Ensure that BitLocker uses hardware encryption

Discussion in 'Windows 10' started by ponzonik, Jan 2, 2018.

  1. ponzonik

    ponzonik MDL Novice

    Nov 20, 2009
    13
    0
    0
    Hello! I'd like to encrypt my laptop drive, but due to performance concerns, only if I can do so by using hardware disk encryption. Windows 10 BitLocker doesn't clarify the mode of operation before setup.

    I have the following:
    • Windows 10 Pro
    • A TPM 2.0 module
    • UEFI boot (I believe - it's a mid-high end laptop from late 2016)
    • No explicit mention of disk encryption in the BIOS
    • A SanDisk X300 (OEM) drive with (reportedly) Self-Drive-Encryption (but perhaps it isn't an Encrypted Hard Drive).
    How can I ensure that I incur no important performance penalties by enabling encryption? I've looked but I can't find instructions that are clear enough to me on how to do it.

    Thanks!
     
  2. Tiger-1

    Tiger-1 MDL Guru

    Oct 18, 2014
    4,127
    4,640
    150
    ^^
    thanks a lot dude for very useful info :good3:
     
  3. ponzonik

    ponzonik MDL Novice

    Nov 20, 2009
    13
    0
    0
    Wow, very nice! Thanks! Is that switch documented somewhere? It doesn't say how it fails when it does.
     
  4. S_SubZero

    S_SubZero MDL Junior Member

    Sep 22, 2012
    68
    23
    0
    My previous experience with hardware encryption was pretty negative, though I admit it was some time ago. In my deployments (I am the imaging person at work) I just use software encryption. The link I gave is one of MS's various pages on BitLocker.
     
  5. GodHand

    GodHand MDL Senior Member

    Jul 15, 2016
    400
    444
    10
    Only the X300s support the IEEE 1667 protocol, which allows BitLocker to use Get Silo Capabilities to pass limited security protocols that conform to a very limited number of native TCG Opal 2 security-subsystem commands. Pure Opal 2 security-subsystem control grants hundreds of security features, but using the IEEE 1667 protocol with the Get Silo Capabilities, BitLocker is able to pass those commands, allowing for Security Protocol Discovery, Programmatic TPer reset, SID Authority and UID.LockingSP.

    For a free option that works for all Opal 2.0 drives, you can use something like SedUtil. Though its PBA (pre-boot authorization) is very simplistic (then again, so is BitLocker's), it works flawlessly. Or connect to my network server and I'll deploy the godly WinMagic to your device for complete key management :)

    But yeah, sorry, X300 is not eDrive compatible.
     
  6. ponzonik

    ponzonik MDL Novice

    Nov 20, 2009
    13
    0
    0
    Great info. Thanks!
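
An added example, not posted by anyone in this thread: a PowerShell check of whether each BitLocker volume ended up on the drive's own encryption engine or on software AES, which is the question the thread opens with. The function name `Get-EncryptionKind` is hypothetical, the sample records are constructed, and it assumes the `EncryptionMethod` value reported by `Get-BitLockerVolume` begins with "Hardware" for a hardware-encrypted volume.

```powershell
# Classify BitLocker volumes as Hardware, Software or NotEncrypted.
# Input: objects shaped like Get-BitLockerVolume output
# (MountPoint, EncryptionMethod, VolumeStatus).
function Get-EncryptionKind {
    param([Parameter(Mandatory)] [object[]] $Volume)

    foreach ($v in $Volume) {
        $method = [string]$v.EncryptionMethod

        # Assumption: a hardware (eDrive) volume reports a method whose
        # name starts with "Hardware"; AES/XTS-AES names mean the CPU
        # does the encryption.
        if ($method -in '', 'None')         { $kind = 'NotEncrypted' }
        elseif ($method -match '^Hardware') { $kind = 'Hardware' }
        else                                { $kind = 'Software' }

        [pscustomobject]@{
            MountPoint = $v.MountPoint
            Method     = $method
            Kind       = $kind
            Status     = [string]$v.VolumeStatus
        }
    }
}

# Constructed sample records, not output from a real machine.
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; EncryptionMethod = 'XtsAes128'
                       VolumeStatus = 'FullyEncrypted' }
    [pscustomobject]@{ MountPoint = 'D:'; EncryptionMethod = 'HardwareEncryption'
                       VolumeStatus = 'FullyEncrypted' }
    [pscustomobject]@{ MountPoint = 'E:'; EncryptionMethod = 'None'
                       VolumeStatus = 'FullyDecrypted' }
)

Get-EncryptionKind -Volume $sample | Format-Table -AutoSize

# On a live system, from an elevated prompt:
#   Get-EncryptionKind -Volume (Get-BitLockerVolume)
```

A volume that was expected to be hardware-encrypted but is classified as Software means BitLocker did not accept the drive as an Encrypted Hard Drive and is encrypting on the CPU.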