BitLocker - Far Slower under Windows 10

  • Question

  • What has happened to the BitLocker Technology included with Windows 7 Ultimate?

    For 500GB (encrypted / decrypted) being encrypted again for a new application, it has taken 24+ hours to perform the action.

    Under Win 7 Ultimate x64 it took only a few hours.

    The drive technology is the same. The location where the drive is installed remains the same. The CPU remains the same. The RAM remains the same. The Motherboard remains the same. Every single component of the platform remains the same.

    If all is the same, then it must be the OS.

    Which drives me to the suspicion that the OS has introduced some very new features. For example, is BitLocker now more scoped and embedded with back-doors? Allowing for more intrusions without having to own/know the decrypt keys?

    Windows 10 is known to be far more open (just check the privacy settings) and the only reason I can think of is that the BitLocker Technology underwent a significant re-write to accommodate security levels below what they were before.

    Does anyone have an answer for this? Should I search for a more robust and supportive security technology; getting rid of BitLocker entirely?

    It seems to be out of alignment with the objectives for BitLocker. No one has 24, 48, 72, 96 or more hours to sit and wait for BitLocker to finish encrypting 512GB, 1TB or more.

    I'm sure hoping someone has the answer as to why the underlying technology for encryption changed so radically.


    Jim - Mastiffs are the greatest!

    Saturday, February 6, 2016 2:40 PM

Answers

  • What mode are you using for BitLocker?

    There are three modes in Windows 10 plus you can use either 128 or 256 bit keys.

    1. AES encryption (fastest)
    2. AES with a Diffuser algorithm (Slowest)
    3. XTS-AES (new - middle speed)

    You will see different results in speed depending on which mode you use. You also get different security but your personal data is secure in all 3.

    You may have an onboard AES encryption support to speed your encryption. This might not support the XTS-AES and that could be where you are seeing the slowdown.

    Optional security info:

    BitLocker supports a Diffuser algorithm to help protect against ciphertext manipulation attacks, a class of attacks in which changes are made to the encrypted data in an attempt to discover patterns or weaknesses.

    Monday, February 8, 2016 6:28 PM
  • Brian, the diffuser method got deprecated already in win8.
    • Marked as answer by Jim.Low Saturday, March 25, 2017 5:52 PM
    Tuesday, February 9, 2016 8:25 AM

All replies

  • Hi.

    "If all is the same, then it must be the OS." - it could be the drivers, especially for the SATA controller. You need to check for an updated driver that is meant for Windows 10, for example use Device Manager to get it automatically.

    Win10 version 1511 has introduced a new encryption method, right. It's AES-XTS. So far, I have not seen a performance decrease with it and I have encrypted maybe ten hard drives on 10 and hundreds on 8.1 (and a few on 7).

    In a recent thread, someone had to wait several (20+) hours for an encryption of a mechanical hard drive to complete, it was 1 TB I guess. You'd expect the encryption to run at at least 30 MB/s on a modern mechanical hard drive, just for the record.

    Now for the best part: win10 may use an option not to encrypt the drive in full but only the used data and that is the default which speeds things up. Did you de-select that option?

    Saturday, February 6, 2016 4:06 PM
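
    The 30 MB/s expectation mentioned above can be checked against a running conversion. The following is an added example, not part of any reply in this thread: it samples `Get-BitLockerVolume` twice and derives throughput and remaining time. The mount point `D:`, the 15-minute sample interval and the helper name `Get-ConversionSample` are assumptions; it needs an elevated session.

```powershell
# Added example (not from the thread). Run elevated; requires the BitLocker module.
param(
    [string]$MountPoint    = 'D:',   # hypothetical volume currently being encrypted
    [int]   $SampleSeconds = 900,    # long interval: the percentage moves slowly on big volumes
    [double]$ExpectedMBps  = 30      # floor quoted in the thread for a mechanical hard drive
)

function Get-ConversionSample {
    param([string]$MountPoint)
    $v = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    [pscustomobject]@{
        Time       = Get-Date
        Method     = $v.EncryptionMethod            # cipher mode chosen for this volume
        Status     = $v.VolumeStatus
        Percent    = [double]$v.EncryptionPercentage
        CapacityGB = [double]$v.CapacityGB
    }
}

$first = Get-ConversionSample -MountPoint $MountPoint
if ($first.Status -ne 'EncryptionInProgress') {
    Write-Output "$MountPoint is '$($first.Status)' (method: $($first.Method)); nothing to measure."
    return
}

Start-Sleep -Seconds $SampleSeconds
$second   = Get-ConversionSample -MountPoint $MountPoint
$elapsed  = ($second.Time - $first.Time).TotalSeconds
$deltaPct = $second.Percent - $first.Percent

if ($deltaPct -le 0) {
    Write-Output "No measurable progress in $([int]$elapsed) s; rerun with a larger -SampleSeconds."
    return
}

# Assumes full-volume encryption: progress is taken as a share of total capacity.
# With used-space-only encryption this figure overstates the real throughput.
$mbps      = ($deltaPct / 100) * $second.CapacityGB * 1024 / $elapsed
$hoursLeft = ((100 - $second.Percent) / $deltaPct) * $elapsed / 3600

[pscustomobject]@{
    MountPoint     = $MountPoint
    Method         = $second.Method
    PercentDone    = $second.Percent
    ThroughputMBps = [math]::Round($mbps, 1)
    HoursRemaining = [math]::Round($hoursLeft, 1)
    BelowExpected  = ($mbps -lt $ExpectedMBps)
}
```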
  • Hi,

    I am seeing the same thing so we started using pre-provisioning of BitLocker when we do OS deployment through SCCM so it encrypts the disk with used space only encryption before the OS image is laid down on the disk.

    It assumes you are using either MDT or SCCM or another tool to deploy the OS.

    Regards,
    Jörgen


    -- My System Center blog ccmexec.com -- Twitter @ccmexec

    Saturday, February 6, 2016 8:27 PM
  • There is currently a problem with BitLocker in Windows 10 not correctly using hardware encryption on Opal / eDrive SSDs, which might explain the difference. What drive are you using?

    Surface Pro 3/Bitlocker: Unable to run hardware encryption, MSED reporting SSD not OPAL/eDrive compliant

    Sunday, February 7, 2016 2:32 PM
  • With 1511 hardware encryption does not even start, so it has nothing to do with speed.
    Monday, February 8, 2016 8:26 AM
  • Thank you for your guidance and the ideas you have brought up. I've examined the drivers for all devices in the data-chain (SATA III; HDD firmware; CPU; Mobo, etc.) and they all appear to be the most recent/active releases for my platform.

    As to time, 1TB = 20+ hours, that would have been nice for me since that would imply only 10+ hours to do my 512GB 10,000RPM drive.

    There is one thing though that was not revealed in my original post. The drive is using a GPT Partition Style setting.

    The reason for this is the use of two 4TB data drives, and it is used just as a matter of course to keep all drives consistent.

    The encrypted space was a 512GB partition, while the HDD itself was purposed for other tasks not requiring encryption.

    Could this be a factor in how Win 10 encrypts data for a drive?


    Jim - Mastiffs are the greatest!

    Monday, February 8, 2016 12:53 PM
  • From the post I linked:

    "Bitlocker starts encrypting without reporting an error (strange!) and does so very long. . Obviously eDrive/OPAL is not working anymore."

    This somehow contradicts your statement that "the encryption does not even start".

    Monday, February 8, 2016 2:59 PM
  • Jim,

    the driver for "SATA III" - what should that be? The drive or the controller? It has to be the controller driver that should be updated.

    As for GPT or not, it does not matter.

    You can do tests with the old encryption method (AES128) which was the default on win7, now it's AES-XTS256. Maybe the old one runs faster?

    Best would be to back up the data, clear the drive (wipe/overwrite with a tool) and encrypt it in an empty state, that will be ready in about 5 seconds. Then, restore your data to it (file copy, not image-restore).

    @EckiS: Did you try it? I was involved in that thread you linked and tested it here, extensively, I know what that is about :)

    Monday, February 8, 2016 3:27 PM