
My system:

  • Intel Core i7-4790, which supports AES-NI
  • ASUS Z97-PRO mobo
  • Samsung 250GB EVO SSD (with built-in encryption option)
  • 64-bit Windows 7

If I just want to encrypt my boot drive with AES256 or similar, what would be the difference / faster performance / more secure? Flip Windows Bitlocker on and not use the SSD encryption, or enable the built-in drive encryption that the SSD offers, and don't worry about Bitlocker?

I'm thinking it might be better to offload the encryption to the SSD by using the Evo's encryption option, so that the processor doesn't have to do any encryption, this might be better for I/O performance and give the CPU a breather? Or since this CPU has AES-NI it might not matter?

I'm new to Bitlocker and this SSD encryption option, so any help is much appreciated.

Eddie

4 Answers


Old question, but since then several new developments have been found concerning Bitlocker and drive encryption (used either alone or in combination), so I will turn a couple of my comments on the page into an answer. Maybe it is of use to someone doing a search in 2018 and later.

Bitlocker (alone):
There have been several ways to breach Bitlocker in its history; luckily most of them have already been patched / mitigated in 2018. What remains (known) includes, for example, the "Cold Boot Attack", the newest version of which really isn't Bitlocker specific (you need physical access to a running computer and steal the encryption keys, and anything else, straight from the memory).

SSD drive hardware encryption and Bitlocker:
A new vulnerability surfaced in 2018: if an SSD has hardware encryption, which most SSDs have, Bitlocker defaults to using only that. Which means that if that encryption itself has been cracked, the user essentially has no protection at all.
Drives that are known to be suffering from this vulnerability include (but are probably not limited to):
Crucial MX100, MX200, MX300 series; Samsung 840 EVO, 850 EVO, T3, T5

More information about the SSD encryption problem here:
https://twitter.com/matthew_d_green/status/1059435094421712896

And the actual paper (as PDF) delving deeper into the problem here:
t.co/UGTsvnFv9Y?amp=1

So the answer really is: since Bitlocker uses the disk's hardware encryption, and has its own vulnerabilities on top of that, you're better off using the hardware encryption if your SSD is not on the list of cracked SSDs.

If your disk is on the list, you're better off using something else entirely, since Bitlocker would use the drive encryption anyway. What to use is the question; on Linux I would recommend LUKS, for example.

DocWeird
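An added example (not code from the question or any of the answers) showing how a defender verifies the point made above: list which method BitLocker actually chose per volume, and optionally set the Group Policy value that forces software encryption on OS drives so BitLocker stops deferring to the SSD's own crypto. It assumes an elevated PowerShell on an English-language Windows (the `manage-bde -status` field names are parsed as text, which also works on Windows 7 where the BitLocker cmdlets do not exist), and that `OSHardwareEncryption` under the FVE policy key is the value written by "Configure use of hardware-based encryption for operating system drives" (verify against gpedit.msc on your build).

```powershell
# Added example: audit BitLocker's chosen method and optionally force software
# encryption. Assumptions: English manage-bde output; registry value name as
# documented for the OS-drive hardware-encryption policy.
param([switch]$EnforceSoftwareEncryption)

function Get-BitLockerMethods {
    # manage-bde prints one "Volume X: [Label]" block per volume; split on those
    # headers (-csplit = case-sensitive) and keep only blocks that carry fields.
    $out    = & manage-bde -status 2>&1 | Out-String
    $blocks = $out -csplit 'Volume (?=[A-Z]:)' | Where-Object { $_ -match 'Encryption Method' }
    foreach ($b in $blocks) {
        $vol    = [regex]::Match($b, '^\s*([A-Z]:)').Groups[1].Value
        $method = [regex]::Match($b, 'Encryption Method:\s*(.+)').Groups[1].Value.Trim()
        $status = [regex]::Match($b, 'Conversion Status:\s*(.+)').Groups[1].Value.Trim()
        [pscustomobject]@{
            Volume = $vol
            Method = $method
            Status = $status
            # "Hardware Encryption" means BitLocker relies entirely on the SSD's
            # own engine (the 2018 finding); any AES/XTS value is CPU-side.
            SelfEncryptingDrive = ($method -match 'Hardware')
        }
    }
}

Get-BitLockerMethods | Format-Table -AutoSize

if ($EnforceSoftwareEncryption) {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # 0 = policy "Disabled": BitLocker must use software encryption on OS drives.
    Set-ItemProperty -Path $key -Name 'OSHardwareEncryption' -Value 0 -Type DWord
    Write-Host 'Policy set. Volumes already in Hardware Encryption mode are not'
    Write-Host 'converted: decrypt (manage-bde -off X:) and re-encrypt afterwards.'
}
```

The policy only affects volumes encrypted after it is set; a drive that already reports "Hardware Encryption" has to be decrypted and re-encrypted before it is protected by the AES-NI software path.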

I've been doing some research on this and have a half complete answer for you.

  1. It is always better to use hardware based encryption on a self encrypting drive; if you use the software based encryption in Bitlocker or another encryption program it will cause anywhere between a 25% and 45% slowdown in read/write speeds. You could see a minimum of a 10% drop in performance. (Note: you must have an SSD with a TPM chip.)

  2. Bitlocker is compatible with hardware based encryption; you can use Samsung Magician v4.9.6 (v5 no longer supports this) to wipe the drive and enable the hardware based encryption.

http://www.ckode.dk/desktop-machines/how-to-enable-windows-edrive-encryption-for-ssds/

  3. You can enable hardware based encryption via the BIOS by setting the master password. You will need to follow some of the steps in the article above, like turning off CSM.

  4. To answer your question, I don't really know which is faster. I have reached out to Samsung, but given the limited info on this, unless I get a developer I doubt I will get a good answer to which is the better option. For now I plan to enable the hardware based encryption in my BIOS.

colin

I am not familiar with your drive and the encryption options it offers, however hardware encryption can be used with multiple operating systems (e.g. when you want to dual-boot Windows and Linux), while software encryption might be harder to configure. Also, the safety of both methods depends on how and where you store your encryption keys.

> I'm thinking it might be better to offload the encryption to the SSD by using the Evo's encryption option, so that the processor doesn't have to do any encryption, this might be better for I/O performance and give the CPU a breather?

You are right, hardware-based encryption does not lower the computer's processing speed.

I have never used encryption on any of my devices, so I'm sorry that I can't help you with the actual process of enabling it. Please do note that in most cases enabling encryption causes the drive to get erased (BitLocker does NOT erase data, however it has an extremely remote chance of corruption, as it is with all live-encryption software). If you want to have multi-OS compatible encrypted drive which stays unlocked until the computer is shut down, go with the hardware encryption feature your hard drive offers. But, if you want something a little more secure but limited to Windows, try out BitLocker. Hope I helped!


Update: I believe this answer was correct and an example of real life enterprise experience in hardware and security ops. Maybe I failed to provide details in my initial answer, which created the downvotes but also provided insight into the thought process for a more conclusive answer from the community as a whole. Windows BitLocker has been compromised since launch and has been a well known issue, and not included in enterprise Windows OS but available to consumer level packages for a layer of security / band aid, NSA Backdoor.

Samsung EVO SSD's built in encryption would be my choice as it is natively optimized and one of the best SSD's out there for security in corporate environments. Also if you ever lose the key, Samsung can unlock it for a fee via the serial # on the SSD.