Unable to activate SED hardware encryption with BitLocker

  • Question

  • Hi, I am unable to activate hardware encryption/eDrive on a Crucial MX200 SSD (which is TCG Opal 2.0 compliant) since BitLocker falls back to software encryption. From the BitLocker logs (Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> BitLocker-API -> Management) I can see this warning event:

    BitLocker failed to initialize hardware encryption for volume C:.
    Drive is not provisioned for use with BitLocker hardware encryption:
    Hardware-based encryption is not activated on this drive.
    
    
     <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
     <System>
      <Provider Name="Microsoft-Windows-BitLocker-API" Guid="{5D674230-CA9F-11DA-A94D-0800200C9A66}" /> 
      <EventID>798</EventID> 
      <Version>0</Version> 
      <Level>3</Level> 
      <Task>0</Task> 
      <Opcode>0</Opcode> 
      <Keywords>0x4000000000000000</Keywords> 
      <TimeCreated SystemTime="2016-05-27T10:07:46.793697400Z" /> 
      <EventRecordID>20</EventRecordID> 
      <Correlation /> 
      <Execution ProcessID="5664" ThreadID="5232" /> 
      <Channel>Microsoft-Windows-BitLocker/BitLocker Management</Channel> 
      <Computer>DESKTOP-JNKMTNA</Computer> 
      <Security UserID="S-1-5-21-1127144190-2078651957-2321953000-1001" /> 
      </System>
     <EventData>
      <Data Name="IdentificationGUID">{00000000-0000-0000-0000-000000000000}</Data> 
      <Data Name="VolumeName">\\?\Volume{7558ac6f-f41a-4ea8-896e-54984d334cdf}</Data> 
      <Data Name="VolumeMountPoint">C:</Data> 
      </EventData>
      </Event>

    Unluckily it does not state the actual reason but only a general message "Drive is not provisioned for use with BitLocker hardware encryption:". Does anyone have any idea? Here follows some information about the system:

    - Windows 10 Professional 1511 (build 10586.104)

    - UEFI and Secure Boot are enabled in the BIOS (all default keys provisioned) and they are actually active in msinfo32 (BIOS Mode UEFI and Secure Boot Mode On). There is no Compatibility Support Module option in the BIOS, so I hope it's actually disabled (is there any way to check it?)

    - The laptop has a TPM chip, but it is disabled in the BIOS (sealing keys with the hardware configuration is not needed, a password prompt at boot is enough). No TPM device is present in Windows devices and the group policy has been changed to allow BitLocker without a TPM chip ("Require additional authentication at startup" enabled and "Allow BitLocker without a compatible TPM" checked).

    - Using the standard SATA drivers from Microsoft (no Intel Rapid Storage driver). SATA mode in the BIOS is AHCI (not RAID).

    - Running hdparm on the drive, it reports that the drive is in the frozen state (not locked, not enabled) in the security section. Digging in forums, someone suggested secure-erasing the drive with its PSID and reinstalling, but I would like to know why, since the drive is brand new, this is the first installation of Windows and no password has ever been set before.


    Update: the standard Opal sedutil-cli tool works (https://github.com/Drive-Trust-Alliance/sedutil/wiki/Executable-Distributions); here is its query output:

    c:\> .\sedutil-cli.exe --query \\.\PhysicalDrive0
    
    \\.\PhysicalDrive0 ATA Crucial_CT250MX200SSD1                   MU03             1614124E32F3
    TPer function (0x0001)
        ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
    Locking function (0x0002)
        Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
    Geometry function (0x0003)
        Align = Y, Alignment Granularity = 8 (4096), Logical Block size = 512, Lowest Aligned LBA = 0
    SingleUser function (0x0201)
        ALL = N, ANY = N, Policy = Y, Locking Objects = 16
    DataStore function (0x0202)
        Max Tables = 16, Max Size Tables = 94371840, Table size alignment = 1
    OPAL 2.0 function (0x0203)
        Base comID = 0x1000, Initial PIN = 0x0 , Reverted PIN = 0x0 , comIDs = 1
        Locking Admins = 4, Locking Users = 16, Range Crossing = N
    
    TPer Properties:
      MaxComPacketSize = 131072  MaxResponseComPacketSize = 131072
      MaxPacketSize = 129792  MaxIndTokenSize = 126976  MaxPackets = 1
      MaxSubpackets = 1  MaxMethods = 1  MaxSessions = 1
      MaxAuthentications = 21  MaxTransactionLimit = 1  DefSessionTimeout = 240000
    
    Host Properties:
      MaxComPacketSize = 2048  MaxResponseComPacketSize = 2048
      MaxPacketSize = 2028  MaxIndTokenSize = 1992  MaxPackets = 1
      MaxSubpackets = 1  MaxMethods = 1
    

    hdparm output:

    > .\hdparm.exe -I \\.\PhysicalDrive0
    
    \\.\PhysicalDrive0:
    
    ATA device, with non-removable media
            Model Number:       Crucial_CT250MX200SSD1
            Serial Number:      1614124E32F3
            Firmware Revision:  MU03
    Transport: Serial, ATA8-AST, SATA 1.0a, SATA II Extensions, SATA Rev 2.5
    Standards:
            Supported: 10 9 8 7 6 5
            Likely used: 10
    Configuration:
            Logical         max     current
            cylinders       16383   16383
            heads           16      16
            sectors/track   63      63
            --
            CHS current addressable sectors:   16514064
            LBA    user addressable sectors:  268435455
            LBA48  user addressable sectors:  488397168
            device size with M = 1024*1024:      238475 MBytes
            device size with M = 1000*1000:      250059 MBytes (250 GB)
    Capabilities:
            LBA, IORDY(can be disabled)
            Queue depth: 32
            Standby timer values: spec'd by Standard, with device specific minimum
            R/W multiple sector transfer: Max = 16  Current = 16
            Advanced power management level: unknown setting (0x00fe)
            DMA: mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 udma4 udma5 udma6 (?)
                 Cycle time: min=120ns recommended=120ns
            PIO: pio0 pio1 pio2 pio3 pio4
                 Cycle time: no flow control=120ns  IORDY flow control=120ns
    Commands/features:
            Enabled Supported:
               *    SMART feature set
                    Security Mode feature set
               *    Power Management feature set
               *    Write cache
               *    Look-ahead
               *    WRITE_BUFFER command
               *    READ_BUFFER command
               *    NOP cmd
               *    DOWNLOAD_MICROCODE
               *    Advanced Power Management feature set
               *    48-bit Address feature set
               *    Mandatory FLUSH_CACHE
               *    FLUSH_CACHE_EXT
               *    SMART error logging
               *    SMART self-test
               *    General Purpose Logging feature set
               *    WRITE_{DMA|MULTIPLE}_FUA_EXT
               *    64-bit World wide name
               *    IDLE_IMMEDIATE with UNLOAD
                    Write-Read-Verify feature set
               *    WRITE_UNCORRECTABLE command
               *    {READ,WRITE}_DMA_EXT_GPL commands
               *    Segmented DOWNLOAD_MICROCODE
                    unknown 119[8]
               *    SATA-I signaling speed (1.5Gb/s)
               *    SATA-II signaling speed (3.0Gb/s)
               *    unknown 76[3]
               *    Native Command Queueing (NCQ)
               *    Phy event counters
               *    unknown 76[12]
               *    unknown 76[15]
                    DMA Setup Auto-Activate optimization
                    Device-initiated interface power management
                    unknown 78[5]
               *    Software settings preservation
                    unknown 78[8]
               *    SMART Command Transport (SCT) feature set
               *    SCT LBA Segment Access (AC2)
               *    SCT Features Control (AC4)
               *    SCT Data Tables (AC5)
    Security:
            Master password revision code = 65534
                    supported
            not     enabled
            not     locked
                    frozen
            not     expired: security count
                    supported: enhanced erase
            2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
    Checksum: correct

    • Edited by fededim Friday, May 27, 2016 1:33 PM
    Friday, May 27, 2016 10:52 AM
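To read the sedutil-cli query in the post mechanically rather than by eye, here is an added helper (not part of the post and not sedutil's own code) that parses the Level 0 discovery flags and reports the Locking SP state; the sample input is the post's own query output trimmed to three feature descriptors, and the function names parse_query and assess are my own.

```python
from __future__ import annotations
import re

# Level 0 discovery output from sedutil-cli --query, copied from the post above and
# trimmed to the descriptors this helper reads (the full output has more sections).
SAMPLE_QUERY = """\
\\\\.\\PhysicalDrive0 ATA Crucial_CT250MX200SSD1                   MU03             1614124E32F3
TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
OPAL 2.0 function (0x0203)
    Base comID = 0x1000, Initial PIN = 0x0 , Reverted PIN = 0x0 , comIDs = 1
    Locking Admins = 4, Locking Users = 16, Range Crossing = N
"""

HEADER = re.compile(r"^(.+?) function \((0x[0-9A-Fa-f]{4})\)$")
# 'Key = Value' pairs separated by ',' (sedutil prints one '.' separator on the TPer line)
PAIR = re.compile(r"([A-Za-z][A-Za-z0-9 ]*?)\s*=\s*([^,]*?)\s*(?=,|\.\s|$)")

def parse_query(text: str) -> dict[str, dict[str, str]]:
    """Group each 'Key = Value' pair under the feature descriptor that precedes it."""
    features: dict[str, dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            section = header.group(1)
            features[section] = {"feature_code": header.group(2)}
        elif section and "=" in line:
            features[section].update((k.strip(), v) for k, v in PAIR.findall(line))
    return features

def assess(features: dict[str, dict[str, str]]) -> list[str]:
    """Turn the Locking descriptor (TCG feature 0x0002) flags into plain statements."""
    lock = features.get("Locking")
    if not lock:
        return ["no Locking feature descriptor: drive does not advertise TCG locking"]
    notes = ["Opal 2.0 SSC descriptor present" if "OPAL 2.0" in features else "no Opal 2.0 SSC descriptor",
             "locking supported" if lock.get("LockingSupported") == "Y" else "locking NOT supported",
             "media hardware-encrypted" if lock.get("MediaEncrypt") == "Y" else "media NOT encrypted"]
    if lock.get("LockingEnabled") == "Y":
        notes.append("Locking SP activated" + (", ranges locked" if lock.get("Locked") == "Y" else ""))
    else:  # Locking SP never activated: the drive is still in its manufactured-inactive state
        notes.append("Locking SP not activated (manufactured-inactive state)")
    if lock.get("MBREnabled") == "Y":
        notes.append("shadow MBR enabled, MBRDone = " + lock.get("MBRDone", "?"))
    return notes
```

Against the output in the post this reports the Locking SP as supported but not yet activated, which is the security-inactive state a drive has to be in before BitLocker can provision it, so the Opal flags alone do not explain the fallback.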
