Showing results for 
Search instead for 
Did you mean: 
What's DOS?
Posts: 1
Registered: ‎01-03-2019
Location: US
Views: 960
Message 1 of 4

Best full disk encryption setup for new X1 Carbon Gen 6 with Samsung 970 EVO?

I am a bit confused by all the full disk encryption methods available between hardware options like OPAL and software/hardware options like Bitlocker for a X1 Carbon Generation 6 thinkpad. I am about to install Windows on a new Samsung 970 EVO 1 TB NVMe SSD that I just installed. I have a number of questions and concerns.
1) The way I typically do backups in the past is to pull the SSD and install it in another desktop computer or enclosure and make an image using Macrium Reflect or other disk imaging software. My understanding is that if a HD Password in the bios is set in the bios of the thinkpad this is not possible and the drive will be inaccessible on another machine. Is this correct?
2) Is setting the HD Password the same as setting the ATA password? Can it be cleared? Can it be disabled?
3) Does using Bitlocker (which I haven't used before) allow the drive to be read on another computer if the HD password in the bios is not set? How much of a speed/CPU hit is likely to be encountered with using Bitlocker?
4) Are there recommended settings for Bitlocker? I haven't used it before. Any gotchas?
5) It looks like the Samsung 970 EVO supports the eDrive 1667 standard which I believe should allow Bitlocker to use the drives hardware encryption engine. Is this correct? Does this cause any portability issues?
6) If Bitlocker is not used it looks like there are two options for password protecting the SSD either the HD password in the bios or using software for the OPAL password like sedutil. Is one recommended over the other?
7) Is there a consensus best practice for full disk encryption with a X1 Carbon Gen 6? "ATA Password" or "MS eDrive aka Bitlocker hardware encryption" or "OPAL via third party tools"
Fanfold Paper
Posts: 15
Registered: ‎01-03-2019
Location: FR
Views: 927
Message 2 of 4

Re: Best full disk encryption setup for new X1 Carbon Gen 6 with Samsung 970 EVO?

Hi X1C6,
I am using full disk encryption since I got my T410 early in 2009. Today I moved to a T480 512Go SSD NVME.
I don't know what you refer to with HD password (encryption of disk or just access to disk controled by a password). 
If you want full disk encryption, be carefull that the program you use is compatible with UEFI bios/secure boot.
I use jetico bestcrypt volume encryption with a boot password, it comes with a rescue system in case of disk corruption to decrypt it. You will be able to use macrium reflect to take backup of your drive when you are logged in the computer (else data appears encrypted). 
I haven't tested bitlocker but the issue may come when you try to image the disk.
Punch Card
Posts: 20
Registered: ‎03-28-2010
Location: GB
Views: 57
Message 3 of 4

Re: Best full disk encryption setup for new X1 Carbon Gen 6 with Samsung 970 EVO?

You should be able to use hardware bitlocker encryption with this configuration based on my experience with an X1 Carbon 5th Gen and Samsung 970 Pro, although enabling it is a little involved and requires the following steps:


1. Create Windows 10 installation USB drive using the Media Creation Tool downloaded from the Microsoft website ( Note that I haven't been able to get hardware encryption to work using Lenovo recovery media so this is an important step.


2. Install Samsung Magician and follow the procedure to prepare the SSD as an Encrypted Drive (i.e. securely erase the drive using the bootable USB created by Magician). This will wipe your SSD so take a backup beforehand if requried. This will also require changes to the boot configuration in the BIOS.


3. Install Windows 10 using the USB media created at step 1 above. 


4. Install the Samsung SSD driver and Magician. Check the encrypted drive status in Magician. From memory it should state it's Enabled.


5. From my experience, bitlocker may or may not be enabled when Windows is installed. If Bitlocker is enabled, decrypt the drive (you may need to encrypt and decrypt again). If it isn't, encrypt and then decrypt the drive (by either right clicking on the drive and selecting Manage Bitocker or running Bitlocker Drive Encryption from Control Panel).


6. Following step 5, (re)enable encryption for the drive. All being well, you will be prompted to reboot to perform a security check. If you aren't prompted to reboot the drive will be still sofware encrypted and step 5 will need to be repeated).


7. Once rebooted, open an elevated command prompt and run "manage-bde -status" and it should state (again all being well) that the drive is hardware encrypted.

Paper Tape
Posts: 5
Registered: ‎09-18-2019
Location: US
Views: 35
Message 4 of 4

Re: Best full disk encryption setup for new X1 Carbon Gen 6 with Samsung 970 EVO?

There is little reason to go through the convoluted install-reinstall process to enable hardware Bitlocker, which is not required with SEDutil.



If you have a TCG OPAL 2.0 compliant NVME drive, like a Samsung 960 Pro, 970 Pro 970 Evo, or 970 EVO plus, then you can use the SEDutil pre-boot authentication bootloader to unlock that drive and then automatically load Windows. SEDutil is BIOS independent and does not require a clean installation of Windows. Also, you can add and remove the SEDutil pre-boot authentication bootloader at will without having to reinstall Windows. Or, you can disable pre-boot authenication and leave the bootloader in place.


With hardware Bitlocker you need a compatible drive, and the BIOS needs to specifically support Bitlocker. This is not the case with SEDutil. 


The only two downsides with SEDutil in Windows is that sleep is not supported (not really an isssue with instant NVME hibernation,  which is fully supported), and you must disable Secure Boot with SEDutil (debatable whether that is a security issue).


Most of your questions will probably be answered here:


Check out current deals!

Shop current deals

Top Kudoed Authors