Encrypting Samsung SSDs with Bitlocker (or other software)

My desktop PC has an 840 Evo SSD, which was my original boot drive, and a 960 Evo SSD, my current boot drive. Before I bought the 960 Evo, I was thinking of encrypting my 840 Evo drive until I found an article, explaining that Samsung had screwed up the implementation of the built-in opal encryption on those drives. Hackers could break the encryption easily. In addition, if you encrypted the drive with Bitlocker, it would simply default to the opal encryption, and you would end up with an insecurely encrypted drive.

Does anyone know if later Samsung SSDs have this same issue? - I am particularly asking about 960 Evo.

This article mentions the issue I am referring to with 840 Evo SSDs and encryption https://www.tomshardware.com/news/crucial-samsung-ssd-encryption-bypassed,38025.html

When I mentioned Opal encryption before, I am just talking about the built-in hardware encryption. I honestly don't know if Opal is security software, an encryption standard, or what.

The 960 EVO is claiming compliance with a TCG Opal specification:

Source (Samsung itself): Samsung_SSD_960_EVO_Data_Sheet_Rev_1_2.pdf

User report that Windows does not recognize the drive as being Opal compliant, but Linux does: Solved: SSD 960 EVO not TCG/Opal Compliant? - Samsung Community - 746506

Dry material, but the TCG Opal Standard here (from TCG itself): TCG Storage Security Subsystem Class: Opal (trustedcomputinggroup.org)

Enabling BitLocker is not a perfect solution: (IEEE paper on how BitLocker will cede to the drive's built-in encryption mechanism: 310.pdf (ieee-security.org)

On the one hand, the drives that were reverse engineered were from 2014 to 2018. The Opal standard continues to be modified. Keep your SSD firmware as up-to-date as possible.

I don't think we can say that Opal is "bad." It is an evolving standard, by a neutral party, and offers a better guarantee than no guarantee and no standard at all. But, it just goes to show that no solution is perfect.

Here is a link from a Western Digital drive where they specifically released a firmware update to address such a situation: WDC-19006 SanDisk X600 SATA SED SSD | Western Digital

The good news is that Windows 10 (and Windows 11) no longer trusts hardware encryption and uses software encryption https://www.pcworld.com/article/398130/bitlocker-windows-built-in-encryption-tool-no-longer-trusts-your-ssds-hardware-protection.html

Thanks for the responses. I think the specific issue with the 840 Evo and some of the other drives was that you could either read the drive's password in plaintext, or bypass it with a default password - I read up on it a long time ago. Seems like something that Samsung would have fixed in later drives, but never saw any confirmation.

I would only be interested in doing hardware encryption, because there is no performance loss. What confuses me is how to encrypt your boot drive, since I think the drive has to be un-initialized for the hardware encryption to be enabled. Link for reference https://docs.microsoft.com/en-us/windows/security/information-protection/encrypted-hard-drive

Edited by yu gnomi, 05 May 2022 - 11:09 PM.

Based on these instructions, you would need to clean install Windows. If you are concerned about performance for software encryption, keep in mind that the impact would be minimal on modern CPUs as they have AES instructions

Edited by Chiragroop, 06 May 2022 - 05:39 PM.

If you look at the data in the Anandtech article linked in the article you posted, I wouldn't call the performance hit "minimal." (-13.9 % performance on Raw System Storage, vs -1.2% for Encrypted Drive and -29% performance on Random Write, vs -0.7% for Encrypted Drive)

I guess to do what I want, I need to create installation media, use Samsung Magician to enable Encrypted Drive, and then boot to installation media to format drive and install Windows. Not something that I'm going to do this weekend, maybe next weekend.

The good news is that Windows 10 (and Windows 11) no longer trusts hardware encryption and uses software encryption https://www.pcworld.com/article/398130/bitlocker-windows-built-in-encryption-tool-no-longer-trusts-your-ssds-hardware-protection.html