Solved

With new Win 8.1 UEFI laptop with eDrive (SED that meets eDrive) how to tell if BitLocker is using the hard drive chip encryption or software

Posted on 2013-12-06
Last Modified: 2014-02-05
I have a new Win 8 designed laptop with UEFI that I put in a Crucial M500 480 GB SED (Self Encrypting Drive) that is Opal 2 spec and meets IEEE spec. to be an "eDrive" for Windows 8.

I installed Win 8 Pro on my new SSD SED (has encryption in hard drive chips that once turned on does all encryption at hardware level).

I then turned on BitLocker on C: and D: (each 225 approx. on the physical hard drive) and encrypted both.  It took about 10 to 15 minutes to complete the BitLocker encryption process doing this.

What I need to know is:  Did BitLocker take control of the SSD SED drive and is it using the hardware encryption built into the hard drive hardware, or is BitLocker still being done in software like on older hard drives that are not SEDs (eDrives)?

I cannot locate any status that tells me how BitLocker is doing the encryption.   If it is being done in software (like the old way) then that is slower etc. and defeats the purpose of having an SED (eDrive) for the SSD.

I contacted Crucial tech support for their Crucial M500 480 GB drive and they said it sounded like it was using the hardware since it only took about 10 to 15 minutes to encrypt the C and D partitions, but since I have a high end i7 with SSD it still may not have taken ownership of the drive and may just be doing the BitLocker encryption in software.  They said they did not know how to tell if BitLocker was using hardware or just doing software.

I am sure there must be a way to tell from some system status.

Any help or ideas??  I need to know this.

Thanks,
Question by: rdwolf

Accepted Solution

by: McKnife
McKnife earned 500 total points
ID: 39745411
Hi.

"they said it sounded like it was using the hardware since it only took about 10 to 15 minutes to encrypt the C and D partitions" - they don't really know what they are talking about. Since win8, Bitlocker does only encrypt used space by default. If the drive only hosts a few dozen GBs and is an ssd, this is very quickly done in software. So how many GBs are used?

Please read http://forum.crucial.com/t5/Solid-State-Drives-SSD/M500-problem-with-Bitlocker-encryption/td-p/128662 , it holds info and also features the Bitlocker syntax needed to see what's going on from the command line. Enable-BitLocker -MountPoint c: -TPMProtector -HardwareEncryption (powershell) is close to the right syntax.

Author Comment

by:rdwolf
ID: 39745953
I had done research and found that to get BitLocker status you can use the PowerShell command listed below.  It became very clear that the Crucial support I got did not know what they were talking about saying that was hardware encryption.  I figured that out on my own and when I got Level 2 there they agreed it was software and not hardware... But the Crucial level 2 was pretty lost when it came to answering my question on why I could get hardware encryption to work (on non OS volume) but only software on OS volume.  I pointed them to some discussions (like you had link for) that showed a ton of users having the same type of problems with Crucial M500 but that did not really help get a solution, with Crucial saying talk to Microsoft (so I did).

I did more tests and found that no matter what I did with my laptop (no TPM) I could not get the BitLocker to use the Crucial M500 SED (eDrive) hardware encryption and only BitLocker Software encryption on my OS (C:) drive.  

However, my Data partition (D: in my case) used hardware encryption when I enabled BitLocker on that volume.  

After much investigation, I got an answer from a Microsoft Partner forum that you must have a TPM chip to be able to use the hardware encryption on the OS drive.   I let them know they do not have enough/any doc. on this that I could find and given by 2015 almost all SSD drives will be SEDs they should have that doc..   They agreed...

Here is the command I used for status and various other options.

> manage-bde -status c:

I ran that command on my Win 8.1 Pro ASUS UEFI laptop with the Crucial M500 480 GB that had BitLocker turned on and got  output for both C and D volumes (both on Crucial M500 480 GB) of:

for C:

Volume C: []
Size: 223.86 GB
BitLocker Ver 2.0
Conversion: Fully Encrypted
Percentage Encrypted: 100%
Encryption Method: AES 128
Protection Status: Protection On
Lock Status: Unlocked
Identification field: Unknown
Key Protections:
 Password
 External key
 Numerical Password

From above, I am certain now the encryption is being done in software on my Crucial M500 480 GB since I know your drive does AES 256 etc and above is all BitLocker Software encryption I believe.

Assisted Solution

by:McKnife
McKnife earned 500 total points
ID: 39748049
rdwolf, you are using manage-bde.exe - that is not powershell (even when called from inside the powershell console, it stays batch). I am telling you because I think you should look into the powershell commands to see the status and see whether soft- or hardware enc. is used. Should be software as it is 128 bit, you are right, but I am not sure whether BL would use the hw 256 bit or might be able to use hw 128 bit.

Anyway, maybe best would be to stop worrying and leave it as it is, the performance impact is very small if noticeable at all. You might wanna decrypt it and re-encrypt it after policy enforcing 256 Bit AES, which is possible in software if the policy is modified.

Author Comment

by:rdwolf
ID: 39748180
McKnife,   using the Manage-bde command I can clearly see my D: volume is using hardware encryption and C: using software.  I changed the BitLocker Group Policy to up the encryption to 256 bit as shown.

I am not worried about the performance on my laptop with software, I just want to fully understand how BitLocker works with SED (eDrives) for Win 8.1 for business reasons.  Microsoft's doc. on such a config. I mentioned is pretty poor/lacking as I described.  The vendor of the SED (Crucial) is also very poor at supporting this config., so that even at Level 2 support there they basically cannot provide very much info. at all.  Pretty disappointed with Crucial support for their M500 SED (eDrive) line as they should know this stuff IMO, but that is okay, I am figuring it all out.

 I have used SEDs for a while and have used Absolute Secure Drive (ASD) under Win 7 and that works well but the ASD software does not yet support Win 8.1 or UEFI.  ASD support says you must put the BIOS in old school non UEFI if I want to use.  

I have also tested TrueCrypt (for non SED) fine but there is no support for TrueCrypt so for business clients I do not want to recommend as I would rather have some support org. behind the encryption.

I have also tested Check Point FDE under Win 8.1 and Win 7 for non SED computers with very good success.

I had obtained a SED for my new laptop and wanted to try and fully use the hardware encryption built in and fully understand as mentioned.    BitLocker seems the only way to go right now if I want to run Win 8.1 and UEFI...   The vendors of  SED management are moving a bit slow for Win 8.1 and UEFI (Absolute Secure Drive and Win Magic, etc.) but should have solutions out within 2 to 4 months it seems.    As mentioned, my investigation is to fully understand this for my business and my clients for this area.

Thanks for your input.
manage-bde-example-D-hardware-C-.png
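
The check discussed in this thread, as an added example that is not from either poster: a PowerShell function that reads `manage-bde -status` text and labels each volume as hardware- or software-encrypted from its "Encryption Method" line. The function name `Get-BdeEncryptionKind` is hypothetical, the sample text is constructed, and the D: line assumes the "Hardware Encryption - <algorithm OID>" form that manage-bde prints for eDrive volumes.

```powershell
# Added example (not from the thread). Classifies volumes by the
# "Encryption Method" line of `manage-bde -status` output.
function Get-BdeEncryptionKind {
    param([Parameter(Mandatory)][string]$StatusText)

    $volume = $null
    foreach ($line in $StatusText -split '\r?\n') {
        if ($line -match '^\s*Volume\s+([A-Za-z]:)') {
            # Start of a new volume section, e.g. "Volume C: []"
            $volume = $Matches[1].ToUpper()
        }
        elseif ($volume -and $line -match '^\s*Encryption Method:\s*(.+?)\s*$') {
            $method = $Matches[1]
            $kind = switch -Regex ($method) {
                '^Hardware Encryption' { 'Hardware'; break }     # drive's own crypto engine
                '^None'                { 'NotEncrypted'; break } # BitLocker off
                default                { 'Software' }            # e.g. "AES 128", "AES 256"
            }
            [pscustomobject]@{ Volume = $volume; Method = $method; Kind = $kind }
            $volume = $null   # ignore further lines until the next volume header
        }
    }
}

# Constructed sample: C: mirrors the output quoted above; D: (label, size and
# method line) is an assumed illustration of a hardware-encrypted volume.
$sample = @'
Volume C: []
    Size:                 223.86 GB
    Encryption Method:    AES 128
    Protection Status:    Protection On

Volume D: [Data]
    Size:                 223.11 GB
    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2
    Protection Status:    Protection On
'@

Get-BdeEncryptionKind -StatusText $sample | Format-Table -AutoSize

# On a live system, from an elevated prompt:
# Get-BdeEncryptionKind -StatusText ((manage-bde -status) -join "`n")
```

For the sample, C: comes back as Software and D: as Hardware, which is the split described in the comment above.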

Author Closing Comment

by:rdwolf
ID: 39836010
Thanks for the help