Ensure that BitLocker uses hardware encryption

Discussion in 'Windows 10' started by ponzonik, Jan 2, 2018.

  1. ponzonik

    ponzonik MDL Novice

    Nov 20, 2009
    Hello! I'd like to encrypt my laptop drive, but due to performance concerns, only if I can do so by using hardware disk encryption. Windows 10 BitLocker doesn't clarify the mode of operation before setup.

    I have the following:
    • Windows 10 Pro
    • A TPM 2.0 module
    • UEFI boot (I believe - it's a mid-high end laptop from late 2016)
    • No explicit mentions of disk encryption in the BIOS
    • A SanDisk X300 (OEM) drive with (reportedly) Self-Drive-Encryption (but perhaps it isn't an Encrypted Hard Drive).
    How can I ensure that I incur no important performance penalties by enabling encryption? I've looked but I can't find instructions that are clear enough to me on how to do it.

  2. Tiger-1

    Tiger-1 MDL Guru

    Oct 18, 2014
    thanks a lot dude for very useful info :good3:
  3. ponzonik

    ponzonik MDL Novice

    Nov 20, 2009
    wow, very nice! thanks! is that switch documented somewhere? it doesn't say how it fails when it does.
  4. S_SubZero

    S_SubZero MDL Member

    Sep 22, 2012
    My previous experience with hardware encryption was pretty negative, though I admit it was some time ago. In my deployments (I am the imaging person at work) I just use software encryption. The link I gave is one of MS's various pages on BitLocker.
  5. GodHand

    GodHand MDL Addicted

    Jul 15, 2016
    Only the X300s support the IEEE 1667 protocol which allows BitLocker to use Get Silo Capabilities to pass limited security protocols that conform to a very limited amount of native TCG Opal 2 security-subsystem commands. Pure Opal 2 security-subsystem control grants hundreds of security features, but using the IEEE 1667 protocol with the Get Silo Capabilities, BitLocker is able to pass those commands allowing for Security Protocol Discovery, Programmatic TPer reset, SID Authority and UID.LockingSP.

    For a free option that works for all Opal 2.0 drives, you can use something like SedUtil. Though its PBA (pre-boot authorization) is very simplistic (then again, so is BitLocker's), it works flawlessly. Or connect to my network server and I'll deploy the godly WinMagic to your device for complete key management :)

    But yeah, sorry, X300 is not eDrive compatible.
  6. ponzonik

    ponzonik MDL Novice

    Nov 20, 2009
    Great info. Thanks!
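
The question that opens the thread is how to tell which mode BitLocker ended up in. The following is an added example, not code from any poster in this thread: it reads the `EncryptionMethod` property that `Get-BitLockerVolume` reports for each volume and labels it as drive-side (hardware) or CPU-side (software). The function name `Get-BitLockerEncryptionKind` and the fallback sample objects are hypothetical and constructed for illustration.

```powershell
# Added example. Run from an elevated PowerShell prompt on Windows 10 Pro or later.
function Get-BitLockerEncryptionKind {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-BitLockerVolume output
        # (MountPoint, VolumeStatus, EncryptionMethod).
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Volume
    )
    process {
        $method = [string]$Volume.EncryptionMethod
        $kind = switch ($method) {
            'HardwareEncryption' { 'Hardware (done by the drive)'; break }
            'None'               { 'Not encrypted'; break }
            ''                   { 'Not encrypted'; break }
            # Anything else is an AES variant (Aes128, XtsAes128, ...),
            # which BitLocker performs in software on the CPU.
            default              { 'Software (done by the CPU)' }
        }
        [pscustomobject]@{
            MountPoint       = $Volume.MountPoint
            VolumeStatus     = [string]$Volume.VolumeStatus
            EncryptionMethod = $method
            Kind             = $kind
        }
    }
}

if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    # Real data from this machine.
    $volumes = Get-BitLockerVolume
} else {
    # Constructed sample objects so the function can be tried on a machine
    # without the BitLocker module; the values are not from a real system.
    $volumes = @(
        [pscustomobject]@{ MountPoint = 'C:'; VolumeStatus = 'FullyEncrypted'; EncryptionMethod = 'XtsAes128' }
        [pscustomobject]@{ MountPoint = 'D:'; VolumeStatus = 'FullyEncrypted'; EncryptionMethod = 'HardwareEncryption' }
        [pscustomobject]@{ MountPoint = 'E:'; VolumeStatus = 'FullyDecrypted'; EncryptionMethod = 'None' }
    )
}

$volumes | Get-BitLockerEncryptionKind | Format-Table -AutoSize
```

A volume that shows an AES method after BitLocker has been enabled is using software encryption, whatever the drive's data sheet says about self-encryption.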