Close

What are you looking for?

cancel
Showing results for 
Search instead for 
Did you mean: 

Original topic:

Samsung SSD 970 EVO Plus drive encryption won't change from Ready to Enable

(Topic created on: 11-04-2021 07:11 PM)
Quitch
Apprentice
Options
Computers & IT

I am setting up a brand new machine with the above drive and have installed a discrete TPM 2.0 header on the motherboard to allow me to use hardware encryption with BitLocker. Windows 10 Pro x64 1903 is in use.

 

I installed Windows and Samsung Magician 6.0 and switched on drive encryption within the Encrypted Drive part of the tool. It shows "Ready to Enable" as a status. I create the Secure Erase tool, but the tool cannot find the drive. Going back into Windows I updated the drive's firmware to 2B2QEXM7. I reboot and run Secure Erase. The drive is successfully detected and the tool reports that it completed successfully. On rebooting the computer cannot detect bootable media, indicating success.

 

I disable Legacy USB and CSM support in UEFI, then boot my Windows 10 USB installer. The drive is showing as empty, no partitions. I create a single disk partition (with Windows creating its standard recovery partitions) and finish the install.

 

After booting into Windows I install Samsung Magician, but Encrypted Drive is still reporting the drive as "Ready to Enable" rather than "Enabled". I try repeating the Secure Erase and installing Windows process, but the status is still "Ready to Enable".

 

I've done this previously (on a different computer) with a Samsung SS 840 EVO, but did not encounter this problem. At this point I am not sure what more I can do. It would seem that Secure Erase is not flipping whatever switch it is supposed to, but it's not reporting any errors and is erasing the drive. The Windows 10 install is on a completely fresh drive.

9 REPLIES 9
JohnMcGerk
First Poster
Options
Computers & IT

I have this problem too. I bought SSD M.2 Samsung 970 EVO Plus and I can't enable hardware encryption. Status of my SSD is "ready to enable". Also I Have 970 PRO and on the same PC is hardware encrypted and work correctly as bootable disk. I asked ASRock (motherboard factory) about this problem. But they tell me about good work of hardware encryption of 970 Evo Plus ( they send me screenshot with the same PC: same motherboard, same BIOS, same CPU). But I see one thing. ASRock use 970 Evo plus with firmware 1B2QEXM7 and older Samsung Magician, but I use firmware 2B2QEXM7 and new Samsung Magician 6.0. I think problem with firmware 2B2QEXM7 and Samsung must to update firmware of 970 EVO Plus. What do you think about it, Samsung?

Quitch
Apprentice
Options
Computers & IT

Under the old firmware, I couldn't get Secure Erase to see the drive.

 

I contacted Samsung support regarding this issue, but got no where. They are blaming the motherboard (an ASUS PRIME X570-P) and suggesting that it may not support hardware encryption for an NVME device, but ASUS say that it does. Samsung also pointed me at Microsoft, though I'm not sure what it is to do with them in this instance.

 

So basically I'm stuck in software encryption at the moment as everyone says it's not them.

0 Likes
JohnMcGerk
First Poster
Options
Computers & IT

You are lucky. I bought SSD with new firmware and I can't dawngrade this firmware. I wrote to Samsung, but they are silent. Very awful support of Samsung.

Can you test speed of SSD with software encryption in crystaldiskmark? I want to check speed with software encryption and without encryption.

0 Likes
Quitch
Apprentice
Options
Computers & IT
I'm afraid I don't have that kind of access to the drive. I did it for family.
0 Likes
TessM
Moderator
Moderator
Options
Computers & IT

Hey @JohnMcGerk and @Quitch ,

 

I suggest contacting our Memory Team to have a look at this with your and provide you with the steps to do this. You can drop them an email at: samsungmemory@hanaro.eu.

0 Likes
Quitch
Apprentice
Options
Computers & IT

I'll drop them a line, but steps to do this isn't a problem, I've done it before on my 840 Evo. Multiple times in fact. Still, let's see if they have a fresh perspective.

0 Likes
slopd0wn
First Poster
Options
Computers & IT

I can clarify a few things here.

First you don't need a motherboard that supports Bitlocker eDrive to change the SSD state from "ready to enable" to "enabled".

I have a Asus Prime X570-PRO motherboard and faced the exact same issue. The motherboard supports hardware encryption, but when it comes to enabling it in the samsung SSD, I am not sure what is happening. I had to put the SSD on another computer (a HP 820 G3 - that does not support bitlocker hardware encryption - and after doing a secure erase on that laptop the Encrypted Drive status switched to Enabled.

Changed the drive back to my Asus motherboard, and was able to install windows and enable Hardware Encryption using bitlocker. Had to set the Group policy to require hardware encryption and enable the fTPM.

But there is a problem changing the Encrypted drive status to enabled. And the drive doesn't require a motherboard that supports bitlocker eDrive to do it.

I performed a PSID revert, and tried to enable the Encrypted Drive on the Asus motherboard again, but it won't do it. I can only do it on my HP 820 G3 that doesn't even support that feature.

BTW is not just Asus, I have the exact same problem on a HP 830 G5 that does support Bitlocker eDrive, but after doing a secure erase it won't change from Ready to Enable to Enabled.

I don't know if it's a Samsung problem, but it happens on completely different motherboards.

My SSD is a 970 Evo Plus btw

0 Likes
denis795
First Poster
Options
Computers & IT

I was dealing with same issue for last two weeks, after inserting brand new 970 EVO Plus into my machine (FW Version 2B2QEXM7). I also do have 3 more SATA SSD in my machine - Samsung EVO 850, EVO860 & Crucial MX500 - all 3 are with enabled Hardware Encryption. But 970 EVO Plus had stuck on "Ready To Enable" in Samsung Magician, and as a result BitLocker was unable to utilize Hardware Encryption on this drive :(.

My MB is Gigabyte H370 AORUS GAMING 3 WIFI (latest F14e BIOS). I do have discrete TPM inserted into MB header and I'm using it. But I guess discrete TPM is not really a must have for enabling HW encryption - most likely PTT (think of it like UEFI software TPM) would also work.

___________

My findings:

It seems what these newer Samsung SSDs are respecting "Block SID" setting in MB UEFI. While it is ENABLED - You can not manipulate Security Features of SSD, hence You can not set "Encrypted Drive" to ENABLED. And without that - BitLocker will not see Your SSD as being "Hardware-Encryption capable". Here some screenshots proving that:

002.JPG

Bitlocker-HW.PNGBitlocker-HW-1.PNG

___________

My Solution:

To enable "Encrypted Drive", I had to temporary disable "Block SID". Now, on some MB this can be done in UEFI (BIOS). But my MB does not has this option. However, I was able to disable "Block SID" with those commands in Windows 10 powershell:

$tpm = gwmi -n root\cimv2\security\microsofttpm win32_tpm
$tpm.SetPhysicalPresenceRequest(97)

After running these commands as Admin and REBOOT I was presented with such screen:

IMG_20210621_224655.jpg

Hit F10 - and that it. "Block SID" is now disabled, and I can manage 970 EVO Plus in usual way:

1. In Magician switch "Encrypted Drive" from "Disabled" to "Ready to Enable"

2. In Magician create bootable USB with "Secure Erase"

3. Reboot to UEFI (bios), disable Secure Boot, enable CSM (otherwise "Secure Erase" won't boot)

4. Boot to "Secure Erase" and erase 970 EVO Plus

5. Reboot to UEFI (bios), enable Secure Boot, disable CSM

6. Boot to windows (at this point Magician will still show "Ready to Enable")

7. Initialize 970 EVO Plus in "Disk Management". NOW Magician should show "Enabled".

8. Enjoy "Encrypted Drive" and HW Encryption:

ENABLED.PNGENABLED--HW.PNG

 

9. Enable back "Block SID" with

$tpm = gwmi -n root\cimv2\security\microsofttpm win32_tpm
$tpm.SetPhysicalPresenceRequest(96)

+REBOOT

+F10 confirmation

 

***You might wonder what those SetPhysicalPresenceRequest() commands are actually doing. It is described in this document : https://www.trustedcomputinggroup.org/wp-content/uploads/Physical-Presence-Interface_1-30_0-52.pdf. Operations 96 & 97 which I was using are on page 51.

 

---------

Some speed tests:

 

970 EVO Plus - NO ENCRYPTION:

970_EVO_PLUS_NO-encr.PNG

 

970 EVO Plus - SOFTWARE ENCRYPTION. This should depend on CPU. Mine is i7-8700  (non-K)

970_EVO_PLUS_SW-encr__i7-8700.PNG

 

970 EVO Plus - HARDWARE ENCRYPTION:

970_EVO_PLUS_HW-encr.PNG

 

...

0 Likes
DragonWolf5589
Navigator
Options
Computers & IT

@denis795  tried this but doesnt work for me, after i do the code in powershell and reboot it says "next boot only" and no matter what its ALWAYS stuck at "ready to enable" any advice?

_________________________________________________________________
Current Phone:
- Galaxy s20+ 128GB with 256GB MicroSD

Other Devices:
- (Possible Samsung Active Watch from the offer with s20+ once claim goes through)
- S6 32GB as spare emergency phone (If I don’t sell my s9+)
- Galaxy Tab A 10 Inch 16gb (rubbish but I got it free 2 years back – its ok to watch tv in bed)
0 Likes