
Is it possible to enable BitLocker hardware encryption (on a Samsung Pro SSD) without having to re-install Windows 10 Pro?

A similar question was asked here but was too vague and closed.

user986363
  • It’s impossible to enable BitLocker on Windows 10 Home. You can enable BitLocker protection at any point if you are running Windows 10 Professional – Ramhound Feb 11 '21 at 10:14
  • I'm also interested in this. I don't want to run through the Windows installer and have a fresh Windows just to have hardware encryption. If the hard disk must be wiped, I'm fine with taking an image of my current install first and reapplying the image after. I just don't want to start fresh right now. Hardware encryption shouldn't be a special thing that only the Windows installer can do. – Slix Jan 03 '22 at 20:28
  • @Slix I posted some feedback while it's still somewhat fresh in my memory. Good luck. – user986363 Jan 05 '22 at 11:42
  • BitLocker no longer uses hardware encryption by default. Unless you really need hardware encryption, you should stick to the defaults. – Daniel B Jan 05 '22 at 12:04
  • Microsoft disabled hardware encryption in group policy due to security concerns quite some time back. This article shows that the security concerns today between BitLocker hardware and software encryption are similar and at times software encryption is more insecure. https://www.cs1.tf.fau.de/research/system-security-group/sed-insecurity/ – user986363 Jan 05 '22 at 12:37

1 Answer


It's possible, but there are some requirements you must first fulfill.

  1. Your motherboard must support your boot drive being hardware encrypted. This appears only to be a problem on laptop motherboards as far as I can tell, and when the boot drive is NVMe. So, the manufacturer must explicitly support self-encrypting NVMe boot drives; otherwise nothing you try will work, and even formatting and re-installing Windows will not work.
  2. The drive must be provisioned to make use of hardware encryption. You can provision your drive on another computer too. In the case of a Samsung drive, Samsung provides tools to enable "Encrypted Drive". After enabling this feature, their tool should report "Encrypted Drive - Enabled".

Steps

Note: Before you begin make sure your drive is completely decrypted (if you were using BitLocker).

  1. Clone your source drive to another drive as a backup.
  2. Verify that your backup works by booting up from it.
  3. Format and provision your source drive for hardware encryption.
  4. Clone your backup drive to your source drive and boot up Windows.
  5. Update your group policy to force BitLocker hardware encryption only.
  6. Enable BitLocker on your source drive. If it succeeds and starts encrypting, you are good. If it fails, it's likely that the drive does not support hardware encryption, or your motherboard is not set up for hardware encryption or does not support the configuration you are using.

Warnings

  1. You may very likely have to invest a lot of time getting this to work. So be prepared for that.
  2. You may need to do research on how to provision a drive on your computer, and may need to make changes to your BIOS and/or run special PowerShell scripts.
user986363
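Steps 5 and 6 of the answer above, as an added PowerShell example (not the answerer's own script). It is run from an elevated prompt on Windows 10 Pro after the drive has been provisioned as an "Encrypted Drive" and the clone restored. The registry values are the ones behind the GPO "Configure use of hardware-based encryption for operating system drives" (Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives); confirm the value names in gpedit.msc on your build before relying on them, and note that on a domain-joined machine Group Policy may overwrite them. The drive letter and the choice of a TPM plus recovery-password protector are assumptions.

```powershell
# Added example: force BitLocker to use hardware (SED) encryption only on the
# OS drive, then enable it and verify that hardware encryption was actually used.
# Assumes an elevated prompt, Windows 10 Pro, and that the SSD is already
# provisioned as an "Encrypted Drive". Drive letter is an assumption.
$ErrorActionPreference = 'Stop'
$Drive = 'C:'

# 0. Precondition from the answer: the volume must be fully decrypted first.
$vol = Get-BitLockerVolume -MountPoint $Drive
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    throw "$Drive is $($vol.VolumeStatus); run 'Disable-BitLocker -MountPoint $Drive' and wait for FullyDecrypted."
}

# 1. Policy (step 5): allow hardware encryption and forbid silent fallback to
#    software AES, so a failed attempt errors out instead of quietly producing a
#    software-encrypted volume. Value names mirror the OS-drive hardware
#    encryption GPO; verify them in gpedit.msc on your build.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name 'OSHardwareEncryption'                  -Type DWord -Value 1
Set-ItemProperty -Path $fve -Name 'OSAllowSoftwareEncryptionFailover'     -Type DWord -Value 0
# Do not restrict hardware algorithms, so the drive's own AES mode is accepted.
Set-ItemProperty -Path $fve -Name 'OSRestrictHardwareEncryptionAlgorithms' -Type DWord -Value 0

# 2. Enable BitLocker (step 6). Add a recovery password first, then the TPM
#    protector. -SkipHardwareTest starts immediately instead of after a reboot,
#    so the verification below sees the real result.
Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
Write-Host "Recovery password (store it somewhere off this drive): $($rp.RecoveryPassword)"
Enable-BitLocker -MountPoint $Drive -TpmProtector -SkipHardwareTest

# 3. Verify: a hardware-encrypted volume reports EncryptionMethod 'Hardware'
#    (manage-bde -status shows "Hardware Encryption"). XtsAes128/XtsAes256 or
#    Aes* means software encryption was used despite the policy.
$vol = Get-BitLockerVolume -MountPoint $Drive
if ($vol.EncryptionMethod -ne 'Hardware') {
    throw "BitLocker used $($vol.EncryptionMethod), not hardware encryption. Check that the SSD reports 'Encrypted Drive - Enabled' and that the firmware supports SED NVMe boot drives."
}
"$Drive : $($vol.VolumeStatus), EncryptionMethod=$($vol.EncryptionMethod)"
```

With `OSAllowSoftwareEncryptionFailover` set to 0, `Enable-BitLocker` fails outright when the platform cannot do hardware encryption, which is the "if it fails" branch of step 6; the final check catches the other bad outcome, where BitLocker succeeds but with software encryption because the policy was not picked up.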