Tuesday, August 2, 2016

Gigabyte Z97X-SLI with Bitlocker and Crucial MX300 SED


This blog is about the installation of Windows Bitlocker on a SED (Self Encrypting Drive), on a Gigabyte mainboard. I ran into some issues and would like to share my findings with you.

Recently I purchased a new mainboard, CPU, SSD and some other components. The SSD is a SED (Self Encrypting Drive), which offers the possibility of hardware based encryption. To me this sounded like a good place to start with disk encryption. Up until now I only used Truecrypt containers, but felt the need for a whole disk encryption. And what better way to do this, than with hardware based encryption. So I dived into Windows Bitlocker, combined with UEFI and secure boot. Of course I had some issues, experienced frustrations, but finally, victory!


My setup:


- Gigabyte Z97X-SLI mainboard, ver 1.2
- Crucial MX300 (CT750MX300) 750 GB SSD
- Windows 10 Pro

This article explains in detail the requirements and steps needed to use the SED functionality on the Crucial MX300.


In summary:


- Be ready to install a fresh, new Windows 10 installation. As far as I know it's not possible to enable/toggle hardware based encryption on an existing Windows 10 installation, or to clone a W10 installation to a SED drive. You have to start from scratch.

- Make sure your BIOS is set to UEFI, CSM is switched off and Secure Boot turned on. For the Gigabyte Z97X-SLI mainboard this means:

  1. Enter the BIOS (classic view)
  2. Go to tab BIOS Features
  3. Windows 8 Features: set to Windows 8 (not Windows 8 WHQL)
  4. CSM Support: Never
  5. Secure Boot: Enabled
  6. Secure Boot Mode: Custom
     - Choose Key Management
       - Default Key Provisioning: Enabled
       - Select option Install default Secure Boot keys
  7. Save settings

Important note: In the beginning I ran into the situation that CSM was switched back on as soon as I restarted the computer. Every time I toggled this option, saved the changes, rebooted and entered the BIOS, I saw that CSM was switched on again. Finally, I found out the cause: I was using an older video card (Sapphire ATI Radeon HD5770) which doesn't have a UEFI BIOS. I assume all components in a computer, including add-on cards, need to be UEFI compliant. Once I removed this card and used the on-board graphics (Intel HD Graphics 4600), CSM remained switched off.
Furthermore, to my knowledge the option Fast Boot isn't required for Secure Boot. You can set this to whatever you like, but make sure you can still use your USB keyboard during boot. Otherwise you can't enter your Bitlocker password (I experienced this).

- Boot your computer with the W10 installation media (DVD or USB) and install Windows on the SSD. Be sure that the drive is uninitialized before installing Windows. You can accomplish this by hooking up the drive to another computer and using diskpart to clean the drive, or by removing all partitions in the disk setup part of the Windows installation. When you use a newly bought SSD, you don't need to worry about this and you can use the drive right away.

After the Windows installation, verify the layout of the disk partitions with Disk Management. There should be 3 partitions.

Disk partition layout


- Enable Bitlocker

Now it's time to enable Bitlocker. In contrast to software based encryption, Bitlocker doesn't have to encrypt the entire drive itself, because the drive already does this. Whether you use Bitlocker or not, the drive encrypts and decrypts data on the fly; this is a transparent process. The only difference with Bitlocker is that it tells the drive to lock itself, so the data is only decrypted once the correct keys are entered during boot. This means that enabling Bitlocker on a SED is a simple task and not time consuming.
In my case I'm only using Bitlocker with a PIN, not a TPM chip or USB key. In order for Bitlocker to accept a PIN as a valid authentication method, you'll need to set a group policy.

Open the local group policy editor, go to Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives.
Set Require additional authentication at startup to Enabled.
Make sure Allow BitLocker without a compatible TPM (requires ........) is checked.

gpedit setting


Exit gpedit.

Open explorer, right-click the partition you want to encrypt (probably the C drive) and choose Turn on Bitlocker. (If you get an error message about a missing TPM chip, then your group policy changes are incorrect)
Follow the step-by-step instructions. If everything goes well, Windows will reboot to verify the Bitlocker operations and once rebooted, the partition is encrypted.
One important note here: if during the Bitlocker setup you're presented with the following question, then something went horribly wrong and I'm afraid you'll have to start all over. This question should only be asked when using software based encryption, not hardware based.

You should NOT see this question!



After the reboot, you can verify that the drive uses hardware based encryption by opening an elevated command prompt and running the following command:

manage-bde -status c:


Verify hardware encryption



IMPORTANT INFORMATION ABOUT Intel RST DRIVERS !!!!

Now you may install hardware drivers, software, et cetera, to further customize your Windows 10 installation. But whatever you do,

DO NOT INSTALL the Intel RST SATA drivers !!!! 

These drivers are known to break the Bitlocker installation. My own experience with this is that after enabling Bitlocker and installing these Intel drivers, I still had the Bitlocker logon screen during boot, but the partition was no longer encrypted. I verified this with the manage-bde command. I wasn't able to solve this, so I had to reinstall Windows. :(
This bug in the RST drivers is mentioned on other forums as well. Perhaps there are versions of this driver that will work fine with Bitlocker, but I'm sticking with the Microsoft standard SATA AHCI controller drivers.
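As an added example (not from the original post), here is a PowerShell script that automates two of the checks above: that the group policy needed for Bitlocker without a TPM is in place, and that manage-bde reports hardware encryption with protection switched on for C:. Running it again after installing drivers catches the state described in the Intel RST section, where the logon screen still appears but the partition is no longer encrypted. It assumes that the registry values UseAdvancedStartup and EnableBDEWithNoTPM under HKLM\SOFTWARE\Policies\Microsoft\FVE are what gpedit writes for the "Require additional authentication at startup" policy, and that manage-bde prints its fields as "Name: Value" rows as on Windows 10; the two sample outputs inside the script are constructed for a dry run, not captured from the author's machine.

```powershell
# Added example, not part of the original post.
# Assumption: these registry values are what gpedit writes for the policy
# "Require additional authentication at startup" with
# "Allow BitLocker without a compatible TPM" checked.
function Test-BitLockerNoTpmPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { return $false }
    $p = Get-ItemProperty -Path $key
    return ($p.UseAdvancedStartup -eq 1) -and ($p.EnableBDEWithNoTPM -eq 1)
}

# Parse the "Name: Value" rows printed by manage-bde -status into a hashtable.
function ConvertFrom-ManageBdeStatus {
    param([string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z ]+):\s+(.+?)\s*$') {
            $fields[$Matches[1].Trim()] = $Matches[2]
        }
    }
    return $fields
}

# The state the post expects after a successful SED setup: the drive itself
# does the encryption ("Hardware Encryption"), the volume is fully encrypted
# and BitLocker protection is on.
function Test-HardwareEncrypted {
    param([hashtable]$Status)
    return ($Status['Encryption Method'] -like 'Hardware Encryption*') -and
           ($Status['Conversion Status'] -eq 'Fully Encrypted') -and
           ($Status['Protection Status'] -eq 'Protection On')
}

# Constructed sample: what manage-bde shows for a hardware-encrypted volume.
$sampleGood = @(
    'Volume C: [Windows]',
    '[OS Volume]',
    '',
    '    Size:                 698.64 GB',
    '    BitLocker Version:    2.0',
    '    Conversion Status:    Fully Encrypted',
    '    Percentage Encrypted: 100.0%',
    '    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2',
    '    Protection Status:    Protection On',
    '    Lock Status:          Unlocked',
    '    Identification Field: Unknown',
    '    Key Protectors:',
    '        Numerical Password',
    '        Password'
)

# Constructed sample: the broken state from the Intel RST section, where the
# logon screen still appears but the partition is no longer encrypted.
$sampleBroken = @(
    '    Conversion Status:    Fully Decrypted',
    '    Percentage Encrypted: 0.0%',
    '    Encryption Method:    None',
    '    Protection Status:    Protection Off',
    '    Lock Status:          Unlocked'
)

# Dry run of the parser and the check against both constructed samples.
$dryRun = [ordered]@{
    Good   = Test-HardwareEncrypted (ConvertFrom-ManageBdeStatus $sampleGood)
    Broken = Test-HardwareEncrypted (ConvertFrom-ManageBdeStatus $sampleBroken)
}
$dryRun

# Live check on this machine (run from an elevated PowerShell prompt).
if (-not (Test-BitLockerNoTpmPolicy)) {
    Write-Warning 'No-TPM policy is not set; Turn on Bitlocker will complain about a missing TPM.'
}
$live = ConvertFrom-ManageBdeStatus (manage-bde -status C:)
if (Test-HardwareEncrypted $live) {
    'C: is hardware encrypted and protection is on.'
} else {
    Write-Warning ('C: is NOT in the expected state: ' +
        ($live['Encryption Method'], $live['Conversion Status'], $live['Protection Status'] -join ' / '))
}
```

The dry run returns True for the good sample and False for the broken one, so the same three fields that the manage-bde screenshot shows are enough to tell the two states apart. Keep the script around and rerun the live part after every driver or firmware install; a volume that silently drops back to "Fully Decrypted" while still showing the Bitlocker logon screen is exactly the case that cost a reinstall above.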


Finally, I also experienced the issue that when you start your computer, the computer turns off while you are typing your Bitlocker password. I found a solution on another forum for this:

Open a command prompt window as administrator.
Type in this command: bcdedit /set {bootmgr} bootshutdowndisabled 1
Press Enter, wait a couple of seconds, then exit the window. Reboot the system and see if the issue is resolved.

Good luck with your SED and Bitlocker!