Tested: Windows 11 Pro’s On-By-Default Encryption Slows SSDs Up to 45%

Windows 11 Pro defaults to BitLocker being turned on, using software encryption. We’ve tested the Samsung 990 Pro with hardware encryption to show how the various modes impact performance, and how muc

    • Tibert@jlai.lu · ↑17 ↓2 · 1 year ago

      I’m using Windows Pro because of Hyper-V and GPU virtualisation. And I don’t need that security feature.

      And Windows Pro still has some benefits: Group Policy, though most of the changes can still be made in the registry.

        • Tibert@jlai.lu · ↑2 ↓1 · 1 year ago

          Yep. And the average user doesn’t know what a BIOS update is.

          Oh, and the average user doesn’t know that Windows Update has BIOS updates from manufacturers.

          What happens when the BIOS is flashed? Poof, the key disappeared…

          Nice move, Microsoft. Not sure if they have something to prevent the loss of the encryption key or some security, but for those people I hope they don’t lose their data due to updates.

    • SteveTech@programming.dev · ↑7 ↓1 · 1 year ago

      Windows 11 Home does have BitLocker, it’s just a very simplified version of BitLocker without most of the options. Like it’s basically just on or off in the settings, no way to manually back up the key or anything else. But changing certain things will trigger the enter BitLocker key screen at boot.

    • Chobbes@lemmy.world · ↑1 · 1 year ago

      Wait… I’ve never been a Windows user, so forgive my ignorance… is full disk encryption really not available to all Windows users? And most people buy the Home version that lacks it?

  • MooseBoys@lemmy.world · ↑43 · 1 year ago

    Deliberately using software encryption mode is slow; no shocker there. Their same testing showed no significant difference when hardware encryption mode was used.

    • Spotlight7573@lemmy.world · ↑11 · 1 year ago

      There’s a reason they default to software though, the hardware can’t be trusted:

      https://www.tomshardware.com/news/bitlocker-encrypts-self-encrypting-ssds,40504.html

      Those people were actually worse off than anticipated because Microsoft set up BitLocker to leave these self-encrypting drives to their own devices. This was supposed to help with performance–the drives could use their own hardware to encrypt their contents rather than using the CPU–without compromising the drive’s security. Now it seems the company will no longer trust SSD manufacturers to keep their customers safe by themselves.

      Linked from that article:

      https://www.zdnet.com/google-amp/article/flaws-in-self-encrypting-ssds-let-attackers-bypass-disk-encryption/

      Researchers at Radboud University in the Netherlands have revealed today vulnerabilities in some solid-state drives (SSDs) that allow an attacker to bypass the disk encryption feature and access the local data without knowing the user-chosen disk encryption password.

      The vulnerabilities only affect SSD models that support hardware-based encryption, where the disk encryption operations are carried out via a local built-in chip, separate from the main CPU.

    • jvisick@programming.dev · ↑7 ↓1 · 1 year ago

      Sure, but I suspect this is the real motivation for the article:

      Windows 11 Pro force-enables the software version of BitLocker during installation, without providing a clear way to opt out

      It sounds like many people may be using software encryption without realizing it, if Windows 11 Pro uses it by default.

      • Spotlight7573@lemmy.world · ↑6 ↓1 · 1 year ago

        It’s SSD dependent and implementation quality may vary between manufacturers and models. Some may not actually protect your data all that well from someone trying to access your data, hence Microsoft defaulting to software they know works.

    • Still@programming.dev · ↑7 · 1 year ago (edited)

      idk about the drive from the article, but I get about 1 GiB/s random reads with LUKS on my WD SN750 1TB and about 2 GiB/s without.

      Sequential is almost identical.

    • popemichael@lemmy.sdf.org · ↑11 · 1 year ago

      That is a life-changing program, up there with 7-Zip, GIMP, and Notepad++.

      It’s hard to find a better paid replacement.

    • PM_Your_Nudes_Please@lemmy.world · ↑8 ↓1 · 1 year ago

      I mean, Veracrypt takes a while to mount a vault, because it basically has to dig through all the layers of encryption. Veracrypt is great for a lot of things, but speed isn’t the main consideration when you’re dealing with encryption.

      • vividspecter@lemm.ee · ↑6 · 1 year ago

        We’re not talking about mount times here, but read/write speeds. They might be slow too, but that’s a different issue.

      • Send_me_nude_girls@feddit.de · ↑3 ↓1 · 1 year ago

        I’m no expert, but as far as I know the mounting takes time, but once it’s done you’ve got to deal with a bit of added CPU time, but the read/write stays largely the same.

  • AutoTL;DR@lemmings.world · ↑11 · 1 year ago

    This is the best summary I could come up with:


    While many SSDs come with hardware-based encryption, which does all the processing directly on the drive, Windows 11 Pro force-enables the software version of BitLocker during installation, without providing a clear way to opt out.

    While we have results for higher queue depths, note that the QD1 numbers are far more meaningful in the real world, as this is the most common type of file access in typical operating system environments… and that’s where software BitLocker impacted performance the most.

    Lower latency delivers snappier performance in day-to-day use, and it’s the primary reason the industry at large has moved from slow rotating hard drives to faster SSDs.

    Given that this extra layer of latency, albeit at varying degrees, will also be added to slower types of SSDs, like QLC or low-tier drives, this could have a much bigger real-world impact in some systems.

    Windows 11 disk caching might be a factor there, but QD256 is basically fantasy land for storage workloads (remember, low queue depths are the most common), so we don’t put too much weight on it.

    There’s a curious “bump” with the 990 Pro that we’ve noted before on the read speeds, but write performance shows a smoother line with the software BitLocker trailing up until the 256KiB block size.


    The original article contains 2,953 words, the summary contains 212 words. Saved 93%. I’m a bot and I’m open source!

  • TenderfootGungi@lemmy.world · ↑8 ↓2 · 1 year ago

    How bad do Macs slow down with encryption? Or can you even turn it off? They do have a dedicated chip, and section of chip, to handle encryption.

    • figaro@lemdro.id · ↑12 ↓34 · 1 year ago (edited)

      I don’t know the answer to this, but somehow I trust apple more to get this right. They make money primarily on hardware, so they have a vested interest in making sure it works properly.

      Edit - lol apparently I am wrong

      Except for the fact that I’m right. Apparently I struck some kind of nerve. Apple is good at hardware. I use a pixel and I can admit this. They know what they are doing.

      • hansl@lemmy.world · ↑13 ↓1 · 1 year ago

        You’re right, but not for the reason you’re citing. Apple has its own T2 Secure Enclave which performs encryption. Microsoft relies on the TPM for hosting the keys, but AFAIK does not use hardware encryption and thus slows down significantly.

        This article: https://eclecticlight.co/2023/03/03/whats-the-overhead-of-using-apfs-encryption/ shows that for an external drive the overhead on macOS for encryption is insignificant (less than 5%) in most cases. That’s significantly better than Microsoft.

      • sir_reginald@lemmy.world · ↑4 · 1 year ago

        Doing hardware encryption is not doing encryption right. The user is prone to end up with encryption that has unpatchable security issues. Of course it is faster, but if I’m doing encryption, speed is not a concern. I just wanted to keep it secure. And software encryption lets me choose the software and algorithm to do that. Apple doesn’t.

        • figaro@lemdro.id · ↑1 ↓1 · 1 year ago

          You aren’t who they are making computers for. They want fast encryption, not something customizable like Linux.

          Apple’s philosophy is “it just works.” Not “yeah it works eventually after you figure out what kind of encryption you want and compromise speed for the sake of security.”

          Like I get what you are saying. For a power user, it is not ideal. But for most people, Apple’s hardware solution is fantastic.

      • bh64@lemm.ee · ↑2 · 1 year ago (edited)

        They’re downvoting you because your logic was “Apple does hardware so they must know better”, and trusting a big corp to do your encryption better is kind of innocent.

        Anyway, seeing that they do hardware encryption, they are right to downvote you. I’m not with Microsoft either, BitLocker is probably backdoored, but hey, at least you’re not trusting your hardware manufacturer to actually maintain up-to-date secure firmware.

  • pete_the_cat@lemmy.world · ↑19 ↓14 · 1 year ago

    I turned this off as soon as I set up the PC, there’s zero need for this on desktops. Once again, Microsoft’s making a stupid move.

      • stifle867@programming.dev · ↑27 ↓7 · 1 year ago

        Presumably you’re relying on the security of your home, and if that’s broken you’ve got bigger things to worry about.

        • Imgonnatrythis@sh.itjust.works · ↑34 ↓2 · 1 year ago

          I don’t buy this. If my home security is compromised I have big issues, but my data security is probably one of the biggest. If my desktop gets yoinked or HD plucked, the degree of identity theft that could be pulled off is simply massive. I can think of little better peace of mind than knowing my HD was well encrypted if my home was violated.

          • stifle867@programming.dev · ↑2 ↓1 · 1 year ago

            Yeah I do agree and myself run FDE as a defence in depth measure and as a protection against specific threats such as the one you mentioned. I think we agree on that completely.

            In saying that, I would further add that it shouldn’t be relied upon as the only defensive measure as once someone has gained physical access to the device it’s not going to protect you against targeted attacks. If someone has access to your home they could install a camera aimed at the keyboard, or a hardware keylogger, or the good ol’ $5 wrench attack.

            • 601error@lemmy.ca · ↑4 · 1 year ago

              I use FDE because my locks are easily pickable. I don’t trust the landlord’s son that lives in the unit above mine. Also the computer is near a big window. Property crime is a popular activity in the area, so the smash-and-grab is a plausible threat. Defence in depth, though, so I still lock the front and interior office doors.

              • stifle867@programming.dev · ↑3 · 1 year ago

                Good point. Smash & grabs are definitely a valid threat model that FDE can help mitigate the effects of. Can be more or less prevalent due to location and ease of access. Personally, I live in a high-rise, access-controlled apartment, so the smash & grab is a non-issue for me.

                Another specific threat could be protection against government seizure.

          • scottyjoe9@sh.itjust.works · ↑4 · 1 year ago

            Or what if your SSD borks it and you’re unable to do a secure erase on it? Happened to my wife’s laptop. I’m planning on smashing the SSD to ensure the data is destroyed before putting it in recycling.

          • stifle867@programming.dev · ↑3 ↓1 · 1 year ago

            Completely valid point. That kind of non-technical person wouldn’t likely notice any difference in SSD speed anyway. It would be nice if they made it easier for technical people to disable the feature.

          • stifle867@programming.dev · ↑1 ↓1 · 1 year ago

            That’s one issue I had with this article. It doesn’t do any actual tests to compare it to other OS implementations. How can we condemn Microsoft for 45% slower speeds (in a specific benchmark on specific hardware) when there’s no context to compare it to? And this claim is specifically only for software encryption where hardware-level encryption is not available. Is it Windows 11 that’s specifically causing this, or is it a general problem?

            • setsubyou@lemmy.world · ↑2 · 1 year ago

              Comparing to macOS is actually impossible because FDE can’t be turned off on Macs at all. Macs (and iPhones etc.) handle encryption of internal storage transparently in hardware at pretty much no overhead and without the CPU even having access to the key. You can only choose whether a login is required for the Secure Enclave hardware to be able to access the key.

              On other platforms it’s pretty much a hardware question too. PC vendors and hard disk vendors could do the same thing Apple is doing regardless of whether the OS is Windows or Linux or whatever. How fast the OS based encryption is only matters on hardware that doesn’t have this functionality.

              • stifle867@programming.dev · ↑2 · 1 year ago

                Exactly right. To me it seems overly clickbaity to specifically condemn Windows 11 for the overhead of software-based encryption because the hardware doesn’t support it. The same problem exists across all platforms (hypothetically) if there is no hardware support.

                It would have been another thing if they could show this problem was unique to Windows 11, or if they focused on the fact that it was difficult to disable. Instead they put so much effort into saying Windows 11 runs 45% slower due to BitLocker.

                • Spotlight7573@lemmy.world · ↑2 · 1 year ago

                  What was telling for me was the article from the same site from a few years ago about Microsoft disabling the use of hardware encryption by default because they couldn’t trust the drive manufacturers to do it right.

                  Do they want things to be secure or fast?

            • Tibert@jlai.lu · ↑2 ↓3 · 1 year ago

              Did you even read the article?

              The configuration has a powerful CPU and fast SSD. There are multiple benchmark tools used, and 2 encryption methods, software and hardware.

              • stifle867@programming.dev · ↑2 · 1 year ago

                Yes I did and everything you pointed out does nothing to address my comment.

                It doesn’t do any actual tests to compare it to other OS implementations.

                Is it Windows 11 that’s specifically causing this, or is it a general problem?

                How does pointing out that they did tests with different CPUs and SSDs, multiple benchmarking software, and different encryption methods do anything to address my complaint that they did not comment on whether this is a Windows 11 specific issue? Did you even read my comment?

      • pete_the_cat@lemmy.world · ↑1 · 1 year ago

        It’s largely useful on mobile devices because you can easily forget them somewhere and all a tech savvy person has to do to get the data is remove the HDD (if it’s a laptop), or if it’s integrated, reset the admin password with something like NT Offline Password Reset. Smartphones are another can of worms I won’t get into, but I’m sure you understand.

        With a desktop, it’s highly unlikely you’re carrying it around and will forget it some place. The only way someone can get the drive is to break into your residence and physically remove the drive, and as someone else said: if someone is breaking into your residence to get a HDD out of your PC, you have bigger problems.

    • SkyeStarfall@lemmy.blahaj.zone · ↑7 ↓2 · 1 year ago

      Also, is always encrypting drives even a good or desirable thing for most users?

      I don’t know the details, but what if someone forgets the password, or some PC components get broken, but they still want their data out of there?

      Disk encryption is something that should be a choice, opt-in.

      • serratur@lemmy.wtf · ↑2 · 1 year ago

        but what if someone forgets the password, or some PC components get broken, but they still want their data out of there?

        That is why backup of your data is a necessity regardless of encryption or not.

        • vividspecter@lemm.ee · ↑1 · 1 year ago (edited)

          almost every home computer you buy is running Windows Home edition

          Windows Education is fairly common on laptops (kind of a hybrid between Pro and Enterprise from what I can tell). But even in the case of Pro it would be up to the OEM if you’re buying a pre-built. This would mostly only affect people who have gone out of the way to install Pro themselves, and don’t know how to bypass it (although maybe some prebuilts have it used as an oversight, or intentional feature).

      • Spotlight7573@lemmy.world · ↑1 · 1 year ago

        I’d argue it’s similar to the debate over whether HTTPS is needed for most sites (it is and there’s little excuse not to at this point). It also matches what is expected from other devices like phones that are encrypted by default now.

        As for data loss: for Home users at least, a recovery key is backed up to the user’s Microsoft account.

  • OrangeCorvus@lemmy.world · ↑2 ↓1 · 1 year ago

    What method would be the best to encrypt a Windows 11 Pro workstation? I had my PC at home but now I got an office so I have to rely on its security that it won’t be broken into.

    I am a one-man band and I work in video production. If someone were to steal my PC/Synology NAS, they would have access to my videos and all the invoices/client details. If I were to use BitLocker, I guess I would expect a lot lower performance when editing.

    • Spotlight7573@lemmy.world · ↑1 · 1 year ago

      BitLocker can be configured to use the encryption provided by the SSD, so you can still use it, you just need to make sure that the SSD model you have supports it and doesn’t have any flaws/insecurities in its implementation.

      I’m not sure what options are available for that NAS though.
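
      A quick way to check the two points this thread keeps returning to, which BitLocker path a volume is actually on (drive-side “hardware” vs CPU-side software, as discussed above) and whether a recovery password protector exists so a TPM change such as a firmware update does not strand the data (Tibert’s worry earlier in the thread). This is an added example, not from the article or the commenters; it assumes an elevated PowerShell on Windows with the built-in BitLocker module, and the `Get-BitLockerAudit` function name is my own.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the thread: audit BitLocker volumes for
# encryption path (hardware/SED vs software) and recovery-key coverage.
Import-Module BitLocker

function Get-BitLockerAudit {
    foreach ($vol in Get-BitLockerVolume) {
        # EncryptionMethod is 'Hardware' when BitLocker has delegated to a
        # self-encrypting drive; XtsAes128/XtsAes256/Aes* are the CPU-side
        # software path the article benchmarked; 'None' means not encrypted.
        $method = $vol.EncryptionMethod.ToString()
        $mode = if ($method -eq 'Hardware') { 'Hardware (SED)' }
                elseif ($method -eq 'None') { 'Not encrypted' }
                else { "Software ($method)" }

        # Key protector types, e.g. Tpm, RecoveryPassword, Password, ExternalKey.
        $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasRecovery = $protectors -contains 'RecoveryPassword'

        # Flag encrypted volumes with no recovery password: a TPM measurement
        # change (e.g. after a BIOS/UEFI update) would then leave no way back in.
        # Remediation: Add-BitLockerKeyProtector -MountPoint <X:> -RecoveryPasswordProtector
        # and store the printed password off-device (or back it up to Entra/AD).
        $warning = ''
        if ($method -ne 'None' -and -not $hasRecovery) {
            $warning = 'No recovery password protector; add one and store it off-device'
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            Mode             = $mode
            KeyProtectors    = ($protectors -join ', ')
            HasRecoveryKey   = $hasRecovery
            Warning          = $warning
        }
    }
}

Get-BitLockerAudit | Format-Table -AutoSize
```

      A volume reporting a software mode while the drive is known to support hardware encryption is exactly the situation the article measured; switching is a Group Policy/re-encryption decision, not something this script changes.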

      • OrangeCorvus@lemmy.world · ↑1 · 1 year ago

        Thanks! I have a 2TB 970 EVO Plus, when the projects are done, I copy them to a 10TB HDD and from there they go to the cloud and NAS. So I would have to encrypt multiple drives/devices.