
Microsoft is rolling out hardware-accelerated BitLocker in Windows 11 to address growing performance and security concerns by leveraging the capabilities of system-on-a-chip and CPU.
BitLocker is the native full-disk encryption feature in Windows that protects data from being readable without proper authentication. During normal device boot, it relies on the Trusted Platform Module (TPM) to securely manage encryption keys and automatically unlock the drive.
Microsoft states that as non-volatile memory express (NVMe) storage has become more performant, BitLocker's cryptographic operations have a more noticeable performance impact for gaming and video editing activities.
With hardware acceleration, bulk cryptographic operations can be offloaded to system-on-a-chip (SoC) components equipped with hardware security modules (HSMs) and trusted execution environments (TEEs), significantly improving cryptographic performance. This will naturally reduce CPU usage and improve overall system performance.
"When enabling BitLocker, supported devices with NVMe drives along with one of the new crypto offload capable SoCs will use hardware-accelerated BitLocker with the XTS-AES-256 algorithm by default," Microsoft explains.
"This includes automatic device encryption, manual BitLocker enablement, policy driven enablement, or script-based enablement with some exceptions."
In actual tests, hardware-accelerated BitLocker had around 70% fewer CPU cycles per I/O compared to software-powered BitLocker, although results vary per hardware.
In addition to the performance gains, BitLocker now uses hardware-protected keys, reducing their exposure to attacks that target the CPU and memory and adding to the existing Trusted Platform Module (TPM)-based key protection.
Microsoft says this puts the mechanism on the path to eliminating BitLocker keys from the CPU and memory.
The new BitLocker is available starting with Windows 11 24H2, if September updates are installed, and on Windows 11 25H2.
Initial support will arrive with Intel vPro systems using Intel Core Ultra Series 3 (“Panther Lake”) processors, but other SoC vendors will be added progressively.
Users can verify their BitLocker mode by running the command manage-bde -status and checking whether the Encryption Method field reports 'Hardware accelerated'.
Microsoft notes that BitLocker falls back to software-based mode if unsupported algorithms are used, if key sizes are manually specified, if enterprise policies dictate an unsupported key size or algorithm, or if FIPS mode is enabled and the SoC does not report FIPS-certified crypto offload and key-wrapping capabilities.
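The following PowerShell script is an added example (not Microsoft's code) that automates the check described above: it parses the output of manage-bde -status for the system drive, reports whether the Encryption Method field contains 'Hardware accelerated', and, if not, looks for the policy-side causes of a software-mode fallback that the article lists. It assumes that manage-bde prints an 'Encryption Method:' line, that FIPS mode is reflected by the standard FipsAlgorithmPolicy\Enabled registry value, and that a BitLocker encryption-method policy under HKLM\SOFTWARE\Policies\Microsoft\FVE set to anything other than 7 (XTS-AES-256) counts as an explicit algorithm or key-size override. Run it from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's code: report BitLocker mode and likely software-fallback causes.

function Get-BitLockerMode {
    param([string]$MountPoint = $env:SystemDrive)

    # manage-bde writes plain text; capture it and pull the 'Encryption Method:' line.
    # Assumption: hardware offload is shown as 'Hardware accelerated' in that field (per the article).
    $status = & manage-bde.exe -status $MountPoint 2>&1 | Out-String
    $methodLine = ($status -split "`r?`n") |
        Where-Object { $_ -match '^\s*Encryption Method:' } |
        Select-Object -First 1

    if (-not $methodLine) {
        return [pscustomobject]@{ Volume = $MountPoint; Method = '<not reported>'; HardwareAccelerated = $false }
    }

    $method = ($methodLine -split ':', 2)[1].Trim()
    [pscustomobject]@{
        Volume              = $MountPoint
        Method              = $method
        HardwareAccelerated = [bool]($method -match 'Hardware accelerated')
    }
}

function Get-SoftwareFallbackReasons {
    # Policy-side conditions from the article that force software-based BitLocker.
    $reasons = @()

    # FIPS mode: offload is only used if the SoC reports FIPS-certified crypto offload and key wrapping.
    $fips = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
                             -Name Enabled -ErrorAction SilentlyContinue
    if ($fips -and $fips.Enabled -eq 1) {
        $reasons += 'FIPS mode is enabled; hardware offload requires FIPS-certified offload and key wrapping on the SoC'
    }

    # Encryption-method policy (OS, fixed, removable drives). 7 = XTS-AES-256, the hardware-accelerated default.
    # Assumption: any other configured value is treated here as a manual algorithm/key-size override.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    foreach ($name in 'EncryptionMethodWithXtsOs', 'EncryptionMethodWithXtsFdv', 'EncryptionMethodWithXtsRdv') {
        if ($fve -and $null -ne $fve.$name -and $fve.$name -ne 7) {
            $reasons += "Policy $name = $($fve.$name) specifies an algorithm/key size other than XTS-AES-256"
        }
    }
    return $reasons
}

# Usage: print the mode for the system drive and explain a software-mode result where possible.
$mode = Get-BitLockerMode
$mode | Format-List
if (-not $mode.HardwareAccelerated) {
    $why = Get-SoftwareFallbackReasons
    if ($why.Count -gt 0) {
        $why | ForEach-Object { Write-Output "Possible cause: $_" }
    } else {
        Write-Output 'No policy-side cause found; check the build, SoC and NVMe support, or whether the key size was specified manually.'
    }
}
```

The registry checks only cover the causes that are visible from the OS; unsupported hardware or an older build shows up as a software-mode result with no listed cause, which is the prompt to check the requirements in the article (Windows 11 24H2 with the September updates or 25H2, an NVMe drive, and a crypto-offload-capable SoC).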
Comments
RexvimilZuzakzmo - 3 months ago
Hasn't disk encryption been hardware accelerated for ages?
I do recall testing it more than a decade ago to confirm whether it was fast enough not to affect the speed of any I/O operations, and it worked seamlessly, and all that without a noticeable CPU footprint... (although it is true that these days NVMe loads can occasionally be spotted on CPU charts - still barely a small fraction of a single core)
Ps. Moving it onto some mysterious chip also reminded me of a "solution" like that in the past - it offered virtually no protection, as anyone with access to the system had access to the encrypted data by default, and any/most chip (or storage) issues caused all data contained there to be lost...
However, things were technically encrypted, so if all you wanted was to tick a checkbox - they had your back :p
Raj09 - 3 months ago
Who cares about encryption? Anyone who's doing any meaningful work needs all the CPU. Gaming or video editing or coding. I disable bitlocker and exercise proper security.
RexvimilZuzakzmo - 3 months ago
> Who cares about encryption?
Well, it is a nice way to ensure that if your stuff gets stolen or disposed of incorrectly - it won't come after you for decades afterwards through all the identity theft and abuse opportunities that would allow, and that assumes you don't own/possess anything digital of value...
> Anyone who's doing any meaningful work needs all the CPU.
> Gaming or video editing or coding.
As I said, there is barely any performance impact, and even beyond that you can easily configure encryption and volume structure in such a way that even that is gone. Gaming is a perfect example - the "meat" of my games (useless to a thief) is stored unencrypted just for cleanliness reasons (and so I can pimp my drives more easily).
> I disable bitlocker and exercise proper security.
Likely a good idea, as I am under the impression it is pushed/used like a prod to punish those of the "cattle" who did not migrate onto their cloud service (it is hard for me to imagine at this point that MS folk still think of Windows users as customers). Punishment introduced through users occasionally losing all their data to encryption functionality they were not aware was present on their machines, or one they simply did not understand...
Although I would recommend figuring out another solution. TrueCrypt used to be fine, not sure now. It wouldn't be a problem for most people if agencies like the CIA were the only ones with those security holes - but those seem to leak out periodically, and right into the open arms of every scum there is out there. So (legal) software that criminals are frequently using would likely have better options (and said agencies have no one but themselves to blame for that). Corporate options are also there, but those often come with too big of a downside (price is the first one that comes to mind).