  1. #1
    KeksimusMaximus (ROG Guru: White Belt)
    PC Specs:
    Motherboard: Asus ROG Maximus X Hero
    Processor: i7-8700k
    Memory (part number): G.Skill Trident Z RGB 3200MHz 2x8GB
    Graphics Card #1: EVGA GTX1080Ti FTW3
    Monitor: Dell s2718dg A04
    Storage #1: Crucial MX100 128GB
    Storage #2: WD Black 500GB
    CPU Cooler: NZXT Kraken X62
    Case: NZXT S340 Elite
    Power Supply: Seasonic Prime Gold 650
    Keyboard: CoolerMaster Masterkeys L White
    Mouse: Tracer Pert TRM-503
    Headset: HyperX Cloud I
    OS: Windows 10 Pro
    Join Date: Oct 2017
    Reputation: 10
    Posts: 104

    Hardware Encryption (eDrive) on Maximus X Hero 1003 and Evo 960 anybody?

    Has anybody successfully enabled hardware encryption on the Maximus X Hero 1003 BIOS using a Samsung EVO 960 as the OS boot drive (encrypted drive)?

    I've been fighting with it for several days already and everything I do fails. There are a few conditions to meet:
    - System needs to be Windows 8/10 Pro
    - Windows needs to be in UEFI mode
    - eDrive compliant SSD
    - SATA ports in AHCI mode (no RAID)
    - BIOS needs to run UEFI version 2.3.1 with EFI_STORAGE_SECURITY_COMMAND_PROTOCOL enabled (sent mail to customer support, waiting for reply)


    This is the guide I followed: http://www.ckode.dk/desktop-machines...tion-for-ssds/ but the steps are pretty much the same in various places:

    1. Have the OS on a physical disk other than the EVO 960
    2. Have the drive in an uninitialised state (diskpart clean)
    3. Install Samsung Magician, in data security switch "Encrypted drive" to "ready to enable"
    4. In Secure Erase create the bootable tool
    5. Reboot the PC, launch Secure Erase
    6. After secure erase, reboot the PC and go straight to the BIOS, set the BIOS to UEFI boot only, enable secure boot, load default keys, set to Windows UEFI, disable CSM (compatibility mode)
    7. Reboot the PC and start the Windows install in UEFI mode
    8. When the install is done, enable BitLocker for non-TPM systems (gpedit.msc), verify that the system is in UEFI mode (msinfo32)
    9. Attempt to enable drive encryption with BitLocker

    And this is where the issue happens. Every time I redo every step on the list (including a PSID reset, so every time I begin, drive encryption is disabled and I switch it to "ready to enable"), BitLocker like a stubborn idiot offers me only software encryption (the dreaded screen where it asks whether I want to encrypt the whole drive or just the used space).

    For ****s and giggles I tried to enable hardware encryption when my EVO was used as a storage drive... and it worked. The problems begin when the drive is used as the OS drive.

    Anybody got experience with this?
    Dargus Maximus
    ~Explorer ~Engineer ~Guide
    My Youtube channel - PC modding, streaming, gaming

  2. #2
    Korth (ROG Guru: Black Belt)
    PC Specs:
    Motherboard: ASUS X99 R5E (BIOS2101/1902)
    Processor: Haswell-EP E5-1680-3 SR20H/R2 (4.4GHz)
    Memory (part number): Vengeance LPX 4x8GB SS DDR4-3000 (CMK32GX4M4C3000C15)
    Graphics Card #1: NVIDIA Quadro GP100GL/16GB, 16xPCIe3, NVLink1 (SLI-HB)
    Graphics Card #2: NVIDIA Quadro GP100GL/16GB, 16xPCIe3, NVLink1 (SLI-HB)
    Sound Card: JDS Labs O2+ODAC (RevB), USB2 UAC1
    Monitor: ASUS PG278Q
    Storage #1: Samsung 850 PRO 512GB SSDs, 4xSATA3 RAID0
    Storage #2: Comay BladeDrive E28 3200GB SSD, 8xPCIe2
    CPU Cooler: Raijintek NEMESIS/TISIS, AS5, 2xNH-A14
    Case: Obsidian 750D (original), 6xNH-A14
    Power Supply: Zalman/FSP ZM1250 Platinum
    Headset: Pilot P51 PTT *modded*
    OS: Arch, Gentoo, Win7x64, Win10x64
    Network Router: Actiontec T3200M VDSL2 Gateway
    Accessory #1: TP-Link AC1900 Archer T9E, 1xPCIe
    Accessory #2: ASUS/Infineon SLB9635 TPM (TT1.2/FW3.19)
    Accessory #3: ASUS OC Panel I (FW0501)
    Join Date: Mar 2015
    Reputation: 152
    Posts: 2,719

    I believe you cannot enable hardware encryption on Windows BitLocker because you do not have any crypto hardware installed.

    You need a 14-1 pin Trusted Platform Module (TPM), as specified on page 1-26 of the mobo user manual.
    Once installed, it will be detected by the firmware and present new options on the user BIOS.

    These are made by a variety of manufacturers. And they're more than just security "tokens", RAS-128 PRNGs, or cypher/password tables ... they're active cryptologic circuits with their own onboard processing and memories.
    ASUS happens to sell the best consumer model available, the most recent Infineon part with a pretty black PCB which doesn't clash with ROG mobos:
    https://www.amazon.com/Asus-TPM-M-R2.../dp/B01DQQLH74
    https://www.amazon.ca/ASUS-TPM-M-R2-.../dp/B01DQQLH74



    (While crypto modules are legally unrestricted "over the counter" stuff listed in many vendor inventories, I have learned that in reality they can be sort of difficult for consumers to obtain in Canada. You can still get one if you're persistent, but they're always "backordered" or "out of stock" or subject to other costs and delays which make actually procuring one a bit of a hassle ... I suspect our border agents are apprehensive about letting Canadian citizens have better crypto than Canadian government has, lol. I basically gave up on the stupid time-wasting games and obtained Supermicro TPMs through enterprise channels, better crypto perhaps, but alas they have ugly cheap industrial generic green PCBs.)
    Last edited by Korth; 04-03-2018 at 02:38 AM.
    "All opinions are not equal. Some are a very great deal more robust, sophisticated and well supported in logic and argument than others." - Douglas Adams

    [/Korth]

  3. #3
    ROG Member
    Join Date: Nov 2017
    Reputation: 10
    Posts: 18

    Asus needs to update the Bios

    I have the same problem with a 960 pro. The short answer is that for NVME boot drives it doesn't work because of limitations in the BIOS.

    See this thread:
    https://us.community.samsung.com/t5/...PRO/td-p/66475

    Apparently Samsung has tested a fix with a BIOS manufacturer and it works, but now OEMs like Asus need to incorporate it.

    So.... ASUS - if you are listening please update!

    EDIT - You don't need TPM to enable bitlocker hardware e-drive. There is a group policy setting that you can change to enable it. I had e-drive hardware encryption functioning on a Samsung 950 SATA without a TPM.
    Last edited by Outontheporch; 04-13-2018 at 09:39 PM.

  4. #4
    ROG Member
    Join Date: Nov 2017
    Reputation: 10
    Posts: 18

    Bumping this to the top as I'd like to get an answer from Asus as to whether they are aware of this issue and/or whether they are working with Samsung on it. I see there is a new Hero Bios and I'm wondering if that fixed the problem.

  5. #5
    Korth (ROG Guru: Black Belt)

    Yes, Windows BitLocker can encrypt data without a TPM. But it's software crypto, not hardware crypto. It's not as secure.

    The TPM is not just a passive hardware token which stores crypto keys and passwords ... it also has active "black box" cryptocircuitry (and confidential anti-tampering self-destruct mechanisms) and it's married to one specific platform (motherboard, BIOS, etc). BitLocker crypto involving a TPM cannot be decrypted on any other hardware or motherboard or TPM, the drive cannot be installed/copied to another machine for brute-forcing because part of the crypto algorithm runs in the TPM itself. BitLocker crypto lacking a TPM can be copied/moved to any other (or any number of) machines for brute-force decryption.

    That being said, BitLocker's software crypto is secure enough for pretty much anyone who isn't a tinfoil-hat enemy of the state, lol. And BitLocker welded shut with a TPM padlock can be critically problematic if the motherboard or TPM happens to die, there's no way to migrate or recover the data (by design!) if the original machine no longer works.

  6. #6
    ROG Member
    Join Date: Nov 2017
    Reputation: 10
    Posts: 18

    Quote, originally posted by Korth:
        Yes, Windows BitLocker can encrypt data without a TPM. But it's software crypto, not hardware crypto. It's not as secure.

        The TPM is not just a passive hardware token which stores crypto keys and passwords ... it also has active "black box" cryptocircuitry (and confidential anti-tampering self-destruct mechanisms) and it's married to one specific platform (motherboard, BIOS, etc). BitLocker crypto involving a TPM cannot be decrypted on any other hardware or motherboard or TPM, the drive cannot be installed/copied to another machine for brute-forcing because part of the crypto algorithm runs in the TPM itself. BitLocker crypto lacking a TPM can be copied/moved to any other (or any number of) machines for brute-force decryption.

        That being said, BitLocker's software crypto is secure enough for pretty much anyone who isn't a tinfoil-hat enemy of the state, lol. And BitLocker welded shut with a TPM padlock can be critically problematic if the motherboard or TPM happens to die, there's no way to migrate or recover the data (by design!) if the original machine no longer works.

    The Samsung is what is called a Self Encrypting Drive (SED). https://www.computerweekly.com/featu...ption-security

    The encryption/decryption on a self-encrypting drive (SED) happens in the drive controller itself. It does not use a TPM to do the encryption. Indeed, a SED controller is ALWAYS encrypting the data whether you've enabled the SED features or not. When you haven't enabled the SED features, the key to encrypt/decrypt the drive is not secured. By utilizing BitLocker, BitLocker simply encrypts this key. When you have a TPM, the key to encrypt this key is stored on the TPM - and as you say, locked to the platform. At boot time, the key is retrieved from the TPM. When you don't have a TPM, you can encrypt this key with a PIN or password instead. BitLocker has a special bootloader that loads and asks for this password or PIN and uses it to unlock the SED's key, which it then uses to boot as normal.

    Thus, a TPM is not required for utilizing hardware based encryption on a SED (such as the Samsung 960).

    I speak from experience here. In my last computer, which was an Asus Z97-A with a 4790k, I did not have a TPM chip and yet encrypted my Samsung 850 using hardware encryption with BitLocker. This was verified in two ways. First, because it was hardware based, it was INSTANT. When using software encryption it can take hours to complete. Second, I verified with the command line option "manage-bde -status" that it was hardware encryption. I also know I didn't have a TPM because BitLocker initially doesn't work without a TPM unless you change a group policy setting to get it to work.

    There is currently a debate about whether TPM is actually more secure or not.

  7. #7
    Korth (ROG Guru: Black Belt)

    Quote, originally posted by Outontheporch:
        There is currently a debate about whether TPM is actually more secure or not.

    I'm inclined to think TPM crypto is inherently more secure than non-TPM crypto. TPMs have been hacked and circumvented before - very few times, by very skilled and stubbornly persistent experts (like this one) - but I think it's reasonable to say such attacks are not practical for experts and are thoroughly impossible for non-experts. Active cryptologic onboard the TPM means the crypto algorithm is unknown (and proprietary), so the question of whether TPMs are more secure really boils down to being a question of whether the proprietary crypto scheme/code is intrinsically stronger/weaker than official (and well-known, well-documented, proven) RSA/AES standards.

    There are of course many kinds of TPMs, and most are designed for specific enterprise applications. Consumer TPMs are generic, which might make them less secure in specific instances. They are also "uncontrolled" - anyone can buy one, anyone can use one - whereas enterprise TPMs have more rigidly controlled and audited distribution channels which restricts their use within their intended application. Analyzing and defeating crypto is far more difficult when you have limited sets of data/samples to work with.

  8. #8
    KeksimusMaximus (ROG Guru: White Belt)

    Maximus X Hero BIOS 1013 is out, has anyone tested if something was fixed? Especially this issue https://us.community.samsung.com/t5/...PRO/td-p/66475

    How f***** difficult is it for ASUS to actually post a full BIOS changelog??

  9. #9
    geneo (ROG Guru: Orange Belt)
    PC Specs:
    Motherboard: Maximus XII Hero
    Processor: Intel 1070k @ 5.1Ghz
    Memory (part number): 64 GB G.Skill TridentZ RGB 3200/CL14 @ 3600
    Graphics Card #1: Asus ROG Strix 2070 Super A8G
    Monitor: EIZO Coloredge CG2730 and Viewsonic QHD displays
    Storage #1: Samsung 512 GB 960 Pro
    Storage #2: 1TB 850 x 1 TB 860 EVO RAID0, 6 TB WDC Black HDD
    CPU Cooler: Noctua NH-D15 Chromax
    Case: Fractal Design R4 w/ tempered glass
    Power Supply: 750W Seasonic Prime Ultra Titanium
    Keyboard: CM Quickfire Rapid TKL
    Mouse: Logitech G305
    Headset: Bose
    Headset/Speakers: Vanatoo T1, ML Dynamo 300
    OS: Windows 10 Pro X64
    Join Date: Feb 2014
    Reputation: 37
    Posts: 408

    Nevermind
    Last edited by geneo; 04-26-2018 at 07:25 PM.

  10. #10
    ROG Member
    Join Date: Nov 2017
    Reputation: 10
    Posts: 18

    bump.
