NVME hardware encryption on XPS 9570

Has anyone been able to activate hardware encryption on M.2 NVME drives on XPS 9570/Precision 5530?
I'm trying on my own Precision 5530 using a samsung 970 evo, but bitlocker will only offer me software encryption.
I have enabled edrive in samsung magician and performed a secure erase followed by a reinstall of windows 10 pro, and samsung magician now shows edrive as "Enabled" but bitlocker only offers software encryption. I have tried with bios sata operation set to "ahci" and "raid on" and performed a new windows install each time, but still only get software encryption.

Have anyone been able to get it working?

 

@GoNz0 is your man for this

Sent from my SM-N950F using Tapatalk

 

Provided you used Samsung's nvme driver version 3 it looks like the precision doesn't support it either, I expected those laptops to support it tbh. Are you on the latest bios?

Sent from my SM-G920F using Tapatalk

 

I'm using the latest bios 1.3.0 and the samsung 3.0 nvme driver when sata mode in bios was set to ahci mode. I did get a new entry in the bios when i replaced the toshiba nvme drive in the machine at delivery with the 970 evo. The new option is under "Security - HDD Security" adding the settings "SED Block SID Authentication" and "PPI Bypass for SED Block SID Command" both unchecked by default.

 

So it does have support in some form then, I would get onto Dell and see if you can find someone with more than one brain cell to help you.

 

I'm no expert, but based on the last 15 minutes of research (which also led me to this post) here's what it looks like:

Disk-Hardware Encryption needs to be enabled in the BIOS (only?) and then on it's transparent. No need to use bitlocker on top of that(?).

To quote (for an older samsung drive):

source

Another post about the 970 EVO says it supports it, but it depends on the computer manufacturer releasing a BIOS update that supports it, which Dell seems to have done - based on your findings:

source


So i guess the question / doubt i have is : If you enable it in the BIOS, does it prompt you for the password as soon as you press the power button? Or does it just remember it in the BIOS, only really protecting the disk if the disk is REMOVED and used elsewhere?

OR is the option shown in the bios, but not really supported for NVMe yet?

 

The way i understand it is that there are 3 types of hardware encryption supported on both sata and nvme ssd's, and that is class0, opal and edrive(encrypted drive). Class 0 have been around for some time, edrive is only on newer drives(850/860, 960 with new firmware and 970). All these ssd's will use hardware encryption all the time, however when people say "activate hardware encryption" what they really mean is to configure unlocking of the drive. Out of the box the ssd is encrypted, but the ssd itself stores the key to unlock it, so it's basically open for everyone. So the steps to activate hardware encryption is to activate class0, opal or edrive in software like samsung magician if it's a retail samsung drive, then perform a secure erase, and then configure class0, opal or edrive.

Class0 is hdd/ssd/boot password prompted by the bios. This is as far as i know not supported for nvme drives on xps/precision laptops. I have not made any attempts to use it.

Opal is normally used using sedutil-cli. A small bootsector is kept unencrypted on the drive, you first boot opal and get a password prompt, then you enter the password and the drive is unlocked, the machine will then reboot and be unencrypted so it can boot the OS. I have tried this and have made it work, the problem was that it first needs to boot the unlocking boot entry, then reboot into the os. This did not work automatically for me, so i had to use F12 on every boot to make it work.

edrive(encrypted drive) is hardware encryption managed by bitlocker. Bitlocker support both software and hardware encryption. For it to work on a boot drive it will need some support in the bios to unlock in order to start booting windows 10. This does not work on precision5530/xps9570. It might work for a non-boot drive, but i have not tried that as i have the 97w battery and can only have one internal drive.

I think those who say "activate opal in bios" is actually meaning "activate class0 in bios". I think the xps/precision machines support class0/opal/edrive for sata disks like the 850 mentioned, but nvme is more problematic as it's a different protocol even thou the encryption types are the same for sata/nvme. So what you mentioned was most likely someone using class0 on a sata drive.

The options i got in the bios came after replacing the original thosiba disk with the 970 evo. The way i understand those two settings is that they can control if a encryption method(class0,opal,edrive) should be allowed to take control of the encryption or not. So it's a protection that can be set after activating encryption to prevent another encryption method of activating encryption on the disk. It can also be used to prevent someone from activating hardware encryption.

One thing to be aware of with the 970evo is that once you activate class0/opal/edrive in samsung magician it can not be changed. I activated edrive in samsung magician and i'm not able to change it to something else. I was however able to get opal working using sedutil-cli after setting edrive in samsung magician, but it still shows edrive as the hardware encryption type set in magican.

I ended up using bitlocker software encryption and hope that support for edrive will come in a bios update. I do doubt that dell will release a bios update with edrive or class0 support for nvme drives.

 

These are the new bios options that appeared after replacing the original thosiba disk with the 970 evo. I think these options are hidden if the drive is not a Self Encrypted Drive(SED). I had both options unchecked when I tried opal and edrive.

 

About the automatic unlocking you mentioned. This has to do with a TPM. I'm no expert, but the way I understand it is that a TPM will store the key used to decrypt the drive and will release the key file if certain conditions are met. I think it normally checks to see if the motherboard, TPM and drive is still the same, if so then it releases the key. This makes it automatic while still having a decent amount of security. So if any of those items change, either by repair or moving the drive to another machine, will prevent the drive from being decrypted unless another method is used to decrypt it, like a password/recovery key.

I don't think class0 support TPM to decrypt a drive(the bios password you mentioned). Some opal software might support TPM, but i did not see any info about it when using sedutil-cli which is the most used free tool for opal hardware encryption. Bitlocker in windows will support TPM for both software and hardware encryption. xps9570/precision5530 have a TPM2.0 chip. Desktop computers usually don't come with TPM chip.