How to enable Bitlocker HW encryption with modern SSDs on system drive (e.g. Samsung 980 Pro)

💡 Updated 27.04.23 with the help of Rob from the comments. Big thanks! See his full version of the guide attached at the bottom of the article.

I recently spent nearly a whole day enabling Bitlocker HW encryption on my Windows 11 system drive, a Samsung 980 Pro 1TB. I will write down the steps I took and the things I learned during this endeavor, to hopefully help someone else on the world wide web.

Preconditions

  • To use Bitlocker in combination with SSD Hardware full disk encryption, your SSD needs to support TCG Opal and eDrive standard (IEEE-1667). Sadly most manufacturers do not specify this in their datasheets, so the information on this is very scarce. If you want to know which devices support TCG Opal (not just standard AES via Bios user password) you can try to filter here: https://geizhals.de/?cat=hdssd&xf=8525_TCG+Opal
  • You need the corresponding proprietary software for your SSD from the manufacturer. E.g. Samsung Magician or Kingston’s SSD Manager
  • A Windows To Go installation is not needed in all cases, but definitely helpful. To create one, download the latest Windows ISO (https://www.microsoft.com/software-download/windows11) and use Rufus on a fast USB stick, ideally an NVMe-based one. (https://rufus.ie/de/)

Steps to take

  1. Install the future system/windows drive (SSD) which you want to encrypt in the target computer.
  2. You need to have the Compatibility Support Module (CSM) disabled in the BIOS. In most BIOS setups you can find this option under the BOOT settings. Some BIOSes hide the option while Fast Boot is enabled.
  3. Boot into a Windows installation. Ideally, this would be a USB stick with Windows To Go on it. The Windows installation can *not* be on the SSD you want to encrypt.
  4. Install the SSD Software component and find the option to make the drive ready for encryption. In Samsung Magician this is found under "Data Management - Encrypted Drive". In Kingston’s SSD Manager this option is called "IEEE 1667 Enable"
  5. If the drive now shows "enabled" or "ready to enable", you need to do a secure erase of the drive. Either you can do it directly in the tool, or the BIOS has an option for this in its "Tools" section. Otherwise, there is hdparm on Linux or diskpart on Windows for this job.
  6. Now you need to disable "Block SID" in the BIOS of your mainboard, where you also find your TPM config. If you do not have this option in the BIOS (like me), there is a way to do this from a Windows To Go installation:
    - open PowerShell as admin in Windows To Go
    - Run: `$tpm = gwmi -n root\cimv2\security\microsofttpm win32_tpm`
    - Run: `$tpm.SetPhysicalPresenceRequest(97)`
    - Reboot
  7. On the next boot the POST screen will alert you that "a configuration change was requested issuing a Block SID command". Now you need to plug in your Windows installation stick and remove the Windows To Go stick.
  8. Press "F10" to accept the command and the computer should reboot. On this next boot you need to install Windows on the target SSD (without entering the BIOS or the boot menu first).
  9. After successful installation of Windows you need to force Bitlocker to use hardware encryption via group policy.
    - open "group policies" via start
    - Computer configuration > administrative templates > Windows components > Bitlocker > system drive > Configure use of hardware-based encryption for fixed data drives
    - enable the policy and untick the fallback to software encryption in the lower-left pane.
  10. Now open Bitlocker and encrypt your system drive.
  11. Optional: If the POST screen in step 7 told you that disabling "Block SID" is persistent (and not just for one boot), then you need to enable it again. Either in the BIOS (where you disabled it before) or via Windows PowerShell:
    - open PowerShell as admin in Windows To Go
    - Run: `$tpm = gwmi -n root\cimv2\security\microsofttpm win32_tpm`
    - Run: `$tpm.SetPhysicalPresenceRequest(96)`
    - Reboot
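The following is an added example (not code from the original post) that wraps the two `Win32_Tpm` calls from steps 6 and 11 into functions which surface the return code and ask the firmware beforehand whether it will honour the request, and that adds two checks a practitioner wants after steps 9 and 10: that the group policy really forbids software fallback, and that the finished volume reports hardware encryption rather than a silent XTS-AES fallback. Assumptions not taken from the page: the registry value names `OSHardwareEncryption` and `OSAllowSoftwareEncryptionFailover` under `HKLM\SOFTWARE\Policies\Microsoft\FVE` (what the operating-system-drive variant of the policy writes), the PPI confirmation-status codes listed in `Get-BlockSidConfirmationStatus`, and the `Hardware` value of `EncryptionMethod` returned by `Get-BitLockerVolume`.

```powershell
#Requires -RunAsAdministrator
# Added example, not the original post's code.
# Assumptions (not on the page): the FVE registry value names below and the
# PPI confirmation status codes in Get-BlockSidConfirmationStatus.

# TCG Physical Presence Interface operation codes, as used in the post.
$PpiEnableBlockSid  = 96   # step 11: turn Block SID back on
$PpiDisableBlockSid = 97   # step 6: turn Block SID off so setup can take ownership

function Get-Tpm {
    # Same class and namespace the post uses (gwmi -n ... win32_tpm).
    Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' -Class 'Win32_Tpm'
}

function Get-BlockSidConfirmationStatus([int]$Operation) {
    # Ask the firmware whether it will honour this PPI operation at all.
    $status = (Get-Tpm).GetPhysicalPresenceConfirmationStatus($Operation).ConfirmationStatus
    switch ($status) {
        0 { 'not implemented by firmware' }
        1 { 'only changeable in BIOS setup' }
        2 { 'blocked for the OS by BIOS configuration' }
        3 { 'allowed; user must confirm at POST (the F10 prompt)' }
        4 { 'allowed without confirmation' }
        default { "unknown status $status" }
    }
}

function Request-BlockSid([ValidateSet('Enable','Disable')][string]$Action) {
    $op = if ($Action -eq 'Enable') { $PpiEnableBlockSid } else { $PpiDisableBlockSid }
    Write-Host "Firmware policy for PPI operation $op : $(Get-BlockSidConfirmationStatus $op)"
    $tpm = Get-Tpm
    $result = $tpm.SetPhysicalPresenceRequest($op)
    if ($result.ReturnValue -ne 0) {
        throw "SetPhysicalPresenceRequest($op) failed with code $($result.ReturnValue)"
    }
    # The request is only queued; the firmware applies it during the next boot.
    $pending = $tpm.GetPhysicalPresenceRequest().Request
    Write-Host "Pending PPI request: $pending (reboot to apply)"
}

function Test-HwEncryptionPolicy {
    # Step 9 should leave "hardware on, software fallback off" behind.
    # An absent value means the default (fallback allowed) is in effect.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $p = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    [pscustomobject]@{
        HardwareEncryptionForced = ($p.OSHardwareEncryption -eq 1)
        SoftwareFallbackDisabled = ($p.OSAllowSoftwareEncryptionFailover -eq 0)
    }
}

function Test-HwEncryptionResult([string]$MountPoint = 'C:') {
    # After step 10 the method must read "Hardware"; XtsAes128/XtsAes256
    # means BitLocker fell back to software encryption and the drive's
    # Opal/eDrive path is not in use.
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        Volume           = $MountPoint
        Status           = $v.VolumeStatus
        EncryptionMethod = $v.EncryptionMethod
        IsHardware       = ($v.EncryptionMethod -eq 'Hardware')
    }
}

# Typical use, in the order of the post's steps:
#   Request-BlockSid -Action Disable      # step 6, then reboot
#   Test-HwEncryptionPolicy               # after step 9, before turning BitLocker on
#   Test-HwEncryptionResult -MountPoint 'C:'   # after step 10
#   Request-BlockSid -Action Enable       # step 11, if the firmware made it persistent
```

Run `Test-HwEncryptionPolicy` before clicking "Turn on BitLocker": if `SoftwareFallbackDisabled` is `$false`, BitLocker will quietly choose XTS-AES on any drive it cannot provision, and the only way back to hardware encryption is to decrypt and start over. `manage-bde -status C:` is the command-line cross-check; it prints "Hardware Encryption" as the encryption method when the Opal path is active.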

Helpful resources:

https://media.kingston.com/kingston/articles/enabling-and-disabling-edrive-to-utilize-hardware-encryption-us.pdf

https://eu.community.samsung.com/t5/computers-it/samsung-ssd-970-evo-plus-drive-encryption-won-t-change-from/td-p/1352406