Most modern SSDs ship with some form of hardware encryption, and on those drives it’s usually permanently on: everything written to the NAND is stored in encrypted form. This stems from the fact that all writes to NAND had to be scrambled to begin with (writing long repeated strings of data to NAND can cause data retention problems). The earliest implementations weren’t sophisticated enough to be considered real encryption, but these days it’s not uncommon to see hardware AES-128/256 support.

The bad news has been that relying on OS driven filesystem encryption always meant running software encryption on top of your drive’s native encryption. This was particularly a problem on SandForce based drives, where full disk encryption basically ruined any of the performance advantages of the controller’s native compression/de-dupe (you can’t further reduce encrypted data). Other drives suffered (just not as much) from the added overhead of having the host CPU encrypt all data before writing it to disk. There’s also the fact that if you encrypt your entire drive (free space included), every LBA gets written with ciphertext, so until the OS TRIMs those blocks the controller sees a completely full drive - which has performance implications of its own. This was the world that existed with BitLocker under Windows 7 and FileVault under OS X.

With Windows 8, the story is a bit different.

I hadn’t heard of Microsoft’s eDrive standard for Windows 8 until I started working on the Crucial M500 review. It turns out that if you have a storage device (e.g. SSD, eMMC, etc...) that meets the right encryption standards, Windows 8’s BitLocker will leverage the device’s hardware encryption engine, bypassing the software based encryption altogether. The result should be better performance and lower power consumption.

The M500 is the first drive that I’m aware of to support Microsoft’s eDrive standard. Because of its TCG Opal 2.0 and IEEE-1667 compliance, the M500 is eDrive compatible. There are some platform requirements to get eDrive working as well. You’ll obviously need a system that supports BitLocker (although a hardware TPM isn’t necessary; you can still go the USB key route). It’s important to note that you have to enable UEFI boot and make sure you have a UEFI enabled Windows 8 install in order for this to work. Your platform will specifically need to support UEFI 2.3.1 (Class II no CSM/Class III). Oftentimes UEFI boot support on motherboards can be tricky, particularly on earlier firmware revisions, so be sure you’re updated (this was the problem I ran into with my test hardware). I've had varied luck with getting DIY desktop PC hardware to behave appropriately with UEFI and BitLocker enabled, so your mileage may vary. The experience on a TPM enabled notebook should be far cleaner from what I've heard.

With all of your ducks in a row, all you need to do is enable BitLocker at this point. If everything is eDrive compliant you won’t be asked whether or not you want to encrypt all or part of the drive; after you go through the initial setup BitLocker will just be enabled. There’s no extra encryption stage (since the data is already encrypted on your SSD). If you’ve done something wrong, or some part of your system isn’t eDrive compliant, you’ll get a progress indicator and a somewhat lengthy software encryption process instead.

For example, with 107GB in use my test 240GB M500 was fully encrypted with BitLocker enabled after a couple of seconds. Just a pause, then boom, BitLocker was enabled. My 256GB Samsung SSD 840 Pro on the other hand took about 21 minutes to encrypt the very same data using software encryption.
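The prerequisites and the "did I get hardware or software encryption?" check above can be scripted. The following PowerShell is an added example, not part of the original article or anything Crucial or Microsoft ship: it reports the firmware boot mode, Secure Boot and TPM state, then lists each BitLocker volume's encryption method, which reads "Hardware" when BitLocker has handed the work to the drive (the eDrive case) and an AES variant when the host CPU is doing it. It assumes Windows 8 or later with the BitLocker and TrustedPlatformModule cmdlets available and an elevated prompt.

```powershell
# Added example: eDrive prerequisite and BitLocker mode check.
# Run from an elevated PowerShell prompt on Windows 8 Pro/Enterprise or later.
# Assumes the BitLocker and TrustedPlatformModule modules are present.

# 1. Boot mode. eDrive needs a UEFI (no CSM) boot; a legacy BIOS boot
#    silently drops BitLocker back to software encryption.
$firmware = $env:firmware_type        # "UEFI" or "Legacy" on Windows 8+
Write-Host "Firmware boot mode : $firmware"
if ($firmware -ne 'UEFI') {
    Write-Warning 'Legacy BIOS boot detected; BitLocker will use software encryption.'
}

# 2. Secure Boot is not an eDrive requirement, but report it.
#    Confirm-SecureBootUEFI throws on a non-UEFI system, so wrap it.
try {
    $sb = Confirm-SecureBootUEFI
    Write-Host "Secure Boot        : $sb"
} catch {
    Write-Host 'Secure Boot        : not available (non-UEFI boot?)'
}

# 3. A TPM is optional (a USB startup key works), but show what we have.
$tpm = Get-Tpm -ErrorAction SilentlyContinue
if ($tpm) { Write-Host "TPM present/ready  : $($tpm.TpmPresent)/$($tpm.TpmReady)" }
else      { Write-Host 'TPM                : none detected (USB key protector needed)' }

# 4. Per-volume BitLocker state. EncryptionMethod is "Hardware" for an
#    eDrive volume; Aes128/Aes256/XtsAes* mean host-side software encryption
#    and "None" means BitLocker is off. EncryptionPercentage climbs slowly
#    during a software encrypt and is 100 immediately for an eDrive.
Get-BitLockerVolume | ForEach-Object {
    $mode = if ($_.EncryptionMethod -eq 'Hardware') { 'eDrive (hardware)' }
            elseif ($_.EncryptionMethod -eq 'None') { 'not encrypted' }
            else { 'software' }
    [pscustomobject]@{
        Volume     = $_.MountPoint
        Protection = $_.ProtectionStatus
        Method     = $_.EncryptionMethod
        Mode       = $mode
        Percent    = $_.EncryptionPercentage
        Protectors = ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ','
    }
} | Format-Table -AutoSize
```

The same information is available without the module from the built-in tool: `manage-bde -status C:` prints "Encryption Method: Hardware Encryption" for an eDrive volume. Either way, if the method shows an AES variant on a drive you expected to be an eDrive, the cause is usually one of the items the script flags first (legacy boot or a Windows install that wasn't done in UEFI mode).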

The gallery below shows all of the steps I went through to enable BitLocker/eDrive support on my Intel DX79SI motherboard with Crucial’s M500.

The ability to quickly enable/disable BitLocker is a nice perk, but it’s only part of the story. There’s basically no change in performance with BitLocker enabled on the M500 since the encryption is all done on the drive (and was always being done there to begin with).

PCMark 7 - Raw System Storage Score

  Drive                         Unencrypted   BitLocker Enabled   Perf Impact
  Crucial M500 240GB (eDrive)   4644          4586                -1.2%
  Samsung SSD 840 Pro 256GB     6195          5336                -13.9%

The sad reality is, Samsung’s 256GB 840 Pro with software encryption enabled ends up being faster than the M500 running as an eDrive, but in theory if the drives were equal performers you’d see a clear advantage to the eDrive compliant hardware. PCMark 7 isn’t the most stressful test and we’re really only measuring peak performance here however. Given that the 840 Pro should look like a completely full drive with its free space encrypted, I ran a short 4KB random write test to see whether or not that was the case:

Peak Performance - 4KB Random Write (8GB LBA Space, QD32)

  Drive                         Unencrypted      BitLocker Enabled   Perf Impact
  Crucial M500 240GB (eDrive)   63334.8 IOPS     62865.8 IOPS        -0.7%
  Samsung SSD 840 Pro 256GB     88911.3 IOPS     63097.5 IOPS        -29.0%

Now this is much more interesting. On a mostly empty drive, the 840 Pro behaves like it’s full of data and thus shows lower peak 4KB random write performance. The M500 on the other hand behaves like it’s empty. As neither one of these drives has the best behavior after extended usage in a full state, the long term performance benefits are tremendous.

There should be power savings associated with running as an eDrive, although since my testbed is a desktop PC they aren’t all that visible. The irony here is that none of the modern (UEFI 2.3.1 hit in mid 2011) PC notebook hardware I have on hand will support a 2.5" SSD.

As someone who regularly uses full disk encryption, I can’t tell you how excited I am at the thought of eDrive compliant SSDs. There’s absolutely no reason this shouldn’t be how all OS level encryption works. Kudos to Microsoft for making this happen and to Crucial for supporting it.

I’m hoping we’ll see more eDrive compliant SSDs in the future. For now, anyone who is required to run with BitLocker enabled should seriously consider Crucial’s M500.

On the Mac side, I do hope Apple will follow Microsoft’s lead here and build similar support in to OS X for FileVault. The power and performance savings are worth it, especially when you consider that SandForce based SSDs are now in Apple’s official parts bin.

39 Comments


  • Tjalve - Friday, April 12, 2013

    Alright. So to get this going, you need to enable secure boot? I didn't read that that was a requirement, only to boot with UEFI instead of legacy BIOS?
  • B3an - Sunday, April 14, 2013

    Pretty sure you don't need Secure Boot enabled. Don't know why Azethoth mentioned SB...

    You just need UEFI boot enabled. Specifically "UEFI 2.3.1 (Class II no CSM/Class III)" as mentioned in this article. I'd guess most new motherboards with UEFI will support this as long as you're on the latest BIOS/UEFI update.
  • Araemo - Thursday, April 11, 2013

    Why would you want that? Because every additional password you give a user increases the chances of them writing it on a sticky note on the computer and bypassing your well-designed security.

    Without an ability to use your AD credentials for pre-boot authentication, I recommend my customers go TPM-only (with secure boot if supported) for that reason, plus the supportability reasons.

    Technically, bitlocker supports smartcard-auth... as long as you have a third-party module running pre-bootmgr to authenticate the smartcard and supply the drive protector key to bootmgr.

    I've seen no product that does this, however, so the above statement is more correct than microsoft's line. ;)
  • Johny12 - Monday, April 15, 2013

    I thought the purpose of hardware encryption on the SSD was to reduce the burden on the host CPU. So with Sandforce you got both better CPU performance AND the benefit of their compression/de-dupe?
  • hceuterpe - Tuesday, April 23, 2013

    You gotta be kidding me. I JUST bought the Crucial C400 SED variant less than a month ago!
    Oh well, I don't plan on using Windows 8 (I rejected it) and my laptop doesn't have UEFI. Also the M500 doesn't seem to best the C400/M4 across the board.

    For people who don't understand Bitlocker, you guys need to stop bashing it and comparing HDD passwords (seriously??). For a large organization, it's one of the easiest ways to enforce data-at-rest security. As for bitlocker, in software mode I've noticed my other laptop (which I don't own myself) tends to hang for extended periods of time especially when it pages. I've heard similar behavior from Truecrypt, as well..
  • LS1 - Thursday, December 19, 2013

    Has anyone been able to get eDrive working right with the Samsung EVO yet? The latest firmware update is supposed to make the drive TCG/OPAL 2.0 Compliant. I gave it a shot and I believe I meet all the system requirements (UEFI with CSM disabled and Secure Boot enabled, Windows 8.1 Pro, BitLocker, etc.) but it still asks me if I want to encrypt only the used space or the entire drive (it shouldn't ask that if it's using eDrive from what I've read). Tried this on a Lenovo K410 Desktop without a TPM chip and on Lenovo ThinkPad T430 with a TPM chip without any luck... if it doesn't work on the business line T series ThinkPad then I don't know what will work or what I might be doing wrong?
  • LS1 - Tuesday, December 24, 2013

    Finally got eDrive to work on the Samsung EVO but I had to install the Samsung Magician software and enable "Encrypted Drive" which instructed me to perform a secure erase and a clean install of Windows 8, which I did, but I had to make sure the EVO was #1 on the boot order in UEFI/BIOS and also had to run "bcdboot %systemdrive%\Windows" from the Windows command prompt since I kept getting BitLocker errors saying "element not found". After it's done however the same problem as the Crucial M500 exists where the ATA security set is disabled and one CANNOT perform a Secure Erase on the drive and the Samsung Magician software doesn't allow you to set "Encrypted Drive" back to "Ready to be Enabled" or "Disabled".
  • Igorw - Monday, January 13, 2014

    Thank you for the walk through and also pointing out what to look for if the encryption uses software mode instead of hardware mode (that part really helped)!

    With some trouble I now finally have Bitlocker running in hardware mode on my Samsung 840 EVO. The tricks to get it running on this drive were 1) Upgrade your Samsung firmware, 2) Use Secure Erase on the drive after turning Encrypted Drive to Ready to Enable and 3) Install Windows in UEFI mode (I had no idea that it was possible to install Windows in different modes).

    Thanks again for the great step by step guide.
  • Krysto - Monday, February 10, 2014

    The encryption is done by hardware instead of software? So that means it could be backdoored by hardware vendors. Not that the fact that Bitlocker is proprietary shouldn't worry you to begin with, in this case.
