Issues enabling BitLocker hardware encryption (Windows Encrypted Hard Drive) on AMD 7840

Try “Disable Block SID”

Where? If I did find it then I wouldn’t be here to begin with.
I stated in my post that there are no options to be found.
This is precisely why this whole topic exists…

Maybe here (screenshot):

Well like I said I don’t have this menu at all, that’s exactly what I meant.

Ah, understood. That’s a bummer then.

Just caught up with the rest of the thread…damn, quiet since December. "We haven’t tested a 990 Pro or another SSD with hardware encryption"…I wonder how enterprise clients are handling this.

+1 it is disappointing to see this bug lingering for over a year.

While it might not be the most used feature, it should be quite high on the security/privacy scale, and treated as such.

If anyone is curious, the 4.06 BETA BIOS update does not solve the issue for AMD Ryzen 7040 and Samsung 990 Pro (nothing is mentioned in the changelog regarding this issue, so it’s not a surprise).

1 Like

I have the very same issue with Samsung’s 980. My drive is not bootable with hardware encryption enabled. I was using 3.09 BIOS.

@nrp a year and a half ago you said the issue is put on the list to look at. Has it been looked at?

1 Like

It’s been a long wait but we might have something here: Framework Laptop 13 Ryzen 7040 BIOS 3.16 Release BETA - I’m specifically looking at the issue here: Cannot boot from partially locked self-encrypting drives · Issue #42 · FrameworkComputer/SoftwareFirmwareIssueTracker · GitHub

It isn’t the bug they have open that references this thread, but it does appear to be related. It’s worth testing, at any rate, as it involves how the BIOS interacts with drives using OPAL.

I’ll install the BIOS update soon, and I’ll try to test the encryption when I can - although that’s a more time-consuming task because I have to wipe the drive of course.

1 Like

We have a solution for the no-boot issue with hardware encryption on OPAL devices and will begin implementing it across all products.

Here are the validation steps we did with the Samsung 990 Pro:

  1. Prepare the SSD
    1.a To get started, install the SSD and have your Windows 11 Pro installation media ready.
    1.b If the SSD was previously locked, perform a PSID Revert and Secure Erase to clean the drive.

  2. Clean the SSD during the Windows installation process.
    On the Windows installation screen:
    Press Shift + F10 to open Command Prompt.
    Type:
    ->diskpart
    ->list disk
    ->sel disk 0 (select the disk where Windows will be installed, e.g., Samsung 990 Pro)
    ->clean (This will erase all data on the disk)
    Close Command Prompt, refresh the installer, and proceed with Windows installation.

  3. Verify Encrypted Drive Support
    After completing the Windows installation, install Samsung Magician. Once installed, confirm that “Encrypted Drive” is enabled in the drive information. (This requires an internet connection.)

  4. Enable hardware encryption for BitLocker
    ->Open Edit Group Policy (Run gpedit.msc).
    ->Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives
    ->Open “Configure use of hardware-based encryption for operating system drives”.
    ->Set it to Enabled.
    ->(Leave additional options as default; no need to select specific encryption types.)

  5. Encrypt the drive using BitLocker
    Reboot the system.
    In Windows, right-click Local Disk (C:) → select “Turn on BitLocker”.
    Choose a method to unlock the drive (e.g., Microsoft recommended option).
    Save the recovery key to a secure location.
    Complete the BitLocker setup wizard.

  6. Verify encryption progress
    Open Command Prompt as Administrator.
    ->manage-bde -status
    Confirm:
    Encryption Method: Hardware Encryption
    Percentage Encrypted: 0% (initial state).

  7. Reboot and complete encryption
    Restart the system.
    ->Run manage-bde -status again to confirm:
    Encryption Method: Hardware Encryption
    Percentage Encrypted: 100%

  8. Restart the system again to verify that it still boots properly.

4 Likes
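As an added example (not from this thread or from Framework), here is a PowerShell check for the end state that steps 4 to 7 above describe: the group policy is set, the OS volume reports hardware encryption rather than a software fallback, and the `manage-bde -status` lines quoted in the steps agree. It assumes the policy "Configure use of hardware-based encryption for operating system drives" is stored as the DWORD `OSHardwareEncryption` under `HKLM\SOFTWARE\Policies\Microsoft\FVE` (my understanding of the policy-to-registry mapping); the `Encryption Method` / `Percentage Encrypted` line format is taken from the steps above, and the sample text at the bottom is constructed.

```powershell
# Added example: verify BitLocker hardware (OPAL) encryption on the OS drive.
# Run in an elevated PowerShell on the installed Windows 11 Pro system.

function ConvertFrom-ManageBdeStatus {
    # Parses the two lines the steps above check in 'manage-bde -status' output.
    param([Parameter(Mandatory)][string]$Text)
    $method  = if ($Text -match '(?m)^\s*Encryption Method:\s*(.+?)\s*$') { $Matches[1] } else { $null }
    $percent = if ($Text -match '(?m)^\s*Percentage Encrypted:\s*([\d.]+)\s*%') { [double]$Matches[1] } else { $null }
    [pscustomobject]@{
        EncryptionMethod    = $method
        PercentageEncrypted = $percent
        IsHardware          = ($method -eq 'Hardware Encryption')
        IsComplete          = ($percent -eq 100)
    }
}

function Test-OsDriveHardwareBitLocker {
    param([string]$MountPoint = 'C:')

    # 1. Policy from step 4. Assumption: value name OSHardwareEncryption, 1 = Enabled.
    #    Without it BitLocker never asks the drive for OPAL encryption.
    $fve      = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $policyOn = ($null -ne $fve -and $fve.OSHardwareEncryption -eq 1)

    # 2. Live volume state from the BitLocker module. EncryptionMethod is 'Hardware'
    #    for OPAL; XtsAes128/XtsAes256 means BitLocker silently fell back to software.
    $vol      = Get-BitLockerVolume -MountPoint $MountPoint
    $hardware = ($vol.EncryptionMethod -eq 'Hardware')

    # 3. Cross-check against the tool the steps above use.
    $bde = ConvertFrom-ManageBdeStatus -Text ((manage-bde -status $MountPoint) | Out-String)

    [pscustomobject]@{
        PolicyEnabled        = $policyOn
        EncryptionMethod     = $vol.EncryptionMethod
        EncryptionPercentage = $vol.EncryptionPercentage
        ProtectionStatus     = $vol.ProtectionStatus
        HardwareEncryption   = $hardware
        SoftwareFallback     = (-not $hardware -and $vol.VolumeStatus -ne 'FullyDecrypted')
        ManageBdeAgrees      = ($bde.IsHardware -eq $hardware -and $bde.IsComplete)
    }
}

# Constructed sample of the two manage-bde lines, so the parser can be exercised offline.
$sample = @"
    Encryption Method:    Hardware Encryption
    Percentage Encrypted: 100.0%
"@
ConvertFrom-ManageBdeStatus -Text $sample

# Live check on the installed system (elevated prompt):
# Test-OsDriveHardwareBitLocker
```

`SoftwareFallback` is the case worth watching for: with the policy's default options BitLocker uses software encryption when the drive does not present itself as an Encrypted Drive, and the wizard in step 5 completes without telling you, so a `manage-bde -status` showing `XTS-AES 128` after the reboot in step 7 means step 3 (Encrypted Drive enabled in Magician) did not actually take.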

This is awesome, thank you @Quin_Chou!

Also, this is an easy and succinct guide for anyone wanting to use hardware BitLocker.

Please update this thread after you’ve had a chance to try it out on your system.

I’m hoping to try it this weekend. If I have time…

I hear you. I use the laptop almost daily and the last thing I want to do is go through the reinstall, etc. for it to not work…

So… the steps provided by @Quin_Chou did not work. They left the SSD in a weird state where HW bitlocker was enabled, but the drive would not encrypt. I had forgotten about the BLOCK_SID stuff, it’s been too long - I suspect that not toggling that was what got in the way.

Interestingly, even after a BIOS reset, TPM clear, PSID revert, and secure erase, the BLOCK_SID and SSD security management options are still missing from the BIOS. I’m currently building a Windows 2 Go stick to try enabling HW bitlocker with the instructions I’d previously used here: https://blog.odenthal.cc/content/files/2023/04/Hardware-Encryption-on-a-Samsung-980-PRO-SSD-with-Windows-11-using-Bitlocker.pdf - the example SSD is a Samsung 980 but the directions work the same. I know they work too since I’ve used them on two GPD laptops and a Gigabyte TRX40 motherboard.

The Win2Go stick prep takes forever so I’ll report back with results eventually.

OK. It works. The drive is encrypted in hardware, and survives reboots. As expected, the machine is much snappier and runs cooler. I haven’t had time or baseline benchmarks on this machine for battery life but based on my experiences with other machines I expect it’ll help that too.

I’m not a huge fan of having removed BIOS accessibility of BLOCK_SID enable/disablement. Doing it via PowerShell is fine but there’s no confirmation on reboot like there should be - that’s the whole “physical presence” bit.

3 Likes
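As an added example (not from the posts above or from Framework), the following PowerShell inspects the TPM Physical Presence Interface state that the Block SID toggle goes through, so you can see before queuing the request whether the firmware will ask for an on-screen confirmation at the next boot, which is the point the post above raises. The operation numbers 96 (Enable_BlockSIDFunc) and 97 (Disable_BlockSIDFunc) and the meaning of the 0 to 4 confirmation-status codes are my reading of the TCG PC Client Physical Presence Interface specification; the `Win32_Tpm` WMI class and its `GetPhysicalPresenceRequest`, `GetPhysicalPresenceConfirmationStatus` and `SetPhysicalPresenceRequest` methods are the Windows surface for it.

```powershell
# Added example: inspect PPI confirmation behaviour for the Block SID operations,
# and only queue "Disable Block SID" after checking whether a physically present
# user will be asked to confirm. Needs an elevated prompt.
$ns = 'root/cimv2/Security/MicrosoftTpm'

function Get-BlockSidPpiState {
    $tpm = Get-CimInstance -Namespace $ns -ClassName Win32_Tpm
    if (-not $tpm) { throw 'No TPM exposed via Win32_Tpm.' }

    # ConfirmationStatus codes (my reading of the PPI spec): 0 = not implemented,
    # 1 = BIOS only, 2 = blocked by BIOS configuration, 3 = allowed and a physically
    # present user must confirm, 4 = allowed with no confirmation at all.
    $names = @{ 0 = 'NotImplemented'; 1 = 'BiosOnly'; 2 = 'BlockedByBios'
                3 = 'AllowedNeedsConfirmation'; 4 = 'AllowedNoConfirmation' }

    # Whatever request is already queued for the next boot (0 = none).
    $pending = (Invoke-CimMethod -InputObject $tpm -MethodName GetPhysicalPresenceRequest).Request

    foreach ($op in 96, 97) {
        $r = Invoke-CimMethod -InputObject $tpm -MethodName GetPhysicalPresenceConfirmationStatus `
                              -Arguments @{ Operation = [uint32]$op }
        [pscustomobject]@{
            Operation          = $op
            Name               = if ($op -eq 96) { 'Enable_BlockSIDFunc' } else { 'Disable_BlockSIDFunc' }
            ConfirmationStatus = $names[[int]$r.ConfirmationStatus]
            PendingRequest     = ($pending -eq $op)
        }
    }
}

function Request-DisableBlockSid {
    # Queues PPI operation 97; the firmware applies it during the next boot.
    # Status 4 means the firmware will not prompt, so the request is refused
    # unless the caller explicitly accepts that with -Force.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Force)

    $state = Get-BlockSidPpiState | Where-Object Operation -eq 97
    if ($state.ConfirmationStatus -eq 'AllowedNoConfirmation' -and -not $Force) {
        throw 'Firmware would apply Disable Block SID at next boot without an on-screen confirmation; rerun with -Force to accept that.'
    }
    if ($state.ConfirmationStatus -in 'NotImplemented', 'BiosOnly', 'BlockedByBios') {
        throw "Firmware does not allow operation 97 from the OS (status: $($state.ConfirmationStatus))."
    }
    if ($PSCmdlet.ShouldProcess('TPM', 'Queue PPI operation 97 (Disable_BlockSIDFunc) for next boot')) {
        $tpm = Get-CimInstance -Namespace $ns -ClassName Win32_Tpm
        (Invoke-CimMethod -InputObject $tpm -MethodName SetPhysicalPresenceRequest `
                          -Arguments @{ Request = [uint32]97 }).ReturnValue   # 0 = request accepted
    }
}

Get-BlockSidPpiState | Format-Table -AutoSize
# To actually queue it after reviewing the table:  Request-DisableBlockSid -WhatIf   (then without -WhatIf)
```

Reading the table first is the useful part: `AllowedNeedsConfirmation` for operation 97 means the firmware still honours physical presence and will show the prompt the poster expected; `AllowedNoConfirmation` means anything running as admin can flip Block SID with a reboot, which is the reduced protection the post is objecting to. Block SID is what stops a later OS from taking OPAL ownership of the drive with the default SID credential, so once hardware encryption is set up it is worth re-enabling (operation 96) rather than leaving it disabled.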

Thank you so much for taking the time to try for all of us!

What does “will begin implementing it across all products” mean in @Quin_Chou‘s message? Is it ready for me to reproduce if I just use the latest BIOS 3.09?

I suspect “implementing it across all products” means adding the fix to all Framework models’ BIOS. This issue was present in the 12th gen Intel (that I was able to reproduce) and apparently the others had the same issue as well.

3.09 does not have the fix. 3.16 (for the 7040 series 13” AMD) has the fix.

EDIT: for weird phrasing I noticed much later