• Tested: Windows 11 Pro’s On-By-Default Encryption Slows SSDs Up to 45%


    #2595568

    https://www.tomshardware.com/news/windows-software-bitlocker-slows-performance

    BitLocker software encryption slows performance. Here’s how to fix it

    There are few things more frustrating than paying for high-speed PC components and then leaving performance on the table because software slows your system down. Unfortunately, a default setting in Windows 11 Pro, having its software BitLocker encryption enabled, robs as much as 45 percent of the speed from your SSD as it forces your processor to encrypt and decrypt everything. According to our tests, random writes and reads — which affect the overall performance of your PC — get hurt the most, but even large sequential transfers are affected.

    While many SSDs come with hardware-based encryption, which does all the processing directly on the drive, Windows 11 Pro force-enables the software version of BitLocker during installation, without providing a clear way to opt out…

    Software BitLocker Can Seriously Hurt SSD Performance

    If you’re not a heavy storage user, perhaps a lot of the above seems like it’s not a big deal. The problem is Microsoft has forced degraded performance on all Windows 11 Pro users, and the added latency will have an impact on system responsiveness. If you’re using Windows 11 Pro on a company-issued laptop, there’s a good chance it’s underperforming thanks to that decision…

    • #2595609

      If you’re using Windows 11 Pro on a company-issued laptop, there’s a good chance it’s underperforming thanks to that decision

      Tell the company to get you a faster one!

      For home use, I always want an encrypted disk on my laptop. It’s my data and I don’t want anyone else getting to it, especially if the laptop “goes missing”.

      cheers, Paul

    • #2595615

      The problem here was Microsoft initially defaulted to hardware encryption in Windows 8, but it was then discovered that some Opal implementations had major security flaws that rendered the encryption useless. So Microsoft decided not to trust it anymore and use software by default.

      • #2596099

        The security flaws in question were indicated in one now-famous study of a small number of by-now older SATA SSD models using the Class 0 (ATA password based) implementation of self encryption, for which at least one manufacturer (Crucial) released an upgraded firmware to remedy. I am not sure if Samsung ever did the same, as the models indicated to have the issue did not include any of my drives, and I didn’t check back with them. Not all Samsung models tested had the flaw, so it is possible that later models were already not subject to that issue. While the drives may have been OPAL capable, they were not using the OPAL mode when they were tested for that paper.

        Whether or not the flaws were fixed is a separate question from whether a given drive was ever vulnerable in the first place, but the idea is that if there is a flaw with security, you fix it… you don’t automatically need to dump the entire concept. If there was a flaw discovered in Bitlocker’s software encryption, would that mean the whole of Bitlocker has to be dumped, rather than simply having MS fix the issue?

        Hardware encryption is transparent to the underlying OS, has no performance loss, and costs no extra power on laptops, since it is always enabled internally on the drive even if the user has never enabled the locking feature. It also means that the encryption key, once sent to the drive, can be deleted from RAM on the host PC (depending on whether it needs to be stored for resuming from S3 sleep). It can be stored in the TPM to keep it more safely than in RAM for S3, but if the unit uses S0ix/S2idle/“Modern standby,” that’s not necessary.

        In a software encryption setup, the encryption key must be in RAM at all times while the drive is being used. That presents an attack surface, of course. RAM in a PC is meant to be read and queried by the host PC, though there are defenses against this like ASLR and address space partitioning that are always being probed by the bad guys. There is no intended means by which the key in the RAM of the SSD can be read or queried by the host PC, and if it were even mapped in to the address space by some exploit, it would also be restricted like the software key, so it’s more protected.

        There are other sorts of attacks that can be used to try to keep a SED (self encrypting drive) in the unlocked state (connected to power) while an attacker with physical access tries to transfer it to another unit, if that attacker was able to get ahold of the unit while it was sleeping, but that’s far more easily said than done. If you’re facing an attacker with enough sophistication to pull that off, you’d be better off hibernating the system rather than using a standby mode (with hardware or software encryption).

        Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
        XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
        Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

    • #2595619

      BitLocker software encryption slows performance. Here’s how to fix it

      I disable Bitlocker in Services.msc. I started doing that years ago, and after every upgrade (I’m now on Windows 11 Pro) I check Services to be sure that Bitlocker is still disabled; it always is.

      Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
      We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
      We were all once "Average Users".

    • #2595675

      https://www.tomshardware.com/news/windows-software-bitlocker-slows-performance

      This article contains several false or misleading statements:

      Starting with the headline;

      Tested: Windows 11 Pro’s On-By-Default Encryption Slows SSDs Up to 45%

      It’s not on by default. (Up to 45%, but typically 3%-11%).

      The problem is Microsoft has forced degraded performance on all Windows 11 Pro users,

      Fake news.

      If you bought a prebuilt PC with Windows 11 Pro, there’s a good chance software BitLocker is enabled on it right now.

      A-ha! Now there’s only “a good chance” that it’s enabled?

      Windows 11 Home doesn’t support BitLocker so you won’t have encryption enabled there.

      Device Encryption has been a default on many Windows Home devices for the last eight years.

    • #2595694

      For home use, I always want an encrypted disk on my laptop

      The problem isn’t with encryption itself but with the method it is created by: Software vs Hardware. Software like in Windows 11 Pro degrades PC’s performance. Hardware on the SSD doesn’t.

      I suppose it is true for ANY encryption software that doesn’t use the SSD’s hardware for encryption.

    • #2595724

      Device Encryption has been a default on many Windows Home devices for the last eight years

      Device Encryption is not Bitlocker. The post is about Bitlocker.

      Device encryption is a feature that exists in Windows 10 & 11. It is available on PCs that are connected to the internet and signed into a Microsoft Account. Your device needs to have a TPM and Secure Boot enabled.

      Device encryption is available in Windows 10 & 11 Home, while Bitlocker isn’t available in the Home edition.

      https://answers.microsoft.com/en-us/windows/forum/all/what-is-device-encryption-and-should-i-use-it/9edaea86-63f2-4ba8-ad57-b4e8ad91b9b8

      BitLocker encryption is available on supported devices running Windows 10 or 11 Pro, Enterprise, or Education.

      On supported devices running Windows 10 or newer BitLocker will automatically be turned on the first time you sign into a personal Microsoft account (such as @outlook.com or @hotmail.com) or your work or school account.

      BitLocker is not automatically turned on with local accounts, however you can manually turn it on in the Manage BitLocker tool.

      https://support.microsoft.com/en-us/windows/device-encryption-in-windows-ad5dcf4b-dbe0-2331-228f-7925c2a3012d

      • #2595740

        Device Encryption is not Bitlocker. The post is about Bitlocker.

        Does that make this statement true?

        Windows 11 Home doesn’t support BitLocker so you won’t have encryption enabled there.

        • #2595760

          Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
          We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
          We were all once "Average Users".

          • #2595880

            Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 11 and Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those devices that are Modern Standby, and devices that run Home edition of Windows 10 or Windows 11.

            • #2595884

              BitLocker Device Encryption … BitLocker Device Encryption

              I’ve never experienced nor seen “On by default” in any of my systems, all of which are Pro. I disabled Bitlocker in Services very early on, and it has stayed “Disabled” after every upgrade.

              Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
              We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
              We were all once "Average Users".

      • #2596580

        Device Encryption has been a default on many Windows Home devices for the last eight years

        Device Encryption is not Bitlocker. The post is about Bitlocker.

        Device encryption is a feature that exists in Windows 10 & 11. It is available on PCs that are connected to the internet and signed into a Microsoft Account. Your device needs to have a TPM and Secure Boot enabled.

        Device encryption is available in Windows 10 & 11 Home, while Bitlocker isn’t available in the Home edition.

        https://answers.microsoft.com/en-us/windows/forum/all/what-is-device-encryption-and-should-i-use-it/9edaea86-63f2-4ba8-ad57-b4e8ad91b9b8

        BitLocker encryption is available on supported devices running Windows 10 or 11 Pro, Enterprise, or Education.

        On supported devices running Windows 10 or newer BitLocker will automatically be turned on the first time you sign into a personal Microsoft account (such as @outlook.com or @hotmail.com) or your work or school account.

        BitLocker is not automatically turned on with local accounts, however you can manually turn it on in the Manage BitLocker tool.

        https://support.microsoft.com/en-us/windows/device-encryption-in-windows-ad5dcf4b-dbe0-2331-228f-7925c2a3012d

        It’s effectively a trimmed down BitLocker, you can still use manage-bde to control it.

    • #2595828

      Does that make this statement true?

      True in regard to Bitlocker. The article isn’t about some other methods of encryption.

    • #2596065

      Uh. On by default? I just updated from 10pro to 11pro 22h2 a few weeks ago. Just checked bitlocker settings and they are set to off.

      • #2596081

        New installations only (possibly only OEM / OOB). Upgrades respect your existing settings (amazingly).

        cheers, Paul

        • #2596084

          Yeah, it is amazing… Or maybe it asked me at some point and I just forgot…

    • #2596494

      Windows 10, Bitlocker was enabled by Intune policy, Encryption method is XTS-AES 256. I know the article is about Windows 11 but it’s on Windows 10 and does that mean the only way to have hardware encryption is to reinstall the OS?

      • #2596499

        You can disable bitlocker – by the way when you say “enabled by Intune policy” that policy comes from something setting it. Intune means that some organization has management control over your pc.

        Susan Bradley Patch Lady/Prudent patcher
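    Several posts above turn on what a given machine is actually doing: whether BitLocker (or Device Encryption, which #2596580 notes can still be driven with manage-bde) is on at all, which cipher it uses, and whether the AES work is being done by the CPU (the software path the article measures) or by the drive itself. The following PowerShell is an added, read-only audit script and is not from the thread, the article, or Microsoft; it assumes the built-in BitLocker module (Pro/Enterprise/Education, and the Device Encryption variant on Home) and an elevated prompt. Nothing here changes encryption state, which matters because a software-encrypted volume cannot be switched to hardware encryption in place; knowing the current state is the safe first step before any change, and on a managed (Intune/Group Policy) device the state will be re-applied by policy anyway.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): audit BitLocker state on every volume the
# module can see and report whether protection is active, which cipher is in use,
# and whether the volume is using hardware (SED/eDrive) or software encryption.
# Read-only: it changes nothing.

$report = Get-BitLockerVolume | ForEach-Object {
    $v = $_
    [pscustomobject]@{
        Drive            = $v.MountPoint
        VolumeType       = $v.VolumeType        # OperatingSystem or Data
        VolumeStatus     = $v.VolumeStatus      # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
        ProtectionStatus = $v.ProtectionStatus  # On = key protectors enforced; Off = decrypted or suspended
        EncryptionMethod = $v.EncryptionMethod  # XtsAes128/XtsAes256/Aes* = CPU does the AES; Hardware = the drive does
        KeyProtectors    = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    }
}

$report | Format-Table -AutoSize

# Flag the case the Tom's Hardware article is about: a volume that is encrypted,
# but not by the drive's own engine, so every read and write passes through the CPU.
$software = $report | Where-Object {
    $_.VolumeStatus -ne 'FullyDecrypted' -and $_.EncryptionMethod -ne 'Hardware'
}
if ($software) {
    Write-Host 'Volumes using software BitLocker (CPU performs the AES work):'
    $software | ForEach-Object { Write-Host ('  {0}  {1}' -f $_.Drive, $_.EncryptionMethod) }
} else {
    Write-Host 'No volumes are using software BitLocker.'
}

# TPM availability matters for how the key is protected (see #2596099): a present,
# ready TPM means the volume key can be sealed rather than typed or stored elsewhere.
Get-Tpm | Select-Object TpmPresent, TpmReady | Format-List

# The legacy command-line tool reports the same status in text form and works on
# Device Encryption volumes too; useful when comparing against what a policy pushed.
manage-bde -status
```

    When reading the output, `ProtectionStatus = Off` on a `FullyEncrypted` volume means the key protectors are suspended (as happens around firmware updates), not that the data is unencrypted; and `EncryptionMethod` only ever reads `Hardware` on a drive that was set up for hardware encryption from a clean state under the corresponding policy, which is why an already-encrypted XTS-AES volume such as the one in #2596494 will not show it.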

    • #2596550

      Interesting. Thanks. I’ll want to have a look at this. I’ve a new Lenovo ThinkPad which has two issues about which Lenovo is nearly clueless. Lenovo’s techs are absolutely untrained on Windows software. So they’ve been all but useless on Windows’ needs: (1.) About half the time the new machine won’t automatically wake up to run scheduled software, including BackupOutlook and R-Drive Image, and,

      (2.) R-Drive Image often throws errors saying its write-to drive has gone missing. And, surprise, it’s a Samsung T7 Shield NVMe SSD (USB 3.2 Gen 1 methinks) that’s less than a year old. My second write-to drive is a WD (old-school) SSD, and that has zero issues with the new Lenovo box. But R-Drive and the Samsung NVMe SSD worked OK on my dearly-departed Windows 10 Pro box. I tested to see if it was Samsung’s cables, and nope, that’s not the issue.

      When I checked BitLocker’s settings just now, it’s enabled for only the system drive, and not the two SSDs to which I write my twice-daily images. But this still makes me curious if I could just disable BitLocker and see what happens, or doesn’t, with R-Drive Image.

      Human, who sports only naturally-occurring DNA ~ oneironaut ~ broadcaster

    • #2596551

      1. (in power settings) sleep = never, and should work fine.
      2. No idea, I don’t use R-Drive. I back up manually, periodically with TeraByte, generally whole SSD. SSD and external are both M.2 NVMe. Quite fast.
      3. On mine, bitlocker is off for all partitions it can see. I do not use bitlocker. Personal preference. Unless your laptop is at risk, you might not need it.
      hth
      I’m on my 3rd Thinkpad.

    • #2625827

      After encryption it is understandable that read and write processes would slow down. I have followed Tom’s for 15 yrs or more but was a test done prior to encrypting, before running the benchmark that reports a 45% degrade in performance? I’m guessing there was, but 45% bitlocker degrading point is not accurate. There are way too many variables. Only performance can be measured for same type of critical parts; processors, RAM, SSD chip sets, and MB. I will soon be testing my ASUS with Windows 11 Pro S and if bitlocker is already active I will remove it and run a performance test and then encrypt. I’m really happy with the performance I see now; 21 GB RAM, i7 processor and 1TB SSD.
