Adding "EFI storage security command protocol" possible?

Hello, I want to use a Samsung 990 Pro NVMe drive with Bitlocker hardware-based encryption (eDrive standard) on a Z77 system. I found detailed guides on how to enable it on modern systems, but it doesn’t work on mine. Samsung Magician detects the drive but doesn’t offer the encryption and ‘PSID revert’ functions. I read that the BIOS has to be at least UEFI 2.3.1 and have the EFI_STORAGE_SECURITY_COMMAND_PROTOCOL.

As far as I found out, the UEFI version of my Asrock Z77 Extreme4 should be recent enough but it probably doesn’t have the security command protocol (I don’t know how to check for it).
Is it possible to add this function? How?

For you to examine, I attach a modded version of the latest BIOS (3.00) with the latest microcode and other updates and the NVMe option ROM from the forum. Also an older beta BIOS (2.90) with OEM NVMe drivers from Asrock - this BIOS I also modded with the latest microcode and other updates. Both work fine with a normal Windows 11 install on the NVMe.

mod_AsrockZ77Extreme4_BIOS.zip (8.6 MB)

The advantage of the hardware based approach over software Bitlocker is said to be a much higher IOPS speed. The Samsung 990 Pro is one of the few consumer drives which support the necessary eDrive IEEE-1667 standard (as TCG Opal alone isn’t sufficient for Bitlocker) but it is quite difficult and laborious to enable, even on modern systems. Here’s a guide if someone is interested in the further steps:

Thanks!
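One way to approach the "I don’t know how to check for it" part from the image file itself, as an added example that is not part of the original post: a small Python script that searches a BIOS dump for the protocol GUID in its EFI_GUID byte layout (the first three fields are stored little-endian, so the text form cannot simply be hex-decoded). It assumes the GUID value published for EFI_STORAGE_SECURITY_COMMAND_PROTOCOL in the UEFI specification / EDK2 headers, and a firmware image whose volumes have already been decompressed (e.g. extracted with UEFITool), since the bytes are invisible inside compressed volumes.

```python
import re
import sys
import uuid

# GUID of EFI_STORAGE_SECURITY_COMMAND_PROTOCOL (UEFI spec / EDK2 MdePkg
# gEfiStorageSecurityCommandProtocolGuid); verify against your spec copy.
STORAGE_SECURITY_CMD_GUID = "C88B0B6D-0DFC-49A7-9CB4-49074B4C3A78"


def guid_to_bytes(guid_str: str) -> bytes:
    """Return the 16-byte in-image layout of an EFI_GUID.

    EFI_GUID stores Data1 (32-bit), Data2 and Data3 (16-bit) little-endian
    and the trailing 8 bytes as-is; uuid.bytes_le produces exactly that.
    """
    return uuid.UUID(guid_str).bytes_le


def find_guid(image: bytes, guid_str: str) -> list:
    """Return every byte offset at which the GUID occurs in the image."""
    needle = guid_to_bytes(guid_str)
    return [m.start() for m in re.finditer(re.escape(needle), image)]


def has_storage_security_protocol(image: bytes) -> bool:
    """True if some module in the image references the protocol GUID.

    A hit only shows that a driver produces or consumes the protocol; whether
    it is actually installed at boot still has to be confirmed on the running
    firmware. No hit on a decompressed image is a strong sign it is absent.
    """
    return bool(find_guid(image, STORAGE_SECURITY_CMD_GUID))


# Constructed sample images (not real firmware): one embeds the GUID in the
# correct EFI_GUID layout, the other only in naive text-order bytes.
SAMPLE_WITH_GUID = b"\x00" * 32 + guid_to_bytes(STORAGE_SECURITY_CMD_GUID) + b"\xff" * 16
SAMPLE_TEXT_ORDER = b"\x00" * 32 + bytes.fromhex(STORAGE_SECURITY_CMD_GUID.replace("-", "")) + b"\xff" * 16

if __name__ == "__main__":
    # Usage: python check_ssc.py <decompressed_bios_image.bin>
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    hits = find_guid(data, STORAGE_SECURITY_CMD_GUID)
    print(f"{len(hits)} occurrence(s) at offsets {[hex(h) for h in hits]}")
```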

I don’t recommend using hardware encryption. Hardware encryption is disabled by default by Microsoft. And there’s a reason for that.

Microsoft is confident in the security of Bitlocker, but only the disk vendor knows how well the encryption is implemented in the firmware.

For example, Crucial did not protect the encryption key using the user’s password at all. They kept the encryption key unprotected, and the firmware only compared the entered password with the saved one. An attacker with physical access and the appropriate skills could simply read the encryption key by bypassing the controller.

Yes, they fixed their firmware. But where is the guarantee that they fixed this in all products? How many more stupid vulnerabilities like this will they make in the future?

Hysteria about “Bitlocker Slows SSDs Up to 45%” started from here. These guys say “Hardware encryption is faster than no encryption, strange, but multiple tests show this.” Doesn’t it occur to them that if the calculator shows that 2*2=5, it’s because the calculator is broken, and not the math? But they don’t even try to explain the absurd result with the speed of hardware encryption, they accept it as truth and move on. What’s also funny is that they are trying to extrapolate the results to slow business laptops. Great, so why not test them then? I’m not even talking about the many minor software inaccuracies in this article. For example, in this text, there are false statements in every sentence:


Thanks, I didn’t know that article. I just saw benchmarks in other forums from a few users which showed the IOPS impact.
I know the big questions with the encryption method are, whom to trust and security vs. speed. Some don’t even trust Bitlocker at all and use Veracrypt, which is open source and relies on code that was audited, but it has an enormous performance impact on SSDs because of the specific implementation in Veracrypt (there’s a long discussion about that on their Github repository). Other software-based solutions like DiskCryptor or dm-crypt are much faster, but there’s still some performance impact. I think it’s reasonable to expect that software Bitlocker also has such a performance impact.
I hope that Samsung has learned from the flaws in their first SSDs back then and has a secure hardware-based implementation by now. I think disk encryption has become a bigger topic as those SSDs are marketed for professional use for business clients who have to fulfill requirements of the GDPR etc. so I would expect that they put in more work to get it right. However, with closed source and no independent audit both software Bitlocker and Samsung’s hardware encryption look rather sketchy. For my use case I’m willing to accept that.
I read a forum post that it’s possible to put the NVMe drive in a different computer to enable the encryption in Samsung Magician and do the PSID revert, and then put it back in the other system to install Windows with hardware Bitlocker. But I’m not sure if that’s really true and I don’t have a suitable system available to test it …

Moreover, I read another forum post that it would be more difficult to access a hardware Bitlocker encrypted drive (vs. a software Bitlocker one) on another PC, e.g. for data recovery after a system failure, but I don’t understand why that would be the case if one has the password and recovery keys. I don’t have a TPM and would only use the password method anyway.

If you have a recovery key, then you are safe in any case. The recovery key will allow you to decrypt the drive even if the TPM is lost/broken.

Using TPM alone has disadvantages: decryption of the disk is done automatically wherever this machine is and whoever starts this machine (as long as the bootup configuration and firmware aren’t changed). So again it’s only the username / password that protects the data!

The recommendation is to use a PIN / password even with TPM!

Yes, because BitLocker is basically not intended for authorization. Authorization is performed by Windows (login screen). Bitlocker protects against offline attacks (boot from LiveCD, etc.).

However, BitLocker can be used for authorization, especially if there is only one user on the machine. I prefer auto-login to Windows and authorization via Bitlocker (20-symbol PIN), because by the time the Windows login screen appears, too many services are already running and this increases the attack surface.