BitLocker Encryption Very Slow on Windows 10

  • Question

  • Anybody know why the encryption on Windows 10 takes way longer than on Windows 8? I also noticed that during the encryption the free drive space didn't change, unlike previous versions where almost all the drive space was used and would then return to normal once the encryption finished.
    Tuesday, July 12, 2016 12:04 PM

Answers

  • Hi.

    Any details to share? Did you try the different OS' on the same hardware? Both under load or completely idle?

    Using the same encryption method (10 has new defaults!)?

    Both using "encrypt used space only"?

    I encrypted all machines in our network while they were on 8.1. But all I did on 10 were fast as well, did not notice much of a difference (SSDs anyway and used space only activated).

    Wednesday, July 13, 2016 9:12 PM
  • Hi,

    Firstly, I would like to know what you chose for how much of your drive to encrypt:

    The first way could be faster than the second.

    Another change I consider will affect the speed of encryption: XTS-AES encryption algorithm. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys. Have you chosen such an algorithm?

    See more about what's new in Windows 10 BitLocker: https://technet.microsoft.com/en-us/itpro/windows/whats-new/bitlocker

    Also, for the question about the placeholders, as I tested, it seems to be removed when encrypting a Data drive.

    To know more about BitLocker in Windows 10:

    https://blogs.msdn.microsoft.com/mvpawardprogram/2016/01/12/securing-windows-10-with-bitlocker-drive-encryption/

    https://technet.microsoft.com/en-us/itpro/windows/keep-secure/bitlocker-overview



    Thursday, July 14, 2016 9:11 AM
    Owner
  • Okay so after logging a call with Microsoft below is the official response.

    This is very likely due to change in conversion mechanism in Win10 and not key size or XTS-AES (for what it’s worth XTS-AES should be marginally faster).

    To reiterate / expand upon few points:

    1. This affects conversion time (time it takes BitLocker to report 100% conversion). And does not impact performance of actual IO encryption / decryption.

    2. The new conversion mechanism (called Encrypt-On-Write) makes immediate guarantee of protecting (encrypting) all writes to disk AS SOON AS BitLocker is enabled on OS or fixed (internal) volumes (removable drives work in older mode for backward compatibility). Pre-Win10 conversion mechanism could only make such claim AFTER conversion reached 100%.

    3. If one thinks about it, #2 is pretty significant because:

       1. One could never (regardless of BitLocker / Windows version) claim much about data protection for data that existed on drive BEFORE enabling BitLocker – it could have been already stolen/compromised.
       2. Therefore those serious about any such compliance claims would have to wait for older BitLocker conversion process to reach 100% before placing any sensitive data on drive. Which means – in full encryption case – waiting long times proportional to the drive size.
       3. With new method they could safely copy sensitive data as soon as BitLocker is enabled. Which could be many hours and for very large disks many more hours difference.

    4. Due to achieving compliance status for all writes immediately upon enabling BitLocker – now, the pressure of reaching 100% conversion status is less and converting all pre-existing data happens at a slower rate (further lessening impact on interactive user).

    • Marked as answer by WDK-SA Friday, July 29, 2016 12:59 PM
    Friday, July 29, 2016 12:59 PM
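
To put a number on the conversion time discussed in the answer above, the following added example (not part of the thread, and not Microsoft's code) samples a volume twice and estimates the conversion rate and time remaining, alongside the encryption method and protection status. `Measure-BitLockerConversion`, the mount point and the sampling window are assumptions; the only BitLocker call is the built-in `Get-BitLockerVolume` cmdlet, which needs an elevated prompt.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Measure-BitLockerConversion is a hypothetical helper name; the only BitLocker
# call used is the built-in Get-BitLockerVolume cmdlet.
function Measure-BitLockerConversion {
    param(
        [string]$MountPoint = 'C:',   # assumption: volume to watch
        [int]$SampleSeconds = 300     # assumption: sampling window
    )

    $before = Get-BitLockerVolume -MountPoint $MountPoint
    $status = [string]$before.VolumeStatus

    $report = [ordered]@{
        MountPoint       = $before.MountPoint
        VolumeType       = [string]$before.VolumeType
        EncryptionMethod = [string]$before.EncryptionMethod
        ProtectionStatus = [string]$before.ProtectionStatus
        VolumeStatus     = $status
        PercentEncrypted = $before.EncryptionPercentage
        PercentPerHour   = $null
        EstimatedHours   = $null
    }

    # Only a running conversion has a rate worth measuring.
    if ($status -like '*InProgress') {
        $t0 = Get-Date
        Start-Sleep -Seconds $SampleSeconds
        $after = Get-BitLockerVolume -MountPoint $MountPoint
        $hours = ((Get-Date) - $t0).TotalHours

        # Encryption counts up to 100, decryption counts down to 0.
        $delta = [math]::Abs($after.EncryptionPercentage - $before.EncryptionPercentage)
        $remaining = if ($status -like 'Decryption*') { $after.EncryptionPercentage } else { 100 - $after.EncryptionPercentage }

        $report.PercentEncrypted = $after.EncryptionPercentage
        if ($delta -gt 0) {
            $report.PercentPerHour = [math]::Round($delta / $hours, 2)
            $report.EstimatedHours = [math]::Round($remaining * $hours / $delta, 1)
        }
        # A zero delta means the window was too short to see movement,
        # so the rate fields stay empty rather than reporting a false stall.
    }

    [pscustomobject]$report
}

Measure-BitLockerConversion -MountPoint 'C:' -SampleSeconds 300
```

The reported percentage moves in coarse steps, so on a large or slowly converting volume lengthen `-SampleSeconds` before reading an empty rate as a stalled conversion.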

All replies

  • No, I haven't tried a different OS on the same hardware. I have a problem with decryption, not encryption.
    Monday, December 11, 2017 2:08 AM