The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

Dell Precision M3800 Owner's Review

Discussion in 'Dell Latitude, Vostro, and Precision' started by Bokeh, Oct 22, 2013.

Thread Status:
Not open for further replies.
  1. blakej

    I successfully installed 2 Samsung SSD drives in my M3800. Carbon fiber base slightly not flush w/alum frame near ports but what can you do? Not bothering me too much.

    - Drives installed:
    C: 500gb mSata 840 EVO (465 GB actual)
    D: 512gb 2.5" 840 PRO (477 GB)

    - Completed clean install of Win 8.1


    Before I proceed with installing drivers and data transfer, have two questions:

    1) What is best way to Enable FDE (full disk encryption) on the Samsungs? Both are supposed to have hardware encryption but enabling this is confusing at best. Wondering if anyone has experience.

    Checking in Samsung Magician 4.3 shows "Class 0", "TCG Opal" and "Encrypted Drive" options on 840 EVO (C drive w/OS). Says "Encrypted Drive feature provided by Bitlocker Drive Encryption in Win 8" Also indicates that I will need to "Secure Erase" followed by fresh install of operating system.

    Strangely only Class 0 option showing on 840 Pro though packaging confirms "AES 256 bit Encryption". Is encryption limited to 1 drive? What is Class 0 anyways?

    2) Need to encrypt both as secure as possible while ensuring that chosen encryption can operate outside of this Win8 M3800 in case I need to remove and drop into a backup Win7 laptop (in case of a disaster w/m3800).

    Any suggestions?

    Thanks!
     
  2. dave-p

    I have a Crucial M500 960GB SSD and a 480GB msata drive, no issues whatsoever installing Windows (7) on these.

    No coil whine, no issues whatsoever.
     
  3. jphughan

    Ah, the eDrive/BitLocker hardware encryption can of worms. If you haven't researched this, I'll break it down for you here.

    Basically there are three types of hardware-level encryption supported by the 840 Evo: Class 0, TCG/OPAL, and eDrive/BitLocker Hardware Encryption. The 840 Pro only supports Class 0. Both SSDs use AES-256 with all encryption methods because the SSD is in fact always encrypting everything, even before any encryption is formally enabled by the user. It's just that until that time, the decryption key is in plaintext on the drive. The only real difference between those 3 methods is how that decryption key is secured and the user/enterprise management capabilities of the applications that use those respective standards. But the always-on encryption is why Secure Erase is usable even before formally enabling encryption and also why enabling encryption is instantaneous.

    Ordinarily BitLocker Hardware Encryption would be the way to go, but there are currently some glaring issues with it:

    #1: As you can see, you have to Secure Erase the drive first to enable it. You could take an image of your system prior to wiping to minimize the pain, but otherwise it's as irritating as it sounds. Windows 8.x tries to work around that by auto-detecting eDrive-capable SSDs during installation and auto-enabling that functionality before even installing itself, in which case you wouldn't need to Secure Erase after installing the OS, but that doesn't always work, and even when it does, auto-enabling that creates problems of its own, discussed below.

    #2: Once you enable eDrive, you can't use Samsung's Secure Erase function anymore -- and Microsoft doesn't provide a secure erase function either, even though their eDrive white paper talks about how easy it is to securely erase eDrive disks. It's completely absurd, but at the moment there is no (widely available) mechanism to securely erase an eDrive-enabled drive -- more on that later. The Magician app says to check with Microsoft, and Microsoft is saying vendors should provide their own tools for this purpose.

    #3: Once eDrive support is enabled, it can be difficult to disable it again. That statement does NOT mean that it is difficult to disable ENCRYPTION, just that you can't turn off eDrive support again. And as long as eDrive support is on, you can't switch to Class 0 or TCG/OPAL instead (e.g. to continue using hardware encryption in a non-Windows 8 environment or a dual boot environment), nor can you easily perform a secure erase. The only way to reset the drive back to its factory state to open up the ability to use the other mechanisms is to perform what's called a "PSID Revert", which performs a secure erase in the process. A PSID Revert is primarily intended to restore access to an encrypted drive whose password has been lost/forgotten (at the cost of the drive being wiped), and the way it works is that you enter a long string of characters printed on the SSD itself into this little utility. The problem is that neither Samsung nor any other vendors who make hardware encryption SSDs make that utility generally available. I only have Samsung and Crucial's PSID Revert apps because I found a Lenovo thread where someone had posted them to Dropbox. There's no good reason for keeping those tools under wraps (and EVERY reason to make them available to help users), but right now they remain elusive. And to add insult to injury, Samsung doesn't have a BOOTABLE version of the PSID Revert tool, nor will their current tool run in a Windows PE environment, so right now if you need to PSID Revert your SSD, you have to first attach it to another system via USB or something. Again, totally absurd.

    So what does that leave? TCG/OPAL is available, but that requires proprietary third-party software, and none of those options are freeware. The other hardware option is Class 0, which uses the old-school ATA hard drive password to secure the decryption key. Note that the SSD does NOT use a tiny little ATA password as the decryption key itself; it's just used to guard the key, so you still get AES-256 encryption. I believe the SSD also slows down responses to successive incorrect passwords to fight brute force attempts, but obviously you still want a reasonably good password. Class 0 also has the benefit of being easily disabled later if you ever want to do so (just remove the password), and it also allows you to use the Samsung utility to secure erase the drive using Magician rather than the enigmatic PSID Revert tool.

    And the last option is just to use BitLocker software encryption instead. It's a tiny bit slower, but I don't think it would be noticeable. It also has the benefit of being able to use TPM-only encryption, which means your system is encrypted but you don't have to enter a password at every boot, which is handy if you need to be able to restart your system remotely and count on it coming back up without somebody being there to enter a password. BitLocker can also be configured to require a PIN in addition to the TPM, btw. If you're wondering how TPM-only is at all secure, it's because the TPM only divulges the key if it detects no changes to the system's "state", i.e. motherboard, certain devices, etc. If it detects a problem, you're prompted for a 48-digit Recovery Key to boot the system (so store it somewhere you can access from a smartphone or something). Even a BIOS update is enough to trigger Recovery Mode. So if a thief tried to boot your SSD from another system (or tampered with yours), they'd need the Recovery Key. And if they just booted your laptop, they'd get stopped by your Windows password -- so make sure it's a good one if you use this option.

    In terms of the SSD remaining accessible outside the system, if you use BitLocker, you'll need the 48-digit Recovery Key to access it offline. If you use Class 0, you will ONLY be able to access the SSD if you have it attached via SATA/mSATA (not USB) in a system that supports prompting for an ATA password -- which basically any motherboard does these days. Or you could of course just remove the ATA password before removing the SSD itself to connect it elsewhere via USB, in which case it would be available unencrypted just like any other drive.

    At the end of the day, Class 0 is by far the easiest option as long as you're ok entering a password at every boot and disabling encryption if you need USB connectivity. If you're not, use BitLocker software encryption.

    For the non-system drive, you can't use regular BitLocker software encryption or eDrive BitLocker because those are only for Windows system partitions. You can either use BitLocker To Go (which uses a regular style password like TrueCrypt but also has a Recovery Key in case you forget it), or you can enable Class 0 encryption on that drive as well. If you go Class 0, you'll have to enter TWO passwords every time you boot.

    And fyi, drives encrypted by either BitLocker or BitLocker To Go are readable and writable by any version of Windows Vista, 7, or 8 (though only certain versions of Vista, 7, and 8 can ESTABLISH BitLocker encryption). On Windows XP, you can download a Microsoft tool that will give you read-only access to BitLocker drives.

    Let me know if you have any questions.
     
  4. jphughan

    Hmm, well it's up for the XPS 15, and prior BIOS releases have become available for both systems at once. I just assumed the M3800 version had been released already. I guess not. Sorry for the false alarm!
     
  5. blakej

    Holy *&^%!

    So 2 passwords at boot plus Win pw would kinda suck considering the m3800 has no fingerprint reader... If not difficult pw's then defeats purpose.

    If m3800 dies and I have to remove drives without being able to disable for USB use...? Would be secondary drive in any backup system or through USB adapter.

    I have to read this a few more times and let it sink in. Thanks so much for taking all this time jphughan so far. I will have more questions.
     
  6. blakej

    excuse the double post
     
  7. latitudefan

    I decided to opt for a screen replacement and just got mine in today. Did the swap myself and this one is much better. It's not perfect - has one dead pixel, but much better than my original one which had smudges, multiple dead pixels, and a piece of dust. So given that it's pretty hard to get an absolutely perfect screen, I'd say this one is a keeper.

    By the way, does anyone know if I should rerun the touchscreen firmware update again with this new one? I did it with the old screen, but not sure if I need to redo it again.
     
  8. jphughan

    If the M3800 dies and you were using Class 0 encryption, then before you could recover data via USB, you'd first need to connect those devices via mSATA/SATA to any system that supports ATA passwords to remove those passwords. That doesn't have to be done on the M3800 itself, but yes it's an extra step and (temporary) connectivity requirement.

    As for convenience, honestly I think the best way for you to go is to use BitLocker software encryption on the system drive, use BitLocker To Go on the data drive, and then enable auto-mounting of the data drive. That way there's no boot password (unless you want to add an optional PIN to your BitLocker system drive), and your data drive will auto-mount when your Windows environment boots (but obviously not anywhere else). Any drive protected by BitLocker To Go can be configured to auto-mount as long as the system where you're configuring that has its system drive protected by BitLocker (to avoid the saved keys for the BitLocker To Go volume being compromised by accessing the system drive offline). The only downsides to the setup I'm describing are that you'll lose a tiny bit of performance over only having hardware encryption, and you'll have to keep your system's BitLocker Recovery Key somewhere that's accessible even when your system isn't bootable.

    Good luck!

    You should run the updater again. If the existing firmware is already current, the updater will tell you that.
     
  9. blakej

    So went to turn on Bitlocker

    Enabled in SS Magician. Says "Ready to Enable"

    Went in to Bitlocker setup in Win and says This device can't use Trusted Platform Module. Your administrator must set the "Allow Bitlocker without a compatible TPM" option in the "Require additional authentication at start up" policy for OS volumes

    Am I missing something?
     
  10. jphughan

    The "Ready to Enable" in Magician refers to enabling support for hardware-accelerated encryption. If you don't enable that, BitLocker will use software encryption, which you want. But Magician will continue to always show "Ready to Enable" there as a result.

    As for the error, sounds like M3800s ship with their TPMs disabled by default. Go into the BIOS, enable it, and then (if it's shown as a separate step) activate it. Save changes and reboot, and then BitLocker should set up just fine. :)
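
Added example, not part of the original thread: the setup jphughan recommends above (TPM-protected BitLocker software encryption on the system drive, a password-protected data drive that auto-unlocks), preceded by the TPM readiness check that the last post's BIOS fix addresses. It uses the BitLocker and TrustedPlatformModule PowerShell cmdlets included with Windows 8.1; the drive letters C: and D: are assumptions taken from blakej's layout, and it must be run from an elevated prompt.

```powershell
# Added example (not from the thread). Assumed layout: C: = OS volume, D: = data SSD.
$OsVolume   = 'C:'
$DataVolume = 'D:'

# 1. The TPM must be enabled and activated in the BIOS before a TPM protector can be used.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM is not present or not ready. Enable and activate it in the BIOS, then rerun.'
}

# 2. OS volume: add the 48-digit recovery password first, then turn on BitLocker
#    with a TPM-only protector (no boot password).
Add-BitLockerKeyProtector -MountPoint $OsVolume -RecoveryPasswordProtector | Out-Null
Enable-BitLocker -MountPoint $OsVolume -EncryptionMethod Aes256 -TpmProtector | Out-Null

# 3. Show the recovery password so it can be stored somewhere other than this laptop.
(Get-BitLockerVolume -MountPoint $OsVolume).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object KeyProtectorId, RecoveryPassword

# 4. Data volume: password protector plus its own recovery password.
#    Run steps 4 and 5 after any reboot that step 2 asks for, because auto-unlock
#    keys are stored on the OS volume and require it to be BitLocker-protected.
$pw = Read-Host -AsSecureString -Prompt "Password for $DataVolume"
Enable-BitLocker -MountPoint $DataVolume -EncryptionMethod Aes256 `
    -PasswordProtector -Password $pw | Out-Null
Add-BitLockerKeyProtector -MountPoint $DataVolume -RecoveryPasswordProtector | Out-Null

# 5. Unlock the data volume automatically whenever this Windows installation boots.
Enable-BitLockerAutoUnlock -MountPoint $DataVolume

# 6. Review the result. EncryptionMethod should report an AES method on both volumes
#    if BitLocker is doing software encryption rather than using the drive's eDrive support.
Get-BitLockerVolume -MountPoint $OsVolume, $DataVolume |
    Format-Table MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, AutoUnlockEnabled
```

If the drive is later moved to another Windows machine, the data volume opens with the password from step 4 or its recovery password; the auto-unlock key stays behind on the original OS volume.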
     