Setup of Hardware Encryption on Crucial ® SEDs via Bitlocker
Windows® 8.1 and newer support encryption key management of SEDs through BitLocker® (the Microsoft eDrive feature). Before enabling BitLocker hardware encryption, the requirements below must be met (encryption software other than BitLocker might have further or modified requirements). One caveat applies to current systems: since the September 2019 Windows 10 cumulative updates, BitLocker defaults to software encryption on newly encrypted volumes even when the drive is eDrive-capable, a change Microsoft made after independent research in 2018 found weaknesses in the hardware encryption of several SEDs, including earlier Crucial MX models. To obtain hardware encryption on current Windows 10 and 11, the Group Policy setting "Configure use of hardware-based encryption for operating system drives" (Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives) must be enabled before BitLocker is turned on, and the drive should be running its latest firmware.
Please note: the following steps enable hardware encryption using BitLocker on Crucial SEDs that support Microsoft® eDrive. Not all Crucial SEDs support Microsoft eDrive, so confirm that your drive supports this specification before following this guide. If you follow these steps on a drive that does not support eDrive, BitLocker will only enable software encryption, not hardware encryption, and the two look identical in the BitLocker user interface; only manage-bde -status reports "Hardware Encryption" in the hardware case. If you have a Crucial MX500 series or older SED, continue with the steps below. If you have a Crucial M.2 NVMe SED, follow the article Enabling Hardware Encryption for Crucial NVMe® SSDs instead.
Requirements
- TPM Module: BitLocker supports TPM version 1.2 and 2.0 (or newer), and a Microsoft-provided TPM driver must be in use. BitLocker can also work without a TPM, but it then needs a startup key on a USB flash drive (or, with the group policy "Allow BitLocker without a compatible TPM" enabled, a pre-boot password) to unlock the drive. Please contact your system manufacturer if you need help identifying your TPM.
- UEFI 2.3.1 or greater: The host computer must run UEFI 2.3.1 or later and must implement EFI_STORAGE_SECURITY_COMMAND_PROTOCOL. This protocol is how the firmware sends security protocol commands (the TCG Opal commands that carry the authentication key) to the SED and receives its responses during pre-boot. Please contact the manufacturer of your host computer if you are not sure this requirement is met.
- Secure Boot: Secure Boot must be enabled in the system firmware (BIOS/UEFI) settings. Most systems shipped with Windows 8.1 or later have it enabled from the factory. Please contact your system manufacturer for assistance enabling it.
- Opal 2.0 support: The system needs to support the TCG Opal 2.0 security standard. Crucial SEDs implement Opal 2.0 only and are not compatible with Opal 1.0 hosts. Contact your system manufacturer if you need help verifying your system's Opal compliance.
- Microsoft eDrive: A security specification used by Microsoft to enable hardware encryption on SEDs through BitLocker or group policy; it is based on the TCG Opal and IEEE 1667 standards. eDrive support is required on the SED only when hardware encryption is enabled with BitLocker or group policy from within the OS. Third-party solutions may not strictly require this feature to enable hardware encryption.
- UEFI Mode: The host computer must always boot from UEFI. Any "compatibility" or "legacy" boot mode must be disabled, including CSM (Compatibility Support Module). We recommend putting the system in UEFI-only mode before installing the Crucial SED. Contact your system manufacturer for help with these settings.
- Two partitions (one not encrypted): The SSD must have two partitions (drives with Windows installed generally do), and the main partition to be encrypted must be NTFS. The secondary, unencrypted partition needs to be at least 1.5 GB in size. This partition is used for pre-boot authentication and is required for encryption to work.
- Basic Disk: Dynamic disks are not supported by BitLocker. Windows 8 and later installed in UEFI mode configure the drive as a Basic disk with a GPT partition layout, which is required for hardware encryption.
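The requirements above can be checked from Windows before you try to turn BitLocker on. The PowerShell script below is an added example, not Crucial's or Microsoft's tooling; it assumes the Windows volume is C: and must be run from an elevated prompt. The registry value name it reads for the hardware-encryption policy is the one the policy template writes, stated here as an assumption to confirm in gpedit.msc. Whether the SED itself is eDrive-capable is not something Windows exposes before encryption, so that still has to be confirmed against the drive's specification.

```powershell
# Pre-flight check for BitLocker hardware encryption (Microsoft eDrive) on a Crucial SED.
# Added example, not Crucial's or Microsoft's tooling. Run from an elevated PowerShell
# prompt on the target system; assumes the Windows volume is C:.
#Requires -RunAsAdministrator

$checks = [ordered]@{}

# 1. Firmware boot mode. Windows sets firmware_type to 'UEFI' or 'Legacy' (CSM) at boot.
$checks['Booted in UEFI mode (no CSM)'] = ($env:firmware_type -eq 'UEFI')

# 2. Secure Boot. Confirm-SecureBootUEFI throws on legacy-BIOS systems, which also means "no".
try   { $checks['Secure Boot enabled'] = [bool](Confirm-SecureBootUEFI) }
catch { $checks['Secure Boot enabled'] = $false }

# 3. TPM present and ready, plus its spec version (BitLocker wants 1.2 or 2.0).
$tpm = Get-Tpm -ErrorAction SilentlyContinue
$checks['TPM present and ready'] = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
$tpmCim = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm `
                          -ErrorAction SilentlyContinue
$checks['TPM spec version'] = if ($tpmCim) { $tpmCim.SpecVersion } else { 'none' }

# 4. Disk layout: GPT partition table, NTFS OS volume, and a separate (unencrypted) EFI
#    system partition. Dynamic-disk status is not exposed here; check it in Disk Management.
$osPartition = Get-Partition -DriveLetter 'C'
$disk        = Get-Disk -Number $osPartition.DiskNumber
$checks['GPT partition style']           = ($disk.PartitionStyle -eq 'GPT')
$checks['OS volume formatted NTFS']      = ((Get-Volume -DriveLetter 'C').FileSystem -eq 'NTFS')
$checks['Separate EFI system partition'] = [bool](Get-Partition -DiskNumber $disk.Number |
                                                   Where-Object { $_.Type -eq 'System' })

# 5. Windows edition: hardware encryption through BitLocker needs Pro or Enterprise.
$checks['Windows edition'] = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption

# 6. Policy state. Since the September 2019 Windows 10 updates BitLocker encrypts in software
#    unless "Configure use of hardware-based encryption for operating system drives" is enabled.
#    OSHardwareEncryption is the value that policy template writes (assumed; confirm in gpedit.msc).
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$checks['OS drive hardware-encryption policy'] =
    if ($fve -and $null -ne $fve.OSHardwareEncryption) { "OSHardwareEncryption = $($fve.OSHardwareEncryption)" }
    else { 'not configured (BitLocker will default to software encryption)' }

# Print the table; every boolean row must read True before turning BitLocker on.
$checks.GetEnumerator() | ForEach-Object { '{0,-40} {1}' -f $_.Key, $_.Value }
```

A False in the UEFI, Secure Boot or GPT rows means Windows was installed in legacy mode; fixing that requires the UEFI-only firmware settings described under Setup and a clean reinstall, not a setting change after the fact.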
Setup
It is recommended that the host system UEFI be configured to properly accept the SED before physically installing it, as outlined in the example below. Details of the system setup will vary from system to system, as will the names of various functions. However, they are similar enough that a single example should be sufficient. For details on specific UEFI setups, contact your computer's manufacturer.
- Enable Secure Boot. Secure Boot is part of Microsoft's hardware certification requirements for Windows 8 and later, so any computer configured from the factory for Windows 8.1/10/11 (as shown by a Windows 8/10/11 sticker) will already have Secure Boot enabled. If the host system was originally configured for Windows 7 or an earlier operating system, check the firmware settings to ensure that Secure Boot is enabled.
- UEFI Boot Mode/CSM Support. The host computer system must be in UEFI-only mode. Typically the CSM is automatically disabled in UEFI-only mode; however, this should be verified, and the CSM disabled if necessary.
- Install Windows 8.1/10/11. The most straightforward method of implementing hardware encryption is to perform a clean, new installation of the operating system. BitLocker in the Professional and Enterprise editions of Windows 8.x, 10 and 11 supports hardware encryption on SEDs. No special steps are needed for this function; follow the normal OS installation process described by Microsoft. After the OS is installed, proceed to the Enable BitLocker section.
Note: in the firmware boot priority settings, the system must be set to boot from the SSD first; USB or optical drive entries must not precede it.
- System cloning. Because Crucial SEDs support eDrive, activating BitLocker creates special partitions (Opal locking ranges, or "bands") on the drive, which are required to put the eDrive features into effect. When an eDrive-activated SSD is cloned, these special partitions might not be copied correctly to the target drive. The target drive may still function, but this is not a supported process and it can cause latent problems. If the source disk has been encrypted using BitLocker software encryption, turn BitLocker off before initiating the image clone to a Crucial SED. Turning BitLocker off in software encryption mode fully decrypts the volume, which can take several hours depending on the amount of user and OS data on the drive.
Enable BitLocker
- Press the Windows key (usually between <Ctrl> and <Alt>); then type This PC and press Enter.
- Right-click on the icon for the system drive and select Turn on BitLocker from the pop-up menu.
- Next, a status box confirming that BitLocker is configuring will display, along with a status bar. This will complete momentarily.
- Select one of the options for saving your recovery key outlined by Microsoft. While Crucial has no preferred option here, do not neglect this step. In some circumstances, this may be the only way to recover data from your SSD. Crucial has no factory backdoor methods by which to recover data if an authentication key or password is lost. After the key is saved, select Next to continue.
- BitLocker will ask, Are you ready to encrypt this drive? After you click Continue, a system restart will be required to complete the process. With hardware encryption there is no lengthy encryption pass: the drive has always encrypted its media with an internal key, and enabling BitLocker only places that key under TPM-protected authentication, so this step completes almost immediately. If you instead see a progress bar that runs for minutes or hours, BitLocker is encrypting in software.
- After the reboot is complete, the BitLocker padlock icon on your system drive shows that BitLocker is enabled. The icon is the same for software and hardware encryption, so confirm which one you got: open an elevated command prompt and run manage-bde -status C:. The Encryption Method line should read Hardware Encryption. If it reads XTS-AES 128 or AES 128, BitLocker fell back to software encryption (see the eDrive requirement above); turn BitLocker off, wait for decryption to finish, correct the cause and enable it again.
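The same procedure can be driven from PowerShell, which makes the fallback to software encryption visible instead of hidden behind the padlock icon. The script below is an added example, not Crucial's or Microsoft's documentation code; it assumes the Windows volume is C: and that E: is a USB stick where the recovery key can be stored off the encrypted drive (both paths are assumptions), and it must run elevated after the requirements above are met.

```powershell
# Enable BitLocker on the OS drive with hardware (eDrive) encryption and verify that it
# did not silently fall back to software encryption. Added example, not Crucial's or
# Microsoft's documentation code. Run elevated after the requirements above are met.
# Assumptions: the Windows volume is C:, and E: is a USB stick for the recovery key.
#Requires -RunAsAdministrator

$MountPoint      = 'C:'
$RecoveryKeyFile = 'E:\BitLockerRecovery\C-drive-recovery-key.txt'   # assumed path, off the SED

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    throw ("$MountPoint is already $($vol.VolumeStatus) with $($vol.EncryptionMethod). " +
           "Turn BitLocker off (Disable-BitLocker) and wait for decryption before switching to hardware encryption.")
}

# 1. Create the numerical recovery password first and store it off the drive. Crucial has no
#    factory backdoor: if the TPM is cleared or the board is replaced, this key is the only way in.
$vol      = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$recovery = $vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
            Select-Object -Last 1
New-Item -ItemType Directory -Path (Split-Path $RecoveryKeyFile) -Force | Out-Null
@(
    "BitLocker recovery key for $env:COMPUTERNAME, volume $MountPoint"
    "Key protector ID: $($recovery.KeyProtectorId)"
    "Recovery key:     $($recovery.RecoveryPassword)"
) | Set-Content -Path $RecoveryKeyFile

# 2. Turn BitLocker on, unlocking with the TPM, and explicitly request hardware encryption.
#    Without -HardwareEncryption (and the policy that allows it) BitLocker picks XTS-AES in software.
Enable-BitLocker -MountPoint $MountPoint -TpmProtector -HardwareEncryption

# 3. Verify which path BitLocker actually took; the padlock icon looks the same either way.
#    As with the wizard, restart to finish the TPM hardware test, then run this check again.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.EncryptionMethod -eq 'Hardware') {
    "OK: $MountPoint is protected by drive-side (Opal/eDrive) hardware encryption."
} else {
    Write-Warning ("$MountPoint is using software encryption ($($vol.EncryptionMethod)). " +
                   "Likely causes: the drive is not eDrive-capable, the hardware-encryption policy " +
                   "is not enabled, or Windows was not installed in UEFI mode. Decrypt, fix the cause, re-enable.")
}
manage-bde -status $MountPoint   # also reports "Encryption Method: Hardware Encryption" on success
```

Adding the recovery password before calling Enable-BitLocker mirrors the wizard's order: the recovery protector exists before the volume is bound to the TPM, so a TPM measurement change on the first reboot can never leave the drive without a way in.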
The video below illustrates the process in full.
©2024 Micron Technology, Inc. All rights reserved. Information, products, and/or specifications are subject to change without notice. Neither Crucial nor Micron Technology, Inc. is responsible for omissions or errors in typography or photography. Micron, the Micron logo, Crucial, and the Crucial logo are trademarks or registered trademarks of Micron Technology, Inc. Microsoft, BitLocker, and Windows are trademarks of Microsoft Corporation in the U.S. and/or other countries. All other trademarks and service marks are the property of their respective owners.