40 Comments

  • Braumin - Wednesday, April 10, 2013

    This is some pretty cool news actually. Now Bitlocker just needs to support smart card authentication at bootup and we can start using it.
  • lecaf - Thursday, April 11, 2013

    Why would you want that?
    Sure, a smartcard for OS authentication is a good security feature, but reusing the same smart card for disk unlocking would be nonsense from a security standpoint, and using two would not be practical.
  • Araemo - Thursday, April 11, 2013

    Why would you want that? Because every additional password you give a user increases the chances of them writing it on a sticky note on the computer and bypassing your well-designed security.

    Without an ability to use your AD credentials for pre-boot authentication, I recommend my customers go TPM-only (with secure boot if supported) for that reason, plus the supportability reasons.

    Technically, bitlocker supports smartcard-auth... as long as you have a third-party module running pre-bootmgr to authenticate the smartcard and supply the drive protector key to bootmgr.

    I've seen no product that does this, however, so the above statement is more correct than Microsoft's line. ;)
  • Braumin - Thursday, April 11, 2013

    How do you manage the PIN for 30,000 laptops? 100,000? Even 10 laptops? Just give everyone the same PIN and call it a day? What happens when an employee is fired? You just go re-pin all of your machines? Have them make (and then forget) their own PINs?
  • lecaf - Friday, April 12, 2013

    There is a tool for that: Microsoft BitLocker Administration and Management (MBAM).
    It's a central DB storing recovery information and it allows non-administrator users to change the PIN.
    Don't use the AD for storing recovery keys as they are stored in clear text.
  • Araemo - Friday, April 12, 2013

    MBAM is a necessity for deploying BitLocker in an enterprise environment. But it's not free. You have to buy MDOP.
  • macshuffle - Sunday, April 21, 2013

    I rolled out MBAM globally for our environment. I'm currently looking to upgrade to the recently released MBAM v2.0 as it includes many fixes the original version should have had. It is easy to set up and install... just make sure you back up that key database and the encryption cert for it... otherwise your users will not be able to recover their systems. As another mentioned, you obtain MBAM by purchasing MDOP.
  • Blindsay04 - Wednesday, April 10, 2013

    Very cool indeed. Any idea if this would work in Windows 7 Ultimate/Enterprise as well, or is it only BitLocker in Windows 8?
  • lurker22 - Wednesday, April 10, 2013

    Shame MS won't simply add eDrive standard support to Windows 7.
  • bobbozzo - Wednesday, April 10, 2013

    FWIW, I can do the same thing by setting a drive password in the motherboard BIOS with a drive that has hardware encryption... instant encryption enable/disable.
    I have a V-100 Enterprise Kingston drive, but it should work on any drive with hw encryption as long as the motherboard supports a drive password.
  • chubbypanda - Wednesday, April 10, 2013

    Of course, that's the way to go. Though in the M500 review, Anand said something opposing that, something I don't quite understand:

    "Unfortunately, most ATA passwords aren't very secure... " (http://www.anandtech.com/show/6884/crucial-micron-...

    He'd tried and couldn't use long and/or elaborate strings for the ATA password in UEFI BIOS? Not sure what machines he's using.
  • zachj - Wednesday, April 10, 2013

    Wouldn't this also increase drive life? If software-based full disk encryption makes the drive appear like it's 100% full, then every single write requires a block to be erased first, right?
  • kpb321 - Wednesday, April 10, 2013

    Not every write, because they have spare area, but it would certainly increase the wear because they would be doing it a lot more often.
  • Anon123 - Wednesday, April 10, 2013

    USELESS

    Everyone knows bitlocker contains backdoors.
  • DanNeely - Wednesday, April 10, 2013

    Citation please.
  • Jammrock - Wednesday, April 10, 2013

    There are tools that can decrypt BitLocker, TrueCrypt and PGP. But in order for them to work you need a memory dump of the system or the hibernation file so the encryption key can be pulled from memory. But then this is a "flaw" with all software based encryption, as proven by the CSS and AACS hacks to get DVD and Blu-ray working on Linux.

    There are no backdoors in BitLocker. I work at Microsoft and lost my BitLocker recovery key (long story). I called our internal support and their answer was, "your data is gone."

    But the real proof has to do with one word: profits. If there were backdoors Windows would be disqualified for government and enterprise use. Profits go bye-bye. There are no backdoors.
  • lecaf - Thursday, April 11, 2013

    While I agree with you that no known backdoor exists in Bitlocker, your statement "data is gone" is completely wrong. Any encryption implementation would provision recovery keys managed by your organization. MS has a neat server called MBAM for that purpose. So if you lose the primary key, then your security officer could just ask the server to provide a spare (recovery) key.
    Of course, that is valid if your organization manages encryption; if you did it by yourself then you've got a serious procedure problem at MS.
  • Jammrock - Thursday, April 11, 2013

    I'm well aware of the key recovery tools. That part is covered under the "long story" part.

    This was an interesting case with a new laptop, secure boot, a DisplayPort adapter and a new build of Win8. To make a long story shorter, the BitLocker recovery key was uploaded to Active Directory and I had it saved to a USB drive. When I disabled secure boot it appears that something changed the recovery identifier, which invalidated all the recovery keys.

    The change happened just before I went into a reboot loop caused by a corrupt DisplayLink driver, so the change never got updated to MBAM/AD. With the invalid recovery key I was unable to get into safe mode to fix it ... at first. This is when I called internal support and they said, "goodbye data."

    Eventually I plugged the DisplayPort adapter back into the exact same USB port as the last boot and got back in normally, updated my recovery keys and have been running smoothly ever since (thanks to an updated DisplayLink driver). So I didn't end up losing my data, but had I been unable to get past my frowny of doom loop I would have.

    Moral of the story: don't make any UEFI security changes once you've encrypted your drive without backing your recovery keys up immediately afterwards.
  • lecaf - Thursday, April 11, 2013

    "which invalidated all the recovery keys."
    That's interesting. I hope you had the dev team look into this, as this seems like a bug and should never happen.
    "Moral of the story, don't make any UEFI security changes"
    ...or pause Bitlocker before doing them :)
  • taltamir - Monday, June 24, 2013

    "But the real proof has to do with one word: profits. If there were backdoors Windows would be disqualified for government and enterprise use. Profits go bye-bye. There are no backdoors."

    Verisign had a backdoor which was made for the US government. And yes, it was catastrophic for their reputation when it came out. But you can't claim that no business will ever do it, because businesses did. And the US government used it despite having a backdoor in it.
  • B3an - Wednesday, April 10, 2013

    Why have I never seen this Win 8 feature mentioned anywhere else before? I always keep up to date on Windows news but this doesn't seem to have been posted anywhere.
  • B3an - Wednesday, April 10, 2013

    Very nice feature BTW. Shame my 840 Pros don't support it!
  • iuqiddis - Thursday, April 11, 2013

    Does anyone know how well the Linux kernel supports the hardware encryption already present in these SSDs? Or is the only choice to use software encryption? Thanks.
  • Rick83 - Thursday, April 11, 2013

    Whether or not hardware or software encryption are a choice on SSDs is still hotly debated on the dm-crypt mailing list. dm-crypt does support external crypto-engines, but due to the device-mapping nature of the implementation, I'm not sure how well it would work to take into account such integrated solutions.
  • mayankleoboy1 - Thursday, April 11, 2013

    Don't know about hardware encryption, but the Linux kernel is adding an AVX2-based software encryption!
  • gattacaDNA - Monday, May 13, 2013

    Unless you are running some of the latest kernels with the right cryptlib packages and then edit / tweak about 4 or 5 different system files, the latest Fedora 18 does not even support SSD TRIM. The default state of TRIM is OFF. I know because I just went through quite a quest to turn it on. Cannot comment on anything like eDrive, but I'll take a _properly implemented_ drive password on the right platform, one whose UEFI/BIOS is designed to handle longer / extended passwords, over nothing. Cheers.
  • Tjalve - Thursday, April 11, 2013

    This is awesome news. I've known about the Windows 8 support for a long time; however, I never found any information on what standards needed to be supported, and none of the drives I tested this on worked.
    So it's my understanding that you need to enable UEFI and boot with UEFI. Does that mean that you need to reinstall the OS as well?
  • Azethoth - Thursday, April 11, 2013

    No, secure boot does not require you to re-install the OS. However, and this is a big hairy however, every other device during boot needs to be signed as well. Sadly this gives you a >>>50% chance that your graphics card is going to screw you. For Radeon the chance is 100% - the chance you are a lucky Powercolor or something owner. For nVidia they have a firmware update for one of their GPUs. Outside of those two cases you are 100% screwed.

    For AMD you will not even find an official notice, but Googling will find a snippet that someone quotes indicating they suck at doing it.

    Gah, this new comment code looks nice but sucks for disabling the Chrome expandable text entry box.
  • Azethoth - Thursday, April 11, 2013

    Oh yeah, this is for DIY computers. If you bought a Win8-compatible from an OEM then they took care of signing things correctly.
  • Azethoth - Thursday, April 11, 2013

    Looks like things are less bleak; this post indicates you can request the required hybrid vbios from MSI, Sapphire and VTX3D as well. Still sucks for me because 1 Diamond and 1 XFX card.
  • Tjalve - Friday, April 12, 2013

    Alright. So to get this going, you need to enable secure boot? I didn't read that that was a requirement, only to boot with UEFI instead of legacy BIOS?
  • B3an - Sunday, April 14, 2013

    Pretty sure you don't need Secure Boot enabled. Don't know why Azethoth mentioned SB...

    You just need UEFI boot enabled. Specifically "UEFI 2.3.1 (Class II no CSM/Class III)" as mentioned in this article. I'd guess most new motherboards with UEFI will support this as long as you're on the latest BIOS/UEFI update.
  • Johny12 - Monday, April 15, 2013

    I thought the purpose of hardware encryption on the SSD was to reduce the burden on the host CPU. So with Sandforce you got both better CPU performance AND the benefit of their compression/de-dupe?
  • hceuterpe - Tuesday, April 23, 2013

    You gotta be kidding me. I JUST bought the Crucial C400 SED variant less than a month ago!
    Oh well, I don't plan on using Windows 8 (I rejected it) and my laptop doesn't have UEFI. Also, the M500 doesn't seem to best the C400/M4 across the board.

    For people who don't understand Bitlocker, you guys need to stop bashing it and comparing HDD passwords (seriously??). For a large organization, it's one of the easiest ways to enforce data-at-rest security. As for bitlocker, in software mode I've noticed my other laptop (which I don't own myself) tends to hang for extended periods of time, especially when it pages. I've heard of similar behavior from Truecrypt as well.
  • LS1 - Thursday, December 19, 2013

    Has anyone been able to get eDrive working right with the Samsung EVO yet? The latest firmware update is supposed to make the drive TCG/OPAL 2.0 compliant. I gave it a shot and I believe I meet all the system requirements (UEFI with CSM disabled and Secure Boot enabled, Windows 8.1 Pro, BitLocker, etc.) but it still asks me if I want to encrypt only the used space or the entire drive (it shouldn't ask that if it's using eDrive from what I've read). Tried this on a Lenovo K410 desktop without a TPM chip and on a Lenovo ThinkPad T430 with a TPM chip without any luck... if it doesn't work on the business line T series ThinkPad then I don't know what will work or what I might be doing wrong?
  • LS1 - Tuesday, December 24, 2013

    Finally got eDrive to work on the Samsung EVO, but I had to install the Samsung Magician software and enable "Encrypted Drive", which instructed me to perform a secure erase and a clean install of Windows 8, which I did, but I had to make sure the EVO was #1 in the boot order in UEFI/BIOS and also had to run "bcdboot %systemdrive%\Windows" from the Windows command prompt since I kept getting BitLocker errors saying "element not found". After it's done, however, the same problem as the Crucial M500 exists where the ATA security set is disabled and one CANNOT perform a Secure Erase on the drive, and the Samsung Magician software doesn't allow you to set "Encrypted Drive" back to "Ready to be Enabled" or "Disabled".
  • Igorw - Monday, January 13, 2014

    Thank you for the walk-through and also for pointing out what to look for if the encryption uses software mode instead of hardware mode (that part really helped)!

    With some trouble I now finally have Bitlocker running in hardware mode on my Samsung 840 EVO. The tricks to get it running on this drive were 1) upgrade your Samsung firmware, 2) use Secure Erase on the drive after turning Encrypted Drive to Ready to Enable and 3) install Windows in UEFI mode (I had no idea that it was possible to install Windows in different modes).

    Thanks again for the great step-by-step guide.
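A defender's check for the prerequisites LS1 and Igorw list above (native UEFI boot, Secure Boot, optional TPM), the hardware-versus-software-mode verification Igorw mentions, and the recovery-key backup Jammrock's moral calls for, as an added PowerShell example that is not from the original thread. It assumes Windows 8 or later, an elevated session, the BitLocker, SecureBoot and TrustedPlatformModule modules, and a domain policy that permits AD DS backup of recovery information.

```powershell
# Added example (not from the thread): verify the eDrive prerequisites the
# posts above list, then confirm BitLocker actually landed in hardware mode.
# Assumes Windows 8 or later, an elevated PowerShell session, and the
# BitLocker, SecureBoot and TrustedPlatformModule modules.
param([string]$MountPoint = 'C:')

# 1. Firmware type: eDrive needs a native UEFI boot, not legacy BIOS/CSM.
$firmware = $env:firmware_type          # 'UEFI' or 'Legacy' on Windows 8+
Write-Host "Firmware type:   $firmware"

# 2. Secure Boot state (Confirm-SecureBootUEFI throws on legacy firmware).
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = 'n/a (not UEFI)' }
Write-Host "Secure Boot:     $secureBoot"

# 3. TPM presence: a TPM-only protector needs it; eDrive itself does not.
$tpm = Get-Tpm
Write-Host "TPM present:     $($tpm.TpmPresent)  ready: $($tpm.TpmReady)"

# 4. The check Igorw refers to: 'Hardware' means the SED is doing the
#    work; any AES value means BitLocker fell back to software encryption.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
Write-Host "Encryption:      $($vol.EncryptionMethod)  status: $($vol.VolumeStatus)"
if ($vol.EncryptionMethod -ne 'Hardware') {
    Write-Warning "$MountPoint is not using hardware (eDrive) encryption."
}

# 5. Jammrock's moral: make sure a recovery password exists and is backed
#    up to AD DS before touching any UEFI or Secure Boot setting.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Write-Warning "No recovery password protector on $MountPoint."
} else {
    foreach ($kp in $recovery) {
        # Fails unless group policy allows AD DS backup of recovery info.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
        Write-Host "Backed up recovery protector $($kp.KeyProtectorId) to AD DS."
    }
}
```

The same information is visible in `manage-bde -status`, whose "Encryption Method" line reads "Hardware Encryption" when eDrive is in use.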
  • Krysto - Monday, February 10, 2014

    The encryption is done by hardware instead of software? So that means it could be backdoored by hardware vendors. Not that the fact that Bitlocker is proprietary shouldn't worry you to begin with, in this case.
  • Ctrl_Alt_ID - Saturday, May 03, 2014

    Anand wrote about eDrive over a year ago and I still can't readily find an Ultrabook that fully supports eDrive, TPM 2.0, and Connected Standby. Why is this taking so long to come to market?