[Suggestion]: Add the option for hardware encryption with Bitlocker on supported NVMe SSDs
Are you sure the Security measure is not already implemented?
- [x] Yes, I have checked and the Security measure I'm suggesting to be implemented is not duplicate. 🫡
Please explain your new Security measure suggestion
BitLocker now recommends against this since software encryption is superior if the firmware on the drive is not regularly updated and patched against new CVEs; however, there are still cases where one would want to choose hardware encryption over it.
Hi, thanks for the suggestion, it's a good one. When I built the BitLocker sub-component of the app I made it default to software encryption. I'll expose an option in the UI so that the user can choose between software and hardware encryption, although it looks like with hardware encryption we can't guarantee it uses the most secure option, XTS-AES-256, unless the hardware supports it; from what I've seen it's usually XTS-AES-128 on modern SSDs.
@HotCakeX I might've been wrong here, thinking that a simple option would do the work.
So, as I said before, BitLocker by default uses software encryption; the reasons why might be the following:
For BitLocker to support hardware encryption, the drive itself needs to have hardware encryption based on TCG Opal, but also IEEE 1667 compliance. This combo was called eDrive in the past; now it's called "encrypted hard drive" for Windows, which is different from just SED (self-encrypting drives).
Now if the drive does have both, BitLocker can be forced to use hardware-based encryption, but there are still some requirements to be met, and since one of them is the drive being in an uninitialized state, this cannot just work out of the box, since it implies that Windows can't be installed beforehand.
Now if you provide this documentation in the app, and make sure that users will only use it on a disk with those requirements, and not for the default OS (Windows) drive, which I believe is possible, it might still make sense to be included in the options, but it definitely is not as easy as I thought it would be. It's weird that the documentation on this online is not so clearly laid out. Maybe this option should not be included after all, as it's more confusing than not.
For example, it seems that some Samsung drives like the 990 PRO do support eDrive or "encrypted hard drive for Windows", while not even one Crucial NVMe drive does. Here is one more useful link for eDrive supported drives and BitLocker.
For drives that are just SED, you can always use third-party software beforehand and prepare the disk to be encrypted, but this doesn't integrate with BitLocker in any way whatsoever.
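The procedure the thread describes (opt a fixed data drive, never the OS drive, into BitLocker hardware encryption and then confirm which path BitLocker actually took), as an added PowerShell example. This is not code from the Harden Windows Security project or from either participant. It assumes an elevated session, that the target drive meets the eDrive (TCG Opal + IEEE 1667) requirements and was uninitialized when attached (the script cannot verify that for you), and that the `FDV*` registry values under `HKLM:\SOFTWARE\Policies\Microsoft\FVE` are the ones written by the "Configure use of hardware-based encryption for fixed data drives" Group Policy; the AES OIDs are the ones that policy's help text lists. Check both against gpedit on your own build before relying on them.

```powershell
#Requires -RunAsAdministrator
# Added example, not project code. Enables BitLocker hardware encryption on ONE
# fixed data drive and fails loudly if BitLocker silently fell back to software.
param(
    [Parameter(Mandatory)]
    [ValidatePattern('^[A-Z]:$')]
    [string]$MountPoint            # e.g. 'D:' -- a data drive, never the OS drive
)

# Guard 1: the thread's point that this cannot be done on the Windows drive
# after the fact, so refuse it outright.
if ($MountPoint -ieq $env:SystemDrive) {
    throw "Refusing $MountPoint : hardware encryption on the OS drive has to be set up before Windows is installed."
}

# Guard 2: do not touch a volume that is already BitLocker-protected.
$existing = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
if ($existing.ProtectionStatus -eq 'On') {
    throw "$MountPoint is already protected (method: $($existing.EncryptionMethod)); decrypt first."
}

# Policy values for fixed data volumes (FDV*). Assumption: these are the value
# names the GPO writes; the OIDs are AES-256-CBC (…42) and AES-128-CBC (…2) as
# listed in that policy's help text. Restricting to the 256-bit OID means a
# drive that only offers 128-bit will be refused instead of quietly accepted,
# which is exactly the XTS-AES-128 concern raised earlier in the thread.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$null = New-Item -Path $fve -Force
New-ItemProperty -Path $fve -Name FDVHardwareEncryption              -PropertyType DWord   -Value 1 -Force | Out-Null
New-ItemProperty -Path $fve -Name FDVAllowSoftwareEncryptionFailover -PropertyType DWord   -Value 0 -Force | Out-Null
New-ItemProperty -Path $fve -Name FDVRestrictHardwareEncryptionAlgorithms -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $fve -Name FDVAllowedHardwareEncryptionAlgorithms  -PropertyType MultiString `
                 -Value @('2.16.840.1.101.3.4.1.42') -Force | Out-Null

try {
    # Ask for hardware encryption explicitly and add a recovery password so the
    # data is not lost if the drive's own key management misbehaves.
    Enable-BitLocker -MountPoint $MountPoint -HardwareEncryption -RecoveryPasswordProtector -ErrorAction Stop | Out-Null

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # The only trustworthy signal: the EncryptionMethod enum value 'Hardware'.
    # Anything else means the drive did not qualify and (with failover disabled)
    # something is wrong with the assumptions above.
    if ($vol.EncryptionMethod -ne 'Hardware') {
        throw "BitLocker did not use hardware encryption on $MountPoint (got '$($vol.EncryptionMethod)'); check eDrive support and the uninitialized-drive requirement."
    }

    $recovery = $vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -ExpandProperty RecoveryPassword
    Write-Host "Hardware encryption active on $MountPoint."
    Write-Host "Recovery password (store it offline now): $recovery"
}
finally {
    # The policy is machine-wide and would also apply to every other fixed data
    # drive encrypted later, so undo it once this one drive has been handled.
    'FDVHardwareEncryption','FDVAllowSoftwareEncryptionFailover',
    'FDVRestrictHardwareEncryptionAlgorithms','FDVAllowedHardwareEncryptionAlgorithms' |
        ForEach-Object { Remove-ItemProperty -Path $fve -Name $_ -ErrorAction SilentlyContinue }
}
```

Run it as `.\Enable-HwBitLocker.ps1 -MountPoint 'D:'` on a freshly attached, never-initialized eDrive. Disabling software failover is deliberate: with failover allowed, BitLocker would happily encrypt in software and the UI would report success while the user believes the SSD's controller is doing the work. The firmware-patching caveat from the first comment still applies and is not something a script can check; it belongs in the documentation shown next to the option.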