[Solved] BitLocker, Windows 8 and self-encrypting drives

trivelino (New Member, 5 messages)
Hi - I notice there are some good tutorials about Bitlocker on here and I wondered if anyone could help me.

I am trying to install a Seagate Constellation.2 self-encrypting drive with Windows 8 for use with Bitlocker. Several articles that I've read imply that Bitlocker will recognise the SED.


There's no problem with the installation but there is no indication that Bitlocker sees the SED as anything other than a normal drive (should there be?). If I try to encrypt the full drive with Bitlocker, it's obvious, from the time it takes, that it is software encrypting it and not just switching the encryption interface on.


The MS Bitlocker page itself says it works with 'encrypted hard drives' and points out that this is not the same as SED, but I'm not sure what that means (it seems to be more to do with deployment of drives that are already encrypted).

Any idea what's going on?
 

My Computer

System One

  • OS
    Windows 8 Pro
    Computer type
    PC/Desktop
My understanding is that Bitlocker will just use the hardware encryption if it's present, unless you have specifically disabled it in group policy. The default group policy setting is to use hardware encryption, and fall back to software.

You can see this by opening the group policy editor (gpedit.msc) and navigating to Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption/Fixed Data Drives; in the right-hand pane choose "Configure use of hardware-based encryption for fixed data drives".

One thing to note is that it says this:

"If you do not configure this policy setting, BitLocker will use hardware-based encryption with the encryption algorithm set for the drive. If hardware-based encryption is not available BitLocker software-based encryption will be used instead."

I can't seem to find any way to disable encryption, so it seems to me that this feature is simply transparent.

I don't know if you're using a TPM or not, but I can't find any info on whether or not a TPM is required for use with an SED. But it's possible that it may be.

FYI, that comment in the docs about a difference between an EHD and SED is BS. All enterprise drives are now TCG compliant, so it's not a big deal. What they're talking about are those self-encrypting USB sticks that were out a few years ago. You don't really have to worry about those anymore, and SED is really the term that has come into common use; EHD never quite caught on.
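An added PowerShell check, not from this thread, that answers the "should there be any indication?" question above: it reports, per volume, whether BitLocker handed the encryption to the drive or fell back to software AES, and reads the registry value behind the group-policy setting described in this post. The cmdlets are the built-in BitLocker module (Windows 8 and later); the registry value name FDVHardwareEncryption is assumed from the BitLocker policy reference.

```powershell
# Added example: report, per BitLocker volume, whether the drive's own hardware
# encryption (eDrive/OPAL 2) or software AES is in use, plus the policy state.
function Get-BitLockerEncryptionMode {
    [CmdletBinding()]
    param()

    # Registry backing of "Configure use of hardware-based encryption for fixed
    # data drives". Value name is assumed from the BitLocker policy reference:
    # 1 = Enabled, 0 = Disabled, absent = Not Configured (hardware if available,
    # otherwise software, exactly as the policy text quoted above says).
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $policy = Get-ItemProperty -Path $policyPath -Name 'FDVHardwareEncryption' `
                               -ErrorAction SilentlyContinue
    $policyState = if ($null -eq $policy) { 'Not configured' }
                   elseif ($policy.FDVHardwareEncryption -eq 1) { 'Enabled' }
                   else { 'Disabled' }

    foreach ($vol in Get-BitLockerVolume) {
        # EncryptionMethod is 'Hardware' only when BitLocker handed the crypto
        # to the drive; an AES value after a long-running encryption means it
        # fell back to software, which is what the original poster observed.
        $method = $vol.EncryptionMethod.ToString()
        $mode = switch ($method) {
            'Hardware' { 'Hardware (SED is doing the encryption)' }
            'None'     { 'Not encrypted' }
            default    { "Software ($method)" }
        }
        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeType        = $vol.VolumeType
            ProtectionStatus  = $vol.ProtectionStatus
            EncryptionMode    = $mode
            HardwareEncPolicy = $policyState
        }
    }
}

Get-BitLockerEncryptionMode | Format-Table -AutoSize
```

The same fact is visible in `manage-bde -status`, which prints "Encryption Method: Hardware Encryption" for a volume where the SED is in use.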
 

Thanks for that. It has made things a lot clearer. But, as usual with these things, made it more difficult.

I think you're right about probably needing TPM - this does not seem to be stated anywhere, but is implied in a couple of other places. Unfortunately none of my motherboards have TPM, so I will either have to get a new motherboard or a TPM module (not much cheaper) to fit an existing board, just to check.

I thought about putting the drive in a brand new Novatech laptop I have (although I note that the Constellation is rather thick and probably won't fit), so checked the BIOS for TPM but found UEFI Secureboot, which I think is completely different (but possibly complementary) and just seems to make life even more complicated. I assume Bitlocker wants TPM. But maybe it works with Secureboot. I would have to go to a lot of trouble reinstalling and setting it up on the laptop and am worried that at some point the drive will give up and lock itself.

I find it truly bizarre (but in keeping with IT practice) that SEDs are not just de facto standard drives and that it's not easy to set up.

I'll have to take this to its illogical conclusion, so I'll sort out checking it with TPM and post back the results. Then I guess I'll have to try and work out what I have to do to make it work with laptops that do and don't have TPM.

ADDENDUM 1 - I just picked up a message from the MS technet forum which says that this only works with OPAL2 compliant drives, which the Constellation.2 is not. The thread is here... BitLocker with Self Encrypting Drives

ADDENDUM 2 (19/7/13) - I got this working with an MSI board and an OPAL2 drive in case you're interested. The thread is here... BitLocker with Self Encrypting Drives


Thanks again for your help
 
Hi -- Anyone with BitLocker (Windows 8) experience, please help me out with any recommendations if you can. . . .
I want to turn on BitLocker without TPM, but before doing that, I need to understand what happens when you suspend BitLocker temporarily to download a Windows update, but--as sometimes unexpectedly happens with a large update--the Windows update makes a couple of restarts? Would the restarts trigger a BitLocker recovery or other action that would screw up or stop the download? And what about defragging? Do you simply stop defragging drives that utilize BitLocker? Any thoughts would be appreciated.
 

Um, this thread was really to do with self-encrypting drives.

Having said that, if you google Bitlocker and defrag, there seem to be a lot of posts saying it will work OK.

WRT Windows updates under suspend and restarts, this seems to apply... Suspend-BitLocker
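An added PowerShell helper, not from this thread, for the suspend-across-restarts question asked above: Suspend-BitLocker's -RebootCount keeps protection suspended for a fixed number of restarts and then BitLocker re-enables itself, so an update that reboots twice does not drop into recovery. The function name and its defaults are mine; the cmdlets are the built-in BitLocker module.

```powershell
# Added example: suspend BitLocker on the OS volume for a maintenance window that
# is expected to reboot a known number of times, instead of suspending it
# indefinitely (-RebootCount 0) and forgetting to turn it back on.
function Suspend-BitLockerForUpdate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$MountPoint = $env:SystemDrive,
        # Suspend-BitLocker accepts 0..15; 0 means "until resumed manually".
        [ValidateRange(1, 15)][int]$ExpectedRestarts = 2
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "$MountPoint protection is '$($vol.ProtectionStatus)'; nothing to suspend."
        return $vol
    }

    # Suspending does not decrypt: the data stays encrypted, but the volume key is
    # stored in the clear so the pre-boot TPM/PIN check cannot force recovery while
    # the updater restarts. BitLocker resumes itself after $ExpectedRestarts boots.
    if ($PSCmdlet.ShouldProcess($MountPoint, "Suspend BitLocker for $ExpectedRestarts restart(s)")) {
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount $ExpectedRestarts | Out-Null
    }
    Get-BitLockerVolume -MountPoint $MountPoint   # ProtectionStatus should now read Off
}

Suspend-BitLockerForUpdate -ExpectedRestarts 2
```

Once the update has finished, `Resume-BitLocker -MountPoint $env:SystemDrive` turns protection back on early rather than waiting for the remaining reboots.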
 

I thought about putting the drive in a brand new Novatech laptop I have (although I note that the Constellation is rather thick and probably won't fit), so checked the BIOS for TPM but found UEFI Secureboot, which I think is completely different (but possibly complementary) and just seems to make life even more complicated. I assume Bitlocker wants TPM. But maybe it works with Secureboot. I would have to go to a lot of trouble reinstalling and setting it up on the laptop and am worried that at some point the drive will give up and lock itself.
BitLocker (W8) does work with UEFI Secureboot, quote from the link:
To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.
 

CR00zng:
Thanks for that information. If you look further up the list, you'll find that I've managed to do what I was trying to.

The language used in that bit of the MS FAQ is typically confusing for someone without specific knowledge. I assume it's talking about the instruction set for SEDs because it doesn't make much sense otherwise. For someone like me trying to build a system, it takes you off on meandering paths that have no relevance. On the other hand, the FAQ as a whole is very helpful.

I was confused about TPM and Secure Boot to begin with, but, since I've had to write a short description of security issues to people who have little technical knowledge, I've come to understand them better. While interesting, they are not particularly relevant to what I am trying to achieve - my concern was that they might have to be present (however illogical that may seem) for Bitlocker to work with the SEDs.

The problem with buying motherboards and laptops for this, is that they don't specify the level of UEFI compliance. Often, the documentation/information just mentions the existence of UEFI and says no more, or only in connection with something like dual-booting, leaving one wondering exactly what they do comply with. The only specification that I found I could tentatively rely on was that the boards/laptops must be Windows 8 certified.
 

Thanks. All extra information about this is useful. I can't remember off-hand if I actually disabled CSM when I installed (I think the board offers both or either - the manual says nothing about it), so I'll check. I think I may also try moving the drive and make sure the data is unreadable.
 
