01-03-2019 04:19 PM - edited 01-03-2019 04:21 PM
01-04-2019 01:13 AM
09-18-2019 02:04 PM - edited 09-18-2019 02:39 PM
You should be able to use hardware bitlocker encryption with this configuration based on my experience with an X1 Carbon 5th Gen and Samsung 970 Pro, although enabling it is a little involved and requires the following steps:
1. Create Windows 10 installation USB drive using the Media Creation Tool downloaded from the Microsoft website (https://www.microsoft.com/en-gb/software-download/windows10). Note that I haven't been able to get hardware encryption to work using Lenovo recovery media so this is an important step.
2. Install Samsung Magician and follow the procedure to prepare the SSD as an Encrypted Drive (i.e. securely erase the drive using the bootable USB created by Magician). This will wipe your SSD so take a backup beforehand if requried. This will also require changes to the boot configuration in the BIOS.
3. Install Windows 10 using the USB media created at step 1 above.
4. Install the Samsung SSD driver and Magician. Check the encrypted drive status in Magician. From memory it should state it's Enabled.
5. From my experience, bitlocker may or may not be enabled when Windows is installed. If Bitlocker is enabled, decrypt the drive (you may need to encrypt and decrypt again). If it isn't, encrypt and then decrypt the drive (by either right clicking on the drive and selecting Manage Bitocker or running Bitlocker Drive Encryption from Control Panel).
6. Following step 5, (re)enable encryption for the drive. All being well, you will be prompted to reboot to perform a security check. If you aren't prompted to reboot the drive will be still sofware encrypted and step 5 will need to be repeated).
7. Once rebooted, open an elevated command prompt and run "manage-bde -status" and it should state (again all being well) that the drive is hardware encrypted.
09-18-2019 07:01 PM
There is little reason to go through the convoluted install-reinstall process to enable hardware Bitlocker, which is not required with SEDutil.
If you have a TCG OPAL 2.0 compliant NVME drive, like a Samsung 960 Pro, 970 Pro 970 Evo, or 970 EVO plus, then you can use the SEDutil pre-boot authentication bootloader to unlock that drive and then automatically load Windows. SEDutil is BIOS independent and does not require a clean installation of Windows. Also, you can add and remove the SEDutil pre-boot authentication bootloader at will without having to reinstall Windows. Or, you can disable pre-boot authenication and leave the bootloader in place.
With hardware Bitlocker you need a compatible drive, and the BIOS needs to specifically support Bitlocker. This is not the case with SEDutil.
The only two downsides with SEDutil in Windows is that sleep is not supported (not really an isssue with instant NVME hibernation, which is fully supported), and you must disable Secure Boot with SEDutil (debatable whether that is a security issue).
Most of your questions will probably be answered here: