Full Drive Encryption on a Samsung SSD

I recently got a new Samsung 850 Pro SSD (the 256GB version), and after installing it on my computer, I wanted to fully encrypt it.

You see, the newer Samsung SSDs (840 EVO, 850) have support for hardware-accelerated encryption, reducing the encryption overhead from ~15% to almost nothing. However, it appears that the encryption process is barely documented.

After successfully installing Windows 8.1 Pro on my new SSD, I installed Samsung’s proprietary drive management software ‘Samsung Magician’. Through Magician I was able to find a ‘Data Security’ feature, which presented me with several different options for drive encryption.

I was obviously interested in the ‘Encrypted Drive’ option, which is backed by BitLocker on Windows 8.1. I thought that enabling that option would do something like activate the ability to provide hardware-acceleration, which in turn would allow BitLocker to function with no extra overhead.

So I went ahead and enabled it, restarted my computer, and proceeded to enable BitLocker. However, to my surprise, BitLocker prompted me with a couple of different encryption options (namely, partial or full encryption), signifying that it couldn’t detect that the drive had support for hardware-accelerated encryption.

“Where did I go wrong?”, I thought.

I re-launched Magician and checked the Data Security tab to confirm that the Encrypted Drive feature was indeed enabled, and it was. I was confused and clueless, and a quick Google search yielded no helpful results, so I decided to dig a bit deeper into the technical specification documents for this feature, and that’s when I finally saw it.

According to Samsung, I had to perform a ‘Secure Erase’ on my drive before being able to use full drive encryption.

“That should be easy.”, I thought, so I created a bootable USB stick with their Secure Erase software, booted from it, and attempted to erase my drive.

The first few tries weren’t successful, but not because of the software, rather because of my lack of attention. You see, when trying to erase the drive, the software was prompting me with a message stating that it was in a ‘frozen state’ and that I needed to unplug it and re-plug it. So I opened the case of my computer, unplugged the SATA cable, plugged it back in and retried. I had absolutely no success. The software would keep presenting me with the same message over and over again.

And then I noticed…

The prompt was asking me to unplug the SATA power cable, not the data cable (which is what I had been doing for the past 10 minutes). To my relief, unplugging and re-plugging the SATA power cable made the prompt go away, and the software proceeded to successfully erase my drive.

With my drive now erased I promptly proceeded to re-install Windows, but after re-installing Magician, confirming that the Encrypted Drive feature was enabled, and trying to enable BitLocker, I was prompted with the encryption options again.

“Screw this!”, I said, and went to take a shower, giving myself time to empty my brain and think of what could have gone wrong.

The shower didn’t prove of much help, so upon returning to my computer I decided to give Google another try, and to my surprise I actually managed to find a fellow soul on the internet that had the exact same issue as me, and that had also found a solution to it.

It would appear that this particular feature of BitLocker requires Windows to be installed on a UEFI-enabled system, in UEFI ‘mode’.

After reading that, I proceeded to make a new bootable UEFI USB stick containing my Windows 8.1 installer, booting from it in UEFI mode, and installing Windows like I normally would. When the installation finished, I re-downloaded Magician, re-checked encryption was on (it was), and attempted to enable BitLocker.

And it worked!

After specifying my security settings I was presented with a confirmation page which allowed me to ‘Start Encryption’ (instead of the encryption options page I was previously getting). Clicking on the ‘Start Encryption’ button caused Windows to make a weird error-like sound, closed the encryption wizard, and it was done!

In one instant, encryption was enabled, my drive was fully encrypted, and I was finally starting to feel happy.

But being me, I wanted to verify, so I opened PowerShell (yes, PowerShell, people need to stop using cmd), entered ‘manage-bde -status C:’, and to my relief I was prompted with a status log stating that my hard drive was fully encrypted with the encryption method ‘Hardware Encryption –’!

Finally, everything in the world was good and happy again!
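
The verification step above can be scripted. The following is an added example, not part of the original post: it parses the text of 'manage-bde -status' and reports, per volume, whether the encryption method is hardware-backed or software AES. The function name Get-BdeEncryptionSummary, the sample output and the <identifier> placeholder are constructed for illustration, and English-language tool output is assumed.

```powershell
# Added example, not from the original post. Assumes the English-language
# text layout of 'manage-bde -status'; the sample below is constructed.
function Get-BdeEncryptionSummary {
    param([string[]]$StatusLines)
    $current = $null
    foreach ($line in $StatusLines) {
        if ($line -match '^Volume\s+(?<drive>[A-Z]:)') {
            # New volume section, e.g. "Volume C: [Windows]"; emit the previous one
            if ($current) { $current }
            $current = [pscustomobject]@{
                Volume = $Matches.drive; Percentage = $null
                Method = $null; Hardware = $false
            }
        }
        elseif ($current -and $line -match '^\s*Percentage Encrypted:\s*(?<p>\S+)') {
            $current.Percentage = $Matches.p
        }
        elseif ($current -and $line -match '^\s*Encryption Method:\s*(?<m>.+?)\s*$') {
            $current.Method = $Matches.m
            # Hardware-backed volumes report "Hardware Encryption ..." here;
            # software BitLocker reports an AES variant instead.
            $current.Hardware = $Matches.m -like 'Hardware Encryption*'
        }
    }
    if ($current) { $current }
}

# Constructed sample; <identifier> stands in for the value the tool prints.
$sample = @'
Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    Hardware Encryption - <identifier>
    Protection Status:    Protection On

Volume D: [Data]
[Data Volume]

    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128
    Protection Status:    Protection On
'@ -split "`r?`n"

Get-BdeEncryptionSummary -StatusLines $sample | Format-Table -AutoSize
# Live system, elevated prompt:
# Get-BdeEncryptionSummary -StatusLines (manage-bde -status)
```

A volume whose Hardware column is False after following the steps above is being encrypted in software, which is the outcome the post ran into before the Secure Erase and the UEFI-mode install.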

