Is it better to use BitLocker or the built-in drive encryption that my SSD offers?

2014-07-08
  • Eddie

    System: Intel i7 4790 (has AES-NI), ASUS Z97-PRO mobo, Samsung 250GB EVO SSD (with built-in encryption option), Windows 7 x64

    If I just want to encrypt my boot drive with AES-256 or similar, what would be the difference / faster performance / more secure? Flip Windows BitLocker on and not use the SSD encryption, or enable the built-in drive encryption that the SSD offers, and don't worry about BitLocker?

    I'm thinking it might be better to offload the encryption to the SSD by using the EVO's encryption option, so that the processor doesn't have to do any encryption; this might be better for I/O performance and give the CPU a breather? Or since this CPU has AES-NI it might not matter?

    I'm new to BitLocker and this SSD encryption option, so any help is much appreciated.

  • Answers
  • Cestarian

    Hardware-based encryption is supposedly far superior to software-based encryption in performance. However, there are known vulnerabilities to be aware of (so you can avoid them: don't use sleep/suspend, and don't leave your computer on when it is not in use). Both software- and hardware-based encryption have unique strengths and weaknesses; however, if both use the same encryption algorithm, the encryption is equally good (as in software AES-256 vs hardware AES-256 is the same kind of encryption, so any weakness of AES-256 would be shared by the two).

    To be honest, if encryption and secrecy are more important to you than the performance, you should be using both: the hardware encryption and a software encryption using another algorithm, for maximum security (meaning the two can't be cracked the same way; and make sure to use different passwords).

    Also, I wouldn't trust BitLocker; it's from Microsoft and it's proprietary. Try encfs or bleachbit if you want to add a software encryption layer beneath your hardware encryption.


  • Related Question

    encryption - Is it possible to re-lock a BitLocker drive?
  • Sean Edwards

    I'm running a partition with BitLocker on a Windows 7 Ultimate machine, which contains secure data that I have to recover infrequently. Unlocking it to access the data is obviously no problem, but is there a way to re-lock the partition when I'm done? The best I've found so far is this: http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/41607938-7452-440d-8253-67fe8657bc0f

    Currently I have a .bat script on that drive that I can run as administrator, and that re-locks the drive, but it feels like kind of a hackish solution. Does anyone have anything better? Any idea when Microsoft might release a fix for this?


  • Related Answers
  • 8088

    How I solved it:

    1. Click on the Start orb
    2. Enter "cmd" in the search field
    3. Right-click on "cmd" and "Send to" -> "Desktop"
    4. Right-click on "cmd" and then click on "Properties"
    5. In the tab "Shortcut" click on "Advanced / Enhanced"
    6. Check "Run as Admin"
    7. Click "OK" - "Apply" - and "OK"

    Optional steps:

    1. Give the shortcut the name "BitLocker"
    2. Right-click, choose "Properties", and again under the "Shortcut" tab click on "Change Icon..."
    3. Click on "Browse" and at the pull-down "Files of type" choose "All Files"
    4. Choose a random file that definitely has no icon (e.g. a picture) and click "Open"
    5. Confirm the error message by clicking "OK" and choose a nice icon
    6. Drag the icon onto the task bar

    After that just enter:

    manage-bde -lock E:

    (E: just stands for a random drive letter; choose the right one)

  • nonsensical101

    There is no way to lock a drive using the BitLocker GUI tools. The only two supported methods are using manage-bde -lock X:, as has been mentioned, or using the Win32_EncryptableVolume::Lock method of the BitLocker WMI interface.

    What is the threat you're trying to mitigate by re-locking the drive? The drive will lock automatically when the system shuts down, so it's not as though your data is vulnerable forever until you manually re-lock the volume. An attacker would have to somehow grab the decryption key out of memory from the running system to be able to access the data on your encrypted volume.

    The moderator of the forum you linked to is incorrect. This is not a "security bug." It is simply a UX decision to only expose an advanced option through command line and WMI interfaces rather than GUI interfaces.
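The WMI route mentioned in the answer above, written out as an added PowerShell example (this is not code from the thread or from Microsoft; the parameter name $DriveLetter and the default value E: are assumptions, and the drive letter is a placeholder for your own data volume). It locks a protected data volume through Win32_EncryptableVolume::Lock and then reads the lock state back with GetLockStatus, so the script can confirm the lock actually took effect rather than assuming it did. Run it from an elevated PowerShell session.

```powershell
# Added example: lock a BitLocker-protected data volume via WMI and verify it.
# $DriveLetter is an assumed parameter name; 'E:' is a placeholder, not a real target.
param([string]$DriveLetter = 'E:')

$ns  = 'root\cimv2\Security\MicrosoftVolumeEncryption'
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume |
       Where-Object { $_.DriveLetter -eq $DriveLetter }

if (-not $vol) { throw "No BitLocker-capable volume found at $DriveLetter" }

# ProtectionStatus: 0 = unprotected, 1 = protected, 2 = unknown.
# Locking only makes sense for a volume that is encrypted with protectors active.
if ($vol.ProtectionStatus -ne 1) {
    throw "$DriveLetter is not protected by BitLocker (ProtectionStatus=$($vol.ProtectionStatus))"
}

# GetLockStatus: LockStatus 0 = unlocked, 1 = locked.
$status = $vol.GetLockStatus()
if ($status.LockStatus -eq 1) {
    Write-Output "$DriveLetter is already locked"
    return
}

# Lock(ForceDismount): $false refuses to lock while files on the volume are
# open, which is the safe default; $true forcibly dismounts and drops handles.
$result = $vol.Lock($false)
if ($result.ReturnValue -ne 0) {
    throw ("Lock of {0} failed, HRESULT 0x{1:X8} (open handles? close them or retry with ForceDismount)" -f
           $DriveLetter, $result.ReturnValue)
}

# Re-read the state instead of trusting the return code alone.
$status = $vol.GetLockStatus()
Write-Output ("{0} LockStatus={1} (1 = locked)" -f $DriveLetter, $status.LockStatus)
```

The command-line equivalent is manage-bde -lock E: (add -ForceDismount for the same forced variant). Neither method can lock the running operating-system volume, which is also why the absence of a GUI option matters less than it first appears: the data volume is only exposed while the system is up and unlocked, and it relocks on shutdown as the answer notes.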