Watch out: Microsoft used to let Bitlocker detect hardware encryption capabilities on SSDs and enabling Bitlocker used to be as simple as enabling hardware drive encryption.
Then it turned out hardware drive encryption was trash and insecure as hell. Microsoft removed hardware encryption from Bitlocker because in many cases you didn’t need the key to decrypt the data or there was a manufacturer set default master password.
Don’t trust hardware encryption, use software encryption instead.
As for the performance impact, I’m a little surprised by these numbers. AES acceleration allows for tens of gigabytes per second of throughput on modern chips, I wonder what’s happening here. There has always been a performance gap between encrypted and unencrypted, but I thought that only really hurt writes, and no more than a few percent.
This article starts off with some inaccurate information right from the outset, so it leaves me with some credibility concerns that incline me to do some of my own testing.
Since Windows 10 1803, both Windows 10 and 11 Home and Pro have automatically enabled Bitlocker Encryption during the Out Of Box Experience (OOBE) as long as the following conditions are met:
- The device is UEFI and Secure Boot enabled
- The device has a TPM 2.0 device that is enabled
- There are no un-allowed Direct Memory Access (DMA) capable devices on a DMA capable bus.
- The user signed in using a Microsoft Account and had an active internet connection at the time.
It is not specific to Windows 11 and has nothing to do with Home/Pro. This has been going on since 2018.
They also mention encryption built into SSDs. That is a fundamentally different kind of encryption. With Bitlocker, removing an SSD from a device or accessing it from anything but the original Windows environment will require the user to enter a 25-digit key to gain data access. Without Bitlocker, the on-disk encryption does not prevent data access in those scenarios. That encryption key exists primarily so that you can secure erase the disk by changing the encryption key. The alternative is a block-level erasure, which would put wear and tear on the SSD.
Pretty disappointing to see this coming from an otherwise reputable source like Tom’s Hardware.
You’re off with your claims about built-in encryption. While there are drives that do what you describe, there are also drives that require a key to be provided to the drive for unlocking it. There’s an entire specification for how the authentication to the hard drive is made at boot or when mounting it.
More reason not to switch. 🙂👍
This is not a reason to prevent switching, quite the opposite. Encryption is an awesome thing, and should always be used. It also inevitably causes slowdowns, but the best case is that it’s practically nonexistent of a performance hit. Not a lot of Linux distros let you set up LUKS root encryption in the installer, and it’s still pretty tricky to set up. But also if you’re using Linux, you should always be using LUKS encryption if you can as well.
First thing I do is disable Bitlocker. It’s a PITA when dual-booting too.
Is it? I just select Windows in the UEFI popup and Bitlocker unlocks fine. It’s only a problem if you’re trying to chainload through GRUB or whatever, and even then you only need to enter the recovery key once and Windows won’t throw an error again (unless you decide to boot through the UEFI firmware, because the TPM measurements change).
I guess if you’re still stuck running some old MBR based OS you’ll run into more issues, but dual booting has never caused Bitlocker issues for me.
It sounds like the article is an update to the age old performance issue discussions between hardware and software RAID solutions.
If you use a software solution for anything where there’s a dedicated hardware solution, the software solution is always slower due to CPU overhead.
The article’s recommendation boils down to: if you’re going to use encryption, and you want your full disk speed, use a hardware encryption solution. In their test their hardware supported OPAL.
If you set up hardware encryption, be sure to change the master password and set the security level to maximum. Also look up if the manufacturer of your SSD is known to sell drives with broken encryption or shitty implementations of useful encryption.
There’s a good reason Microsoft stopped trusting hardware encryption in Bitlocker.
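The opening warning and this last reply come down to the same practical question: is a given BitLocker volume really using software encryption, or did it hand the job to the SSD? The PowerShell audit below is an added example, not code from the thread or from the article it discusses. It assumes an elevated session on Windows with the built-in BitLocker module, that the module reports self-encrypting-drive mode as the EncryptionMethod value "Hardware", and the FVE registry value names are assumptions taken from the "Configure use of hardware-based encryption" Group Policy settings.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread or the article): audit every BitLocker
# volume for hardware (self-encrypting drive / OPAL) mode and read the policy
# values that decide whether BitLocker may delegate encryption to the drive.

function Get-BitLockerEncryptionMode {
    # Get-BitLockerVolume ships with the BitLocker PowerShell module.
    foreach ($v in Get-BitLockerVolume) {
        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeType       = $v.VolumeType
            ProtectionStatus = $v.ProtectionStatus
            EncryptionMethod = $v.EncryptionMethod
            # 'Hardware' (assumed enum value) means BitLocker handed the work to
            # the drive's own engine; data is then only as safe as that firmware.
            UsesDriveCrypto  = ([string]$v.EncryptionMethod -eq 'Hardware')
        }
    }
}

function Get-HardwareEncryptionPolicy {
    # Value names are an assumption drawn from the "Configure use of
    # hardware-based encryption for ... drives" policies under the FVE key.
    # 0 = hardware encryption disallowed, 1 = allowed, absent = not configured.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    foreach ($name in 'OSHardwareEncryption', 'FDVHardwareEncryption', 'RDVHardwareEncryption') {
        $value = (Get-ItemProperty -Path $fve -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $value) { $setting = 'not configured' }
        elseif ($value -eq 0) { $setting = 'disallowed' }
        else                  { $setting = 'allowed' }
        [pscustomobject]@{ Policy = $name; Setting = $setting }
    }
}

$report = Get-BitLockerEncryptionMode
$report | Format-Table -AutoSize
Get-HardwareEncryptionPolicy | Format-Table -AutoSize

# Flag any volume that still relies on the SSD's own encryption. To move it to
# software encryption, set the policy above to disallowed, then Disable-BitLocker
# and re-run Enable-BitLocker with -EncryptionMethod XtsAes256 on that volume.
$report | Where-Object UsesDriveCrypto | ForEach-Object {
    Write-Warning "$($_.MountPoint) is using the drive's hardware encryption"
}
```

A clean result is every volume showing a software method such as XtsAes256 and all three policy values reporting "disallowed".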