05-21-2018 10:21 AM
I am just setting up a new X1 Yoga 3rd gen with the included 1TB drive (Samsung MZVLB1T0HALR). As I understand, since it is OPAL 2.0, it should be self-encrypting. I was under the impression modern BitLocker can make use of self-encrypting drives for hardware encryption rather than using software encryption. After setting up Windows, BitLocker automatically started encrypting the drive. The fact that this took time led me to try "manage-bde -status C:" in an elevated CMD and I found that it was using software encryption.
How do I go about getting BitLocker to use the hardware encryption capabilities?
For now, I disabled BitLocker and then enabled Disk Password in the BIOS. I do get asked for the password at boot-up, but how do I know the drive is actually encrypted and this isn't just an access password? In other words, if the SSD is pulled out and placed in another system, it should still be encrypted. According to https://support.lenovo.com/us/en/solutions/migr-69621 I should see a Disk Encryption HDD setting in BIOS if my drive supports encryption --- but I don't see this setting.
As an aside, I tried to also download the Samsung Magician utility, but as you would expect, it says my drive is not supported (likely due to Microsoft drivers and/or that this is an OEM drive).
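The check the poster did by hand with manage-bde, as an added PowerShell example (not from this thread or from Lenovo/Microsoft): it reports, per BitLocker volume, whether the encryption method is hardware (eDrive/OPAL) or software, and whether the local policy that allows hardware encryption for the OS drive is set. The policy registry value name OSHardwareEncryption is assumed from the BitLocker policy template; the Get-BitLockerVolume cmdlet and the "Hardware" encryption-method value are standard Windows BitLocker module features.

```powershell
# Added example, not code from the thread. Requires an elevated session and
# the BitLocker PowerShell module (Windows 8 / Server 2012 and later).
#Requires -RunAsAdministrator

function Get-BitLockerEncryptionReport {
    [CmdletBinding()]
    param()

    # Group Policy "Configure use of hardware-based encryption for operating
    # system drives" lands under this key. Value name assumed: 1 = allowed.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $osHw = (Get-ItemProperty -Path $policyKey -Name 'OSHardwareEncryption' `
                -ErrorAction SilentlyContinue).OSHardwareEncryption

    foreach ($vol in Get-BitLockerVolume) {
        # EncryptionMethod is an enum; "Hardware" means the SED is doing the
        # work, anything like XtsAes128/Aes256 means software encryption.
        $method = [string]$vol.EncryptionMethod
        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeStatus      = $vol.VolumeStatus
            ProtectionStatus  = $vol.ProtectionStatus
            EncryptionPercent = $vol.EncryptionPercentage
            EncryptionMethod  = $method
            HardwareEncrypted = ($method -eq 'Hardware')
            OSHwPolicySet     = ($osHw -eq 1)
        }
    }
}

Get-BitLockerEncryptionReport | Format-Table -AutoSize
```

BitLocker does not switch an already-encrypted volume between methods: if HardwareEncrypted is False, the policy has to be in place and the volume fully decrypted before BitLocker is turned on again, or it stays on software encryption.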
05-21-2018 11:54 AM
If it is an OPAL drive it is encrypted by the hardware. The operating system and the user don't see anything to show any encrypting, so there is no performance hit. That simply means that the bits and bytes are stored in the memory chips in a non-sequential manner so someone couldn't use electronic gear to dump the memory chips to get at your data. If you put the drive into a different machine, it couldn't be accessed without supplying the password. If there were no password, the drive could be mounted in another system, either directly or via an external housing, and someone could read out your data because the data would be un-encrypted by the drive and passed to the OS. The password is also encrypted via the BIOS and stored on the drive in an area that cannot be directly accessed. The only command that can allow reading is a challenge command. One warning: if you want to move the drive to another system, you need to remove the password first or mount it into a "similar" machine so you can supply the password via the BIOS encryption. My understanding is that machines T440 and newer use the same encryption. Also, there is no way to supply the password to an external drive.
05-21-2018 12:02 PM
Thanks for your comprehensive response!
Could you also respond to this part:
According to https://support.lenovo.com/us/en/solutions/migr-69621 I should see a Disk Encryption HDD setting in BIOS if my drive supports encryption --- but I don't see this setting.
The lack of that setting in BIOS makes me wonder how I know it's really being encrypted.
05-21-2018 12:52 PM - edited 05-21-2018 12:52 PM
FDE is a different technology (for spinning drives). With OPAL encryption, there is no option. It is always encrypted. I doubt that the BIOS even knows about it.