Issues enabling BitLocker hardware encryption (Windows Encrypted Hard Drive) on AMD 7840

Just got my Framework 13 AMD 7040 (7840U, 64GB) and am trying to set it up with a Samsung 990 Pro 2TB SSD with Windows 11 using BitLocker hardware encryption (Windows Encrypted Hard Drive). I’m using this guide which I’ve successfully followed on my desktop rig using a Samsung 990 Pro 1TB. In my testing the hassle is totally worth it if you’re going to be using BitLocker (which is mandated in many corporate environments) as the default software-based encryption can dramatically impact disk performance.

The two places where the process differed from what I’ve done before were the secure erase of the SSD after enabling encryption in Samsung Magician (when it enters the “Ready to enable” state), and the disabling of the “Block SID” function in the BIOS.

I couldn’t find a secure erase tool in the BIOS, and couldn’t get Samsung Magician to make the bootable USB with its secure erase tool successfully, so I ended up using diskpart for that instead. Guides say this should be sufficient but I’m not sure.

For the step where one has to go into the BIOS to disable the “Block SID” function, so that the next volume created on the SSD is set up for encryption, I couldn’t find the option in the BIOS (3.02), so I used the workaround approach of issuing the command via PowerShell and rebooting. At that point, usually, the BIOS will print a message and halt on POST, detailing that a Block SID request has been made, and to confirm the action or deny the request and reboot. I did see something different come up during POST at this stage, but it flashed too quickly to be legible.

I continued on with the Windows 11 install at this point and confirmed that Samsung Magician reports the drive as having Encrypted Drive “Enabled”, supposedly confirming that the SSD has been successfully configured for hardware encryption. After editing Group Policy to force BitLocker to use hardware encryption and rebooting once more, I proceeded to enable BitLocker.

Unfortunately BitLocker seems to have completely ignored the setting and encrypted the drive using software-based encryption instead. A performance test once it completed showed results in line with what I’ve seen on software-encrypted BitLockered 990 Pros before: a huge impact to random IOPS performance, dropping what should be around 1 million IOPS to 100K or so.

For my next attempt, I plan to revisit the secure erase step and try again to get the Samsung secure erase tool bootable USB created. I’m still not sure what to make of what I saw at the disable “Block SID” step.

It would be great if the Framework 13 BIOS exposed the “Block SID” settings and included an SSD secure erase tool. Alternatively, a guide on how to complete the process to install Windows 11 Pro and enable BitLocker hardware encryption when using a supported SSD would be much appreciated.

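The post above is stuck on two points that can be checked from the OS rather than from a POST screen that disappears too fast: whether the firmware accepted the PPI request to disable Block SID, and whether BitLocker actually used hardware encryption or silently fell back to software. The following is an added example of mine, not code from the guide, from Samsung Magician or from Framework. It assumes that PPI operation 97 is `Disable_BlockSIDFunc` (as listed in the TCG PC Client Physical Presence Interface specification), that the `Win32_Tpm` CIM methods and `Get-BitLockerVolume` behave as documented, and that the registry values under `HKLM\SOFTWARE\Policies\Microsoft\FVE` named below are the backing store of the “Configure use of hardware-based encryption for operating system drives” policy; confirm each of those against the spec, `gpedit.msc` and your own firmware before relying on them. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the guide, Samsung or Framework).
# Assumption: 97 == Disable_BlockSIDFunc per the TCG PPI spec. Verify before use.
$DisableBlockSid = 97

function Get-TpmInstance {
    Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm
}

function Request-DisableBlockSid {
    $tpm = Get-TpmInstance
    # Ask the firmware first whether it will even accept this PPI operation from the OS.
    $status = (Invoke-CimMethod -InputObject $tpm -MethodName GetPhysicalPresenceConfirmationStatus `
               -Arguments @{ Operation = $DisableBlockSid }).ConfirmationStatus
    $meaning = switch ($status) {      # codes as documented for Win32_Tpm (assumption: unchanged)
        0 { 'not implemented by firmware' }
        1 { 'firmware-only operation' }
        2 { 'blocked by current firmware settings' }
        3 { 'allowed, user confirmation required at POST' }
        4 { 'allowed, no user confirmation required' }
        default { "unknown status $status" }
    }
    Write-Host "PPI confirmation status for operation ${DisableBlockSid}: $status ($meaning)"
    if ($status -lt 3) { throw 'Firmware will not accept a Disable Block SID request via PPI.' }

    $r = Invoke-CimMethod -InputObject $tpm -MethodName SetPhysicalPresenceRequest `
         -Arguments @{ Request = $DisableBlockSid }
    if ($r.ReturnValue -ne 0) {
        throw ('SetPhysicalPresenceRequest failed: 0x{0:X8}' -f [uint32]$r.ReturnValue)
    }
    Write-Host 'Request queued. Reboot now and watch POST for the Block SID prompt.'
}

function Get-PpiResponse {
    # Run after the reboot: reports the last operation the firmware processed and its result,
    # so you do not have to read the POST screen. Per the PPI spec: 0 = success,
    # 0xFFFFFFF0 = user aborted at POST, 0xFFFFFFF1 = general failure.
    $tpm  = Get-TpmInstance
    $resp = Invoke-CimMethod -InputObject $tpm -MethodName GetPhysicalPresenceResponse
    [pscustomobject]@{
        LastOperation = $resp.Operation
        Response      = ('0x{0:X8}' -f [uint32]$resp.Response)
        StillPending  = (Invoke-CimMethod -InputObject $tpm -MethodName GetPhysicalPresenceRequest).Request
    }
}

function Set-ForceHardwareEncryptionPolicy {
    # Make BitLocker refuse to fall back to software encryption instead of doing so silently.
    # Assumption: these value names back the OS-drive hardware encryption GPO; check gpedit.msc.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'OSHardwareEncryption'              -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $key -Name 'OSAllowSoftwareEncryptionFailover' -PropertyType DWord -Value 0 -Force | Out-Null
    gpupdate /force | Out-Null
}

function Test-BitLockerHardwareEncryption {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # EncryptionMethod reads 'Hardware' only when the SED is doing the work;
    # XtsAes128 / XtsAes256 means the software path was used.
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        EncryptionMethod = $vol.EncryptionMethod
        IsHardware       = ($vol.EncryptionMethod -eq 'Hardware')
    }
}

# Typical sequence:
#   Request-DisableBlockSid            # then reboot and approve at POST
#   Get-PpiResponse                    # confirm Response is 0x00000000
#   Set-ForceHardwareEncryptionPolicy  # before installing / enabling BitLocker
#   Test-BitLockerHardwareEncryption   # after enabling, before trusting a benchmark
```

The point of `Set-ForceHardwareEncryptionPolicy` is that with software fallback disallowed, `Enable-BitLocker` (or `manage-bde -on C:`) fails loudly when the drive is not actually in the encrypted-drive state, which is a much faster signal than running a benchmark and noticing the IOPS drop afterwards. `manage-bde -status C:` shows the same information as `Test-BitLockerHardwareEncryption` under “Encryption Method”.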

FWIW, I have used nvme-cli (which provides the nvme command) successfully on Linux to secure-erase Samsung 970 Pros before. I resorted to that after first attempting to secure-erase using my MSI motherboard’s BIOS and being horrified when it erased the wrong drive*. IIRC, nvme-cli should be installed on most distributions’ installer images.

*Partially my fault. There were two identical drives, and the MSI BIOS secure-erase UI showed only their manufacturer and model name, without any way to know which drive was which. I guessed that they were listed in the order of the motherboard’s M.2 slot labels. Perhaps I guessed incorrectly, or maybe the BIOS has a bug with duplicate drive descriptions. Both are plausible.


Thanks. I ended up managing to get the Samsung Secure Erase Tool bootable USB working and am attempting to go through the whole process again.

Well, I had more luck the second time: using the Samsung Secure Erase tool and enabling BitLocker via the command line, I was able to get it to the point where it was using hardware encryption. Unfortunately, on the next boot it failed POST, saying it couldn’t find the boot device. I believe that’s the same result others have seen attempting the same. I think we’re stuck until this is addressed by Framework with a BIOS update.


That is the point. However, this applies not only to AMD but also to Intel 11.

However, my tests have shown that the performance loss is significantly lower with the AMD. This is therefore irrelevant in my usage profile.

Also interesting, copying large amounts of data does not cause the fan to spin up on the AMD, unlike the Intel 11.


Thanks a lot @Damian_Edwards for this post and your documented attempt.

I would like to do the exact same thing on my Batch 7 with a 990 Pro, and I was counting on it being possible right away.

I was looking at the same exact guide; are you sure step 11 is not the problem?
“Optional: If the POST screen in step 7 told you that the disable “Block SID” config is persistent (and not for just one boot), then you need enable it again.”

If not, what are our options? How could we get Framework to prioritise this?


I opened a support ticket RE this issue. I suggest the more people do that, the higher the issue might get prioritized.


I am not 100% sure if that’s the same as the term “eDrive”, but you can ignore HW acceleration and spare yourself the trouble and compatibility issues.

Just use SW encryption and be done. The overhead is so negligible you will not notice it; even in benchmarks it is hardly noticeable, as the encryption speed of the CPU is around 2 GB/s minimum.

Edit:
Also, Samsung drives are the worst for your purpose: you can only set them ONCE; for another setting you need to PSID the drive, which Samsung doesn’t offer; a secure erase won’t do it.
Better drives used to be Crucial or Kingston, as you can do a PSID revert afterwards.


@Stephan_Winter eDrive was the older BitLocker h/w encryption standard that was replaced by Windows Encrypted Hard Drive to my knowledge.

I work in an environment where I’m not able to opt-out of BitLocker and my testing has demonstrated substantial impacts on random read/write access using BL s/w encryption.

You can easily PSID reset Samsung drives using Samsung Magician on a Windows 2 Go USB installation. I’ve done it numerous times.

Ok, I stand corrected then, and Samsung drives can be PSID reverted. However, BitLocker and HW encryption still seem to be “difficult”, so I doubt that the speed difference in daily routine will make up for the time you spend to make it work :wink:

Each to their own, but in my line of work (software development) consistent small-size disk access is prevalent and is often a bottleneck. E.g. see the recent addition of “Dev Drive” in Windows 11, which is specifically intended to speed up read and write of lots of small files, by using ReFS instead of NTFS, and postponing real-time anti-virus scanning to the background rather than inline with disk access. It can greatly improve developer-centric scenarios.


I’ve been following this thread because I wanted to do the same when I get my AMD laptop. @Damian_Edwards were you not able to find the BlockSID options under Security > Storage Password Setup Page? BIOS guide

I’m not really sure if that page I linked to is supposed to be showing the BIOS for all versions of their hardware or not.

@dansmith65 that BIOS guide looks very out of date compared to what I saw, or I’m very bad at reading it :smile:

My BIOS is very graphical and has way fewer options.

I was afraid that might be the case, but since all I can do is speculate until my Batch 8 laptop arrives, I thought I’d ask! It’s actually helpful to know that’s not what I should expect to see when I get it, so thanks for that.

Did you try disabling secure boot? I think I read somewhere that the Block SID option is sometimes hidden unless secure boot is disabled. That wasn’t a framework-specific post I was reading, though.

Another requirement from a different vendor was adding a BIOS administrator password; I think? I forgot how that tied into all of this; it’s just another random thing you could try, if you’re feeling adventurous.

I used the PowerShell snippet from the guide to initiate the disable Block SID request but upon reboot it didn’t stop and verify attendance (which is what it’s supposed to do when requesting that TPM operation). I did disable secure boot as it’s required to boot into the Samsung Secure Erase tool but didn’t check if that changed the Block SID option.

I went through the process of successfully enabling HW encryption with this exact hardware configuration only to lose it on the second reboot twice yesterday. The first time I thought it was my own mistake, by the second I was quite sure it wasn’t. For now I went with software bitlocker as I need to actually use the laptop but am really hoping for a viable option to use the hardware encryption.

Interestingly, if you look in the BIOS, there is a secure erase tool, as well as options to do things like Block SID, but only if the drive is not enabled for hardware encryption. Do a PSID revert and secure wipe, and let the drive appear as just a disk, and you’ll have the tools available to you. I assume the UEFI hides the tools if the drive is ready for encryption as it’s expected that you’re using a different tool for the purpose of managing the drive and its security. It’s possible that a bug in this logic is what’s getting in the way of actually using the drive once it’s encrypted.

Are you all having this issue on the same Samsung 990 drive?
We have run through validation with other drives which do not have an issue with bitlocker.
But I do not think we validate encryption explicitly using hardware OPAL SED support.

Does this issue also happen if you enable bitlocker without HW OPAL SED?

Hello @Kieran_Levin, so good to see someone from Framework here!

I purchased the Samsung 990 Pro instead of the WD SN850X specifically for Bitlocker hardware encryption. I did quite some research and from what I understand Bitlocker requires SEDs to respect the IEEE1667 standard, also known as eDrive.

Found online:

“TCG Opal is another security storage specification and it is not enough for Bitlocker hardware encryption.”

However, the Samsung 990 Pro datasheet is totally clear about supporting both Opal and IEEE1667 (source of the Datasheet).

“AES 256-bit Full Disk Encryption, TCG/Opal V2.0, Encrypted Drive (IEEE1667)”

So I don’t understand what you mean by:

I’m also seeing the issue with the 990 Pro, I don’t have another drive to test with. Software bitlocker doesn’t cause the issue.

I’d love to have hardware support for encryption on the SSD, but at every place I’ve worked, they asked BIOS companies to remove user configuration in laptops until CVEs are addressed. I think Lenovo obliged for one workplace because they have several hundred thousand employees.

Basically, last I checked, anyone with physical access to the SSD can break the Opal encryption merely through simple firmware and AT commands, yet software BitLocker is fine.