Issues enabling BitLocker hardware encryption (Windows Encrypted Hard Drive) on AMD 7840

I opened a support ticket RE this issue. I suggest the more people do that, the higher the issue might get prioritized.


I am not 100% sure if that's the same as the term “eDrive” but you can ignore HW acceleration and spare yourself the trouble and compatibility issues.

Just use SW encryption and be done. The overhead is so negligible you will not notice it; even in benchmarks it is hardly noticeable, as the encryption speed of the CPU is around 2 GB/s minimum.

Edit:
Also Samsung drives are the worst for your purpose: you can only set them ONCE. For another setting you need to PSID the drive, which Samsung doesn't offer; a secure erase won't do it.
Better drives used to be Crucial or Kingston, as you can do a PSID revert afterwards.


@Stephan_Winter eDrive was the older BitLocker h/w encryption standard that was replaced by Windows Encrypted Hard Drive to my knowledge.

I work in an environment where I’m not able to opt-out of BitLocker and my testing has demonstrated substantial impacts on random read/write access using BL s/w encryption.

You can easily PSID reset Samsung drives using Samsung Magician on a Windows To Go USB installation. I’ve done it numerous times.

Ok, I stand corrected then, and Samsung drives can be PSID reverted. However, BitLocker and HW encryption still seems to be “difficult”, so I doubt that the speed difference in daily routine will make up for the time you spend to make it work :wink:

Each to their own, but in my line of work (software development) consistent small-size disk access is prevalent and is often a bottleneck. E.g. see the recent addition of “Dev Drive” in Windows 11, which is specifically intended to speed up read and write of lots of small files, by using ReFS instead of NTFS, and postponing real-time anti-virus scanning to the background rather than inline with disk access. It can greatly improve developer-centric scenarios.


I’ve been following this thread because I wanted to do the same when I get my AMD laptop. @Damian_Edwards were you not able to find the BlockSID options under Security > Storage Password Setup Page? BIOS guide

I’m not really sure if that page I linked to is supposed to be showing the BIOS for all versions of their hardware or not.

@dansmith65 that BIOS guide looks very out of date compared to what I saw, or I’m very bad at reading it :smile:

My BIOS is very graphical and has way fewer options.

I was afraid that might be the case, but since all I can do is speculate until my Batch 8 laptop arrives, I thought I’d ask! It’s actually helpful to know that’s not what I should expect to see when I get it, so thanks for that.

Did you try disabling secure boot? I think I read somewhere that the Block SID option is sometimes hidden unless secure boot is disabled. That wasn’t a framework-specific post I was reading, though.

Another requirement from a different vendor was adding a BIOS administrator password; I think? I forgot how that tied into all of this; it’s just another random thing you could try, if you’re feeling adventurous.

I used the PowerShell snippet from the guide to initiate the disable Block SID request but upon reboot it didn’t stop and verify attendance (which is what it’s supposed to do when requesting that TPM operation). I did disable secure boot as it’s required to boot into the Samsung Secure Erase tool but didn’t check if that changed the Block SID option.

I went through the process of successfully enabling HW encryption with this exact hardware configuration only to lose it on the second reboot twice yesterday. The first time I thought it was my own mistake, by the second I was quite sure it wasn’t. For now I went with software bitlocker as I need to actually use the laptop but am really hoping for a viable option to use the hardware encryption.

Interestingly, if you look in the BIOS, there is a secure erase tool, as well as options to do things like Block SID, but only if the drive is not enabled for hardware encryption. Do a PSID revert and secure wipe, and let the drive appear as just a disk, and you’ll have the tools available to you. I assume the UEFI hides the tools if the drive is ready for encryption as it’s expected that you’re using a different tool for the purpose of managing the drive and its security. It’s possible that a bug in this logic is what’s getting in the way of actually using the drive once it’s encrypted.

Are you all having this issue on the same Samsung 990 drive?
We have run through validation with other drives which do not have an issue with bitlocker.
But I do not think we validate encryption explicitly using hardware OPAL SED support.

Does this issue also happen if you enable bitlocker without HW OPAL SED?

Hello @Kieran_Levin, so good to see someone from Framework here!

I purchased the Samsung 990 Pro instead of the WD SN850X specifically for Bitlocker hardware encryption. I did quite some research and from what I understand Bitlocker requires SEDs to respect the IEEE1667 standard, also known as eDrive.

Found online:

“TCG Opal is another security storage specification and it is not enough for Bitlocker hardware encryption.”

However, the Samsung 990 Pro datasheet is totally clear about supporting both Opal and IEEE1667. (source of the datasheet)

“AES 256-bit Full Disk Encryption, TCG/Opal V2.0, Encrypted Drive (IEEE1667)”

So I don’t understand what you mean by:

I’m also seeing the issue with the 990 Pro, I don’t have another drive to test with. Software bitlocker doesn’t cause the issue.

I’d love to have hardware support for encryption on the SSD, but at every place I’ve worked, they asked BIOS companies to remove user configuration in laptops until CVEs are addressed. I think Lenovo obliged for one workplace because they have several hundred thousand employees.

Basically, last I checked, anyone with physical access to the SSD can break the Opal encryption merely through simple firmware and AT commands, yet software BitLocker is fine.

Thanks. Anyone who’s checked more recently than four years ago want to weigh in on whether this feature that comes with the laptop should actually work instead of erasing your data?


I am experiencing the same issue as @Damian_Edwards when trying to use a Samsung 990Pro’s OPAL2 hardware encryption. In my case the system is a FW13 13th Gen Intel CPU.

Following the guides completely, I got Windows 11 installed where it enabled hardware-encrypted BitLocker. Upon next boot I am receiving the same Boot Manager message where the UEFI cannot see the drive to boot from. It doesn’t matter whether I have Secure Boot enabled and enforced, optional or disabled; the very same issue occurs. I went a step further and tried to use DISKPART and BCDEDIT to repair the boot partition, with no success.

I have another system with an Asus motherboard and this system allowed me to use hardware encryption with my 990Pro and W11Pro 23H2. Something is wrong with the FW13 UEFI/BIOS. Can we get this fixed please? @Twistgibber @nrp @Kieran_Levin @ctl


@Damian_Edwards Appears you and I are two FW13 owners actively trying to find a solution to this 990Pro OPAL2 issue. I have an idea on this. Here I go…

I notice that when the 990Pro is not set for encryption enabled, I have the following menu in BIOS/UEFI: Security > Storage Password Setup. In Storage Password Setup there are Disable SID settings (several of them, and I’m not sure what they all do).

Once I enable encryption using Magician and do the Secure Wipe to fully enable hardware encryption on the 990Pro, when I next enter BIOS/UEFI, the Storage Password Setup menu is gone. Are you seeing the same?

I was thinking to try to do another secure wipe of the 990Pro, then use Magician to disable hardware encryption. Once it's disabled, I would then go into BIOS/UEFI Security > Storage Password Setup and “enable Block SID”. Save, then reboot and begin the process all over again with the 990Pro to see if this works around the issue. I do not yet know if the “enable Block SID” function is sticky and will survive multiple reboots, or until the hardware encryption key is validated by the Block SID, at which time the UEFI/BIOS can safely disable it again on its own. I’m not sure how Framework programmed this to work or if the behavior is proper for what we’re trying to accomplish.

Thoughts before I spend another hour or two on this? Almost as annoying as my time lost on this project is the wear and tear on the 990Pro…ho hum.


The “Block SID” function is to stop changes to the drive encryption key. Toggling it after encryption is enabled is a security measure to prevent software tampering with the key. It’s technically not required after encryption is enabled, but it is important to block attempts to silently disable the encryption by hostile software running from the encrypted drive. Enabling it prior to enabling encryption will just prevent you from completing it - or at least it should; this functionality is obviously currently not working as intended.

As @Ansley_Barnes says, these operations are intended to protect TPM operations, if I understand correctly. The “PPRequired” options mean “physical presence required” and are what is supposed to cause the BIOS to stop during POST and prompt for input.

All that said, if one of those options (perhaps “Disable_BlockSIDFunc”) is persistent across reboots, then selecting it BEFORE preparing the 990 Pro for encryption might help, but if the BIOS is then hiding the menu, you won’t be able to unselect it again, leaving the system open to silent encryption changes. Although it might be possible to set the flag from Windows PowerShell as the guide we’ve been using indicates.

Ultimately, it seems this is a BIOS bug that is resulting in the menu being hidden when the drive is ready for encryption. I never saw the menu show up myself, but I know others have reported what @Scott_H has seen, so that definitely seems related to the issue.

Another thought. Perhaps after getting BitLocker hardware encryption enabled, shut down the machine, remove the SSD, then boot into the BIOS and see if the menu shows up again? Probably unlikely because it’s under the storage section and there’d be no drive installed, but might be worth a try. Actually, @Scott_H if you’re in this state right now, perhaps remove the drive and boot into the BIOS to see what’s there?
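The two checks people in this thread keep doing by hand (submitting a Block SID physical-presence request from PowerShell and confirming whether BitLocker actually ended up in hardware or software mode after a reboot) can be scripted. The following is an added example, not code from the thread, the guide it references, Framework or Samsung. It assumes only the `Win32_Tpm` and `Win32_EncryptableVolume` WMI classes that ship with Windows, an elevated PowerShell session, and the TCG PPI operation numbers for the Block SID functions as given in the TCG PC Client Physical Presence Interface specification (the numbers below are taken from my reading of that table; confirm them against the spec revision your firmware implements). The `EncryptionMethod` codes are likewise assumed from the BitLocker WMI provider documentation.

```powershell
# Added example (not from the thread or the vendors): inspect the TPM
# physical-presence state, optionally queue a PPI operation, and report
# which encryption method BitLocker is really using on a volume.

# TCG PPI operation numbers for the Block SID functions (assumed from the
# TCG PC Client Physical Presence Interface spec; verify before relying on them).
$PpiOps = @{
    96  = 'Enable_BlockSIDFunc'
    97  = 'Disable_BlockSIDFunc'
    98  = 'SetPPRequiredForEnable_BlockSIDFunc_True'
    99  = 'SetPPRequiredForEnable_BlockSIDFunc_False'
    100 = 'SetPPRequiredForDisable_BlockSIDFunc_True'
    101 = 'SetPPRequiredForDisable_BlockSIDFunc_False'
}

function Get-TpmInstance {
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    if (-not $tpm) { throw 'No TPM exposed through Win32_Tpm' }
    return $tpm
}

function Get-TpmPhysicalPresenceState {
    # Pending request = what the firmware should act on at next POST.
    # Last response  = how the firmware answered the previous request
    # (0 means success per the PPI spec; anything else means it refused or
    # never processed it, which is what a "did not prompt" reboot looks like).
    $tpm     = Get-TpmInstance
    $pending = Invoke-CimMethod -InputObject $tpm -MethodName GetPhysicalPresenceRequest
    $last    = Invoke-CimMethod -InputObject $tpm -MethodName GetPhysicalPresenceResponse
    [pscustomobject]@{
        PendingRequest     = $pending.Request
        PendingRequestName = $PpiOps[[int]$pending.Request]
        LastRequest        = $last.Request
        LastRequestName    = $PpiOps[[int]$last.Request]
        LastResponse       = $last.Response
    }
}

function Request-TpmPhysicalPresenceOperation {
    # Queues a PPI operation for the firmware to handle at the next boot.
    # With PP required, the BIOS is expected to pause at POST and ask the
    # user to confirm; the thread reports that this pause is not happening.
    param([Parameter(Mandatory)][int]$Operation)
    if (-not $PpiOps.ContainsKey($Operation)) {
        throw "Operation $Operation is not one of the Block SID PPI operations in this example"
    }
    $tpm = Get-TpmInstance
    $r = Invoke-CimMethod -InputObject $tpm -MethodName SetPhysicalPresenceRequest `
                          -Arguments @{ Request = [uint32]$Operation }
    if ($r.ReturnValue -ne 0) {
        throw ("SetPhysicalPresenceRequest({0}) failed: 0x{1:X8}" -f $Operation, $r.ReturnValue)
    }
    return $r.ReturnValue
}

function Get-BitLockerEncryptionMethod {
    # Distinguishes "Hardware" (the SED is doing the work, what this thread
    # is trying to achieve) from the XTS-AES software modes BitLocker falls
    # back to. Codes assumed from the BitLocker WMI provider documentation.
    param([string]$DriveLetter = 'C:')
    $names = @{
        0 = 'None'; 1 = 'AES128 (diffuser)'; 2 = 'AES256 (diffuser)'
        3 = 'AES128'; 4 = 'AES256'; 5 = 'Hardware'
        6 = 'XTS-AES 128'; 7 = 'XTS-AES 256'
    }
    $vol = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                           -ClassName Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "No encryptable volume found for $DriveLetter" }
    $code = (Invoke-CimMethod -InputObject $vol -MethodName GetEncryptionMethod).EncryptionMethod
    [pscustomobject]@{ Drive = $DriveLetter; Code = $code; Method = $names[[int]$code] }
}

# Typical use while reproducing the thread's steps:
Get-TpmPhysicalPresenceState
Get-BitLockerEncryptionMethod -DriveLetter 'C:'
# To queue the Disable Block SID request the guide describes, then reboot:
#   Request-TpmPhysicalPresenceOperation -Operation 97
```

Run `Get-TpmPhysicalPresenceState` before and after the reboot: if `PendingRequest` is still set and `LastResponse` is non-zero afterwards, the firmware never acted on the request, which separates a firmware-side problem from a drive-side one. Run `Get-BitLockerEncryptionMethod` after the second reboot mentioned earlier in the thread to see whether the volume silently fell back from `Hardware` to an XTS-AES software mode.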