Hardware Encryption (eDrive) on Maximus X Hero 1003 and Evo 960 anybody?

KeksimusMaximus
Level 8
Has anybody successfully enabled hardware encryption on Maximus X Hero 1003 BIOS using Samsung EVO 960 as OS boot drive (encrypted drive)?

I'm fighting over it for several days already and everything I do fails. There are a few conditions to meet:
- System needs to be Windows 8/10 Pro
- Windows needs to be in UEFI mode
- eDrive compliant SSD
- SATA ports in AHCI mode (no RAID)
- BIOS needs to run UEFI version 2.3.1 with EFI_STORAGE_SECURITY_COMMAND_PROTOCOL enabled (sent mail to customer support, waiting for reply)


This is the guide I followed: http://www.ckode.dk/desktop-machines/how-to-enable-windows-edrive-encryption-for-ssds/ but steps are pretty much the same in various places:

Have OS on other physical disk than EVO 960
Have drive in uninitialised state (diskpart clean)
Install Samsung Magician, in Data Security switch "Encrypted drive" to "ready to enable"
In Secure Erase create bootable tool
Reboot PC, launch Secure Erase
After secure erase, reboot PC and go straight to BIOS, set BIOS to UEFI boot only, enable Secure Boot, load default keys, set to Windows UEFI, disable CSM (compatibility mode)
Reboot PC and start Windows install in UEFI mode
When install done, enable BitLocker for non-TPM systems (gpedit.msc), verify that system is in UEFI mode (msinfo32)
Attempt to enable drive encryption with BitLocker

And this is where the issue happens. Every time I redo every step on the list (including PSID reset, so every time I begin, drive encryption is disabled and I switch it to "ready to enable"), BitLocker like a stubborn idiot offers me only software encryption (the dreaded screen where it asks whether I want to encrypt the whole drive or just used space).

For ****s and giggles I tried to enable hardware encryption when my EVO was used as a storage drive... and it worked. The problems begin when the drive is used as the OS drive.

Anybody got experience with this?
Dargus Maximus
~Explorer ~Engineer ~Guide
My Youtube channel - PC modding, streaming, gaming
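The OS-visible conditions from the post above can be checked in one pass, together with the encryption method BitLocker actually applied to the OS volume. This is an added example, not part of the original post or of any vendor tool; it assumes an elevated Windows PowerShell 5.1 session on the installed system, and it cannot tell whether the firmware exposes EFI_STORAGE_SECURITY_COMMAND_PROTOCOL for the drive.

```powershell
# Added example: verify the eDrive prerequisites that Windows can see, then
# report whether BitLocker used hardware or software encryption on the OS volume.
# Run elevated. Does NOT check the firmware's EFI_STORAGE_SECURITY_COMMAND_PROTOCOL.

$report = [ordered]@{}

# Windows 8/10 Pro (or another BitLocker-capable edition).
$report['OS edition'] = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption

# Windows must have booted in UEFI mode (msinfo32 shows this as "BIOS Mode").
$report['Firmware type'] = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

# Secure Boot state. The cmdlet throws on legacy/CSM boots, so treat that as off.
try   { $report['Secure Boot'] = Confirm-SecureBootUEFI }
catch { $report['Secure Boot'] = $false }

# Disk that holds the OS volume: bus type (NVMe/SATA) and partition style (GPT for UEFI).
$letter = $env:SystemDrive.Substring(0, 1)
$osDisk = Get-Partition -DriveLetter $letter | Get-Disk
$report['System disk']     = $osDisk.FriendlyName
$report['Bus type']        = $osDisk.BusType
$report['Partition style'] = $osDisk.PartitionStyle

# BitLocker state of the OS volume. An EncryptionMethod of "Hardware" means the
# drive's own engine is used; Aes*/XtsAes* values mean software encryption.
$blv = Get-BitLockerVolume -MountPoint $env:SystemDrive
$report['BitLocker status']  = $blv.VolumeStatus
$report['Encryption method'] = $blv.EncryptionMethod

[pscustomobject]$report | Format-List

# Flag the outcome described in the thread: protection is on, but in software.
$method = "$($blv.EncryptionMethod)"
if ("$($blv.VolumeStatus)" -ne 'FullyDecrypted' -and $method -notmatch '^Hardware') {
    Write-Warning "OS volume uses software encryption ($method), not the drive's eDrive engine."
}

# Independent cross-check: the "Encryption Method" line in manage-bde output.
manage-bde -status $env:SystemDrive
```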
28 REPLIES

vslee wrote:
Looks like Lenovo has already solved this issue for their users. It is confirmed working on the following Lenovo systems (see links below):

Lenovo ThinkPad X1 Carbon 5th Gen

Lenovo T480s

Samsung is now waiting for Asus to contact both Samsung and AMI (or the BIOS manufacturer) so that Asus can solve the problem for their own users as well.


Thanks, as noted by Samsung in that thread:

"Gigabyte and other motherboard manufacturers need to communicate with Samsung and their BIOS manufacturer as the issue is not only related to Samsung NVME SSDs, this is something that affects most or all NVME drives when trying to activate encryption. However, to answer your question, Gigabyte should have their internal contacts for Samsung already."

I have already contacted Raja@Asus via direct messaging and have not gotten any response to that or this thread. I'm not sure why.

Outontheporch
Level 7
This thread was opened almost 4 months ago, yet still NO response from Asus. I also PM'd Raja as well quite a while ago with no response. I've always had good luck and decent service from Asus in the past, but pure silence is not acceptable. I'm a bit suspicious that we haven't heard ANYTHING - not even a "we will look into this," or "we haven't heard of this" - just nothing.

ASUS? ASUS?

Outontheporch
Level 7
Bump. Asus - any word on whether hardware encryption (eDrive) via NVME is going to be (or is) supported?

Outontheporch
Level 7
Bump. @asus - what is the deal here? To my knowledge this issue still exists even in the latest firmware.

vslee
Level 7
Looks like ASRock has gotten this to work on the ASRock Z390 Phantom Gaming-ITX/AC motherboard. Now just waiting on Asus to get it working on their motherboards as well. https://us.community.samsung.com/t5/Memory-Storage/HOW-TO-MANAGE-ENCRYPTION-OF-960-PRO/m-p/410048/hi...

vslee wrote:
Looks like ASRock has gotten this to work on the ASRock Z390 Phantom Gaming-ITX/AC motherboard. Now just waiting on Asus to get it working on their motherboards as well. https://us.community.samsung.com/t5/Memory-Storage/HOW-TO-MANAGE-ENCRYPTION-OF-960-PRO/m-p/410048/hi...


Meanwhile Asus, considered a superior company, doesn't seem to care too much about providing 100% compatibility with NVMe M.2 SSDs... sad

For whatever it's worth, ASRock's support for eDrive was also wishy-washy. My X370 Gaming K4 was still incompatible as of Julyish when I yanked my board and replaced it with the Strix X470-F.

Aside from the memory compatibility issues on the K4, I also had the inability to use eDrive with my NVME SSD and hoped to kill two birds with one stone by swapping to an Asus board.

Every Asus BIOS update, I decrypt and attempt to encrypt again to see if it's been fixed. Still nothing.

I would fathom that this is a very niche feature and Asus has determined it's not worth the effort to implement, especially given the fact that all of these variables need to be true:

1. SED NVME drive is installed
2. User has put drive in a ready to encrypt state
3. User has wiped the drive via secure erase to enable encrypted drive
4. User meets all requirements for eDrive from a UEFI level (secure boot and the like)
5. User meets all requirements for Bitlocker (TPM, etc etc)
6. User decides to enable Bitlocker

If someone doesn't meet ALL of those requirements, they'd never notice the feature is missing.

TheCrusher6 wrote:
For whatever it's worth, ASRock's support for eDrive was also wishy-washy. My X370 Gaming K4 was still incompatible as of Julyish when I yanked my board and replaced it with the Strix X470-F.

Aside from the memory compatibility issues on the K4, I also had the inability to use eDrive with my NVME SSD and hoped to kill two birds with one stone by swapping to an Asus board.

Every Asus BIOS update, I decrypt and attempt to encrypt again to see if it's been fixed. Still nothing.

I would fathom that this is a very niche feature and Asus has determined it's not worth the effort to implement, especially given the fact that all of these variables need to be true:

1. SED NVME drive is installed
2. User has put drive in a ready to encrypt state
3. User has wiped the drive via secure erase to enable encrypted drive
4. User meets all requirements for eDrive from a UEFI level (secure boot and the like)
5. User meets all requirements for Bitlocker (TPM, etc etc)
6. User decides to enable Bitlocker

If someone doesn't meet ALL of those requirements, they'd never notice the feature is missing.

Their BIOS updates are a joke, bubbling about the same evasive change logs like improved stability bla bla or not putting any changelog at all.
My Z390 MB was released 1 month ago, they released 3 BIOS updates, none of them fixed the eDrive or the Q-Installer feature problem as described here https://www.reddit.com/r/ASUS/comments/9vjad7/asus_qinstaller_stuck/
Real problems like eDrive can potentially take weeks to fix and that would be a real BIOS update. The updates that are released look like they are made by some average joe technician that plays for a few hours with the BIOS software and makes useless and insignificant changes only just so they could say some updates were released. The eDrive problem is over 1 year old, but why fix it when they can fool around with useless BIOS updates.
Btw, you don't need TPM for BitLocker, you can use a password instead, which is safer than a TPM, just less convenient.

saddameu wrote:

Btw, you don't need TPM for BitLocker, you can use a password instead, which is safer than a TPM, just less convenient.


Won't get into the semantics of what is "safer", but I use both TPM and password.