2

I was wondering if perhaps it doesn't since enabling it slows down drive performance even on a Kabylake CPU.

g491
  • 143
  • 1
  • 4
  • I think you need to increase RAM size, even if it does use this accelerator. – VovCA May 27 '17 at 23:02
  • Are you saying that you enabled Bitlocker, then your performance benchmarks declined? If so, what're the before-and-after numbers? – Nat May 28 '17 at 01:41
  • Worth noting that, even if the CPU can do the cryption in a single clock cycle, that's still extra clock cycles plus data shuffling that should slow things down a bit. The more relevant issue would seem to be exactly how much of a slowdown it is. – Nat May 28 '17 at 01:43
  • 1
    here was mentioned a performance of intel's accelerator, https://github.com/mdaxini/howto-openssl/wiki/OpenSSL-Cipher-Speed – VovCA May 28 '17 at 02:55
  • @Nat it went from 1300MB/s write speed to about 850MB/s – g491 May 29 '17 at 05:36
  • @VovCA Interesting link you posted. Based on that I also read https://software.intel.com/en-us/articles/aes-gcm-encryption-performance-on-intel-xeon-e5-v3-processors and did the benchmark you linked to and the benchmark speeds up 3-4x for aes-128-gcm over aes-128-cbc. I wonder if maybe bitlocker can be set to use aes-128-gcm to get faster performance (assuming it uses hardware acceleration in the first place). – g491 May 29 '17 at 05:41
  • Cbc and ctr modes are the most used in crypto. I wanted to add that at original tests encrypted packets are rather small, and efficiency should be higher at normal circumstances. – VovCA May 29 '17 at 16:16
  • I wonder if caches decrease performance with disk encryption. Basically you need to get data, then decrypt it to be presentable. – VovCA May 29 '17 at 16:27
  • @g491, Bitlocker supports AES-CBC 128 or 256, AES-CBC 128 or 256 with Elephant Diffuser and XTS-AES 128 or 256 – Julian Knight May 29 '17 at 20:43

1 Answers1

1

Bitlocker started offering encryption offloading from Windows 8.

However, it offloads to the drive. That means that your drive has to support the appropriate standards. Few do. The link below refers to a question about Surface Pro 4's but the answers show more detail including the limitations and requirements for offloading encryption to SSD.

Not Able to Enable Hardware Based Bitlocker Encryption On Surface Pro 4 (Windows 10 Pro)

TCG Protocols and IEEE 1667 appear to be requirements. Samsung EVO 840/850 or Crucial m500 are listed as having SSD's that meet the requirements. Lenovo are listed has having configuration options (SKU's).

Julian Knight
  • 7,092
  • 17
  • 23
  • 3
    I think the link you shared might be referring to self-encrypting drives (SED) in particular where encryption is completely offloaded to the drive. This would be in contrast to the opposite end of the spectrum where the CPU does all of the encryption without any special CPU extensions. I'm wondering about the middle of the spectrum where it's not a self encrypting drive but is not completely mundane CPU instructions but rather uses the AES-NI CPU extension for hardware-accelerated AES encryption. – g491 May 30 '17 at 02:20
  • Bitlocker doesn't support that. The article explains what it does support. – Julian Knight May 30 '17 at 13:31