How to Enable SSD Hardware Encryption

How to Enable SSD Hardware Encryption - Windows BitLocker

Рет қаралды 6,461

2 жыл бұрын

ssd hardware encryption
how to enable bitlocker hardware encryption on an ssd
sed bitlocker
sed how to enable hardware encryption
installing bitlocker with a self-encrypting ssd
samsung 980 pro hardware-encryption
samaung 990 pro hardware-encryption
samsung 980 pro encrypted drive enable
samsung 990 pro encrypted drive enable
Command list:
diskpart
list disk
sel disk
clean
manage-bde -on C: -fet hardware
manage-bde -protectors -add C: tpmandpin
manage-bde -status
manage-bde -protectors -add C: -recoverykey D:
Bypassing of Self-Encrypting Drives - Techniques for Hackers and Forensic Investigators - • Bypassing of Self-Encr... (security steps taken from here)
Video chapters:
00:09 - OS type
00:34 - TCG Opal and IEEE 1667 req
00:46 - System requirements
01:11 - Global steps
01:42 - Vendor-specific instructions
02:32 - Step 3: 'Ready to enable' Encrypted Drive
02:47 - Step 4: Clean Windows installation
05:05 - Allow to enable hardware-based encryption
05:05 - Allow to enable hardware-based encryption
05:19 - Allow to use TPM for BitLocker
05:28 - Enabling hardware-based encryption
05:45 - Adding TPM+PIN protection
05:57 - Check if hardware-based encryption enabled
06:09 - Add Recovery Key
06:27 - Security configuration
06:54 - Two things to know
Created with Kdenlive :)
Music: Alexander Kostruba - Mastrada
Copyright Disclaimer Under Section 107 of the Copyright Act 1976, allowance is made for "fair use" for purposes such as criticism, comment, news reporting, teaching, scholarship, and research. Fair use is a use permitted by copyright statute that might otherwise be infringing. Non-profit, educational or personal use tips the balance in favor of fair use.

Пікірлер: 32

@KarolMurawski Жыл бұрын

For NVMe disks, you do NOT need to disable Block SID Support. Al least I didn't have to. From what I've read, Block SID Support is not supported in NVMe anyway. Besides that great tutorial - thanks.

@incandescentwithrage Жыл бұрын

Thanks, helped me out today. Worked perfectly

@Andrei-YT01 16 күн бұрын

i went to magician, set the drive to ready to enable, cleared the disk and reinstalled the system, came back to magician and still see the "ready to enable" status. i have tpm , UEFI boot, ssd 970 evo plus. Why do i still see ready to enable??

@floriang.9616 Жыл бұрын

This tutorial helped me a lot, thank you very much. I was struggling with the Samsung 990 pro drama but after nearly 5 months of waiting it worked with the newest filmware.

@stefan_es 3 ай бұрын

Please tell me. If you follow these instructions, will there be no decrease in SSD performance?

@RogerCold009 15 күн бұрын

@@stefan_esno, performance is the same with hardware encryption, only windows software encryption is heavy

@indemonic 13 күн бұрын

Excellent tutorial. Just a question, I understand that in the whole process you will have to perform TWO installations of Windows 11 Pro. What happens if you have an OEM license, will it work in both installations? Should it only be activated in the second (final) installation? Thank you a lot!

@ShogaTatsuki 2 ай бұрын

I tried this with both of my Samsung 970 EVO Plus and 870 EVO. When running the first command, it says hardware encryption isn't supported even tho I turned it on via Samsung Magician already.

@VicharB 6 ай бұрын

I kinda still find it hard to grasp the soup of TPM, SED, FDE & Bitlocker for Windows, i.e how do I do SED (Samsung 990 Pro) with hardware encryption (no loss of speed) and that of Bitlocker (enable/disable); my dream is to have hardware FDE (using SED feature&) on Linux; currently I have Elitebook with TPM 2.0 and OPAL option (which I didn't enable) in BIOS and I have just simply enabled DriveLock feature. Man its a mess/complicated!!!

@quantumkalifa7708 11 ай бұрын

Hi and thanks for this awesome tutorial. I have 1 question that i don't understand (maybe more in the future). If i have PTT (tpm 2.0) at min 5:26 why i have to check "allow bitlocker without a compatible tpm"?

@flexxxxer 11 ай бұрын

you can uncheck if you want in case when you use tpm

@jeverett0902 Жыл бұрын

What does the undecrypted partition table look like after set up? Does it take up the entire drive, or still show regular partitions like normal software encryption bitlocker? Is the password set to get into the hardware encrypted drive, and would that password work if used in a different machine, or is the password just a pin to get into the tpm which has the real hardware decryption key?

@flexxxxer Жыл бұрын

1 - kzfaq.info/get/bejne/mq1nhbSYp7GUiqM.html here about how disk partitions look after enabling SED encryption. in short, the userdata section is unreadable and not copyable and unmountable, while the efi sections and other service sections (pre-boot software and etc) that do not store user data are available 2 - didn't quite understand your question 3 - kzfaq.info/get/bejne/mq1nhbSYp7GUiqM.html here about the details of implementing SED encryption through the TCG Opal standard. in short, yes, tpm module can be called a module that plays the role of a pre-boot authenticator mechanism. that is, if you encrypted the drive via bitlocker/manage-bde (hardware or software encryption is not important) and added the TPM+PIN mechanism to protection, then when transferring the encrypted drive to another computer/laptop with a different TPM module, go through the authentication process using a PIN will not work (PIN from neither the old TPM nor the new TPM will work) - and this is reproducible in practice (you can try it yourself - I tried it and it works like that)

@stefan_es 3 ай бұрын

Please tell me. If you follow these instructions, will there be no decrease in SSD performance? Otherwise, with regular encryption, the performance decrease is quite serious

@indemonic 13 күн бұрын

Actually, hardware encryption is better than software encryption in terms of speed.

@camillo7800 Жыл бұрын

Hello, I am having trouble running hardware encryption on several laptops. But I don't want to format the disks. Is there any way to force hardware encryption without clean disk and reinstalling the operating system?

@flexxxxer Жыл бұрын

no way to do this without clean system installation.

@San37815 Жыл бұрын

Can you add letters and symbols in edition to numbers with enhanced pin?

@flexxxxer Жыл бұрын

yes, you can, policy name which allows to use not only digits for pin is "Allow enhanced PINs for startup" (you can find it in group policy editor)

@b.c.2177 Жыл бұрын

Thank you, very nice instruction! I have ThinkPad P16s (new, one of the latest models) and Samsung 990 PRO 2 Tb. I followed your instruction but did not succeed to get hardware based encryption working. After turning in S. Magician Encrypted Drive to "Ready to enable", it keeps this status after clean Windows 11 installation, so it does not change to "Enabled". The system requirements are UEFI 2.3.1. On my laptop I see UEFI BIOS version: N3BET51W 1.29. How to know if it supports hardware based encryption? Windows does not allow to activate support for hardware encryption in Command Prompt? it returns an error and says that my device does not support hardware based encryption. BitLocker does just software based encryption.

@flexxxxer Жыл бұрын

us.community.samsung.com/t5/Monitors-and-Memory/990-Pro-Encrypted-Drive-hardware-BitLocker-not-working/m-p/2452974 this is a known issue. just wait for ssd firmware update month or two

@b.c.2177 Жыл бұрын

@@flexxxxer Thank you! This gives me hope. I found also a program called Opal Lock (free), which offers OPAL hardware encryption. Do you know it? Unfortunately, at the moment I can not use it, because there is a bag on second step of setting up. I contacted the support and they are working on fixing the issue. I admit that the reason for the inability to complete the setup in this program may be the same that does not allow you to configure encryption with BitLocker

@a7md0_ Жыл бұрын

Same issue with 990 Pro, Samsung Support simply ignored me

@alexnilev7779 Жыл бұрын

Hi. How can i enable this protection without TPM(i have TPM) only with Password(PIN) ? For i can easy move drive to other computer and use only password

@flexxxxer Жыл бұрын

yes ofc

@flexxxxer Жыл бұрын

see documentation from Microsoft: learn.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde-protectors

@bobtree4583 Жыл бұрын

Damn why is this so complicated. It’s like they don’t want us to use the features they built in and we paid for

@flexxxxer Жыл бұрын

many things in our lives are not easy, this is the reality. and it's not that someone specifically wants you not to use the functionality for which you paid ... but in general you have not yet seen how LUKS is configured under linux :D

@indemonic 13 күн бұрын

Complicated? 😂It is a ~7min tutorial. There are process that requires tutorials of more than 30 min with dozens of steps (many of them using the CMD terminal).

@jonasdeejee890 Жыл бұрын

did you notice any performance loss after enabling hardware encryption?

@flexxxxer Жыл бұрын

yes, around 1%. software encryption has impact around 4-6%, hardware encryption designed of possibility to speed up encryption via, you know, hardware :)

@jonasdeejee890 Жыл бұрын

@@flexxxxer that difference makes hardware encryption really worth it, though I hate having to reinstall Windows. Good your tutorial exists, I find no documentation on how to enable it on the Samsung website