Win10Pro, SSD hardware encryption. How do I enable it?

[slowmail]

I recently received an X270, with Win10Pro, Hardware dTPM, and 1TB Solid State Drive, PCIe-NVMe OPAL2.0.

Is it possible to enable bitlocker on the boot drive with hardware encryption? If so, how do I enable it? I have been trying to, but it seems to only use software encryption...
(am able to reformat the laptop if required...)

[w0qj]

There was a similar discussion regarding hardware encrypted SSD and OPAL encryption here:
viewtopic.php?f=62&t=123463

We note that your SSD is an original OEM OPAL 2.0 compliant SSD and using Win10 Professional 64-bit,
which in theory should support hardware encrypted SSD.

Anyone else able to help?

[Puppy]

Note that all modern SSDs use hardware encryption by default with random generated stored key you don't know about. This helps to erase the drive easily just by rewriting the key by another random one. Using good old SATA HDD password feature in BIOS you can protect the key that makes overall good and easy security option. More technical details here https://jbeekman.nl/blog/2015/03/lenovo ... -password/

[RealBlackStuff]

Someone should maybe ask the above jbeekman to figure out how to remove the obnoxious wifi whitelist!

[slowmail]

Thanks for the replies.

I spent a day trawling the net, and arrived at the following conclusion: Win10Pro Bitlocker is not able to use hardware encryption with this drive.

For Bitlocker to use hardware encryption, the drive needs to support IEEE-1667 (aka 'edrive').
The Samsung PM961 drive that comes with this laptop does not appear to support this standard.

To use hardware encryption with this drive, some other software is required (eg: WinMagic's SecureDoc, sedutil, or similar.).

Also, Samsung's Magician software, which is used to enable the 'encrypted drive' flag in Samsung SSDs "does not support an OEM SSD product". (source).

[lanovo]

Bitlocker is software encryption. It is possible to enable both software and hardware encryption in principle. However it is an unnecessary and pointless redundancy. The hardware "decryption" using a passphrase is done preboot. The reason why Bitlocker fails is probably only because of an alteration in the SSD's hardware ID.