Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Windows IT Technology

Windows 11 Pro's On-By-Default Encryption Slows SSDs Up To 45% 120

An anonymous reader shares a Tom's Hardware report: Unfortunately, a default setting in Windows 11 Pro, having its software BitLocker encryption enabled, robs as much as 45 percent of the speed from your SSD as it forces your processor to encrypt and decrypt everything. According to our tests, random writes and reads -- which affect the overall performance of your PC -- get hurt the most, but even large sequential transfers are affected.

While many SSDs come with hardware-based encryption, which does all the processing directly on the drive, Windows 11 Pro force-enables the software version of BitLocker during installation, without providing a clear way to opt out. (You can circumvent this with tools like Rufus, if you want, though that's obviously not an official solution as it allows users to bypass the Microsoft's intent.) If you bought a prebuilt PC with Windows 11 Pro, there's a good chance software BitLocker is enabled on it right now. Windows 11 Home doesn't support BitLocker so you won't have encryption enabled there.

To find out just how much software BitLocker impacts performance, we ran a series of tests with three scenarios: unencrypted (no BitLocker), software BitLocker (the Windows 11 Pro default), and with hardware BitLocker (OPAL) enabled. While the software encryption increased latency and decreased transfer rates, hardware encryption and no encryption at all were basically tied. If you have software BitLocker enabled, you may want to change your settings.
This discussion has been archived. No new comments can be posted.

Windows 11 Pro's On-By-Default Encryption Slows SSDs Up To 45%

Comments Filter:
  • Is it worthwhile? (Score:2, Interesting)

    by SmaryJerry ( 2759091 )
    Is there any reason to keep bitlocker enabled if you aren't a business? Even if you are a business is bitlocker really that necessary?
    • by Entrope ( 68843 ) on Friday October 20, 2023 @06:07PM (#63940825) Homepage

      Is there anything on your computer that you would like to protect from an evil maid or equivalent attacker? Browser history, website login details, personal pictures, bank account statements? Having TPM-linked encryption at least makes it possible to keep those details from someone with moderate resources trying to break your privacy. Storing that data in plaintext exposes it. Storing your system executables without at least one of encryption or cryptographic MAC allows your computer to be backdoored.

      • by caseih ( 160668 ) on Friday October 20, 2023 @06:26PM (#63940863)

        The thing about that is most of the time I'm the one who needs to perform an evil maid attack, often on my own hardware. I need to be able to swap hard drives, recover data, etc. This makes that impossible. If a person somehow gets windows all screwed up so it won't boot or hardly runs (which never happens, oh no), there's no way to get the data off the drive the way we've been doing for decades. Sure you can berate them for not doing backups. But that doesn't help things. I guess MS expects everyone to pay for OneDrive.

        • by caseih ( 160668 )

          Also if you want to upgrade your hardware and put the drive in the new machine, you can't, since it was locked to the old machine's TPM and there's no way to transfer the keys. So just plan to format the drive if you do a mainboard update.

          • Comment removed (Score:4, Informative)

            by account_deleted ( 4530225 ) on Friday October 20, 2023 @07:29PM (#63940955)
            Comment removed based on user account deletion
            • by caseih ( 160668 )

              Yup, as long as you can boot windows. If you need to use a Linux LiveCD to rescue a Windows machine, you're out of luck.

              • Re:Is it worthwhile? (Score:4, Informative)

                by itsme1234 ( 199680 ) on Saturday October 21, 2023 @12:30AM (#63941411)

                You can read/mount/do anything bitlocker in Linux with dislocker https://packages.debian.org/si... [debian.org] (it says Vista to Windows 10, there's nothing special with 11 beside not being in the description). I think one of the UIs (Ubuntu?) was even offering it to do it in the GUI (mount disk directly asking for key) when you click the disk icon.

                Not that the installers need work and certainly it would be good to offer all options clearly, sure. See the recent post where Ubuntu ISO with the new fancy installer was pulled (for some other reasons), one of the fancy new features zfs encryption with TPM. Guess what, they took out the option to do zfs encryption with passphrase (or, with anything if you don't have TPM) which was present in the classic install. But the classic install (for the very same version) doesn't offer TPM. Crazy house.

          • Also if you want to upgrade your hardware and put the drive in the new machine, you can't, since it was locked to the old machine's TPM and there's no way to transfer the keys. So just plan to format the drive if you do a mainboard update.

            How to prove to the world that you don't know what you're talking about. When enabling bitlocker you're given an option to back the key up including to your MS account. When you put the drive in another machine and try to open it you're asked for the key which you can retrieve the backup of from your MS account.

            • by caseih ( 160668 )

              Isn't the point of this article that bitlocker isn't optional in Windows 11? And if you don't like MS snooping on you and don't want to use your MS account to log in, you're out of luck. I'm sure you can add the account later and do a backup.

              • At this point you're just playing dumb/trolling. You have the OPTION to save your key to a Microsoft account. You can also print it out, save to a small text file, whatever. Note that it'll be nearly impossible for the regular consumer to opt out from having a Microsoft account with Windows 11, without any relationship with the machine having or not bitlocker, or with the option to save your key in other way(s), including just writing it on a paper or something.

          • Formatting an old drive before putting it in another computer - my god, the horror!

            Are you serious? Do you simply refuse to perform a backup on your data or even do a fresh OS install on new hardware?

        • Bitlocker lets you back up your Bitlocker key to your Microsoft account.

          There are obvious downsides to this - Microsoft is no immune from being hacked - but it is an option.

          Corporate/Enterprise admins can automatically back up client-machine Bitlocker keys.

        • That's horse shit.

          You can ask windows for the recovery key and use that to mount the disk in any other computer. Source: I mount the Windows BL partition on the Linux dual boot just fine without using the TPM to unseal it.

          The default that MS forces on people (most people don't know better) is to back up the recovery key to their MS account, so you can usually ask there too

          Just because you refuse to understand the technology doesn't mean it's bad.

          • Note that it is possible for the key never to be held. If you don't sign into a work domain nor do you have a Microsoft account, it will lose the key.

            That said, Microsoft is very aggressive about seizing any chance to stick a recovery key into some account or another. I have however seen folks manage to have their drive forever lost for lack of an account with a recovery key.

        • I think my work is paying for OneDrive but I refuse to use it. I tried it once (I have a work-issued MacBook Pro) and it choked on Unix-type file names. That made it worthless. I disabled it and will intentionally never use it again. What a waste!

        • You're not locked out of any data until you lose the decryption key, which is stored far out of reach of Windows and the user, if someone competent set it up.

      • by Improv ( 2467 )

        In the past I've occasionally sent mostly-dead disks to data recovery places if I really really needed something back.

        Is this security from outsiders really worth giving up on the potential for that?

        • by Anonymous Coward

          In the past I've occasionally sent mostly-dead disks to data recovery places if I really really needed something back.
          Is this security from outsiders really worth giving up on the potential for that?

          Like all things in life, it literally depends entirely on what the data is and what the computer is used for.

          If you keep your data on a single drive without backups, needing to utilize recovery services, then disk encryption is not suitable to your use case.

          My main PC has my browser cache and some credentials to my NAS on it. Nothing I would need recovered, but not stuff I want others to have access to.
          I'm sure I do have some copies of projects on it I might not want others to have, but completely recovera

          • by mysidia ( 191772 )

            Personally my laptop is nothing more than a VPN client and remote access to my main desktop.
            Probably don't need disk encryption there as it has nothing on it.

            Encryption is still useful to help protect Integrity of the client OS instance - that is the media being encrypted helps establish that nobody used physical access to tamper with files on the device and Installed a keylogger program to capture VPN credentials while you weren't at the machine.

    • Re:Is it worthwhile? (Score:4, Informative)

      by quonset ( 4839537 ) on Friday October 20, 2023 @06:08PM (#63940829)

      Even if you are a business is bitlocker really that necessary?

      Yes. You may lose the machine to theft, but the data is secure. I was involved in a case where a machine was found tossed in a park in a city because the thief couldn't get into it. Why they didn't just remove the drive and install a new one I don't know, but the encryption did its job.

      This assumes the machine wasn't stolen while the user was logged in [theguardian.com]. In that case, everything is fair game.

      • by Powercntrl ( 458442 ) on Friday October 20, 2023 @06:41PM (#63940887) Homepage

        I was involved in a case where a machine was found tossed in a park in a city because the thief couldn't get into it. Why they didn't just remove the drive and install a new one I don't know, but the encryption did its job.

        Probably because the thief lacked the technical skills to swap a drive and just saw it as something they could sell to a fence for some crack money. Chances are if you're a criminal with enough computer savvy to profit from ID theft schemes, you're also probably smart enough to realize breaking and entering and physically stealing computers involves too much risk to life and limb.

        Certainly, businesses might have machines where the risk is worth the reward to a criminal, but the average home user's PC they're likely to just score a hard drive full of furry porn.

        • Probably because the thief lacked the technical skills to swap a drive

          There's a tendency for nerds to notice all the potential holes and then conclude something is useless. Most people, most time will be subject to low effort, low skill crime. Criminals are like everyone else: most of them are average at best at their jobs.

          Certainly, businesses might have machines where the risk is worth the reward to a criminal, but the average home user's PC they're likely to just score a hard drive full of furry porn.

          Mo

        • I was involved in a case where a machine was found tossed in a park in a city because the thief couldn't get into it. Why they didn't just remove the drive and install a new one I don't know, but the encryption did its job.

          You don't need drive encryption to keep a thief from booting your computer. You can just configure the BIOS to require a password or fingerprint scan at power on. Doesn't prevent installing the drive in another computer, but I think most thieves are looking for a useable computer, not for information stored on your drive.

    • Comment removed (Score:4, Informative)

      by account_deleted ( 4530225 ) on Friday October 20, 2023 @06:12PM (#63940837)
      Comment removed based on user account deletion
      • Yes. My personal PC has my tax returns. Whole bunch of other sensitive/confidential information too, won't list it all, and really, does the question need to be asked? I feel like it wouldn't be if the discussion was VeraCrypt or LUKS, but we're here talking about a M$ product, so, different rules.

        Sure, but, that said, you could simply use a utility, like AxCrypt, etc... to just encrypt your sensitive files. I'm sure not everything on the system needs to be encrypted, at least from a sensitively standpoint.

        • Comment removed based on user account deletion
          • I assume you're aware of the memory paging concept?

            Yes. My BSCS specialization was in systems software and operating systems.

            Do you know enough about the internals of your OS'es memory management to say with certainty that no confidential information will be swapped out?

            Yes, or at least I'm aware of the capabilities and limitations. Windows, for example, has a setting to clear the swap space on shutdown. Noting that it makes shutting down the system take *much* longer...

            At my former job, at a *large* defense contractor, one of my projects was the automated, unattended installation (OS and all software), configuration and lock down of Windows, Solaris and Linux systems from bare metal to ready to

          • Comment removed based on user account deletion
      • Indeed.

        I now routinely install all new builds with LUKS because why not? It's safe by default. On the off chance I'm doing something really really really performance sensitive with NVMe SSDs, I guess I could use LVM to make an unencrypted partition just for that data.

        Never needed it.

        My guess is that the result is I pay a slight penalty on boot speeds, which is something I do rarely anyway.

        With that said the penalty seems high. On LUKS it's much lower, and perversely some of the benchmarks actually run faste

        • I actually only do it on my Linux laptops.
          The desktop: not so much.

          Because that heavy desktop is in my house, bolted to the desk en the drives aren't hot swappable from the outside. So you need tools to access it.
          And my windows and doors are strong, with strong locks. And the top on the cherry: visible alarm :)
          • Fair enough.

            I don't have my data drive encrypted, since it's from an older install. It does have non critical data and my borg backups, but those are encrypted anyway.

            My doors and windows aren't as strong as they could be, but neither are my neighbors ones (the appearance of the front of my house is controlled). There are sometimes burglaries, but the most common one is to smash get in and out fast with car keys before anyone can respond to the alarm. Either that or just steal the catalytic converter off a

    • The data partition of my private desktop PC is encrypted (I use dm-crypt). If a burglar breaks in and steals my PC, I lose the hardware but they won't screw me over by accessing my passwords, financial data, etc. that can be recovered from a non-encrypted data disk. Also no risk of data leak if I need to send the ssd back for repair or replacement. My workplace activated the encryption on business laptops several years ago for the same reasons.

      It is useful to activate it by default such that most people wil

      • Comment removed (Score:4, Insightful)

        by account_deleted ( 4530225 ) on Friday October 20, 2023 @07:33PM (#63940961)
        Comment removed based on user account deletion
      • Comment removed based on user account deletion
        • I solved this issue by not having a swap and temporary/runtime files are in tmpfs (my cost is having to consider enough RAM). But you're right as this ste of option is not offered as standard by OSes, FDE is the only safe option for most.

        • by serviscope_minor ( 664417 ) on Saturday October 21, 2023 @05:23AM (#63941665) Journal

          What you say is true, and I certainly do that. However basic encryption on the home drive covers 99.9% of the attack surface.

          The vast majority of the time, people aren't specifically attacking you. If your machine gets nicked it's probably going to be sold for cash to some dodgy bloke for his teenage kid. It'll then get infested with virii and etc and the automatic botnet data scraper identity theft stuff will get the data on the machine (yours) and that's where the problem lies.

          The chance of someone specifically trawling for your data on a stolen machine is low I reckon.

          Someone specifically hunting for keys in a swap partition of a stolen machine to crack a disk they have no idea contains anything is valuable is essentially zero.

          If the machine doesn't just boot it'll be junked or maybe sold to someone who owns one of those weird dodgy tech shops who will wipe it and resell it. As long as whatever you have is enough to trigger that then your data is safe in almost all cases.

          But I do agree, unless you have really really specific performance needs just check the "encrypt fucking everything" box on install. Anything else is pointless fuckery.

        • After checking: /run, where secrets could leak, is tmpfs in linux installs nowadays. Not sure how much information leaks from /var/cache, it did not seem anything important, it's mostly package manager related stuff; also nobody fetches emails into /var/spool/mail/ anymore. So making /tmp as tmpfs is the only step I found necessary to avoid leakages.

    • Yes, your SSD will fail catastrophically and you won't have a chance to wipe it but when it gets recycled in China somebody can use a chip reader to pull your sensitive data (passwords, bitcoin wallet, financials, etc.) and sell it to the highest bidder.

      AES-NI is so fast that most people won't even notice so they're doing the right thing.

    • Really? You can conceive of a few simple scenarios where you'd want to be sure your data was safe?

      How about the highly probable disk failure requiring RMA? If the disk is encrypted your data is safe to RMA. If not the you're SOL and you need to have the drive securely shredded and just buy a new one.

    • Encryption of your personal data is so essential that phones have been doing it very effectively for years. Why is it ok for your laptop to be less secure than your phone?
      • by Z00L00K ( 682162 )

        Because I still run a stationary computer at home.

        With the amount of data I have I'd have to pay a lot for storage in the cloud - with questionable protection of what I have. "Sorry, our AI Bot decided that your family photos were illegal so we deleted all your files to protect you from yourself and we have now notified the police and social services about your questionable content"

    • by tlhIngan ( 30335 )

      Is there any reason to keep bitlocker enabled if you aren't a business? Even if you are a business is bitlocker really that necessary?

      SSD encryption protects you if someone were to remove the SSD and remove the flash chips and read them out. This only really happens during data recovery. Or if you have an Apple Mac.

      BitLocker is a disk encryption system and protects you if someone removes the disk (HDD or SSD) from the computer and moves it to another computer. If it's encrypted, the disk cannot be read and

  • Microsoft Compatibility Telemetry is also evil. It consumes CPU and decreases battery life. Bad software written by incompetent software engineers.

    • What software doesn't consume CPU and decrease battery life? Are you going to tell me that Linux software is beautifully written and efficient? Right.

      • Generally speaking, with Linux you're trading cycles and power for something you want. With Windows, there's tons of stuff burning cycles and power (and bandwidth) for what Microsoft wants... without asking and without an easy way to disable it even if you're aware of it happening.

        • Linux trades CPU cycles only for "what you want" if you happen to be a full-fledged computer nerd. For those who struggle to figure out a TV remote control, not so much. That crowd--the ones who aren't good at technology--they can use Windows to do what they want, right out of the box. They're never going to get Linux to do that, without a technical person first spending a good bit of time setting it up for them.

          And speaking of easy ways to disable things...are you kidding me? Are you suggesting that, on Li

          • Windows starts with everything and makes it difficult to remove what you don't want.

            Linux distro usually start with what you need and you have to add extra. There's usually no need to remove anything.

            • Why would you think the Linux approach is better?

              Install bookkeeping software. Installation fails because you didn't install some subsystem or another. Locate the subsystem and figure out how to install it. Now try installing the bookkeeping software again. Find out that some other component is missing.

              How's that better, exactly?

  • ...and an unencrypted partition/drive for other use. Although it's certainly true that Microsoft needs to make this process far easier to carry out. Average users shouldn't need 3rd party software to manage partitions and disks. Biometrics needs to be present as well, as it is on phones.
  • by RitchCraft ( 6454710 ) on Friday October 20, 2023 @06:37PM (#63940875)

    This has always been the case with Windows. Get a nice shiny new computer only to find it's true power hobbled by Window is some way, shape, or form. The solution used to be to go back one version of Windows. Now the only solution is advance to Linux and never look back.

    • So what happens when somebody steals your nice, fast Linux system? Is there anything on that hard drive that you wouldn't want others to see? Security (encryption) *always* trades security for speed, whatever OS you are using.

    • by AmiMoJo ( 196126 )

      If you buy a new Windows machine the encryption will probably be using the SSD's built in stuff, which has no effect on performance.

      Most SSDs have encrypted data for many years now. It's built into the controller. The key is stored in the SSD. All enabling BitLocker with "eDrive" (Microsoft's name for OPAL v2) does is move the key into the computer's TPM, where on Windows can access it (with an optional PIN or other authentication).

      TFA is talking about people who install their own copy of Windows, rather th

  • I'm sure MSOFT believes most users won't notice and those that do are capable of changing it. I don't understand however why they would enable it out of the box if the drive already supports hardware encryption.
    • Bitlocker is their encryption, the drive's is not. No as easy to "reverse engineer" if you know what I mean.

  • Windows 11 Home doesn't support BitLocker so you won't have encryption enabled there.

    That's incorrect. While "bitlocker" is pro, Windows 11 home supports encryption and most Windows home laptops ship with it enabled. "Bitlocker" but with fewer supported mechanisms for managing the key material.

  • If you are using Windows 11 in a VM on a host that already implements hardware disk encryption, you can disable Windows disk encryption with the following steps:

    1. Open cmd as Administrator
    2. Type manage-bde -off C: (or whatever drive is your encrypted data drive)
    3. Profit

  • I have Windows 11 (Enterprise) at home.

    4x 2TB NVMe drives in RAID0, Bitlocker enabled. I also have i9-12900K and 64GB of DDR5 RAM.

    I'm getting:
    - 17704 MB/s read, 16008 MB/s write (SEQ1M Q8T1)
    - 5933 MB/s read, 7543 MB/s write (SEQ1M Q1T1)
    - 683 MB/s read, 918 MB/s write (RND4K Q32T1)
    - 64 MB/s read, 137 MB/s write (RND4K Q1T1)

    Theoretical max random read should be 28000 MB/s, so I'm only getting 63% of that.

  • by Petersko ( 564140 ) on Friday October 20, 2023 @07:46PM (#63940985)

    Two boxes, clean installs of Windows 11 Pro, neither one has BitLocker enabled. I did not disable it - it was not on by default.

  • There was a reason (Score:5, Informative)

    by stikves ( 127823 ) on Friday October 20, 2023 @08:08PM (#63941033) Homepage

    There was a reason they switched to software encryption:
    https://hardware.slashdot.org/... [slashdot.org]

    Why? Because SSD makers were lazy, and did not implement good crypto. And Microsoft's own software implementation was for most users would be good enough: https://it.slashdot.org/story/... [slashdot.org] (even recommended by our old pal TrueCrypt)

    Now, the article explains how to enable hardware encryption. (Very easy! Just requires a complete wipe and reinstall, using third party tools like Rufus, should be piece of cake for end users), or how to disable bitlocker altogether (Very useful if you use online banking or have other important accounts on your laptop. What could possibly go wrong?).

    What would I recommend instead? Use VeryCrypt to convert your existing Windows install (might require some partition move):
    https://www.makeuseof.com/encr... [makeuseof.com]

    And choose the fastest / most secure combination you want using their benchmark on your own system.

    • or how to disable bitlocker altogether (Very useful if you use online banking

      Bitlocker doesn't protect against online attacks.

    • This. They publicly spanked MS for relying on lazy SSD manufacturers. Now they shame them because encryption is expensive but, for once, they care about their users (even if it's not the most convenient option). I avoid Windows like the plague, but this approach to the change in bitlocker is a bit unfair, like shaming those who publish Retbleed and Spectre mitigations.
  • SSDs are all encrypted all the time whether you use OPAL, Class 0 or not the SSD runs the same crypto operations in all cases.

    Personally a big fan of Class 0 and use it on my laptop to guard against theft. 100% transparent, no overhead, no OS dependencies. If you don't enter passphrase on boot the disk becomes a paper weight and you literally can't read or write a single byte. Only downside is you have to check model/vendor implementation first because some of them store encryption keys anyway and can be

  • Still slowing down even the most modern hardware since the early 1990s
  • My Windows 11 Pro install doesn't have Bitlocker enabled and I never explicitly turned it off. Has this been independently verified?
  • Not for a good, long while.

  • Unless you are doing really sensitive work, there's just no reason to use full disk encryption. If you have a set of sensitive files, use something like Veracrypt to contain the files.

    Encrypting everything - of course that slows things down, it doesn't matter that it's Windows. It also makes it much more difficult to do hardware-level work. For example: maybe your computer dies, and you'd like to move the SSD or disk to another computer.

  • On the same note, why do we keep insuring our house and the stuff we own. It costs a lot of money each month, slowing down our economy by maybe 10%. At least this does not come as a default. That money would be spent better elsewhere! Until the time when your house burns or is flooded, and that insurance policy is ... well, not priceless, but when it represents an amount of money you would not otherwise be able to raise, then somehow it *is* priceless.

    What is the value of keeping your information private, i

  • > Windows 11 Home doesn't support BitLocker so you won't have encryption enabled there.

    If you log in with a microsoft account, and hey if you use windows you probably need to so your things are there, they both home and pro turn on encryption by default.

    Unfortunately the implementation on home is a nightmare since it does not tell you about it and you don't get the key! First you know it that you computer breaks and you cannot access the files on anopther machine. It's called "device encryption" And it i

  • If Microsoft wants to go all-in for business, and encourage encryption that's fine with me, but bogging down a system and making gaming worse sounds pretty dumb.
  • [maybe-joke]Well, there goes the SSDberhood. Whose bright idea was it to enforce something as old as Bitlocker on drives anyway? I suppose M$ is trying to murder themselves.[/maybe-joke]

Children begin by loving their parents. After a time they judge them. Rarely, if ever, do they forgive them. - Oscar Wilde

Working...