Kalle Kuurula

Junior Member
Sep 13, 2016
8
0
1
What's the best way to go about encrypting your Windows drive with a Samsung 850 Pro? The drive seems to have a hardware encryption option, but I'm afraid this is all very much new to me. I have a TPM-enabled motherboard.
 

Anteaus

Platinum Member
Oct 28, 2010
2,448
4
81
If you have Windows 10 Pro, I'd recommend going with Bitlocker. It is simple to set up and works well. Veracrypt would be my next choice assuming you can't use Bitlocker. I should add that you could have potential issues with some encryption applications if you boot from a GPT partition. In that case you will need to make sure you are using MBR.
 

Kalle Kuurula

Junior Member
Sep 13, 2016
8
0
1
Thanks. Reading into this I was also planning to use that, since the 850 Pro apparently can do that on a hardware level while utilizing the embedded TPM module.
 

Elixer

Lifer
May 7, 2002
10,376
762
126
You do realize that once that is enabled, and if your motherboard dies, or, you move the SSD to another machine, you will be SOL?
 

corkyg

Elite Member | Peripherals
Super Moderator
Mar 4, 2000
27,370
239
106
You do realize that once that is enabled, and if your motherboard dies, or, you move the SSD to another machine, you will be SOL?

This is important. I would suggest you clone a copy of the unencrypted drive and store it in a safe place offsite. That way you will always have something to build on should you have a system failure such as envisioned by Elixer.
 

Anteaus

Platinum Member
Oct 28, 2010
2,448
4
81
You do realize that once that is enabled, and if your motherboard dies, or, you move the SSD to another machine, you will be SOL?

With Bitlocker you can move the drive from one system to another with no problem as long as you save the recovery key file that is created when you initially encrypt the drive. I've done it before. Not sure about Veracrypt.
 

Elixer

Lifer
May 7, 2002
10,376
762
126
With Bitlocker you can move the drive from one system to another with no problem as long as you save the recovery key file that is created when you initially encrypt the drive. I've done it before. Not sure about Veracrypt.
Bitlocker is software based, not hardware, and the OP didn't specify they were using windows, but leaning toward hardware based.

IIRC, if you have a SED device, and you enable TPM, that is all done in hardware, the key is not accessible.
If you now take that SED device, and stick it in another system that doesn't have TPM, or does, it will see that it isn't the same, and it will still be encrypted.
I believe there was some talk about "moveable" TPM modules, but, I don't recall ever seeing that actually implemented.
 

Anteaus

Platinum Member
Oct 28, 2010
2,448
4
81
Bitlocker is software based, not hardware, and the OP didn't specify they were using windows, but leaning toward hardware based.

IIRC, if you have a SED device, and you enable TPM, that is all done in hardware, the key is not accessible.
If you now take that SED device, and stick it in another system that doesn't have TPM, or does, it will see that it isn't the same, and it will still be encrypted.
I believe there was some talk about "moveable" TPM modules, but, I don't recall ever seeing that actually implemented.

I see what you mean...he could always simply not use the TPM....the PIN will need to be entered every time but at least it won't be tied to the board. That's how all my systems are.

As a side note, I've never liked the idea of my decryption key stored in the chipset. While I'm sure it's somewhat secure, to me it sorta defeats the purpose since all of the information someone needs to get in the system is there if they only have the knowledge to get it. Not trying to sidetrack but since we are discussing TPM I thought I'd throw it out there.
 

Elixer

Lifer
May 7, 2002
10,376
762
126
As a side note, I've never liked the idea of my decryption key stored in the chipset. While I'm sure it's somewhat secure, to me it sorta defeats the purpose since all of the information someone needs to get in the system is there if they only have the knowledge to get it. Not trying to sidetrack but since we are discussing TPM I thought I'd throw it out there.
I fully agree, and it is why I can't stand WD's external units that come with the key embedded in the controller itself.
Encryption does have its place, but, the vast majority of the people out there don't know that if something goes wrong with the controller, they are pretty much screwed.
Yeah, sorry for getting slightly OT OP.
 

Kalle Kuurula

Junior Member
Sep 13, 2016
8
0
1
Don't worry about OT, I see all this as being important and appreciate the input.

I hate it, but I knew my LSI card would somehow pose an obstacle. According to this (see paragraph 4), you need your drive AHCI-enabled:
http://www.ckode.dk/desktop-machines/how-to-enable-windows-edrive-encryption-for-ssds/

I have an LSI OEM 9217-8i (flashed to LSI 9207-8i) HBA and as far as I know it doesn't support AHCI. I don't like the idea of having to move the 850 Pro to a motherboard port for two reasons: firstly, it would hinder it even slightly, and secondly, all the ports are already occupied and I'd have to move one of my noisier HDDs to the LSI, which in this instance doesn't support idle spin-down either, unlike the motherboard ports. Not the ideal RAID/HBA card for your HTPC, but it all came to me as news after the fact that I'd already purchased the card. If I recall right, no LSI-based cards support idle spin-down for connected disks. If I'm wrong I would give a ton of thanks for pointing out a PCIe 3.0 HBA card capable of connecting a bare minimum of four disks, with idle spin-down support (and preferably AHCI as well).

By the way, the link above suggests you don't need a TPM to enable hardware-level BitLocker encryption on a Self-Encrypting Drive, like the 850 Pro (see paragraph 15).
 

Kalle Kuurula

Junior Member
Sep 13, 2016
8
0
1
My goodness. It seems like I just stepped knee-deep into this subject. There's a ton of must-read material before actually getting to try the SED hardware encryption. A lot of people seem to be confused by this topic. It seems like AHCI might not really be needed for the actual encrypting, only for Secure Erase - see here:
http://arstechnica.com/civis/viewtopic.php?f=11&t=1312261

Also the use of a TPM seems to be optional, not mandatory. The links here got me to send an email to Samsung support to try to find out if AHCI is really needed, and secondly to contact Gigabyte support to ask if my mainboard (GA-Z77X-D3H (rev. 1.1)) meets or exceeds the requirement of a UEFI 2.3.1 or higher motherboard, without any CSMs (Compatibility Support Modules) enabled, supporting EFI_STORAGE_SECURITY_COMMAND_PROTOCOL. See the link below for a good read on this topic and the source for the latter requirement:
https://www.lullabot.com/articles/adventures-with-edrive-accelerated-ssd-encryption-on-windows
 

Anteaus

Platinum Member
Oct 28, 2010
2,448
4
81
My goodness. It seems like I just stepped knee-deep into this subject. There's a ton of must-read material before actually getting to try the SED hardware encryption. A lot of people seem to be confused by this topic. It seems like AHCI might not really be needed for the actual encrypting, only for Secure Erase - see here:
http://arstechnica.com/civis/viewtopic.php?f=11&t=1312261

Also the use of a TPM seems to be optional, not mandatory. The links here got me to send an email to Samsung support to try to find out if AHCI is really needed, and secondly to contact Gigabyte support to ask if my mainboard (GA-Z77X-D3H (rev. 1.1)) meets or exceeds the requirement of a UEFI 2.3.1 or higher motherboard, without any CSMs (Compatibility Support Modules) enabled, supporting EFI_STORAGE_SECURITY_COMMAND_PROTOCOL. See the link below for a good read on this topic and the source for the latter requirement:
https://www.lullabot.com/articles/adventures-with-edrive-accelerated-ssd-encryption-on-windows

I could be wrong but I think TPM is mostly about control and usability. First, it provides a way to use encryption without requiring user intervention at startup (i.e. a PIN). Second, it ties the drive to the hardware, which makes it more difficult to separate the two and keep the data intact. It is more beneficial to the organization who issues a secure machine to an end user, especially if group policy is used to restrict movement within the OS. It is less beneficial to the average user who is simply protecting themselves from the potential of data theft through burglary. Powered down, a TPM-enabled machine is no safer than a non-TPM machine assuming your PIN is strong enough. Some here have argued that a TPM machine could be less safe due to the possibility of key extraction from the TPM itself.

The use of TPM is completely optional, though you do need to change a setting to use Bitlocker on a non-TPM machine. Even if you were to rely completely on software encryption the performance difference would likely be negligible and you would get the same level of protection. Try not to over think it.
 

Kalle Kuurula

Junior Member
Sep 13, 2016
8
0
1
I could be wrong but I think TPM is mostly about control and usability. First, it provides a way to use encryption without requiring user intervention at startup (i.e. a PIN). Second, it ties the drive to the hardware, which makes it more difficult to separate the two and keep the data intact. It is more beneficial to the organization who issues a secure machine to an end user, especially if group policy is used to restrict movement within the OS. It is less beneficial to the average user who is simply protecting themselves from the potential of data theft through burglary. Powered down, a TPM-enabled machine is no safer than a non-TPM machine assuming your PIN is strong enough. Some here have argued that a TPM machine could be less safe due to the possibility of key extraction from the TPM itself.

The use of TPM is completely optional, though you do need to change a setting to use Bitlocker on a non-TPM machine. Even if you were to rely completely on software encryption the performance difference would likely be negligible and you would get the same level of protection. Try not to over think it.

Thanks for the input. I was under the impression that the function of the TPM would also be to serve as a layer of protection against brute-force attacks. The way I understood it, as I vaguely familiarized myself with the topic earlier, is that it stores the actual BitLocker encryption key inside the module, which in this case would be a very long random string, and only a shorter user-selectable key would be typed in, with limited tries at system startup, for the TPM to initialize and open the system with the actual key.
 

Kalle Kuurula

Junior Member
Sep 13, 2016
8
0
1
Seems like I found an answer to my question before Gigabyte support got around to it. FAQ (here) answers that my board has eDrive support, meaning that it must be in compliance with the UEFI requirements listed three posts above.

"Q: Does it support Encrypted Hard Drive (eDrive) in Windows 8?
A: Yes, it supports.
"

That means that unless the lack of AHCI poses an insuperable obstacle I should be set to go for hardware encryption.
 

Kalle Kuurula

Junior Member
Sep 13, 2016
8
0
1
In the mean time I'll throw in a new question: What if I go with the hardware encryption with TPM and want to add, remove or replace system hardware? Would I disable BitLocker, do the hardware changes and then re-enable BitLocker again?
 
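The points Anteaus made a few posts up (a TPM is optional, but a setting has to change for BitLocker to work without one; the recovery key is what lets the drive be unlocked in another machine) and the hardware-change question just above can both be shown concretely. The following is an added example, not code from anyone in this thread: an elevated PowerShell script that picks the TPM+PIN or password path depending on what the board offers, exports the recovery password, and shows where to look to confirm whether the 850 Pro ended up using its own (eDrive) engine or software AES. The drive letter and the USB path for the recovery file are assumptions.

```powershell
# Added example (not from the thread). Run as Administrator on Windows 10 Pro.
# Assumptions: the OS volume is C:, a removable drive for the recovery file is E:.
$os      = "C:"
$keyFile = "E:\bitlocker-recovery-$($env:COMPUTERNAME).txt"

# 1. What does the board offer? Get-Tpm needs Windows 8+/Server 2012+.
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent)  ready: $($tpm.TpmReady)"

if ($tpm.TpmPresent -and $tpm.TpmReady) {
    # 2a. TPM + startup PIN. The PIN is what you type at boot; the volume master
    #     key stays sealed in the TPM, and the TPM enforces its own lockout on
    #     repeated wrong PINs. -SkipHardwareTest avoids the extra reboot check.
    $pin = Read-Host -AsSecureString "Startup PIN (digits)"
    Enable-BitLocker -MountPoint $os -TpmAndPinProtector -Pin $pin `
        -EncryptionMethod XtsAes256 -SkipHardwareTest
} else {
    # 2b. No TPM: BitLocker refuses unless policy allows it. This is the
    #     "setting" that has to change. It is the same thing as the local GPO
    #     Computer Configuration > Administrative Templates > Windows Components >
    #     BitLocker Drive Encryption > Operating System Drives >
    #     "Require additional authentication at startup" with
    #     "Allow BitLocker without a compatible TPM" ticked; the registry values
    #     below are what that policy writes.
    $fve = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty -Path $fve -Name "UseAdvancedStartup"  -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name "EnableBDEWithNoTPM"  -Value 1 -Type DWord

    # The drive is then unlocked by a password typed at boot instead of the TPM,
    # so it is not tied to the motherboard at all.
    $pw = Read-Host -AsSecureString "Startup password"
    Enable-BitLocker -MountPoint $os -PasswordProtector -Password $pw `
        -EncryptionMethod XtsAes256 -SkipHardwareTest
}

# 3. Add a recovery password and get it off the machine. This 48-digit key is
#    what unlocks the drive in another system when the board (and its TPM) is
#    gone, whether the drive used software or hardware encryption.
Add-BitLockerKeyProtector -MountPoint $os -RecoveryPasswordProtector | Out-Null
$vol = Get-BitLockerVolume -MountPoint $os
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
$rp.RecoveryPassword | Out-File -FilePath $keyFile -Encoding ascii
"Recovery password written to $keyFile - move it offline, do not leave it on E:"

# 4. Hardware or software? manage-bde says so explicitly. On an eDrive-capable
#    SED that met the UEFI/CSM-off requirements discussed in the thread you see
#    "Encryption Method: Hardware Encryption"; otherwise "XTS-AES 256" means
#    Windows is doing the AES itself (which is what the OP ended up with).
manage-bde -status $os

# 5. Before a firmware update or a hardware change on a TPM-protected machine,
#    suspend protection so the TPM measurement change does not trigger recovery
#    at the next boot; -RebootCount 1 re-arms it automatically afterwards.
#    (Not the thread's answer, but the standard procedure.)
#    Suspend-BitLocker -MountPoint $os -RebootCount 1
#    Resume-BitLocker  -MountPoint $os     # if you need to re-arm it by hand
```

Two things worth knowing when reading the output of step 4: `-EncryptionMethod` is ignored when Windows hands the work to the drive's own engine, and if the drive was encrypted in software first (as the OP did) it has to be fully decrypted, the drive reset with the vendor tool, and BitLocker enabled again before eDrive can be used; BitLocker will not switch an already software-encrypted volume to hardware encryption in place.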

Kalle Kuurula

Junior Member
Sep 13, 2016
8
0
1
While waiting for the replies from Samsung and Gigabyte, I went ahead with the software encryption with BitLocker. I have been satisfied with it so far. I can't see a performance hit.

Asking if AHCI is required, the best answer I managed to get with a second try from Samsung support was "AHCI/UEFI is recommended", whatever that actually means. I just received a response from a Gigabyte rep that the provided BIOSes apparently aren't compatible with eDrive, although they state so on their site, but they say they are working on it and will get back to me with supposedly a new one. There's a chance that I'll still go ahead with the hardware encryption after I get these cleared up.
 