BitLocker with Self Encrypting Drives

  • Question

  • Hi,

    Has anyone tried to use hardware SED disks with Windows 2012 BitLocker?

    We have a couple of Seagate SED disks we are testing and I was expecting BitLocker to detect that they are hardware-based encrypting drives, but they just seem to be picked up as normal disks, so I am unsure if we are getting the benefits of the hardware encryption.

    Can someone tell me if this is normal behaviour in Windows Server 2012, or should I be seeing something else?

    Thanks

    Wayne


    Wayne Hollomby

    Thursday, January 17, 2013 4:14 PM

All replies

  • Hi Wayne,

    Encrypted Hard Drive device type will be recognized in Windows 8/2012. Please see:

    What's New in BitLocker

    http://technet.microsoft.com/en-us/library/hh831412.aspx

    See the "Support for Encrypted Hard Drives for Windows" Part:

    BitLocker: BitLocker Control Panel will enable users to manage Encrypted Hard Drives in the same manner as full volume encrypted drives

    You could also communicate with Seagate to see if there is any firmware or update needed for SED disks to work with Windows 2012.


    TechNet Subscriber Support in forum |If you have any feedback on our support, please contact tnmff@microsoft.com.

    Friday, January 18, 2013 9:30 AM
    Moderator
  • Hi Shaon,

    What I was after is how I should expect these disks to be displayed in Windows 2012; a screenshot example would be useful.

    Because they just look the same as the standard disk when we enable BitLocker for them, that's why I think they are not being detected correctly as SED disks.

    We are in the process of checking with Seagate too.

    Thanks for the reply

    Wayne


    Wayne Hollomby

    Friday, January 18, 2013 10:08 AM
  • Hello - I realise the thread is a bit old, but this is a very difficult subject to find information on.

    Did you ever get an answer about whether Bitlocker works with SEDs?

    I am trying to use it with W8P to utilise the hardware encryption on a Seagate Constellation.2 but there is nothing to indicate that it sees it as anything other than a normal drive. An attempt to encrypt it results in software encryption.

    Is this something to do with the misnomers 'encrypted hard drive' and 'self-encrypting drive'? I see there is a 'cryptic' comment about it in the MS blurb.

    Bob

    Sunday, July 14, 2013 5:59 PM
  • Hi Bob,

    I did get an answer from a technical lead at Seagate in the end, who confirmed that the Constellation ES.2 and ES.3 drives will not be able to be used for hardware encryption with BitLocker on Windows Server 2012/8; they will just show as normal hard disks, as you're seeing, and then you can use BitLocker software encryption.

    The reason they don't work is that Windows Server 2012/8 requires an OPAL 2 compliant drive and the Seagate Constellation ES.2 and ES.3 drives are not OPAL 2 compliant drives. This is common across all vendors at the moment, I was told, so until someone releases an OPAL 2 compliant drive you will only be able to use BitLocker software encryption.

    Hope this helps

    Regards

    Wayne

     


    Wayne Hollomby

    • Proposed as answer by trivelino Monday, July 15, 2013 8:01 AM
    Monday, July 15, 2013 7:28 AM
  • Thanks Wayne - I've wasted hours and hours on this (and, it turns out, quite a lot of money), but I'm really very glad to have a definitive answer. At least I know where I am (stranded!)

    Cheers/Bob

    Monday, July 15, 2013 8:01 AM
  • Hello Wayne.

    I thought you might be interested to know that I got this working using an OPAL2 drive.

    I got hold of a Seagate ST500LT025, which is, sadly but not irretrievably, a 2.5" 5400rpm thin drive. It's readily available and quite cheap. I note that this is also compliant with MS edrive specs, but I don't know how important that is, or what the differences are.

    By googling 'Microsoft edrive' I found stuff (mostly from gamers) about utilizing SEDs which I hadn't found before. Amongst this was the comment that all the new Windows 8 features could only be guaranteed to work with Windows 8 'certified' boards. The factor of the boards that was important was that it should be UEFI compliant, although it's not clear which version.

    I then got an MSI B75MA-P45 motherboard which met the criteria. Gigabyte (which I would have preferred) have Windows 8 'ready' boards but I couldn't find anything that confirmed whether this was the same thing (I think not, although IT semantics are obscure at best). None of them say which version of UEFI they are compliant with.

    I put the W8Pro drive in (W8 seems to move quite happily between different Intel platforms) and right-clicked on it to turn Bitlocker on and it worked. It has to restart, but it doesn't ask if you want to encrypt the whole drive or just part before it does it, and this is the only indication of an SED being present. When it returns after restart, it's just working. The drive symbol has a lock on it and right-clicking offers the Bitlocker management system.

    The option to use TPM is supported with this board (with a plug-in module) but it's not necessary for this to work. I am just using a password logon, which is all I need.

    I note also that I put the constellation.2 drive in and it didn't work, confirming what you said.

    You may be interested to know that I put the W8 drive in a new Novatech laptop and it worked in there too. There is no indication that the Novatech is W8 certified (it was loaded with W7), but it has Secure Boot available in the BIOS and I think, although this is something separate, it is an indication that the laptop meets the Windows 8 requirements.

    Might be able to get on with some work now.

    Cheers/Bob

    Friday, July 19, 2013 11:28 AM
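
Added example (not part of any post in this thread): a PowerShell check for the question raised above, reporting per volume whether BitLocker is using the drive's hardware encryption or software encryption. It relies on the `Get-BitLockerVolume` cmdlet from the BitLocker module in Windows 8 / Server 2012 and later, run from an elevated session; the function name `Get-BitLockerEncryptionKind` is hypothetical.

```powershell
# Added example, not from the thread. Requires the BitLocker PowerShell module
# and an elevated (administrator) session.
function Get-BitLockerEncryptionKind {
    [CmdletBinding()]
    param(
        # Optional mount points such as 'C:'; default is every volume BitLocker reports.
        [string[]]$MountPoint
    )

    if ($MountPoint) {
        $volumes = Get-BitLockerVolume -MountPoint $MountPoint
    } else {
        $volumes = Get-BitLockerVolume
    }

    foreach ($v in $volumes) {
        $method = [string]$v.EncryptionMethod

        # Classify the volume. A locked volume is reported separately so that
        # a missing method is not mistaken for "not encrypted".
        if ([string]$v.LockStatus -eq 'Locked') {
            $kind = 'Unknown while locked (unlock, then re-run)'
        } elseif ($method -eq 'HardwareEncryption') {
            $kind = 'Hardware (the drive encrypts)'
        } elseif ($method -eq 'None' -or $method -eq '') {
            $kind = 'Not encrypted'
        } else {
            # Aes128, Aes256, XtsAes128, ... all mean BitLocker encrypts in software.
            $kind = 'Software (BitLocker encrypts)'
        }

        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeStatus     = $v.VolumeStatus
            ProtectionStatus = $v.ProtectionStatus
            EncryptionMethod = $method
            Kind             = $kind
            KeyProtectors    = ($v.KeyProtector.KeyProtectorType -join ', ')
        }
    }
}

Get-BitLockerEncryptionKind | Format-Table -AutoSize
```

The same information appears on the "Encryption Method" line of `manage-bde -status`.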
  • I think most of you don't understand what these drives do or what is required. First, what is required: TPM, UEFI partition.

    Second, encryption is only for a powered-down drive; once the drive is powered on, the encryption is unlocked. Say a hacker hijacks my account: they take the information and it will be unencrypted. You cannot tell these drives are encrypted; there is no way to tell. SeaTools is required in part to talk to the drive; BitLocker works with the SED to encrypt. As long as the drive is on and logged on to, or can be logged in to, anyone can take the information.

    There are some warnings. One: if you plan to remove the drive, remove BitLocker.

    Know this only works for drives that are stolen out of the PC; it does not protect a drive online, nor does BitLocker. And also note Microsoft does upload all keys to your drive.

    I have contacted Seagate to change the firmware to do file-by-file decryption, all files locked until used; if my account is hijacked, the files are useless. RAID, domain, VPN: I have told Seagate how to fix all this.

    To Microsoft: we know you are stealing data, called wiretapping. If Seagate uses my idea it will no longer be possible to steal any data, and your 30-some name servers that you use to collect data become useless.

    You all must keep in mind that there is no program that does file-by-file encryption/decryption, keeping files locked until needed. As long as your PC is on the internet your data can be stolen.

    I hope Seagate uses part if not all of my ideas; if so it will be impossible to steal data even if online. Time that data theft ends.

    Tuesday, May 9, 2017 4:47 PM
  • SED hard drives: not even Seagate understands how they work. I have worked with over 40 of them.

    This is what is not told to you. One: SED drives will only work if you have a TPM-enabled computer or server, and it must be turned on. There is no way to tell if the drive is encrypted or not. BitLocker by default uploads all keys to Microsoft whether you want them to have them or not; I know this for a fact.

    Now, how do SED drives work? They don't work in RAID, they never have; Seagate never learned how to get them to work. Now, BitLocker must be turned on. Now some things most don't know: I don't care how the drive is encrypted, once logged in the drive is unlocked and anyone who can get on your local account can take the information unencrypted.

    There was a time that this was not true, that the drive could not be hacked, but the NSA started taking businesses to court that had no transcripts, no record that court was even done; businesses were forced to comply with this. The NSA wanted access to all computers. Google "NSA Microsoft hacking"; they both admit that they have done this. Now I know how Microsoft takes the information, and with 7000 data centers, they go on and off line; putting them in the hosts file doesn't work.

    Back to Seagate: how they are supposed to work is that once they detect the TPM they were to set up a partition that stores the keys, but this only helps if the drive was stolen; it gives no defence against online attacks. Though if you want to make it hard to take data, what I learned to do is use the SED drive, enable BitLocker, then put on VeraCrypt and encrypt them again. I found, for whatever reason, that files can't be taken and not be tagged encrypted, so if stolen they become useless. I discovered this as someone tried to break the VeraCrypt drive over the internet; there was no reason to unless the drive contents were not readable.

    Again, they can't be put in RAID; doing so, SED is turned off, unless Seagate updates the firmware to change this, as it is a very simple change. I talked to them that make the drives for 9 hrs; we went over all aspects of what would come up, how the drives would handle it and how strong the encryption should be. We went over domains, VPN, everything needed to make the drives work.

    So no, your drives will not work in RAID and SED will be turned off if put in RAID. You still use BitLocker, but do it offline; take the PC off the internet. There is no server software that will do what you want. Keep in mind Microsoft is still stealing data; they want to have access to the drives. Why, a lot of this used to work back in 2000, but now the NSA destroyed most all information on what is called file-by-file encryption/decryption, where files only unlock if they are used and must be used locally.

    Now with remote access you've got to keep in mind that if you have access to it so do all hackers, and it is unlikely that you stop them unless you get smart and keep servers on a different VLAN than the internet, but with the computer still being able to access both.

    I ran all server software through 2016; Microsoft does not detect the SED component in the drives, so the software has no clue it is even installed, and there is no way to know if it is even working. Seagate gave no tool to tell us if the drives are working as they should. There are also different levels of SED drives; some are ack shielded, these are the drives to get. Now I do not know if the newest drives have overcome the limitations, and there is no way to know, so we are stuck not knowing, and none of them at Seagate can help you, and Microsoft can't help, nor will they.

    Keep in mind SED is a hardware component and does not require software to work; it does require the TPM to be working. What is not clear is if BitLocker must be turned on or not, and Seagate does not even know this.

    I do use the SED drives; I did find it is harder for data to be stolen if it is encrypted all 3 ways. Now I am testing them in RAID, but have to redo the install; something locked out and I can't rename folders, and it's an OS problem, most likely an update messed something up. But as Microsoft has more control over Windows 8, I am forced to use Windows 7, as security is better if you know how to force the 256 k encryption on the drives.

    Wednesday, September 18, 2019 1:44 AM