Windows 8 and 8.1 Forums


Bitlocker, Windows 8 and self encrypting drives

  1. #1


    Posts : 5
    Windows 8 Pro



    Hi - I notice there are some good tutorials about Bitlocker on here and I wondered if anyone could help me.

    I am trying to install a Seagate Constellation.2 self-encrypting drive with Windows 8 for use with Bitlocker. Several articles that I've read imply that Bitlocker will recognise the SED.


    There's no problem with the installation but there is no indication that Bitlocker sees the SED as anything other than a normal drive (should there be?). If I try to encrypt the full drive with Bitlocker, it's obvious, from the time it takes, that it is software encrypting it and not just switching the encryption interface on.


    The MS Bitlocker page itself says it works with 'encrypted hard drives' and points out that this is not the same as SED, but I'm not sure what that means (it seems to be more to do with deployment of drives that are already encrypted).

    Any idea what's going on?


  2. #2


    Posts : 1,925
    Windows 8.1 Pro


    My understanding is that Bitlocker will just use the hardware encryption if it's present, unless you have specifically disabled it in group policy. The default group policy setting is to use hardware encryption, and fall back to software.

    You can see this by opening the group policy editor (gpedit.msc) and navigating to Computer Configuration/Administrative Templates/Windows Components/Bitlocker Drive Encryption/Fixed Data Drives, and in the right-hand pane choosing "Configure use of hardware-based encryption for fixed data drives".

    One thing to note is that it says this:

    "If you do not configure this policy setting, BitLocker will use hardware-based encryption with the encryption algorithm set for the drive. If hardware-based encryption is not available BitLocker software-based encryption will be used instead."

    I can't seem to find any way to disable encryption, so it seems to me that this feature is simply transparent.

    I don't know if you're using a TPM or not, but I can't find any info on whether or not a TPM is required for use with an SED. But it's possible that may be.

    FYI, that comment in the docs about a difference between an EHD and SED, it's BS. All enterprise drives are now TCG compliant, so it's not a big deal. What they're talking about are those self-encrypting USB sticks that were out a few years ago. You don't really have to worry about those anymore, and SED is really the term that has come into common use; EHD never quite caught on.

  3. #3


    Posts : 5
    Windows 8 Pro


    Thanks for that. It has made things a lot clearer. But, as usual with these things, made it more difficult.

    I think you're right about probably needing TPM - this does not seem to be stated anywhere, but is implied in a couple of other places. Unfortunately none of my motherboards have TPM, so I will either have to get a new motherboard or a TPM module (not much cheaper) to fit an existing board, just to check.

    I thought about putting the drive in a brand new Novatech laptop I have (although I note that the Constellation is rather thick and probably won't fit), so checked the BIOS for TPM but found UEFI Secureboot, which I think is completely different (but possibly complementary) and just seems to make life even more complicated. I assume Bitlocker wants TPM. But maybe it works with Secureboot. I would have to go to a lot of trouble reinstalling and setting it up on the laptop and am worried that at some point the drive will give up and lock itself.

    I find it truly bizarre (but in keeping with IT practice) that SEDs are not just de facto standard drives and that it's not easy to set up.

    I'll have to take this to its illogical conclusion, so I'll sort out checking it with TPM and post back the results. Then I guess I'll have to try and work out what I have to do to make it work with laptops that do and don't have TPM.

    ADDENDA1 - I just picked up a message from the MS technet forum which says that this only works with OPAL2 compliant drives, which the Constellation.2 is not. The thread is here... BitLocker with Self Encrypting Drives

    ADDENDA2 (19/7/13) - I got this working with an MSI board and an OPAL2 drive in case you're interested. The thread is here... BitLocker with Self Encrypting Drives


    Thanks again for your help
    Last edited by trivelino; 19 Jul 2013 at 06:34. Reason: update

  4. #4


    Posts : 1
    Windows 8


    Hi -- Anyone with BitLocker (Windows 8) experience, please help me out with any recommendations if you can. . . .
    I want to turn on BitLocker without TPM, but before doing that, I need to understand what happens when you suspend BitLocker temporarily to download a Windows update, but--as sometimes unexpectedly happens with a large update--the Windows update makes a couple of restarts? Would the restarts trigger a BitLocker recovery or other action that would screw-up or stop the download? And what about defragging? Do you simply stop defragging drives that utilize BitLocker? Any thoughts would be appreciated.

  5. #5


    Posts : 5
    Windows 8 Pro


    Um, this thread was really to do with self-encrypting drives.

    Having said that, if you google Bitlocker and defrag, there seem to be a lot of posts saying it will work OK.

    WRT windows updates under suspend and restarts, this seems to apply... Suspend-BitLocker

  6. #6


    Originally posted by trivelino:
    "I thought about putting the drive in a brand new Novatech laptop I have (although I note that the Constellation is rather thick and probably won't fit), so checked the BIOS for TPM but found UEFI Secureboot, which I think is completely different (but possibly complementary) and just seems to make life even more complicated. I assume Bitlocker wants TPM. But maybe it works with Secureboot. I would have to go to a lot of trouble reinstalling and setting it up on the laptop and am worried that at some point the drive will give up and lock itself."

    BitLocker (W8) does work with UEFI Secureboot, quote from the link:
    "To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled."

  7. #7


    Posts : 5
    Windows 8 Pro


    CR00zng:
    Thanks for that information. If you look further up the list, you'll find that I've managed to do what I was trying to.

    The language used in that bit of the MS FAQ is typically confusing for someone without specific knowledge. I assume it's talking about the instruction set for SEDs because it doesn't make much sense otherwise. For someone like me trying to build a system, it takes you off on meandering paths that have no relevance. On the other hand, the FAQ as a whole is very helpful.

    I was confused about TPM and Secure Boot to begin with, but, since I've had to write a short description of security issues to people who have little technical knowledge, I've come to understand them better. While interesting, they are not particularly relevant to what I am trying to achieve - my concern was that they might have to be present (however illogical that may seem) for Bitlocker to work with the SEDs.

    The problem with buying motherboards and laptops for this, is that they don't specify the level of UEFI compliance. Often, the documentation/information just mentions the existence of UEFI and says no more, or only in connection with something like dual-booting, leaving one wondering exactly what they do comply with. The only specification that I found I could tentatively rely on was that the boards/laptops must be Windows 8 certified.

  8. #8


    Posts : 1,925
    Windows 8.1 Pro


    I'm glad you got this working. I also found this article on Anandtech where he gets SED working with an m500, and apparently you have to make sure everything is configured correctly along the security chain, or it just silently doesn't work. That means your UEFI must have CSM disabled, and it must meet minimum requirements, etc.

    AnandTech | Hardware Accelerated BitLocker Encryption: Microsoft Windows 8 eDrive Investigated with Crucial M500

    And yeah, Opal 2 is required.
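A way to check for the silent software fallback described in posts #1 and #8, as an added example that is not part of any poster's message: this PowerShell function reports, per volume, whether BitLocker is using the drive's hardware encryption, alongside the firmware, TPM and policy state the thread discusses. It assumes an elevated session on Windows 8 or later; the function name `Get-BitLockerHardwareReport` is hypothetical.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session
# on Windows 8 / Server 2012 or later (BitLocker module required).
function Get-BitLockerHardwareReport {   # hypothetical helper name
    # Firmware: Confirm-SecureBootUEFI raises an error on legacy BIOS/CSM
    # boots, so an exception is reported as "not confirmed UEFI".
    try {
        $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
        $firmware   = 'UEFI'
    } catch {
        $secureBoot = $false
        $firmware   = 'Legacy/CSM or not confirmed'
    }

    # Policy from post #2 (Fixed Data Drives > Configure use of hardware-based
    # encryption), as stored by the BitLocker administrative template.
    # A missing value means the policy is "Not Configured".
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $policy = if ($null -eq $fve -or $null -eq $fve.FDVHardwareEncryption) {
        'NotConfigured'
    } elseif ($fve.FDVHardwareEncryption -eq 1) { 'Enabled' } else { 'Disabled' }

    # TPM presence is reported for information only.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    Get-BitLockerVolume | ForEach-Object {
        # 'HardwareEncryption' means the drive itself is doing the encryption.
        $hw = "$($_.EncryptionMethod)" -eq 'HardwareEncryption'
        [pscustomobject]@{
            MountPoint        = $_.MountPoint
            VolumeType        = $_.VolumeType
            VolumeStatus      = $_.VolumeStatus
            EncryptionMethod  = $_.EncryptionMethod
            UsesHardware      = $hw
            # Fully encrypted, but by software AES rather than the drive:
            # on a self-encrypting drive this is the case from post #1.
            SoftwareEncrypted = ($_.VolumeStatus -eq 'FullyEncrypted') -and -not $hw
            Firmware          = $firmware
            SecureBoot        = $secureBoot
            TpmPresent        = [bool]($tpm -and $tpm.TpmPresent)
            FdvHwPolicy       = $policy
        }
    }
}

Get-BitLockerHardwareReport | Format-Table -AutoSize
```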

  9. #9


    Posts : 5
    Windows 8 Pro


    Thanks. All extra information about this is useful. I can't remember off-hand if I actually disabled CSM when I installed (I think the board offers both or either - the manual says nothing about it), so I'll check. I think I may also try moving the drive and make sure the data is unreadable.
