Hi
Why are you so keen to use BL with HW encryption aka eDrive, which has been shown insecure over 5 years ago?
I could not find any information on the net showing that this issue has been resolved - so why do you want an insecure BL installation?
The security flaw in the affected drives was resolved with firmware updates. The flaw wasn’t in the standard, it was in the implementation.
I mean I guess you could always go with LUKS and break the encryption by holding down the enter key.
Ok.
But Microsoft still has it disabled by GPO as standard, which doesn't look reassuring, and getting it to work still seems to be very messy.
T700 and 990 Pro should work, but it's hard to find any reliable info on which drives are working with it.
I would guess the reason that it’s not standard in GPO is because it’s not supported by all drives. Getting it to work requires specific steps, but it’s not very hard. I have it working on the 990 Pro on my GPD Pocket3, and the battery and performance advantages on it over software encryption are quite noticeable.
The issue at hand is that the feature is “supported” in the BIOS, but something is keeping it from functioning properly. I won’t say that using the hardware encryption on the drive is a security panacea or fits everyone’s threat model, but for those of us who understand it and want to use it, it’s frustrating to have the way blocked by bugs.
Ok, thx.
I will probably switch to a ThinkPad T14s as I now do need WWAN during some days, which I did not consider when I ordered my FW - still love the FW though…
Assuming this is going to be an issue with older gen Samsung drives (970, 980) due to it being BIOS related? And other drives that support OPAL and eDrive?
It will probably affect all drives yes. You can try it but don’t get your hopes up. I hope the FW13 AMD will get some love soon with some updates.
For your information, the BIOS version 3.05 for AMD 7040 has not resolved the issue. The Samsung Pro 990 in ‘ready to encrypt’ state still lacks the option to disable block SID in BIOS.
Thank you, this is as helpful as it is disappointing…
The recent update in the framework newsletter stated that they did not have a dedicated team to work on software updates. They apologized for this and explained why it was so. They have also now committed to a dedicated software team which is going to prioritize issues and resolve them as fast as possible. So depending on where we end up on the priority list, probably not very high, we could maybe see some fix in the next months. Hopefully not years…
Thanks for checking, although this is not diagnostic for this issue. Block SID should only be enabled after the encryption has taken place - its function is to prevent changes to the configuration once the secure configuration is in place. This isn’t encouraging, per se, but it’s not indicative the issue isn’t fixed. Block SID can also be enabled from the OS via the CLI even if the BIOS doesn’t expose it.
I also doubt it’s been fixed, based on the release notes, although this touches intriguingly close to the issue:
It’s not the same issue, but tangentially related. Not enough for me to spend the time wiping/reinstalling/testing right now though.
Part of what makes this issue so difficult to troubleshoot and test is that it requires a long series of steps to reproduce and verify. I’ve half a mind to get another 990 Pro to test with.
Well, I did go all the way with enabling encryption with Magician, secure erasure of the drive, checking for the ‘disable block SID’ in the BIOS, and even tried the “Windows to Go” method to disable the block SID via a PowerShell script. I ended up with an encrypted drive that was not bootable until decrypted.
I just assumed there was no chance of getting this working until the “ready to encrypt” drive is visible in the BIOS “secure settings” and has a “disable block SID” option.
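The failure mode described in the posts above (an encrypted drive that turns out not to be bootable, or BitLocker that silently fell back to software AES) is cheapest to catch by verifying what BitLocker actually did before trusting the drive. The following PowerShell is an added example, not a script from the thread or from Framework or Samsung: it reads the hardware-encryption policy values and asks the BitLocker module which encryption method a volume is using. It assumes a Windows machine with the BitLocker PowerShell module, an elevated prompt, and that `Get-BitLockerVolume` reports the value `Hardware` in `EncryptionMethod` for an eDrive/OPAL-backed volume; the registry value names under the FVE policy key are stated from memory of the GPO templates, not taken from the thread, and should be checked against the policy editor on your build.

```powershell
# Added example: verify whether BitLocker on a volume is really using the
# drive's own (eDrive/OPAL) encryption. Not code from the forum thread.
# Assumptions: Windows with the BitLocker module, run as Administrator.
param([string]$MountPoint = 'C:')

function Get-HardwareEncryptionPolicy {
    # Policy values written by "Configure use of hardware-based encryption for
    # operating system drives". Names assumed from the GPO templates; if the key
    # is absent, Windows uses its default, which leaves hardware encryption off.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Configured = $false; OSHardwareEncryption = $null; SoftwareFailover = $null }
    }
    $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Configured           = $true
        OSHardwareEncryption = $v.OSHardwareEncryption              # assumed value name
        SoftwareFailover     = $v.OSAllowSoftwareEncryptionFailover # assumed value name
    }
}

function Test-HardwareBitLocker {
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    # 'Hardware' is the EncryptionMethod BitLocker reports when the SED is doing
    # the work; anything AES/XTS here means it fell back to software encryption.
    $isHw = ($vol.EncryptionMethod -eq 'Hardware')
    [pscustomobject]@{
        MountPoint        = $vol.MountPoint
        VolumeStatus      = $vol.VolumeStatus
        ProtectionStatus  = $vol.ProtectionStatus
        EncryptionMethod  = $vol.EncryptionMethod
        HardwareEncrypted = $isHw
        KeyProtectors     = (($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ',')
    }
}

Write-Host "== Hardware-encryption policy =="
Get-HardwareEncryptionPolicy | Format-List

Write-Host "== BitLocker state for $MountPoint =="
$result = Test-HardwareBitLocker -MountPoint $MountPoint
$result | Format-List

if (-not $result.HardwareEncrypted) {
    Write-Warning ("BitLocker on {0} is using '{1}', not the drive's hardware encryption. " +
                   "The method is fixed when BitLocker is turned on; to switch, decrypt fully, " +
                   "put the drive back into the 'ready to encrypt' state, then enable again.") `
                   -f $result.MountPoint, $result.EncryptionMethod
}

# manage-bde shows the same "Encryption Method" line and is handy from a recovery
# or Windows To Go environment where the module may not be loaded.
manage-bde -status $MountPoint
```

The point of the check is timing: BitLocker decides between hardware and software encryption at the moment it is turned on, so run this immediately after enabling and before rebooting into a configuration you cannot easily undo. If the policy is not configured or the drive was not in the "ready to encrypt" state, you will see an XTS-AES method here rather than `Hardware`, and the battery and performance benefits discussed in the thread are not being delivered.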
Understood. Thanks for testing! I also realize I misread what you said about the Block SID option - disabling it is indeed what you want to do to encrypt the drive, then re-enable it afterwards. My bad.
I’m having the exact same issue with Intel® Core™ Ultra Series 1…
Also with a Samsung 990 PRO, enabled encryption with Samsung Magician and got no option in the BIOS to manage the storage on the security tab so I can’t change the operation mode.
I thought it might still work so I proceeded to encrypt with BitLocker but now I’m stuck with an unbootable drive…
It’s very upsetting as performance is way better with hardware encryption…
Can we get this prioritized, Framework team?
We are many who would like to use hardware encryption but can’t…
Try “Disable Block SID”
Where? If I did find it then I wouldn’t be here to begin with.
I stated in my post that there are no options to be found.
This is precisely why this whole topic exists…
Maybe here (screenshot):
Well like I said I don’t have this menu at all, that’s exactly what I meant.
Ah, understood. That’s a bummer then.
Just caught up with the rest of the thread… damn, quiet since December. “We haven’t tested a 990 Pro or another SSD with hardware encryption”… I wonder how enterprise clients are handling this.