- Sep 13, 2016
What's the best way to go about encrypting your Windows drive with a Samsung 850 Pro? The drive seems to have a hardware encryption option, but I'm afraid this is all very much new to me. I have a TPM-enabled motherboard.
You do realize that once that is enabled, and if your motherboard dies, or, you move the SSD to another machine, you will be SOL?
BitLocker is software based, not hardware, and the OP didn't specify they were using Windows, but leaning toward hardware based. With BitLocker you can move the drive from one system to another with no problem as long as you save the recovery key file that is created when you initially encrypt the drive. I've done it before. Not sure about VeraCrypt.
IIRC, if you have a SED device, and you enable TPM, that is all done in hardware, the key is not accessible.
If you now take that SED device, and stick it in another system that doesn't have TPM, or does, it will see that it isn't the same, and it will still be encrypted.
I believe there was some talk about "moveable" TPM modules, but, I don't recall ever seeing that actually implemented.
I fully agree, and it is why I can't stand WD's external units that come with the key embedded in the controller itself. As a side note, I've never liked the idea of my decryption key stored in the chipset. While I'm sure it's somewhat secure, to me it sort of defeats the purpose since all of the information someone needs to get in the system is there if they only have the knowledge to get it. Not trying to sidetrack, but since we are discussing TPM I thought I'd throw it out there.
My goodness. It seems like I just stepped knee deep into this subject. There's a ton of must-read before actually getting to try the SED hardware encryption. A lot of people seem to be confused by this topic. It seems like AHCI might not really be needed for the actual encrypting, only for Secure Erase - see here:
http://arstechnica.com/civis/viewtopic.php?f=11&t=1312261
Also, the use of TPM seems to be optional, not mandatory. The links here got me to send an email to Samsung support to try to find out if AHCI is really needed, and secondly to contact Gigabyte support to ask if my mainboard (GA-Z77X-D3H (rev. 1.1)) meets or exceeds the requirement of a UEFI 2.3.1 or higher motherboard, without any CSMs (Compatibility Support Modules) enabled, supporting EFI_STORAGE_SECURITY_COMMAND_PROTOCOL. See the link below for a good read on this topic and the source for the latter requirement:
https://www.lullabot.com/articles/adventures-with-edrive-accelerated-ssd-encryption-on-windows
I could be wrong, but I think TPM is mostly about control and usability. First, it provides a way to use encryption without requiring user intervention at startup (i.e., a PIN). Second, it ties the drive to the hardware, which makes it more difficult to separate the two and keep the data intact. It is more beneficial to the organization who issues a secure machine to an end user, especially if group policy is used to restrict movement within the OS. It is less beneficial to the average user who is simply protecting themselves from the potential of data theft through burglary. Powered down, a TPM-enabled machine is no safer than a non-TPM machine, assuming your PIN is strong enough. Some here have argued that a TPM machine could be less safe due to the possibility of key extraction from the TPM itself.
The use of TPM is completely optional, though you do need to change a setting to use BitLocker on a non-TPM machine. Even if you were to rely completely on software encryption, the performance difference would likely be negligible and you would get the same level of protection. Try not to overthink it.
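The steps the thread circles around (check for a TPM, flip the "allow BitLocker without a compatible TPM" setting if there is none, keep a recovery password off the drive so it survives a board swap, and see whether the drive or the CPU is doing the encryption) as one elevated PowerShell script. This is an added example, not code posted by anyone in the thread. It assumes Windows 10 with the BitLocker and TrustedPlatformModule modules, an OS volume at C:, and a backup path on a second drive; the registry values are the ones the local Group Policy editor writes for the setting the last poster mentions, and a domain GPO would override them.

```powershell
#Requires -RunAsAdministrator
# Added example for the thread above; assumptions: Windows 10, elevated prompt,
# OS volume is C:, D: is a separate drive for the recovery-password backup.
$Drive          = 'C:'
$RecoveryBackup = 'D:\bitlocker-recovery.txt'   # never store this on the drive being encrypted
$FvePolicy      = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# 1. Is there a usable TPM? Without one, BitLocker on the OS drive is refused
#    until the policy below is set (this is the "setting" from the last post).
$tpm    = Get-Tpm
$hasTpm = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

# 2. Local-policy equivalent of
#    "Require additional authentication at startup" -> "Allow BitLocker without a compatible TPM".
if (-not $hasTpm) {
    New-Item -Path $FvePolicy -Force | Out-Null
    Set-ItemProperty -Path $FvePolicy -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $FvePolicy -Name EnableBDEWithNoTPM -Value 1 -Type DWord
}

# 3. Turn BitLocker on with the protector the hardware allows: TPM (no prompt at boot)
#    or a pre-boot password. -SkipHardwareTest avoids the extra reboot-and-verify cycle.
$vol = Get-BitLockerVolume -MountPoint $Drive
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    if ($hasTpm) {
        Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
    } else {
        $pw = Read-Host -AsSecureString 'Pre-boot password'
        Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 `
            -PasswordProtector -Password $pw -SkipHardwareTest
    }
    # The recovery password is what unlocks the drive once it is moved to another board
    # (TPM will not unseal there) or the password is forgotten. Add it unconditionally.
    Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null
}

# 4. Export the 48-digit recovery password off the drive.
$vol      = Get-BitLockerVolume -MountPoint $Drive
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
foreach ($r in $recovery) {
    "Drive $Drive recovery password (ID $($r.KeyProtectorId)): $($r.RecoveryPassword)" |
        Out-File -FilePath $RecoveryBackup -Append -Encoding ascii
}

# 5. Report what protects the volume and who is doing the encryption.
#    EncryptionMethod is 'Hardware' when the SED/eDrive path is in use,
#    otherwise the AES mode BitLocker applied in software.
"Protectors : $($vol.KeyProtector.KeyProtectorType -join ', ')"
"Method     : $($vol.EncryptionMethod)"
"Status     : $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)"
```

Two things to check after it runs. First, `manage-bde -protectors -get C:` should list both the TPM (or password) protector and the RecoveryPassword, and the exported file should hold the same 48-digit string; that file, not the TPM, is what gets the data back after a motherboard failure. Second, the `Method` line tells you whether the 850 Pro's hardware encryption was actually used: since the September 2019 Windows 10 cumulative updates, newly encrypted volumes default to software encryption even on a drive that advertises eDrive support, unless the "Configure use of hardware-based encryption for operating system drives" policy is set, so a `Hardware` result is no longer the default outcome the 2016 thread expected.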