BitLocker with Self Encrypting Drives

    Question

  • Hi,

    Has anyone tried to use hardware SED disks with Windows 2012 BitLocker?

    We have a couple of Seagate SED disks we are testing and I was expecting BitLocker to detect that they are hardware-based encrypting drives, but they just seem to be picked up as normal disks, so I am unsure if we are getting the benefits of the hardware encryption.

    Can someone tell me if this is normal behaviour in Windows Server 2012, or should I be seeing something else?

    Thanks

    Wayne


    Wayne Hollomby

    Thursday, January 17, 2013 4:14 PM

All replies

  • Hi Wayne,

    Encrypted Hard Drive device type will be recognized in Windows 8/2012. Please see:

    What's New in BitLocker

    http://technet.microsoft.com/en-us/library/hh831412.aspx

    See the "Support for Encrypted Hard Drives for Windows" Part:

    BitLocker: BitLocker Control Panel will enable users to manage Encrypted Hard Drives in the same manner as full volume encrypted drives

    You could also communicate with Seagate to see if there is any firmware or update needed for SED disks to work with Windows 2012.



    Friday, January 18, 2013 9:30 AM
    Moderator
  • Hi Shaon,

    What I was after is how I should expect these disks to be displayed in Windows 2012; a screenshot example would be useful.

    Because they just look the same as the standard disk when we enable BitLocker for them, that's why I think they are not being detected correctly as SED disks.

    We are in the process of checking with Seagate too.

    Thanks for the reply

    Wayne


    Wayne Hollomby

    Friday, January 18, 2013 10:08 AM
  • Hello - I realise the thread is a bit old, but this is a very difficult subject to find information on.

    Did you ever get an answer about whether Bitlocker works with SEDs?

    I am trying to use it with W8P to utilise the hardware encryption on a Seagate Constellation.2 but there is nothing to indicate that it sees it as anything other than a normal drive. An attempt to encrypt it results in software encryption.

    Is this something to do with the misnomers 'encrypted hard drive' and 'self-encrypting drive'? I see there is a 'cryptic' comment about it in the MS blurb.

    Bob

    Sunday, July 14, 2013 5:59 PM
  • Hi Bob,

    I did get an answer from a technical lead at Seagate in the end that confirmed that the Constellation ES.2 and ES.3 drives will not be able to be used for hardware encryption with BitLocker on Windows Server 2012/8; they will just show as normal hard disks, as you're seeing, and then you can use BitLocker software encryption.

    The reason they don't work is that Windows Server 2012/8 requires an OPAL 2 compliant drive, and the Seagate Constellation ES.2 and ES.3 drives are not OPAL 2 compliant drives. This is common across all vendors at the moment, I was told, so until someone releases an OPAL 2 compliant drive you will only be able to use BitLocker software encryption.

    Hope this helps

    Regards

    Wayne

     


    Wayne Hollomby

    • Proposed as answer by trivelino Monday, July 15, 2013 8:01 AM
    Monday, July 15, 2013 7:28 AM
  • Thanks Wayne - I've wasted hours and hours on this (and, it turns out, quite a lot of money), but I'm really very glad to have a definitive answer. At least I know where I am (stranded!)

    Cheers/Bob

    Monday, July 15, 2013 8:01 AM
  • Hello Wayne.

    I thought you might be interested to know that I got this working using an OPAL2 drive.

    I got hold of a Seagate ST500LT025, which is, sadly but not irretrievably, a 2.5" 5400rpm thin drive. It's readily available and quite cheap. I note that this is also compliant with MS edrive specs, but I don't know how important that is, or what the differences are.

    By googling 'Microsoft edrive' I found stuff (mostly from gamers) about utilizing SEDs which I hadn't found before. Amongst this was the comment that all the new Windows 8 features could only be guaranteed to work with Windows 8 'certified' boards. The factor of the boards that was important was that it should be UEFI compliant, although it's not clear which version.

    I then got an MSI B75MA-P45 motherboard which met the criteria. Gigabyte (which I would have preferred) have Windows 8 'ready' boards but I couldn't find anything that confirmed whether this was the same thing (I think not, although IT semantics are obscure at best). None of them say which version of UEFI they are compliant with.

    I put the W8Pro drive in (W8 seems to move quite happily between different Intel platforms) and right-clicked on it to turn Bitlocker on and it worked. It has to restart, but it doesn't ask if you want to encrypt the whole drive or just part before it does it, and this is the only indication of an SED being present. When it returns after restart, it's just working. The drive symbol has a lock on it and right-clicking offers the Bitlocker management system.

    The option to use TPM is supported with this board (with a plug-in module) but it's not necessary for this to work. I am just using a password logon, which is all I need.

    I note also that I put the constellation.2 drive in and it didn't work, confirming what you said.

    You may be interested to know that I put the W8 drive in a new Novatech laptop and it worked in there too. There is no indication that the Novatech is W8 certified (it was loaded with W7), but it has Secure Boot available in the BIOS and I think, although this is something separate, it is an indication that the laptop meets the Windows 8 requirements.

    Might be able to get on with some work now.

    Cheers/Bob

    Friday, July 19, 2013 11:28 AM
  • I think most of you don't understand what these drives do or what is required. First, what is required: TPM, UEFI partition.

    Second, encryption is only for a powered-down drive; once the drive is powered on, the encryption is unlocked. Say a hacker hijacks my account: they take the information and it will be unencrypted. You cannot tell these drives are encrypted; there is no way to tell. SeaTools is required in part to talk to the drive; BitLocker works with the SED to encrypt. As long as the drive is on and logged on to, or can be logged in to, anyone can take the information.

    There are some warnings: one, if you plan to remove the drive, remove BitLocker.

    Know that this only works for drives that are stolen out of the PC; it does not protect a drive online, nor does BitLocker. Also note that Microsoft does upload all keys to your drive.

    I have contacted Seagate to change the firmware to do file-by-file decryption, with all files locked until used; if my account is hijacked, the files are useless. RAID, domain, VPN: I have told Seagate how to fix all this.

    To Microsoft: we know you are stealing data, called wiretapping. If Seagate uses my idea, it will no longer be possible to steal any data, and your 30-some name servers that you use to collect data become useless.

    You all must keep in mind that there is no program that does file-by-file encryption/decryption, keeping files locked until needed; as long as your PC is on the internet, your data can be stolen.

    I hope Seagate uses part if not all of my ideas; if so, it will be impossible to steal data even if online. Time that data theft ends.

    Tuesday, May 09, 2017 4:47 PM