04-30-2018 01:37 PM
We are just regular users here. Unfortunately I don't have any direct experience with TPM hardware encryption and my actual experience with Windows Bitlocker is limited to "pausing" it to allow a system firmware update. Some UEFI TPM implementations may force you to enable encryption on the boot drive first. You may have to settle for enabling ATA Security unless you enable encryption on your boot drive as well.
Here is one article that might give you some pointers. I believe it is using Microsoft eDrive and I'm not sure if Crucial Storage Executive provides this option. Here is another article with some details that might help and an older Crucial forum post with some details. I recall reading some negative things about eDrive.
Most documentation is for encrypting the boot drive and not just a secondary drive. For Bitlocker hardware encryption it seems you need Windows Pro, the BIOS/UEFI system setting is set for UEFI mode, the SSD needs to be on an AHCI enabled controller, all security on the SSD must be disabled and the SSD must be Secure Erased or have been "cleaned" with Diskpart before Bitlocker will use hardware encryption. It seems the Intel RST driver (at least older versions) may interfere with hardware encryption. Also be aware that you can lose access to all the data on the encrypted drive if there is a hardware failure so make sure to keep good verified backups.
I would suggest you thoroughly research the various options as there are advantages & disadvantages to everything. You should search Microsoft's website for information on Bitlocker. It seems they hide information all over the site so you may have to dig a bit. It wouldn't hurt to contact Crucial support as targetbsp suggested.
If you do get this working, please update this post so it can help others.
05-01-2018 05:17 AM
@therock003 I would recommend you also check out our Knowledge base article "Setup of Hardware Encryption on Crucial SEDs via Bitlocker" in addition to the great advice already given by @targetbsp and @HWTech (thanks guys!). The article has a list of requirements that must be fulfilled before you are able to set up hardware encryption, a step by step guide as well as a video detailing the steps.
If the help given already has been useful, please remember to give a kudos to the users, or click on "Accept as solution" if this has answered your question.
05-04-2018 01:00 AM - edited 05-04-2018 01:01 AM
Support so far has been great, and I'm still taking it all in. Secure Boot is disabled on my system, so no surprise that I got the software encryption outcome. Also from those articles and many more, it is now common knowledge that when turning on BitLocker for a drive and getting this screen (which I got of course) means that you've failed and you're getting the software encryption.
I am continuing with my description, taking you all along with me on my journey to completion.
Now as for the prerequisites based on the articles:
- TPM module -> got it
- UEFI 2.3.1 or greater -> this seems almost impossible to distinguish, but based on lots of Google searches I believe I'm on 2.4. Got the latest BIOS firmware for my system no doubt, but I cannot find anywhere, even on the BIOS menu, the actual version
- Secure Boot -> there is an option legacy support disable/secure boot enabled.
- UEFI mode -> already on it, and the above option also makes sure that legacy mode is turned off, so you're not in any hybrid mode
- Two partitions (one not encrypted) -> This is my first question mark. I read in the comments that on the Windows installation you invoke a console and run diskpart to create those partitions. It also says it needs to be 1.5 GB. 1.5 GB for a hidden partition seems much to me; are we sure it needs that much, and if I take care of it via diskpart upon installation is it a definite success? This I have to investigate some more
- And finally the eDrive/Opal support. I'll have to enable these on both my boot and data drive while priming them. Not sure what these are, haven't still fully read about those standards.
It seems so complex, thought things were going to be easier.
And one final thing, if I'm not mistaken, when hardware encrypting, if the disk's chip fails, do you lose all data, and the only way to keep up is to perform regular backups?
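The requirements listed in this post and in HWTech's earlier reply (TPM, UEFI boot mode, Secure Boot, a Pro edition, and BitLocker being allowed to use hardware encryption) can be checked from PowerShell before you start, and the "software encryption outcome" can be confirmed afterwards by reading the volume's encryption method. The script below is an added example written for this thread, not code from Crucial, Microsoft or any poster. It assumes an elevated PowerShell session on Windows 10 Pro or later, that the data drive is mounted at the letter passed in `$DataDrive` (default `D:`), and that the `FDVHardwareEncryption` registry value is the one written by the "Configure use of hardware-based encryption for fixed data drives" policy; everything it does is read-only.

```powershell
# Added example (not from the thread): read-only prerequisite check for
# BitLocker hardware (eDrive/OPAL) encryption on a secondary data drive.
# Assumptions: Windows 10 Pro or later, elevated PowerShell session,
# data volume mounted at $DataDrive (change the default as needed).
param([string]$DataDrive = 'D:')

$checks = [ordered]@{}

# TPM present and ready (Get-Tpm comes from the TrustedPlatformModule module).
$tpm = Get-Tpm
$checks['TPM present and ready'] = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

# Firmware booted in UEFI mode rather than legacy/CSM.
$checks['UEFI boot mode'] = ($env:firmware_type -eq 'UEFI')

# Secure Boot enabled. Confirm-SecureBootUEFI throws on legacy BIOS systems,
# so a failure here is reported as "not enabled" rather than aborting.
try   { $checks['Secure Boot enabled'] = [bool](Confirm-SecureBootUEFI) }
catch { $checks['Secure Boot enabled'] = $false }

# Pro/Enterprise/Education edition (Home has no BitLocker management).
$edition = (Get-CimInstance Win32_OperatingSystem).Caption
$checks['BitLocker-capable edition'] = ($edition -notmatch 'Home')

# Policy that lets BitLocker use hardware encryption on fixed data drives
# (assumed value name, set by the fixed-drive hardware encryption policy).
$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$fdvHw = (Get-ItemProperty -Path $fvePolicy -Name 'FDVHardwareEncryption' `
          -ErrorAction SilentlyContinue).FDVHardwareEncryption
$checks['Hardware encryption allowed by policy'] = ($fdvHw -eq 1)

# Print one line per check so a missing prerequisite is obvious before
# BitLocker silently falls back to software encryption.
foreach ($c in $checks.GetEnumerator()) {
    '{0,-40} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'MISSING' })
}

# After turning BitLocker on, confirm which path was actually taken.
# 'Hardware' means the SED is doing the work; any other method is the
# software-encryption outcome described above.
$vol = Get-BitLockerVolume -MountPoint $DataDrive -ErrorAction SilentlyContinue
if ($vol) {
    '{0} encryption method: {1} (status: {2}, protection: {3})' -f `
        $vol.MountPoint, $vol.EncryptionMethod, $vol.VolumeStatus, $vol.ProtectionStatus
} else {
    "$DataDrive is not a BitLocker volume (or BitLocker is not installed)."
}
```

Run it once before enabling BitLocker to see which requirement is missing, and again afterwards: if `EncryptionMethod` is anything other than `Hardware`, the drive was software-encrypted and must be decrypted, secure erased or cleaned with diskpart, and set up again after fixing the missing prerequisite. The script does not cover the AHCI controller requirement or the drive's own OPAL/eDrive state, which need the vendor tool (Crucial Storage Executive) or the knowledge base article above.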
06-20-2018 11:36 PM - edited 06-21-2018 10:21 PM
The encryption key is generated on board the drive. The manufacturer does not retain or even have access to the key. Moreover, you do not have to trust it. When putting an SED into service it is considered good practice to start by directing the SED to regenerate its encryption key. Doing this before loading any software on the drive eliminates the possibility of the drive manufacturer, or anyone else who might have had a chance to access the drive before the current owner, acquiring any secret, like the encryption key, that could be later used to break into the user data.