Hi Esteban,

it's been over a month since you lasted posted. Can you give us a status update please?

Thanks

strophy wrote:

Hi Esteban,

it's been over a month since you lasted posted. Can you give us a status update please?

Thanks

EstebanC_Intel never replied after only enabling software encryption. Maybe he never figured out how to enable eDrive hardware encryption.

Nearly 3 months since Esteban confirmed the bug and went off to fix it, is this the maximum speed for Intel support? Did you lock yourself out of your laptop or what happened?

I don't even think it matters a whole lot. The newest driver wouldn't even install on my box because it evidently is no longer supported on the newest RST builds.

I have a Z97 board, btw.

To EstebanC_Intel,

A Intel 535 Series drive does employ hardware encryption using AES 256bit. However, it is NOT an eDrive, and as such will not be recognized by bitlocker as a hardware encryption capable drive. You are using bitlocker in Software Encryption mode.

Today most SSD's are also SED's. However, only a small subset of SED's are actually Opal V2 or eDrive compliant - a requirement to use Bitlocker in Hardware Encryption mode. Bitlocker falls back to Software Encryption mode.

You can recognize which Bitlocker mode your're using, because with Software encryption you will be given the option to only encrypt the used parts of the disk. With Bitlocker Hardware encryption (on an eDrive), you will NOT be prompted to encrypt only the used parts of the disk.

One other thing that often goes unnoticed about eDrive compliant drives. The entire drive is actually NOT encrypted. Instead ranges of the drive get encrypted. In a Windows 10 clean install, the 4th partition - where the C Drive [os] is stored is encrypted, but other partitions are not.

It's a shame that there isn't any good updated documentation that describes Bitlockers Hardware Encryption mode.

One other thing that make this topic confusing, is that some SED's that are eDrive capable, are not shipped in eDrive mode (Samsung). Others are shipped in eDrive mode (Crucial). So in some cases you must first push the drive into eDrive mode using a vendor supplied utility. Even more confusing, when you couple an eDrive with TPM 2.0, the ownership of the TPM is taken over by Windows 10 installation - automatically (unless disabled). It's believed that Microsoft does this so that a user doesn't try to use the ATA mode (not eDrive mode), to lock the drive (think Bios Hard Disk password). It's easy to confuse a Bios ATA password with a Bitlocker TPMandPin challenge - but they are very different.

I hope someone will write a white-paper on all this once the TCG and Microsoft figure out how to actually make Opal and eDrive's secure. It was demonstrated at a Black hat conference that an encrypted drive can simple be moved to a second computer (while keeping it powered) and all of the data can be accessed. Until these standards actually encrypt the SATA commands to communicate with the drive, instead of only unlocking the drive, all SED hard disk data is not really secure, unless the drive is powered down. Once the drive is unlocked by a valid user, it remains unlocked and vulnerable until it is powered down again. So if your data is sensitive, don't just lock the keyboard, or even "standby" the computer. You must hibernate or power down to actually "secure" the data.

https://www.pcworld.com/article/3004670/business-security/self-encrypting-drives-are-hardly-any-better-than-software-based-encryption.html Self-encrypting drives are hardly any better than software-based encryption | PCWorld

https://www.blackhat.com/docs/eu-15/materials/eu-15-Boteanu-Bypassing-Self-Encrypting-Drives-SED-In-Enterprise-Environments-wp.pdf https://www.blackhat.com/docs/eu-15/materials/eu-15-Boteanu-Bypassing-Self-Encrypting-Drives-SED-In-Enterprise-Environme…

EstebanC_Intel It's now been nine months since anyone from Intel participated in this thread, and there's still no resolution for the hardware encryption problem with RST.

Intel: What's going on with this? Can anyone provide an update?

Forgive me for what might be considered a dumb question, but why are you installing Intel RST anyway? The only time that you should be installing Intel RST is if you want to use RAID or disk caching (Intel SRT or Optane). If you are not using any of these technologies, you should not be installing it. It offers no advantages otherwise.

...S

Quoted from Intel:

"Intel® Rapid Storage Technology offers greater levels of performance, responsiveness, and expandability than ever before. Whether you are using one or multiple serial ATA (SATA) or PCIe drives, you can take advantage of enhanced performance and lower power consumption from the latest storage technologies. Additionally, you can rest easy knowing you have added protection against data loss in the event of a hard drive failure."

I am not going to argue with you Rafael, but that quote is talking about the performance gains that you can get using RAID or one of the HDD Caching technologies (SRT (SSD-based Caching) or Optane memory-based caching) that it supports (this is where the 1 comes from, since you can cache a single HDD). The pure gains you might get just using it as a replacement SATA driver are minimal and, IMHO, not worth the effort (especially when considering this bug).

...S

Well I'm not too familiar in this area so you can always correct me, I'd rather have someone correct me so I can learn. It's just that I'm quoting it from Intel directly, but I always take it with a grain of salt ('cuz it could just be written down like that for marketing purposes)

I'm seeing a similar problem. I have a crucial eDrive and a NUC with TPM 2.0. manage-bde -status shows:

Hardware Encryption - 1.3.111.2.1619.0.1.2

So I know that I'm using Bitlocker in eDrive mode. But when I move the drive from the NUC to another computer, the drive is not recognized as a BitLocker encrypted drive, so I am not prompted to enter a Recovery key.

Could you try accessing your drive on another computer? Does it start the recovery mode?

I'm trying to determine if this is a crucial eDrive implementation bug, or a Microsoft Bitlocker eDrive bug. Everything works fine and as expected if I use Software Encryption, so I really think this is an eDrive issue. Your message might suggest that Bitlocker is not doing a good job recognizing the presence of an eDrive, so it never starts the Recovery dialog, and never sends the AK key to the unlock the drive.

This is really frustrating - and DANGEROUS. While encrypting is working great, should the NUC fail, I will not be able to recover the data in another computer via the Recovery Key - if Bitlocker can't recognize its looking at a eDrive.

Any comments?

Did you read the post I made earlier? Hardware encryption is still enabled after you install RST, it's just not detected by Windows. Go ahead and try to unlock your drive on another PC, it's not going to work and you're unable to read its contents until you use a recovery key.

Sorry for double post.

I just did a full wipe and reinstall of my laptop and got to enabled the hardware encryption.

The Secure Erase function of Samsung tool didn't work, so I had to run Diskpart > Clean the disk before installing.

After installing OS I used Samsung Magician to check for 'Encrypted Drive' and it was already enabled. I DID NOT install the Intel RST drivers and didn't install any drivers from laptop OEM. Now it has all Windows updates and applicable native drivers (or default from MS) for SSD and all devices on laptop. I enabled Bitlocker with GUI and after a restart SSD encryption was enabled.

Will keep close track on what driver installation the encryption gets knocked off. (Last time too it was running with h/w encryption but got reverted soon after installing one of the drivers)

Hi,

can you please check your event viewer, if you also get the following error message when using stock windows AHCI driver with your Samsung drive:

A TCG Command has returned an error.

Desc: AuthenticateSession

EnhancedStorage-EhStorTcgDrv

I see this error in a boot up sequence on my Crucial MX300 1Tb + HW Encryption + Windows AHCI driver.

Thank you in advance!