Home News Reviews Forums Shop


Setting Up Drive Encryption With Samsung 960 PRO NVMe SSD

In depth discussions on hard drives, SSDs, RAID setups and network storage systems.

Setting Up Drive Encryption With Samsung 960 PRO NVMe SSD

Postby Ian on Tue Jan 31, 2017 9:48 pm

So you have a Samsung 960 PRO and want to protect your data using drive encryption. While the drive supports AES encryption and is TCG/Opal compliant, Samsung doesn't tell you how to take advantage of these features. With this post, I'm going to walk through the process of setting up secure boot in the BIOS. In the future, I hope to have some information on how to set things like Bitlocker up in Windows. Maybe some benchmarks too.

The motherboard used is a GIGABYTE GA-Z170X-UD3. I'm guessing that the BIOS will be similar for GIGABYTE's other Z170 motherboards but the interface and/or terminology may be different for other vendors.

So again, I'm using a 512GB Samsung 960 PRO. The BIOS sees it as an NVMe device.

BIOS - Peripherals - NVMe.png
BIOS - Peripherals - NVMe.png (492.04 KiB) Viewed 24124 times


To use secure boot, you will need to boot using UEFI. Any sort of legacy or compatibility boot mode will need to be disabled. Same goes for the compatibility support module or CSM.

BIOS - Config - CSM Disabled.png
BIOS - Config - CSM Disabled.png (668.71 KiB) Viewed 24124 times


From there, I went into the Secure Boot menu and enabled "Attempt Secure Boot".

BIOS - Secure Boot - Mode Standard.png
BIOS - Secure Boot - Mode Standard.png (560.18 KiB) Viewed 24124 times


BIOS - Secure Boot - Setup User Mode.png
BIOS - Secure Boot - Setup User Mode.png (586.91 KiB) Viewed 24124 times


I was a little confused at this point as to what else I needed to do but, after a reboot, I went into the Secure Boot menu and found that it was now enabled and there were a number of keys listed.

BIOS - Secure Boot - Enabled.png
BIOS - Secure Boot - Enabled.png (536.12 KiB) Viewed 24124 times


BIOS - Secure Boot - Keys.png
BIOS - Secure Boot - Keys.png (580.8 KiB) Viewed 24124 times


Installing Windows was straightforward and was done (literally) in a matter of minutes thanks to the 960 PRO's ridiculous speeds. Unfortunately, I wasn't able to enable Bitlocker since my computer is lacking a TPM module. I can get around this by creating a USB flash drive, but this will have to wait for a future update.
"Blu-ray is just a bag of hurt." - Steve Jobs
User avatar
Ian
Grand Poobah
 
Posts: 15127
Joined: Sun Apr 08, 2001 2:34 pm
Location: Madison, WI

Re: Setting Up Drive Encryption With Samsung 960 PRO NVMe SS

Postby Ian on Tue Jan 31, 2017 9:48 pm

Once you have Windows installed, you'll want to enable Bitlocker. To take advantage of the hardware encryption, you'll need to use the Pro or Enterprise versions of Windows 8 or 10.

My desktop doesn't have a TPM module, so I had to go open up the group policy editor and enable "Allow Bitlocker without a compatible TPM".

Bitlocker GPO.png
Bitlocker GPO.png (207.52 KiB) Viewed 24017 times


Bitlocker GPO Details.png
Bitlocker GPO Details.png (143.06 KiB) Viewed 24017 times


Once this is done, you can enable Bitlocker on your drive. The screenshot below is pretty self explanatory.

Bitlocker Enable.png
Bitlocker Enable.png (81.4 KiB) Viewed 24017 times


Instead of a TPM module, you can use either a USB flash drive or password. In this case, I chose to use a USB flash drive. This will need to be plugged into a USB port any time you boot the computer.

Bitlocker Setup 1.png
Bitlocker Setup 1.png (13.27 KiB) Viewed 24017 times


Bitlocker Setup 2.png
Bitlocker Setup 2.png (8.82 KiB) Viewed 24017 times


Bitlocker Setup 4.png
Bitlocker Setup 4.png (16.63 KiB) Viewed 24017 times


Bitlocker Setup 5.png
Bitlocker Setup 5.png (17.98 KiB) Viewed 24017 times


When you're done, Bitlocker will reboot your computer and encrypt your drive. In my case, this took only a matter of minutes.

Bitlocker Status.png
Bitlocker Status.png (45.28 KiB) Viewed 24017 times


Benchmarks coming soon..
"Blu-ray is just a bag of hurt." - Steve Jobs
User avatar
Ian
Grand Poobah
 
Posts: 15127
Joined: Sun Apr 08, 2001 2:34 pm
Location: Madison, WI

Re: Setting Up Drive Encryption With Samsung 960 PRO NVMe SS

Postby HowzThat on Sun Feb 05, 2017 1:45 pm

Thanks for this post.

I've been attempting to enable encryption since I acquired my Samsung 960 PRO but still haven't been able to work it out. I've seen many posts on enabling native disk encryption and as such I've Secure Erased the 960 Pro then configured my UEFI/BIOS with UEFI only (no legacy support), ENABLED Secure Boot, DISABLED Compatibility Boot Support, ENABLED ACHI etc... but still can't seem to work out if encryption is actually being used after using with these settings.
Samsung Magician software (v5) doesn't include any kind of indication as far as I can see and attempting to use Bitlocker after this setup also doesn't seem to recognise hardware full disk encryption is available - it always asks for software encryption.
I also tried just deleting the Secure Boot keys (after backing them up) and was able to boot back into Windows.... so guessing no encryption had really been enabled.

So my question is how do you actually know it using encryption/has been enabled post install?
HowzThat
Buffer Underrun
 
Posts: 2
Joined: Sun Feb 05, 2017 1:35 pm

Re: Setting Up Drive Encryption With Samsung 960 PRO NVMe SS

Postby Ian on Mon Feb 06, 2017 11:22 pm

HowzThat wrote:Thanks for this post.

I've been attempting to enable encryption since I acquired my Samsung 960 PRO but still haven't been able to work it out. I've seen many posts on enabling native disk encryption and as such I've Secure Erased the 960 Pro then configured my UEFI/BIOS with UEFI only (no legacy support), ENABLED Secure Boot, DISABLED Compatibility Boot Support, ENABLED ACHI etc... but still can't seem to work out if encryption is actually being used after using with these settings.
Samsung Magician software (v5) doesn't include any kind of indication as far as I can see and attempting to use Bitlocker after this setup also doesn't seem to recognise hardware full disk encryption is available - it always asks for software encryption.
I also tried just deleting the Secure Boot keys (after backing them up) and was able to boot back into Windows.... so guessing no encryption had really been enabled.

So my question is how do you actually know it using encryption/has been enabled post install?


I hear you. That's one of the things I miss with the new Magician software. There's nothing there regarding encryption. One thing you can try is open a command prompt as an administrator and type this: "manage-bde -status c:" That will type you the encryption method.

I forgot to run that command while playing around with Bitlocker but considering how quickly it encrypted my drive and how well it performed afterwards, I'd like to think it was working.
"Blu-ray is just a bag of hurt." - Steve Jobs
User avatar
Ian
Grand Poobah
 
Posts: 15127
Joined: Sun Apr 08, 2001 2:34 pm
Location: Madison, WI

Re: Setting Up Drive Encryption With Samsung 960 PRO NVMe SS

Postby Ian on Mon Feb 06, 2017 11:51 pm

Okay, it looks like mine was encypting with software too. I'll have to look into this more.
"Blu-ray is just a bag of hurt." - Steve Jobs
User avatar
Ian
Grand Poobah
 
Posts: 15127
Joined: Sun Apr 08, 2001 2:34 pm
Location: Madison, WI

Re: Setting Up Drive Encryption With Samsung 960 PRO NVMe SS

Postby HowzThat on Tue Feb 07, 2017 4:25 am

Well glad to have someone else on-board trying to solve this...

What I've found out so far is the Secure Boot method is not going to work until Samsung update the firmware of the 960 to support IEEE1667 (Microsoft's eDrive).
Apparently it doesn't support it yet at as per TomsHardware review: http://www.tomshardware.com/reviews/sam ... ,4774.html.

So the only option I see is to enable SED via some kind of TCG Opal security management s/w.
I'm still looking for something that: 1) recognises the 960 Pro, 2) allows me to Enable SED (as the old Magician software did) through OPAL.

I just love the way Samsung sell the product with "Advanced Data Protection" but don't provide the software to enable it easily :-)
HowzThat
Buffer Underrun
 
Posts: 2
Joined: Sun Feb 05, 2017 1:35 pm


Return to Hard Drives and Solid State Drives (SSD)

Who is online

Users browsing this forum: No registered users and 2 guests

All Content is Copyright (c) 2001-2024 CDRLabs Inc.