If you use BitLocker on Windows, you may have noticed that the initial encryption of a drive takes longer once you upgraded from Windows 7 to Windows 10. You may have assumed this is a bug in the OS, but it isn't. BitLocker's initial conversion takes longer on Windows 10 than on Windows 7 because of improvements Microsoft introduced with the update, chiefly the new conversion mechanism BitLocker uses in Windows 10, known as Encrypt-On-Write. In a blog post, Microsoft explained:
- BitLocker in Windows 10 has been made to run less aggressively for its background conversion. This makes sure that you are not experiencing slow performance of the machine while the encryption is in progress.
- This is compensated by the fact that this new conversion model BitLocker now uses (on all client SKUs and any internal drives) ensures that any new writes are always encrypted regardless of where on the disk they land (which was not the case for the original BitLocker watermark-based conversion model).
- The new conversion mechanism, called Encrypt-On-Write, immediately guarantees the protection (encryption) of all writes to disk AS SOON AS BitLocker is enabled on the OS or fixed (internal) volumes. Removable drives work in the older mode for backwards compatibility.
- The pre-Windows 10 conversion mechanism could only make such a claim AFTER the conversion reached 100%.
- If one thinks about it, #2 and 3 are very significant because:
  - Regardless of the version of Windows used, without BitLocker enabled and the drive fully encrypted, you could not guarantee that data wasn't already compromised or stolen.
  - Therefore, those serious about any such compliance claims would have to wait for the older BitLocker conversion process to reach 100% before placing any sensitive data on the drive. This means possibly waiting a long time if the drive is large.
  - With the new method, they could safely copy sensitive data as soon as BitLocker is enabled and the volume is in the encrypting state.
  - Due to achieving compliance status for all writes immediately upon enabling BitLocker, the pressure of reaching 100% conversion status is less and converting all pre-existing data happens at a slower rate (further lessening the impact on the interactive user).
Microsoft also introduced a range of other improvements to BitLocker with Windows 10, which also contribute to the increased time for encryption to finish:
- A new encryption algorithm, XTS-AES. It provides additional protection against a class of attacks on disk encryption that rely on manipulating the ciphertext to cause predictable changes in the plaintext.
- XTS-AES is also FIPS-compliant; FIPS is a set of United States Government standards that provide a benchmark for implementing cryptographic software.
- BitLocker can be administered on devices through various means, such as the BitLocker Wizard, Manage-BDE, Group Policy, MDM policy, Windows PowerShell, or WMI.
- Integration with Azure Active Directory for easier online BitLocker key recovery.
- DMA port protection using MDM policies to block the DMA ports and secure the device during its startup.
- BitLocker Network Unlock.
- Support for Encrypted Hard Drives for faster encryption time.
- Support for classes of HDD/SSD hybrid disks (a small SSD used as a non-volatile cache in front of a slower spinning HDD, known as Intel RST technology).
As Microsoft noted in the blog post, these improvements affect both Windows 10 and Windows Server 2016. You can find the detailed blog post here.
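As an added check (this is my own script, not code from Microsoft's post or from this article), the PowerShell below applies the rules quoted above to each BitLocker volume on a machine: on Windows 10 or later, OS and fixed volumes protect new writes as soon as encryption starts, while removable drives and older systems stay in the watermark model until conversion reaches 100%. It assumes an elevated session with the built-in BitLocker module; the `Get-BitLockerWriteProtection` function name and the verdict strings are my own.

```powershell
# Requires -RunAsAdministrator
# Added example: report, per volume, whether data written right now is already
# encrypted. Assumes the built-in BitLocker module (Get-BitLockerVolume) and
# Storage module (Get-Volume) are available.
$osVersion = [version](Get-CimInstance Win32_OperatingSystem).Version
$hasEncryptOnWrite = $osVersion.Major -ge 10   # Encrypt-On-Write arrived with Windows 10

function Get-BitLockerWriteProtection {
    foreach ($vol in Get-BitLockerVolume) {
        # Removable drives keep the older watermark-based conversion model.
        $letter = $vol.MountPoint.TrimEnd(':')
        $removable = $false
        if ($letter.Length -eq 1) {
            $driveType = (Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue).DriveType
            $removable = ($driveType -eq 'Removable')
        }

        $verdict = switch ($vol.VolumeStatus) {
            'FullyEncrypted' { 'Protected: conversion complete' }
            'FullyDecrypted' { 'Not protected: BitLocker is off' }
            'EncryptionInProgress' {
                if ($hasEncryptOnWrite -and -not $removable) {
                    'New writes protected (Encrypt-On-Write); pre-existing data still converting'
                } else {
                    'Not yet protected: watermark model, wait for 100% before storing sensitive data'
                }
            }
            default { "Review manually (status: $($vol.VolumeStatus))" }
        }

        [pscustomobject]@{
            Volume           = $vol.MountPoint
            Type             = if ($removable) { 'Removable' } else { $vol.VolumeType }
            Method           = $vol.EncryptionMethod      # XtsAes128/XtsAes256 on Windows 10
            PercentConverted = $vol.EncryptionPercentage
            Verdict          = $verdict
        }
    }
}

Get-BitLockerWriteProtection | Format-Table -AutoSize
```

The Method column lets you confirm a volume was encrypted with XTS-AES rather than a pre-Windows 10 method, which matters because a volume converted on Windows 7 keeps its original algorithm after upgrade.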