Hardware Encryption (eDrive) on Maximus X Hero 1003 and Evo 960 anybody?

KeksimusMaximus
Level 8
Has anybody successfully enabled hardware encryption on Maximus X Hero BIOS 1003 using a Samsung EVO 960 as the OS boot drive (encrypted drive)?

I've been fighting with it for several days already and everything I do fails. There are a few conditions to meet:
- System needs to be Windows 8/10 Pro
- Windows needs to be in UEFI mode
- eDrive compliant SSD
- SATA ports in AHCI mode (no RAID)
- BIOS needs to run UEFI version 2.3.1 with EFI_STORAGE_SECURITY_COMMAND_PROTOCOL enabled (sent mail to customer support, waiting for reply)


This is the guide I followed: http://www.ckode.dk/desktop-machines/how-to-enable-windows-edrive-encryption-for-ssds/ but the steps are pretty much the same in various places:

1. Have the OS on a different physical disk than the EVO 960
2. Have the drive in an uninitialised state (diskpart clean)
3. Install Samsung Magician, in Data Security switch "Encrypted drive" to "ready to enable"
4. In Secure Erase create the bootable tool
5. Reboot the PC, launch Secure Erase
6. After the secure erase, reboot the PC and go straight to the BIOS, set the BIOS to UEFI boot only, enable Secure Boot, load default keys, set to Windows UEFI, disable CSM (compatibility mode)
7. Reboot the PC and start the Windows install in UEFI mode
8. When the install is done, enable BitLocker for non-TPM systems (gpedit.msc), verify that the system is in UEFI mode (msinfo32)
9. Attempt to enable drive encryption with BitLocker

And this is where the issue happens: every time I redo every step on the list (including a PSID reset, so every time I begin, drive encryption is disabled and I switch it to "ready to enable") BitLocker like a stubborn idiot offers me only software encryption (the dreaded screen where it asks whether I want to encrypt the whole drive or just the used space).

For ****s and giggles I tried to enable hardware encryption when my EVO was used as a storage drive... and it worked. The problems begin when the drive is used as the OS drive.

Anybody got experience with this?
Dargus Maximus
~Explorer ~Engineer ~Guide
My Youtube channel - PC modding, streaming, gaming
11,956 Views
28 REPLIES
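The checklist and the procedure in the opening post are all things you can verify from inside Windows before and after the attempt, and doing so tells you which precondition BitLocker tripped over instead of leaving you with the "whole drive or used space" screen. The script below is an added example, not code from the thread or from ASUS/Samsung: it reports UEFI and Secure Boot state, the edition, TPM presence, the BitLocker group policy values that govern "no compatible TPM" and hardware encryption, and then parses the same `manage-bde -status` output a later reply uses to confirm which encryption method was actually chosen. The registry value names under the FVE policy key are the ones the BitLocker policy templates write; the pass/fail interpretation encodes the thread's checklist and is my assumption, not a Microsoft specification.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): eDrive precondition check plus
# after-the-fact verification of whether BitLocker used hardware encryption.

function Test-EDriveReadiness {
    $result = [ordered]@{}

    # 1. Windows must be booted in UEFI mode (the OP confirms this in msinfo32).
    #    $env:firmware_type is "UEFI" or "Legacy" on Windows 8 and later.
    $result.UefiBoot = ($env:firmware_type -eq 'UEFI')

    # 2. Secure Boot state; Confirm-SecureBootUEFI throws on a legacy-BIOS boot.
    try   { $result.SecureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $result.SecureBoot = $false }

    # 3. Edition: BitLocker (and therefore eDrive) is not available on Home editions.
    $os = Get-CimInstance Win32_OperatingSystem
    $result.Edition = $os.Caption
    $result.BitLockerCapable = ($os.Caption -notmatch 'Home')

    # 4. TPM presence, informational only: the thread establishes that eDrive
    #    works without one once the "no compatible TPM" policy is set.
    try   { $tpm = Get-Tpm; $result.TpmPresent = $tpm.TpmPresent; $result.TpmReady = $tpm.TpmReady }
    catch { $result.TpmPresent = $false; $result.TpmReady = $false }

    # 5. Group policy values BitLocker reads from HKLM\SOFTWARE\Policies\Microsoft\FVE.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $pol = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    #    "Require additional authentication at startup" with
    #    "Allow BitLocker without a compatible TPM" ticked (the gpedit step in the OP).
    $result.AllowNoTpm = ($pol.UseAdvancedStartup -eq 1 -and $pol.EnableBDEWithNoTPM -eq 1)
    #    "Configure use of hardware-based encryption for operating system drives".
    $result.OsHardwareEncryptionPolicy = $pol.OSHardwareEncryption
    #    When software fallback is allowed, BitLocker silently uses software encryption
    #    instead of refusing, which hides why eDrive was rejected. Set it to 0 while testing
    #    so a failure is reported rather than papered over (assumption: you want to diagnose).
    $result.SoftwareFallbackAllowed = ($pol.OSAllowSoftwareEncryptionFailover -ne 0)

    [pscustomobject]$result
}

function Get-OsDriveEncryptionKind {
    # Parses "manage-bde -status" for the system drive; a hardware-encrypted (eDrive)
    # volume reports an "Encryption Method" line containing "Hardware Encryption".
    $status = (& manage-bde.exe -status $env:SystemDrive) -join "`n"
    if ($status -match 'Encryption Method:\s*(.+)') {
        $method = $Matches[1].Trim()
        if ($method -match 'Hardware') { return "hardware ($method)" }
        return "software ($method)"
    }
    return 'not encrypted or unknown'
}

Test-EDriveReadiness | Format-List
"OS drive encryption: $(Get-OsDriveEncryptionKind)"
```

Run it once before starting the Windows install from the secondary OS (everything except the last line is meaningful there) and again after the BitLocker attempt. A `software (...)` result with `SoftwareFallbackAllowed` true is exactly the silent fallback the opening post describes; disabling the fallback turns it into an explicit error that names the failed check. One caveat worth knowing when relying on the drive's own encryption: Microsoft later changed BitLocker's default to software encryption after independent researchers found implementation flaws in the hardware encryption of several consumer SEDs, so treat eDrive as a performance feature and verify the drive's firmware status rather than assuming hardware encryption is automatically the stronger choice.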

Korth
Level 14
I believe you cannot enable hardware encryption on Windows BitLocker because you do not have any crypto hardware installed.

You need a 14-1 pin Trusted Platform Module (TPM), as specified on page 1-26 of the mobo user manual.
Once installed, it will be detected by the firmware and present new options on the user BIOS.

These are made by a variety of manufacturers. And they're more than just security "tokens", RAS-128 PRNGs, or cypher/password tables ... they're active cryptologic circuits with their own onboard processing and memories.
ASUS happens to sell the best consumer model available, the most recent Infineon part with a pretty black PCB which doesn't clash with ROG mobos:
https://www.amazon.com/Asus-TPM-M-R2-0-14-1-Module/dp/B01DQQLH74
https://www.amazon.ca/ASUS-TPM-M-R2-0-14-1-Module/dp/B01DQQLH74



(While crypto modules are legally unrestricted "over the counter" stuff listed in many vendor inventories, I have learned that in reality they can be sort of difficult for consumers to obtain in Canada. You can still get one if you're persistent, but they're always "backordered" or "out of stock" or subject to other costs and delays which make actually procuring one a bit of a hassle ... I suspect our border agents are apprehensive about letting Canadian citizens have better crypto than Canadian government has, lol. I basically gave up on the stupid time-wasting games and obtained Supermicro TPMs through enterprise channels, better crypto perhaps, but alas they have ugly cheap industrial generic green PCBs.)
"All opinions are not equal. Some are a very great deal more robust, sophisticated and well supported in logic and argument than others." - Douglas Adams

[/Korth]

I have the same problem with a 960 pro. The short answer is that for NVME boot drives it doesn't work because of limitations in the BIOS.

See this thread:
https://us.community.samsung.com/t5/Memory-Storage/HOW-TO-MANAGE-ENCRYPTION-OF-960-PRO/td-p/66475

Apparently Samsung has tested a fix with a BIOS manufacturer and it works, but now OEMs like Asus need to incorporate it.

So.... ASUS - if you are listening please update!

EDIT - You don't need TPM to enable bitlocker hardware e-drive. There is a group policy setting that you can change to enable it. I had e-drive hardware encryption functioning on a Samsung 950 SATA without a TPM.

Korth wrote:
I believe you cannot enable hardware encryption on Windows BitLocker because you do not have any crypto hardware installed.

You need a 14-1 pin Trusted Platform Module (TPM), as specified on page 1-26 of the [URL="http://dlcdnet.asus.com/pub/ASUS/mb/LGA1151


Some motherboards have an integrated TPM (and an empty TPM module connector as well). ASUS calls this "Firmware TPM" on the Z370 Prime-A (the name might vary with brands and boards). It probably has some inconvenient limitations compared to a dedicated hardware module (like the inability to move or clone it to a new motherboard in case you have to return the board for warranty repair or just want to move to a new gen --- maybe even a simple firmware upgrade could reset it, so it's mandatory to keep an external backup and carefully plan your upgrades...).

So, since the encryption could be virtually free (hardware acceleration in the SSD controller and an integrated TPM on the motherboard) it could be a pretty nice feature.

Korth wrote:
I believe you cannot enable hardware encryption on Windows BitLocker because you do not have any crypto hardware installed.

You need a 14-1 pin Trusted Platform Module (TPM), as specified on page 1-26 of the mobo user manual.
Once installed, it will be detected by the firmware and present new options on the user BIOS.

These are made by a variety of manufacturers. And they're more than just security "tokens", RAS-128 PRNGs, or cypher/password tables ... they're active cryptologic circuits with their own onboard processing and memories.
ASUS happens to sell the best consumer model available, the most recent Infineon part with a pretty black PCB which doesn't clash with ROG mobos:
https://www.amazon.com/Asus-TPM-M-R2-0-14-1-Module/dp/B01DQQLH74
https://www.amazon.ca/ASUS-TPM-M-R2-0-14-1-Module/dp/B01DQQLH74



(While crypto modules are legally unrestricted "over the counter" stuff listed in many vendor inventories, I have learned that in reality they can be sort of difficult for consumers to obtain in Canada. You can still get one if you're persistent, but they're always "backordered" or "out of stock" or subject to other costs and delays which make actually procuring one a bit of a hassle ... I suspect our border agents are apprehensive about letting Canadian citizens have better crypto than Canadian government has, lol. I basically gave up on the stupid time-wasting games and obtained Supermicro TPMs through enterprise channels, better crypto perhaps, but alas they have ugly cheap industrial generic green PCBs.)


The 8700 chipset has an integrated TPM. No need for an external chip. You just need to enable it in the BIOS.

ROG Hero XIII | 10900k @5.2 GHz | g.skill 2x32GB 4200 CL18 | ROG Strix 2070S | EK Nucleus 360 Dark | 6TB SSD/nvme, 16TB external HDD | 2x 1440p | Vanatoo speakers with Klipsch sub | Fractal Meshify 2 case

Outontheporch
Level 7
Bumping this to the top as I'd like to get an answer from Asus as to whether they are aware of this issue and/or whether they are working with Samsung on it. I see there is a new Hero Bios and I'm wondering if that fixed the problem.

Korth
Level 14
Yes, Windows BitLocker can encrypt data without a TPM. But it's software crypto, not hardware crypto. It's not as secure.

The TPM is not just a passive hardware token which stores crypto keys and passwords ... it also has active "black box" cryptocircuitry (and confidential anti-tampering self-destruct mechanisms) and it's married to one specific platform (motherboard, BIOS, etc). BitLocker crypto involving a TPM cannot be decrypted on any other hardware or motherboard or TPM, the drive cannot be installed/copied to another machine for brute-forcing because part of the crypto algorithm runs in the TPM itself. BitLocker crypto lacking a TPM can be copied/moved to any other (or any number of) machines for brute-force decryption.

That being said, BitLocker's software crypto is secure enough for pretty much anyone who isn't a tinfoil-hat enemy of the state, lol. And BitLocker welded shut with a TPM padlock can be critically problematic if the motherboard or TPM happens to die, there's no way to migrate or recover the data (by design!) if the original machine no longer works.
"All opinions are not equal. Some are a very great deal more robust, sophisticated and well supported in logic and argument than others." - Douglas Adams

[/Korth]

Korth wrote:
Yes, Windows BitLocker can encrypt data without a TPM. But it's software crypto, not hardware crypto. It's not as secure.

The TPM is not just a passive hardware token which stores crypto keys and passwords ... it also has active "black box" cryptocircuitry (and confidential anti-tampering self-destruct mechanisms) and it's married to one specific platform (motherboard, BIOS, etc). BitLocker crypto involving a TPM cannot be decrypted on any other hardware or motherboard or TPM, the drive cannot be installed/copied to another machine for brute-forcing because part of the crypto algorithm runs in the TPM itself. BitLocker crypto lacking a TPM can be copied/moved to any other (or any number of) machines for brute-force decryption.

That being said, BitLocker's software crypto is secure enough for pretty much anyone who isn't a tinfoil-hat enemy of the state, lol. And BitLocker welded shut with a TPM padlock can be critically problematic if the motherboard or TPM happens to die, there's no way to migrate or recover the data (by design!) if the original machine no longer works.


The Samsung is what is called a Self Encrypting Drive (SED). https://www.computerweekly.com/feature/Self-encrypting-drives-SED-the-best-kept-secret-in-hard-drive...

The encryption/decryption on a self-encrypting drive (SED) happens in the drive controller itself. It does not use a TPM to do the encryption. Indeed, a SED controller is ALWAYS encrypting the data whether you've enabled the SED features or not. When you haven't enabled the SED features, the key to encrypt/decrypt the drive is not secured. By utilizing BitLocker, BitLocker simply encrypts this key. When you have a TPM, the key to encrypt this key is stored on the TPM - and as you say, locked to the platform. At boot time, the key is retrieved from the TPM. When you don't have a TPM, you can encrypt this key with a PIN or password instead. BitLocker has a special bootloader that asks for this password or PIN and uses it to unlock the SED's key, which it then uses to boot as normal.

Thus, a TPM is not required for utilizing hardware based encryption on a SED (such as the Samsung 960).

I speak from experience here. In my last computer, which was an asus z97-a with a 4790k, I did not have a TPM chip and yet encrypted my samsung 850 using hardware encryption with bitlocker. This was verified in two ways. First, because it was hardware based, it was INSTANT. When using software encryption it can take hours to complete. Second, I verified with the command line option "manage-bde -status" that it was hardware encryption. I also know I didn't have a TPM because bitlocker initially doesn't work without a TPM unless you change a group policy setting to get it to work.

There is currently a debate about whether TPM is actually more secure or not.
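The key hierarchy described in the post above (the drive's media key always encrypting, with "enabling" protection only changing how that key is wrapped) is easier to see in code. The script below is an added toy model, not code from the thread, from Samsung or from Microsoft: it uses .NET's AES and PBKDF2 classes from PowerShell to show the three states, an unprotected drive whose DEK sits in the clear, a PIN-protected drive whose DEK is wrapped by a key derived from the pre-boot PIN, and (by substitution) a TPM-protected drive whose wrapping key is released only on the original platform. Real SEDs and BitLocker use their own key formats, algorithms and modes; only the structure is modelled, and all key material and sample data here is constructed.

```powershell
# Added example (not from the thread): a toy model of the SED / BitLocker key hierarchy.
# DEK = data encryption key held by the drive controller; KEK = key-encrypting key that
# BitLocker derives from the PIN (or asks the TPM to release).

function New-RandomBytes([int]$Count) {
    $b = New-Object byte[] $Count
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($b)
    return $b
}

function Invoke-AesCbc([byte[]]$Key, [byte[]]$Iv, [byte[]]$Data, [bool]$Encrypt) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key; $aes.IV = $Iv
    $aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $xf = if ($Encrypt) { $aes.CreateEncryptor() } else { $aes.CreateDecryptor() }
    try { return $xf.TransformFinalBlock($Data, 0, $Data.Length) }
    finally { $xf.Dispose(); $aes.Dispose() }
}

# "Factory" state: the controller generates a DEK and encrypts every sector with it,
# whether or not the user ever turns on any protection.
$dek = New-RandomBytes 32
$sectorIv = New-RandomBytes 16
$plaintextSector = [System.Text.Encoding]::UTF8.GetBytes('user data on disk (constructed sample)')
$cipherSector = Invoke-AesCbc $dek $sectorIv $plaintextSector $true

# Unprotected drive: the DEK is stored in the clear in the drive's key store, so
# anyone who can read that store can decrypt the sectors. "The key is not secured."
$keyStore = @{ WrappedDek = $dek; Wrapped = $false }

# Enabling eDrive without a TPM: BitLocker derives a KEK from the pre-boot PIN with a
# salted, iterated KDF and stores only the wrapped DEK. The sectors are untouched.
function Protect-DekWithPin([byte[]]$Dek, [string]$Pin) {
    $salt = New-RandomBytes 16
    $kdf  = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Pin, $salt, 200000)
    $kek  = $kdf.GetBytes(32)
    $iv   = New-RandomBytes 16
    return @{ WrappedDek = (Invoke-AesCbc $kek $iv $Dek $true); Salt = $salt; Iv = $iv; Wrapped = $true }
}

function Unprotect-DekWithPin($Store, [string]$Pin) {
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Pin, $Store.Salt, 200000)
    $kek = $kdf.GetBytes(32)
    # A wrong PIN yields garbage or a padding error, never the DEK.
    return Invoke-AesCbc $kek $Store.Iv $Store.WrappedDek $false
}

$keyStore = Protect-DekWithPin $dek '1234-5678'   # constructed PIN

# Boot: the pre-boot loader asks for the PIN, unwraps the DEK, hands it to the drive, and
# the controller decrypts sectors as it always did. Replace the PIN-derived KEK with a key
# unsealed by the TPM and you have the TPM variant: the wrap can then only be undone on
# the platform whose measurements match, which is the "married to the motherboard" property.
$recoveredDek = Unprotect-DekWithPin $keyStore '1234-5678'
$recovered = [System.Text.Encoding]::UTF8.GetString((Invoke-AesCbc $recoveredDek $sectorIv $cipherSector $false))
$same = ([Convert]::ToBase64String($recoveredDek) -eq [Convert]::ToBase64String($dek))
"DEK recovered intact: $same; sector plaintext: $recovered"
```

The point the model makes is the one the post makes: switching from unprotected to PIN- or TPM-protected never re-encrypts the data, which is why enabling eDrive is instant while software BitLocker has to rewrite every sector. It also shows where the two protector types differ in threat model: with a PIN the wrapped DEK can be copied off and attacked offline by guessing PINs (hence the slow KDF), whereas with a TPM the unwrapping step is tied to the platform and an offline copy of the key store alone is not enough.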

Outontheporch wrote:
There is currently a debate about whether TPM is actually more secure or not.


I'm inclined to think TPM crypto is inherently more secure than non-TPM crypto. TPMs have been hacked and circumvented before - very few times, by very skilled and stubbornly persistent experts (like this one) - but I think it's reasonable to say such attacks are not practical for experts and are thoroughly impossible for non-experts. Active cryptologic onboard the TPM means the crypto algorithm is unknown (and proprietary), so the question of whether TPMs are more secure really boils down to being a question of whether the proprietary crypto scheme/code is intrinsically stronger/weaker than official (and well-known, well-documented, proven) RSA/AES standards.

There are of course many kinds of TPMs, and most are designed for specific enterprise applications. Consumer TPMs are generic, which might make them less secure in specific instances. They are also "uncontrolled" - anyone can buy one, anyone can use one - whereas enterprise TPMs have more rigidly controlled and audited distribution channels which restricts their use within their intended application. Analyzing and defeating crypto is far more difficult when you have limited sets of data/samples to work with.
"All opinions are not equal. Some are a very great deal more robust, sophisticated and well supported in logic and argument than others." - Douglas Adams

[/Korth]

KeksimusMaximus
Level 8
Maximus X Hero BIOS 1013 is out, has anyone tested if something was fixed? Especially this issue https://us.community.samsung.com/t5/Memory-Storage/HOW-TO-MANAGE-ENCRYPTION-OF-960-PRO/td-p/66475

How f***** difficult is it for ASUS to actually post a full BIOS changelog??
Dargus Maximus
~Explorer ~Engineer ~Guide
My Youtube channel - PC modding, streaming, gaming