Tested: Windows 11 Pro’s On-By-Default Encryption Slows SSDs Up to 45%
This topic has 22 replies, 10 voices, and was last updated 8 months ago.
Alex5723
AskWoody Plus
October 20, 2023 at 12:45 am #2595568
https://www.tomshardware.com/news/windows-software-bitlocker-slows-performance
BitLocker software encryption slows performance. Here’s how to fix it
There are few things more frustrating than paying for high-speed PC components and then leaving performance on the table because software slows your system down. Unfortunately, a default setting in Windows 11 Pro, having its software BitLocker encryption enabled, robs as much as 45 percent of the speed from your SSD as it forces your processor to encrypt and decrypt everything. According to our tests, random writes and reads — which affect the overall performance of your PC — get hurt the most, but even large sequential transfers are affected.
While many SSDs come with hardware-based encryption, which does all the processing directly on the drive, Windows 11 Pro force-enables the software version of BitLocker during installation, without providing a clear way to opt out…
Software BitLocker Can Seriously Hurt SSD Performance
If you’re not a heavy storage user, perhaps a lot of the above seems like it’s not a big deal. The problem is Microsoft has forced degraded performance on all Windows 11 Pro users, and the added latency will have an impact on system responsiveness. If you’re using Windows 11 Pro on a company-issued laptop, there’s a good chance it’s underperforming thanks to that decision…
Paul T
AskWoody MVP
October 20, 2023 at 6:10 am #2595609
Alex5723 wrote:
If you’re using Windows 11 Pro on a company-issued laptop, there’s a good chance it’s underperforming thanks to that decision
Tell the company to get you a faster one!
For home use, I always want an encrypted disk on my laptop. It’s my data and I don’t want anyone else getting to it, especially if the laptop “goes missing”.
cheers, Paul
steeviebops
AskWoody Plus
October 20, 2023 at 6:37 am #2595615
The problem here was Microsoft initially defaulted to hardware encryption in Windows 8, but it was then discovered that some Opal implementations had major security flaws that rendered the encryption useless. So Microsoft decided not to trust it anymore and use software by default.
Ascaris
AskWoody MVP
October 22, 2023 at 4:26 am #2596099
The security flaws in question were indicated in one now-famous study of a small number of by-now older SATA SSD models using the Class 0 (ATA password based) implementation of self-encryption, for which at least one manufacturer (Crucial) released upgraded firmware as a remedy. I am not sure if Samsung ever did the same, as the models indicated to have the issue did not include any of my drives, and I didn’t check back with them. Not all Samsung models tested had the flaw, so it is possible that later models were already not subject to that issue. While the drives may have been OPAL capable, they were not using the OPAL mode when they were tested for that paper.
Whether or not the flaws were fixed is a separate question from whether a given drive was ever vulnerable in the first place, but the idea is that if there is a flaw with security, you fix it… you don’t automatically need to dump the entire concept. If there was a flaw discovered in BitLocker’s software encryption, would that mean the whole of BitLocker has to be dumped, rather than simply having MS fix the issue?
Hardware encryption is transparent to the underlying OS, has no performance loss, and costs no extra power on laptops, since it is always enabled internally on the drive even if the user has never enabled the locking feature. It also means that the encryption key, once sent to the drive, can be deleted from RAM on the host PC (depending on whether it needs to be stored for resuming from S3 sleep). It can be stored in the TPM to keep it more safely than in RAM for S3, but if the unit uses S0ix/S2idle/”Modern standby,” that’s not necessary.
In a software encryption setup, the encryption key must be in RAM at all times while the drive is being used. That presents an attack surface, of course. RAM in a PC is meant to be read and queried by the host PC, though there are defenses against this like ASLR and address space partitioning that are always being probed by the bad guys. There is no intended means by which the key in the RAM of the SSD can be read or queried by the host PC, and if it were even mapped into the address space by some exploit, it would also be restricted like the software key, so it’s more protected.
There are other sorts of attacks that can be used to try to keep a SED (self encrypting drive) in the unlocked state (connected to power) while an attacker with physical access tries to transfer it to another unit, if that attacker was able to get ahold of the unit while it was sleeping, but that’s far more easily said than done. If you’re facing an attacker with enough sophistication to pull that off, you’d be better off hibernating the system rather than using a standby mode (with hardware or software encryption).
Dell XPS 13/9310, i5-1135G7/16GB, Kubuntu 24.04
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)
bbearren
AskWoody MVP
October 20, 2023 at 7:18 am #2595619
Alex5723 wrote:
BitLocker software encryption slows performance. Here’s how to fix it
I disable BitLocker in Services.msc. I started doing that years ago, and after every upgrade (I’m now on Windows 11 Pro) I check Services to be sure that BitLocker is still disabled; it always is.
Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things. We were all once "Average Users".
b
AskWoody_MVP
October 20, 2023 at 9:55 am #2595675
Alex5723 wrote:
https://www.tomshardware.com/news/windows-software-bitlocker-slows-performance
This article contains several false or misleading statements:
Starting with the headline:
Tested: Windows 11 Pro’s On-By-Default Encryption Slows SSDs Up to 45%
It’s not on by default. (Up to 45%, but typically 3%-11%).
The problem is Microsoft has forced degraded performance on all Windows 11 Pro users,
Fake news.
If you bought a prebuilt PC with Windows 11 Pro, there’s a good chance software BitLocker is enabled on it right now.
A-ha! Now there’s only “a good chance” that it’s enabled?
Windows 11 Home doesn’t support BitLocker so you won’t have encryption enabled there.
Device Encryption has been a default on many Windows Home devices for the last eight years.
Alex5723
AskWoody Plus
October 20, 2023 at 11:05 am #2595694
Paul T wrote:
For home use, I always want an encrypted disk on my laptop
The problem isn’t with encryption itself but with the method by which it is done: software vs. hardware. Software, as in Windows 11 Pro, degrades the PC’s performance. Hardware on the SSD doesn’t.
I suppose it is true for ANY encryption software that doesn’t use the SSD’s hardware for encryption.
Alex5723
AskWoody Plus
October 20, 2023 at 1:22 pm #2595724
b wrote:
Device Encryption has been a default on many Windows Home devices for the last eight years
Device Encryption is not BitLocker. The post is about BitLocker.
Device encryption is a feature that exists in Windows 10 & 11. It is available on PCs that are connected to the internet and signed into a Microsoft Account. Your device needs to have a TPM and Secure Boot enabled.
Device encryption is available in Windows 10 & 11 Home, while BitLocker isn’t available in the Home edition.
BitLocker encryption is available on supported devices running Windows 10 or 11 Pro, Enterprise, or Education.
On supported devices running Windows 10 or newer, BitLocker will automatically be turned on the first time you sign into a personal Microsoft account (such as @outlook.com or @hotmail.com) or your work or school account.
BitLocker is not automatically turned on with local accounts; however, you can manually turn it on in the Manage BitLocker tool.
b
AskWoody_MVP
October 20, 2023 at 2:26 pm #2595740
Alex5723 wrote:
Device Encryption is not BitLocker. The post is about BitLocker.
Does that make this statement true?
Windows 11 Home doesn’t support BitLocker so you won’t have encryption enabled there.
bbearren
AskWoody MVP
October 20, 2023 at 4:44 pm #2595760
Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
We were all once "Average Users".
b
AskWoody_MVP
October 21, 2023 at 3:47 am #2595880
Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 11 and Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those devices that are Modern Standby, and devices that run the Home edition of Windows 10 or Windows 11.
bbearren
AskWoody MVP
October 21, 2023 at 3:59 am #2595884
b wrote:
BitLocker Device Encryption … BitLocker Device Encryption
I’ve never experienced nor seen “On by default” in any of my systems, all of which are Pro. I disabled BitLocker in Services very early on, and it has stayed “Disabled” after every upgrade.
Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
We were all once "Average Users".
steeviebops
AskWoody Plus
October 24, 2023 at 2:21 am #2596580
Alex5723 wrote:
b wrote:
Device Encryption has been a default on many Windows Home devices for the last eight years
Device Encryption is not BitLocker. The post is about BitLocker.
Device encryption is a feature that exists in Windows 10 & 11. It is available on PCs that are connected to the internet and signed into a Microsoft Account. Your device needs to have a TPM and Secure Boot enabled.
Device encryption is available in Windows 10 & 11 Home, while BitLocker isn’t available in the Home edition.
BitLocker encryption is available on supported devices running Windows 10 or 11 Pro, Enterprise, or Education.
On supported devices running Windows 10 or newer, BitLocker will automatically be turned on the first time you sign into a personal Microsoft account (such as @outlook.com or @hotmail.com) or your work or school account.
BitLocker is not automatically turned on with local accounts; however, you can manually turn it on in the Manage BitLocker tool.
It’s effectively a trimmed-down BitLocker; you can still use manage-bde to control it.
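A way to check the two things this thread argues about (is BitLocker actually turned on, and is the encryption done by the CPU or by the drive), added here as an example and not posted by anyone in the thread: it uses the built-in Get-BitLockerVolume cmdlet, which reports an EncryptionMethod of Hardware when a self-encrypting drive is doing the work and a software method such as XtsAes256 otherwise. It assumes an elevated PowerShell session on a Windows edition that ships the BitLocker module (Pro, Enterprise or Education); `manage-bde -status` shows the same fields.

```powershell
# Added example (not from the thread). Reports each BitLocker-managed volume and
# whether its encryption runs in software (CPU) or on the drive itself (SED/Opal).
# Requires an elevated PowerShell session; Get-BitLockerVolume comes from the
# built-in BitLocker module on Windows 10/11 Pro, Enterprise and Education.
function Get-BitLockerEngineReport {
    Get-BitLockerVolume | ForEach-Object {
        $method = [string]$_.EncryptionMethod   # e.g. XtsAes256, Aes128, Hardware, None

        # 'Hardware' means the drive's own engine encrypts and the CPU pays nothing;
        # every other method is software BitLocker, which is what the article measured.
        $engine = switch ($method) {
            'Hardware' { 'Hardware (self-encrypting drive)' }
            'None'     { 'n/a (not encrypted)' }
            default    { 'Software (CPU)' }
        }

        [pscustomobject]@{
            MountPoint = $_.MountPoint
            VolumeType = $_.VolumeType        # OperatingSystem or Data
            Status     = $_.VolumeStatus      # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
            Protection = $_.ProtectionStatus  # On = protectors enforced; Off = suspended or decrypted
            Method     = $method
            Engine     = $engine
            # Key protectors tell you how the volume unlocks (Tpm, RecoveryPassword, ...)
            Protectors = ($_.KeyProtector.KeyProtectorType | Sort-Object -Unique) -join ', '
        }
    }
}

Get-BitLockerEngineReport | Format-Table -AutoSize
```

A volume showing Status FullyEncrypted with Protection Off is suspended, not decrypted, so the performance cost discussed above still applies to it.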
Alex5723
AskWoody Plus
October 21, 2023 at 12:16 am #2595828
b wrote:
Does that make this statement true?
True in regard to BitLocker. The article isn’t about some other methods of encryption.
krism
AskWoody Plus
October 21, 2023 at 8:39 pm #2596065
Uh. On by default? I just updated from 10 Pro to 11 Pro 22H2 a few weeks ago. Just checked BitLocker settings and they are set to off.
ASUS Prime Z790-V WIFI, I9-12900k, Gigabyte 3060Ti, UEFI/GPT, 32GB, Sam 980 Pro 1T M.2 . Win 11 Pro 23H2 . HP laserjets M254dw & 3001dw, Epson 2480 scanner. External monitor Dell S3221QS.
Paul T
AskWoody MVP
October 21, 2023 at 11:45 pm #2596081
New installations only (possibly only OEM / OOB). Upgrades respect your existing settings (amazingly).
cheers, Paul
krism
AskWoody Plus
October 22, 2023 at 12:10 am #2596084
Yeah, it is amazing… Or maybe it asked me at some point and I just forgot…
ASUS Prime Z790-V WIFI, I9-12900k, Gigabyte 3060Ti, UEFI/GPT, 32GB, Sam 980 Pro 1T M.2 . Win 11 Pro 23H2 . HP laserjets M254dw & 3001dw, Epson 2480 scanner. External monitor Dell S3221QS.
Deeb
Guest
October 23, 2023 at 2:59 pm #2596494
Windows 10, BitLocker was enabled by Intune policy, encryption method is XTS-AES 256. I know the article is about Windows 11, but it’s on Windows 10; does that mean the only way to have hardware encryption is to reinstall the OS?
Susan Bradley
Manager
October 23, 2023 at 3:00 pm #2596499
You can disable BitLocker. By the way, when you say “enabled by Intune policy”, that policy comes from something setting it. Intune means that some organization has management control over your PC.
Susan Bradley Patch Lady/Prudent patcher
Mr. Austin
AskWoody Plus
October 23, 2023 at 10:27 pm #2596550
Interesting. Thanks. I’ll want to have a look at this. I’ve a new Lenovo ThinkPad which has two issues about which Lenovo is nearly clueless. Lenovo’s techs are absolutely untrained on Windows software. So they’ve been all but useless on Windows’ needs: (1.) About half the time the new machine won’t automatically wake up to run scheduled software, including BackupOutlook and R-Drive Image, and,
(2.) R-Drive Image often throws errors saying its write-to drive has gone missing. And, surprise, it’s a Samsung T7 Shield NVMe SSD (USB 3.2 Gen 1 methinks) that’s less than a year old. My second write-to drive is a WD (old-school) SSD, and that has zero issues with the new Lenovo box. But R-Drive and the Samsung NVMe SSD worked OK on my dearly-departed Windows 10 Pro box. I tested to see if it was Samsung’s cables, and nope, that’s not the issue.
When I checked BitLocker’s settings just now, it’s enabled for only the system drive, and not the two SSDs to which I write my twice-daily images. But this still makes me curious if I could just disable BitLocker and see what happens, or doesn’t, with R-Drive Image.
krism
AskWoody Plus
October 23, 2023 at 10:47 pm #2596551
1. (In power settings) sleep = never, and it should work fine.
2. No idea, I don’t use R-Drive. I back up manually, periodically with terabyte, generally the whole SSD. SSD and external are both M.2 NVMe. Quite fast.
3. On mine, BitLocker is off for all partitions it can see. I do not use BitLocker. Personal preference. Unless your laptop is at risk, you might not need it.
hth
I’m on my 3rd Thinkpad.
ASUS Prime Z790-V WIFI, I9-12900k, Gigabyte 3060Ti, UEFI/GPT, 32GB, Sam 980 Pro 1T M.2 . Win 11 Pro 23H2 . HP laserjets M254dw & 3001dw, Epson 2480 scanner. External monitor Dell S3221QS.
ACIT
Guest
January 12, 2024 at 10:31 pm #2625827
After encryption it is understandable that read and write processes would slow down. I have followed Tom’s for 15 yrs or more, but was a test done prior to encrypting, before running the benchmark that reports a 45% degrade in performance? I’m guessing there was, but a 45% BitLocker degrading point is not accurate. There are way too many variables. Only performance can be measured for the same type of critical parts: processors, RAM, SSD chipsets, and MB. I will soon be testing my ASUS with Windows 11 Pro S, and if BitLocker is already active I will remove it and run a performance test and then encrypt. I’m really happy with the performance I see now: 21 GB RAM, i7 processor and 1TB SSD.
b
AskWoody_MVP
January 14, 2024 at 8:03 am #2627297
ACIT wrote:
I have followed Tom’s for 15 yrs or more, but was a test done prior to encrypting, before running the benchmark that reports a 45% degrade in performance?