GoNz0
2 Iron

XPS 9560 NVMe hardware encryption support

When will you release a BIOS that supports this as Samsung has implemented this but needs laptop makers to update the BIOS to support this.

0 Kudos
5 Replies
jphughan
5 Rhenium

Re: XPS 9560 NVMe hardware encryption support

Don't hold your breath.  NVMe has been here for a while now and Dell has an official KB article specifically saying it isn't supported, with no mention of any plans to implement it in the future.  That said, I just had a nasty experience helping a friend who had enabled Samsung's encryption.  Not sure if it was Samsung specifically or Dell's firmware, but basically my friend had a Latitude E7440 and he enabled the HDD password to activate Class 0 encryption on his Samsung 850 Evo.  His laptop died, so I installed his SSD into my own laptop (an XPS 15 9530) in order to capture an image backup of his hard drive.  As expected, we saw the HDD password prompt.  He typed the password, and it didn't work.  We tried multiple times, including using an external keyboard, and nothing worked.  I ended up having to find another Latitude E7440 for the password to be accepted.  That was not my understanding of how HDD passwords worked, but he was just lucky I knew someone who had an E7440 that was willing to let me borrow it for this purpose.

All that to say, consider using BitLocker encryption.  Yes, it's software-based, but CPUs for a decade now have had built-in hardware acceleration for AES operations, so even at NVMe speeds, encryption does not introduce a bottleneck -- and there are FAR more options for recovery from other systems, including when installing a drive in an external enclosure, which isn't possible when the drive is protected by an HDD password.
0 Kudos
ThomasXPS15
2 Bronze

Re: XPS 9560 NVMe hardware encryption support

Hello,

 

I have also tried to enable hardware encryption for my new EVO 970 on the brand new XPS 15 9570. What I have done so far:

- change bios setting for storage controller mode from RAID to AHCI to use Microsofts default MVME drivers (after changing this setting you need to reboot with safe settings into Windows 10,  than it will start again without the "Boot device inaccessable" error message)

- EVO 970 made edrive activated (using Samsung Magician, secure erase..), fresh windows installation... -> edrive is acitvated

- try to activate Bitlocker but Hardware encryption is not used. I get following message in the event viewer for Bitlocker: "BitLocker failed to initialize hardware encryption for volume C:. This PC's firmware is not capable of supporting hardware encryption."

- activation of Bitlocker on a non-boot partition on the same EVO 970 drive uses Hardware encryption!

 

-> It seems, that DELL does not have BIOS support for eDrive for NVME as boot drives.

 

Dell: Will are you working on this? When will be get a BIOS update allowing us to use eDrive for NVME boot devices?)

 

Microsoft's documentation says, that following is required do activate eDrive on startup devices:

 

  • The drive must be in an uninitialized state.
  • The drive must be in a security inactive state.
  • The computer must be UEFI 2.3.1 based and have the EFI_STORAGE_SECURITY_COMMAND_PROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive).
  • The computer must have the Compatibility Support Module (CSM) disabled in UEFI.
  • The computer must always boot natively from UEFI.

 

I think the problem is 

  • The computer must be UEFI 2.3.1 based and have the EFI_STORAGE_SECURITY_COMMAND_PROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive).

 

Hopefully this will work in the future.

 

Regards,

Thomas.

0 Kudos
ThomasXPS15
2 Bronze

Re: XPS 9560 NVMe hardware encryption support

Hello,

 

My XPS 15 9570 is now e-drive hardware encrypted. This is now possible. I think it was BIOS update 1.5.0 which allows this. I am using a EVO 970 2TB SSD as already described in my previous post.

 

Great!

Regards,

Thomas.

0 Kudos
samos1111
3 Zinc

Re: XPS 9560 NVMe hardware encryption support

Techcrunch: "Security researchers have busted the encryption in several popular Crucial and Samsung SSDs"

0 Kudos
jphughan
5 Rhenium

Re: XPS 9560 NVMe hardware encryption support


@ThomasXPS15 wrote:

Hello,

 

My XPS 15 9570 is now e-drive hardware encrypted. This is now possible. I think it was BIOS update 1.5.0 which allows this. I am using a EVO 970 2TB SSD as already described in my previous post.

 

Great!

Regards,

Thomas.


@ThomasXPS15, eDrive was always available, as was TCG/OPAL.  The hardware encryption mechanism that wasn't and still isn't available is Class 0, which is based on the HDD password -- because Dell systems don't support specifying an HDD password on NVMe SSDs.  However, as the person who posted above me just referenced, some security researchers who looked at a few of these SSDs found that their encryption is basically useless, so you might want to rethink using it.  Granted, they only tested older Samsung SSDs, but on the other hand they found massive problems with 100% of the SSDs they looked at, which doesn't really bode well.  But more to the point, even if hardware encryption worked properly, there is no real benefit to using it.  Software encryption in conjunction with CPU acceleration of AES encryption, which has been available for over a decade now, is fast enough not to create a performance overhead even when using modern NVMe SSDs.  The only possible exception I can see would be dual boot systems where using hardware encryption could allow you to encrypt the entire drive under a single scheme, or if you're running an OS that doesn't have any software encryption solutions available, but even Win10 Home that doesn't have BitLocker has VeraCrypt available, and VeraCrypt is free, open source, and has been successfully audited by actual security experts.

0 Kudos