Setup of Hardware Encryption on Crucial SEDs via Bitlocker

Moderator Moderator



Windows 8.1 and 10 Professional/Enterprise versions all automatically support encryption key management of SEDs through Windows encryption called BitLocker. Before enabling Bitlocker hardware encryption, the below requirements must first be met (encryption software other than BitLocker may have further or modified requirements): 




  • TPM Module: BitLocker only supports TPM version 1.2 and 2.0 (or newer). In addition, you must use a Microsoft-provided TPM driver (Please note, BitLocker can also work without a TPM, but it will need a USB flash drive to set the password instead). Please contact your system manufacture if you need help identifying your TPM availability.
  • UEFI 2.3.1 or greater: The host computer should be at a minimum of UEFI 2.3.1 and should have the EFI_STORAGE_SECURITY_COMMAND_PROTOCOL defined. This enables security protocol commands to be sent to and from the SED. Please contact the manufacturer of your host computer if you are not sure this requirement is met.
  • Secure Boot: In the system BIOS setting Secure Boot must be enabled, most Windows 8.1 and greater system will come with this automatically enabled. Please contact your system manufacture for assistance enabling this.
  • Opal 2.0 support: The system needs to support Opal 2.0 security standards. The Opal 2.0 standard is not backwards compatible; Crucial SEDs are not compatible with Opal 1.0. Contact your system manufacture if need help verifying your system’s Opal compliance.
  • UEFI Mode: The host computer must always boot from UEFI. Any “compatibility” or “legacy” boot mode must be disabled. We recommend putting the system in UEFI-only mode before installing the Crucial SED. CSM (compatibility support mode) needs to be disabled as well. Contact your system manufacture for help with these settings. 
  • Two partitions (one not encrypted): The SSD must have two partitions (drives with Windows installed generally do anyway) and the main partition to be encrypted must be NTFS. This secondary unencrypted partition need to be at least 1.5GB in size. This partition is used for authentication purposes and is required for encryption to work.
  • Uninitialized Drive: The drive must be in an uninitialized state with all security modes inactive; Crucial SSDs out of the box come are in this state. (This refers to the security state of the SED under the TCG and ATA protocols.) If the drive has been previously initialized, you may need to refer to instructions from the BIOS maker or any previous encryption software which may have been used to return the SED to an uninitialized state.  Windows 10 and 8.1 cannot manage encryption on SEDs that are attached to the host computer via a RAID controller.
  • Basic Disk: Dynamic disks are not supported by BitLocker. Windows 8 and Windows 10 drive will come configured as a Basic disk with GPT partition layout, which is required to use hardware encryption.     



Configuring the Host System

It is recommended that the host system UEFI be configured to properly accept the SED before physically installing it, as outlined in the example below. Details of the system setup will vary from system to system, as will the names of various functions. However, they are similar enough that a single example should be sufficient. For details on specific UEFI setups, contact your computer's manufacturer.


Enabling Secure Boot

Microsoft Secure Boot is a requirement to run any Windows 8.1 or 10 system. Any computer that has been configured from the factory for Windows 8.1/10 (as shown by a Windows 8/10 sticker) will already have Secure Boot enabled. If the host system was originally configured for Windows 7 or a previous operating system, check to ensure that Secure Boot is enabled, as shown below.

secure boot.png 


UEFI Boot Mode/CSM Support

The host computer system must be in UEFI-only mode, as shown below. Typically, the CSM will be automatically disabled in UEFI-only mode; however, this should be verified and the CSM should be disabled if necessary.




Installing Windows 8.1/10

The most straightforward method of implementing hardware encryption is to perform a clean, new installation of the operating system. BitLocker versions in the Windows 8.x and 10 Enterprise and Professional editions support hardware encryption on SEDs. No special steps are needed for this function; simply follow the normal OS installation process described by Microsoft.  After the OS is installed, proceed to the Enable BitLocker section.


Boot Order

In the BIOS boot priority settings, the system must be set to boot to your SSD first, you cannot have USB or CD options before it.


System Cloning

Because Crucial SEDs support eDrive, activating BitLocker creates special partitions, which are required to put the eDrive features in effect. When an eDrive-activated SSD is cloned, these special partitions may not be properly copied to the target drive. The target drive may function, but this is not considered a valid process and it may cause latent performance problems. If the source disk has been encrypted using software encryption in Bitlocker, first ensure that BitLocker is turned off before initiating the image clone to a Crucial SED. If using BitLocker in software encryption mode on the source system, a decryption process will be required to turn off BitLocker. This can take several hours, depending on the amount of user and OS data on the drive.


Enable BitLocker

Follow the steps below to enable BitLocker.

  • Press the Windows key (usually between <Ctrl> and <Alt>); then type “This PC” and press Enter.
  • Right-click on the icon for the system drive and select Turn on BitLocker from the pop-up menu.



  • Next, a status box confirming that BitLocker is configuring will display, along with a status bar. This will complete momentarily.


  • Select one of Microsoft's options for saving your recovery key. While Crucial has no preferred option here, do not neglect this step. In some circumstances, this may be the only way to recover data from your SSD. Crucial has no factory backdoor methods by which to recover data if an authentication key or password is lost. Once the key is saved, select Next to continue.




  • BitLocker will ask, "Are you ready to encrypt this drive?" After you click Continue, a system restart will be required to complete the process.




  • After the reboot is complete, you will see from the BitLocker padlock icon on your system drive that BitLocker is enabled.




The video below illustrates the process in full.




Kilobyte Kid

The above list of requirements is VERY helpful, but you left out one crucial piece of information: the drive must be in an uninitialized state before Bitlocker will recognize it.


This can be a little bit tricky, because simply reformatting or deleting the partitions will not achieve it. You must run the Clean command from Diskpart (which you can do from the Windows 8 installation process by pressing F10).


Another helpful tip: if all of the above requirements are met Bitlocker will not ask you if you want to encrypt the entire drive or just the existing data, it will just be encrypted instantly; if you get that message the eDrive failed to initialize properly.

Kilobyte Kid

are you kidding?  sluffing off built-in encryption to third-party software?  if the controller can encrypt the data, let it do it by itself!  that way no software is slowing anything down and wiping the drive is an instantaneous process of simply regenerating new keys.

but instead, we're relying on microsoft?  and securely erasing my mx100 will now take several passes of overwriting the entire drive, causing unnecessary wear and costing unnecessary time.

no thank you.  i'll be going through the hassle of using truecrypt and luks instead.

please tell me you'll upgrade the firmware to properly implement pre-boot fde.

Moderator Moderator

On an MX100, just as with any other Self-Encrypting Drive, all data is always encrypted by the controller when written to the NAND, and decrypted when read. Using Windows 8 BitLocker with the SED feature of the MX100 enables the user to put a "lock" on the drive, to protect the data against unauthorized access. Basically, once Windows 8 BitLocker has been activated and configured to use the drive's built-in hardware encryption, the data on the drive can only be accessed after the user puts in their BitLocker credentials. However, all the encryption is still done by the controller, just as it was before BitLocker was configured to work with the drive's SED ability. You can read more in this article, The Advantages of Hardware Encryption

Kilobyte Kid

i'm very glad to read, from the article you referenced, that there's no performance hit.  but that's only 1 of 2½ issues.  i have some follow-up questions.  perhaps we should take this to a forum instead of the knowledge base?
-what about prior issue #2 (securely wiping the drive)?  is this easily and instantly doable?  we'll ignore #3 (relying on microsoft gets ½ a point).  Smiley Very Happy
-with the encryption keys stored on the controller, doesn't using third-party encryption software mean the keys themselves aren't encrypted by a user pw, making it that much easier for someone with physical access to the drive to extract them from the firmware?
-if the controller is doing the encryption, why bother with bitlocker?  is it so slightly-more-savvy-than-average joe can easily enable it, or so you don't have to write it into the firmware?  (i'm being serious, not snarky--i'm a software developer myself.)  personally, i'm dual-booting win7* and ubuntu 14, which means i need 2 separate encryption methods instead of just supplying my credentials at boot to decrypt the hd and then choosing which os to load.
-also, if i upgrade the windows os, ms requires the os volume to be decrypted first.  this would obviously not be the case if windows was unaware that it was encrypted.
*last, what about those poor silly saps who are running win7 (or earlier)?  i just read that win7 bitlocker doesn't support self-encrypting drives--it was an update as of win8.  we're just out of luck?  i realize you can't support everything, but win7 is still a ms-supported os, and it seems like a better service to (more of) your customers to enable full-disk encryption all the time.
thank you!

Moderator Moderator
Hello again, Yes, if you have a large number of questions it would probably be easier for you to receive swift and accurate answers if you ask the community in the SSD Forum. You can also contact our support, there is a link to their contact info in the footer of the article. Smiley Happy
Kilobyte Kid



we changed from HDD to M500 SSDs on our HP 4540s. But we have two devices where we cannot activate drivelock as it is telling us "HDD is HW encrypted". Other work, but these two not ...

Any idea on how we can fix this issue? Notebooks are running Win 7 prof x64.

Kilobyte Kid

I haven't found even single word about Linux. Have Linux users a chance to enable the Hardware Encryption?

Kilobyte Kid

How do I DISABLE sed?

The essential security is to KEEP ACCESS to MY data. I don't mind others seeing them (provided they can't alter them). Too much "security" is against this essential security. In particular SED, while NOT really protecting me, exposes me to loss of all my data, under various circumstances and external intents and attempts.

What I want is to disable SED, reliably and for good. No word about this in this article; anyone has an answer? TIA,

Versailles, Thu 15 Jun 2017 16:27:25 +0200

Kilobyte Kid

I cross over to develop an application that helps the activation of hardware encryption ... I have a 300 lenovo yoga with ssd crucer mx300 and it has been impossible for me to follow all the methods.

*removed competitor* has application that enables hardware encryption.