed, CSM disabled and UEFI BIOS use confirmed. I’ve followed the steps exactly for my Evo 840 with Samsung Magician, and Gigabyte’s support staff assures me that the motherboard does support eDrive. However, every time I get to the step of enabling encryption I get the “Encrypt part of drive or whole drive” question, indicating software-based encryption.

      As a test, I installed Windows 8.1 to an old SATA drive instead and then activated BitLocker on the Samsung SSD as a secondary drive. That worked great, and when I run the command “manage-bde.exe -status f:” it confirms that the SSD is indeed hardware encrypted in this secondary drive position.

      How come I can’t get it working when the SSD is the primary drive? Any ideas would be appreciated!

  3. Mark UX July 21, 2015 at 15:48

    Hello Helge Klein,

    I have tried many, many ways of replicating this post on my Samsung SSD 850 EVO (not PRO) without success. My laptop is an HP without TPM support, and every attempt I make leads to software encryption. It is very stressful not to be able to perform the hardware encryption.

    I am starting to assume that hardware encryption is available on the PRO version and not the EVO. Do you know something about this?
    Thanks,
    Mark.

  4. Mark UX July 21, 2015 at 15:51

    Also, I forgot to mention that my attempts involve trying to hardware-encrypt the SSD of the OS (not a data drive), so I am not sure if the “uninitialized state” also applies to the case where I want hardware encryption on the OS drive. Any hints will be very welcome.

    • Terry July 26, 2015 at 14:54

      To Mark: According to the Samsung Tooltip, to get hardware encryption of an OS drive, you have to install a NEW Operating System on it.

      Basically, the steps required would be:

      1. Plug the OS drive into A DIFFERENT MACHINE (or the same machine if you’re planning to wipe it, but you can’t boot off of the drive yet…)
      2. Do the DISKPART cleaning of the SSD.
      3. Run Samsung Magician and “Secure Erase” the drive.
      4. Change the drive to “Ready to Enable”.
      5. Shut down the computer and install the new OS to the drive.
      6. After the OS comes up, enable BitLocker on the SSD.
      7. Done!

  5. Paul Roland August 15, 2015 at 23:08

    Great article. A good thing to note: on my T440p I used to install the latest and greatest RST driver, 14.5.0.1081; however, after 4 hours of troubleshooting I realized that somehow FDE will not work with this version and will fall back to software (leaving the M$ one works). Not sure what would happen if I add 14.5 after encrypting; ran out of patience.

    • Paul Roland August 15, 2015 at 23:14

      Update: at least on Windows 10, installing RST drivers will fall back to software encryption; encrypting and then updating the driver for AHCI will also break encryption, very difficult to recover via PSID revert.

  6. J.R. November 15, 2015 at 12:53

    Microsoft changed something on build 10586 aka 1511, and enabling hardware encryption via BitLocker no longer works at least on Samsung SSDs (‘parameter is incorrect’). If you encrypt it on build 10240 and then upgrade to 10586 it will still be enabled, but if you disable it you won’t be able to re-enable it.

    • Larry November 17, 2015 at 03:24

      Well, those technically inclined can also use MSED, an open-source program to enable SSD hardware encryption.

      http://www.r0m30.com/msed

  7. bollerfant January 4, 2016 at 14:47

    Maybe a dumb question: if I do this with a brand new Evo 850 by hooking it up to my current Windows and performing the steps above, can I then turn off the PC, disconnect all the other hard drives (leaving only the encrypted Evo 850 connected) and install Windows 10 with a clean install?

    Or how does this work? I want a hardware-accelerated, completely encrypted Evo 850 with Windows 10 clean installed.

    • Athila Mattos May 31, 2016 at 07:53

      Did you try? I am wondering if that will work too. I have a Samsung 850 Pro with hardware encryption and I want hardware encryption on my C: drive. Basically this is my setup:

      – ThinkPad T520 with 2 disk drives
      – SSD is connected to the SATA controller, it’s my primary drive (850 Pro)
      – HDD is connected in place of the optical drive through a disk caddy
      – My computer is old but it’s UEFI capable

      This is what I did:

      – Created a brand new Windows 10 boot media (using a USB stick)
      – Booted on Windows 10 using this USB and clicked on “Repair your computer”
      – Opened up CMD and started diskpart
      – I zeroed both disks using “clean all” option (this turns them back into MBR)
      – Converted them back into GPT with convert gpt
      – Installed Windows 10 on the secondary disk drive, not the SSD
      – Installed Samsung Magician and it automatically detected my SSD drive as “Encrypted”

      I still didn’t format the SSD drive as I ran out of time last night.
      I will perform a few tests tonight with the secure erase and see what I get.

      I’ve been trying to figure out the hardware encryption on my 850 Pro for a while and I had a lot of problems creating that bootable USB drive using Samsung Magician. There’s no way that I could have gone past an error message saying that the media creation failed. I performed all sorts of research and I finally found this GREAT article which actually explains how to do this. Thank you, author!

      I will paste the rest of my tests here after I get home.

  8. Rivadi_NL February 25, 2016 at 20:17

    I can make a backup from the hardware BitLocker encrypted drive using Acronis True Image 2016. But I have not managed to restore a backup.
    How can that be done?

  9. DexterG September 30, 2016 at 05:20

    Has anyone figured out how to restore a system image backup to a hardware encrypting SSD (eDrive)? The problem I am experiencing is that I can successfully restore the system image to the SSD but hardware encryption is no longer enableable like it was before the backup and restore.

    I have written-up the full test procedure here: http://answers.microsoft.com/en-us/windows/forum/windows_10-update/how-to-restore-a-system-image-backup-to-a-hardware/c4140eed-0323-4134-befb-c10335790b64

  10. DexterG October 12, 2016 at 17:45

    This weekend I did some more testing using a new self-encrypting solid state drive, a Crucial MX300, which supports Microsoft’s eDrive standard.

    What I learned is that restoring a Microsoft system image backup from the M500 breaks the hardware encryption capability but otherwise works normally. I also tried cloning the M500 to the MX300 using Paragon Hard Disk Manager but that broke the hardware encryption capability as well. And lastly, I tried imaging and then restoring the M500 to the MX300 using Paragon HDM but got the same results: Windows works fine but the hardware encryption is not re-enableable.

    So the conclusion from all of these tests seems to be that if your eDrive fails, or if you want to migrate to a new eDrive, you will have to reinstall Windows and all of your programs from scratch.

    I wish that some Microsoft engineers working in the Bitlocker department would address this shortcoming by either explaining why this behaviour exists (maybe they think it is necessary for security reasons) or treating it as a bug and working on fixing it.

    I can’t believe that no one else has raised this issue already! To me it seems like a major problem with the whole self-encrypting eDrive architecture. You should be able to replace a drive without the hardware encryption breaking and your system image backups becoming useless.

  11. The_ShadowWw November 3, 2016 at 11:58

    Storage type must be AHCI
    The computer must always boot natively from UEFI.
    The computer must have the Compatibility Support Module (CSM) disabled in UEFI.
    The computer must be UEFI 2.3.1 based and have the EFI_STORAGE_SECURITY_COMMAND_PROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive).

    TPM chip is optional
    Secure boot is optional
    GPT and MBR are both supported
    If there is RST software/drivers it has to be at least version 13.2.4.1000

    This can be done with 2 disks or one

    From a Windows install that meets the above criteria:
    Set state to ready to enable via Samsung Magician
    Make a secure erase USB (for DOS)
    Reboot PC, change boot mode to BIOS boot (for the secure erase USB)
    Boot into secure erase, erase
    Reboot PC, change BIOS boot settings to EFI again (do not let the PC start booting from the drive or you might have to start the process from the beginning)
    Boot back to the Windows disk and check via Samsung Magician, or install Windows to your secure-erased disk

  12. Nikolay March 9, 2017 at 20:32

    Hello,

    Thank you for the useful article!

    I have a Samsung 850 Pro and would like to implement full disk hardware encryption on a dual-boot machine with Debian and Windows 8.1.
    The hardware is a Thinkpad T440p.

    Could you please advise me whether setting up BitLocker from within Windows would enable me to use the SSD for booting Debian?
    Which would be the best approach in such a scenario?

    As far as I understand, MSED does not enable suspend to RAM (sleep). Hence, I would prefer to avoid it.

    Thank you!

    Kind regards,
    Nikolay

  13. lfc_NCM October 18, 2017 at 09:54

    Hello

    Thanks, I’ve managed to encrypt a Samsung 850 Evo using this method.

    Did anyone test the Samsung 960 EVO M.2 for hardware encryption?

    Please let me know
    Thanks
    NCM
