Windows 10: Impossible to turn on eDrive/Bitlocker with Hardware encryption

Hi. I can't enable Bitlocker hardware encryption for Kingstorn A2000 NVME SSD series.

NVME product page reports:
"Supports a full-security suite (TCG Opal, AES 256-bit, eDrive)"

I followed these instructions:
https://media.kingston.com/kingston...-edrive-to-utilize-hardware-encryption-en.pdf

That give instructions on how to enable hardware encryption, even for windows 1903+, that require a Group Policy change to enable hardware encryption for SSD drives.



Current status:

• Windows 10 Enterprise Version 1909 - OS Build 18363.418
• CSM disabled, UEFI ONLY
• TPM enabled
• Secure Boot enabled
• Group Policy 'Configure use of hardware-based encryption for operating systems' enabled
• Clean windows installation
• Kingston SSD Manager:
• IEEE1667 enabled
• Drive reports 'TCG OPAL Version 2.0 is supported'

Hardware:

• AMD Ryzen 5 3600
• Motherboard MSI Bazooka V2, BIOS: December/2019

Problem: windows doesn't recognize hardware encryption on this drive. Fails with:

"The drive specified does not support hardware-based encryption. (code 0x803100b2)"

which is not true.



Screenshot: https://imgur.com/a/0ZQhOBj



Steps tried:

• Install windows to a different drive
• Enable IEEE1667 and reformat
• Diskpart -> clean disk
• Using a live linux distribution, use sedutil to enable TCG Opal 2.0 on the drive: works
• A LOT of Googling
• Contact kingstorn support

Am I missing something? Any ideas on how to enable Hardware Encryption?

submitted by /u/karkov
[link] [comments]

:)

 

(BUG) BitLocker eDrive hardware encryption

Hi,

I did a clean install of Windows 10, and tried to use hardware encryption via BitLocker on my eDrive compliant 850 EVO ssd.

First it just would not use the hardware encryption (asks if I want to encrypt whole drive or only used portion) but I found that Intel rapid storage was conflicting with the process (version V14501081)

When I uninstalled IRST, the setup went right, but after the first reboot/system check, BitLocker has just dissapeared. It can't be found in the Control Panel (see screenshot), trying to open it via search doesn't work and it's not listed when right clicking
the system drive, but when right clicking my second HDD there is an option to enable it, this brings me to the initialization screen, the BitLocker settings still can't be accessed. There's also no lock icon on the system drive, but BitLocker does ask for
a password on bootup (don't have TPM).

When typing manage-bde -status C: in the command prompt, I get an error (see screenshot)

screenshot:

https://i.imgur.com/JiHCu3K.png

This worked perfectly on Windows 8.1 for me.

Edit: Now BitLocker suddenly started working properly. The lock sign is there and the settings are back, still this is strange behaviour.

 

How to restore a system image backup to a hardware encrypting SSD (eDrive)

Has anyone figured out how to restore a system image backup to a hardware encrypting SSD (eDrive)? The problem I am experiencing is that I can successfully restore the system image to the SSD but hardware encryption is no longer enableable like it was before
the backup and restore.

Here is a basic overview of the procedure: How to Restore System Image Backups on Windows 7, 8, and 10

Here are the specific steps I followed to reproduce and document this problem:

1. Install Windows 10 (1607) onto a Crucial M500 SSD eDrive.

2. Turn on Bitlocker and the C: drive is instantly encrypted on reboot.

3. Confirm hardware encryption using Manage-bde -Status.

4. Create a system image backup using the "Create a system image" command under "File History/System Image Backup" or "Backup and Restore (Windows 7)" in the Control Panel.

5. Boot to a Windows thumb drive or DVD, open a command prompt and Clean the SSD using Diskpart.

6. Restore the system image backup to the SSD. Process completes successfully and Windows runs normally.

7. Re-enable Bitlocker but only software encryption is available. The hardware encryption which was working fine before the image backup and restore is now inoperative.

I have tried this several times with various changes, such as clearing the TPM, turning Bitlocker off before creating the system image, and using a 1511 version of Windows 10 instead of the 1607 version. The results are always the same.

Conclusion: System image backups of a hardware encrypted drive are unusable because the hardware encryption can never be turned on again after the image is restored to a new, or even the same, SSD.

If anyone has figured out how to make this work I would love to hear your solution!

However, I think it is currently impossible because of a bug in Bitlocker, System Image Recovery, or both. I'm hoping that someone from Microsoft will take notice of this post and address the problem, either by providing a procedure that actually works or
by fixing the malfunctioning code in Windows.

 

Bitlocker - What types of Hardware Encryption can it use?

Hello Windows Support Team,

When I run at powershell "manage-bde -status"

I see one drive with "Encryption Method: Hardware Encryption -
1.3.111.2.1619.0.1.2" Is it eDrive, Opal 2.0, or other?

How can I tell what HW encryption is being used? This is a data drive.

Do you have further information on how to force BitLocker into using eDrive or Opal 2.0 ? or what determines what is used by BitLocker?