Microsoft: Windows 10 Bitlocker is slower, but also better

If you encrypt the hard drive of a computer running Windows 7, and then on the same computer running Windows 10, you will notice that the encryption process is faster on Windows 7.

Bitlocker is a built-in disk encryption program that you can use to encrypt data so that it cannot be accessed by third-parties. If you don't encrypt your hard drive, anyone can access the data on it even if the PC is not on.

With Bitlocker and other encryption software, this is prevented.

Side note: Bitlocker may not be as secure as it could be on Windows 10. Windows 10 seems to decrypt data on the drive during feature upgrade processes.

Reasons why Bitlocker is slower on Windows 10

bitlocker management

In Why Bitlocker takes longer to complete the encryption in Windows 10 as compared to Windows 7, Microsoft Support Escalation Engineer Ritesh Sinha describes why Bitlocker encryption is slower on Windows 10.

The answer is a bit technical, but it boils down to improvements made to the encryption process itself, and changes that went into Bitlocker that make it somewhat of a different product than the version for Windows 7.

The big change to the encryption process itself  is a new conversion mechanism that Microsoft calls Encrypt-On-Write. It ensures that all writes to disk are encrypted as soon as Bitlocker is enabled on the operating system. This works for internal drives only at the moment. Microsoft does not use the new conversion mechanism for removable drives for backwards compatibility reasons.

This change is important for data security, as you could not place important data on a drive on older versions of Windows before the Bitlocker conversion process reached 100% due to the fact that the data may not have been encrypted immediately.

The second reason for conversions to take longer on Windows 10 is that Microsoft configured the Bitlocker process to run less aggressively. This improves system performance while the encryption process is ongoing and results in a longer conversion process.

Microsoft notes that other improvements went into Bitlocker on Windows 10. These have no impact on the encryption process but may be beneficial in certain situations.

This includes support for encrypted hard drives, HDD and SSD hybrid disks, new means of administrating Bitlocker, new FIPS-compliance, or Bitlocker Network Unlock.

Closing Words

I have not seen any report on how longer the Bitlocker encryption process takes on Windows 10 compared to Windows 7.

This is obviously not that much of a problem if this is a one-time operation. So, home users may notice the extra time it takes but it is a one-time operation.

The extra time it takes to encrypt drives using Bitlocker on Windows 10 may be an issue however for system administrators who run the operation regularly on company devices.

Now You: Better data security but slower encryption, a good trade off? What's your opinion on this?

Summary
Article Name
Microsoft: Windows 10 Bitlocker is slower, but also better
Description
If you encrypt the hard drive of a computer running Windows 7, and then of the same computer running Windows 10, you will notice that the encryption process is faster on Windows 7.
Author
Publisher
Ghacks Technology News
Logo
Please share this article

Facebooktwittergoogle_plusredditlinkedinmail



Responses to Microsoft: Windows 10 Bitlocker is slower, but also better

  1. Tinfoil_Hat January 6, 2017 at 4:33 pm #

    M$ win10 and encryption for data security sounds to me as the most extreme conceivable oxymoron

  2. TimH January 6, 2017 at 5:16 pm #

    Don't forget to change the BL encryption from AES-128 to AES-256 before enabling it. Or, turn BL off, make the changes, then re-enable BL and it will encrypt to the new standard.

    gpedit.msc
    Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption
    Enable "Choose drive encryption method and cipher strength", set to AES-256
    -> Operating System Drives

    While you're there, you can enable allowing non-alphanumerics in the password. Since the PW is max 20 chars, a good idea:
    Enable "Allow enhanced PINs for startup"

    Lastly, since desktops generally don't come with a TPM, you can still allw BL to work just with your long PW:
    Enable "Require additional authentication at startup" and check "Allow BitLocker without a compatible TPM"

    • Martin Brinkmann January 7, 2017 at 8:25 am #

      Tim, did you compare the performance impact of turning on AES-256? Is there one?

      • TimH January 7, 2017 at 4:37 pm #

        If CPU has AES-NI, should be negligible hit for either. The only metric I have is that 4 drives operated as RAID10 under Win 8.1 storage spaces was getting 100MB/s speed copying from SSD to it before applying BL. Getting 65-70MB/s copying to the RAID10 over consumer GigE after, so hitting the network limit not the receiving drives limit.

        This on Z170 chipset. Incidentally, the Intel motherboard RAID5 with 3 drives gave 10MB/s, vs 25MB/s using Win 8.1 storage spaces so I switched to RAID10 with the 4th drive. Need a RAID card for RAID5.

  3. Depraved January 6, 2017 at 6:44 pm #

    The main thing with Bitlocker is that it's a matter of trust. In Microsoft. Nowadays, with Windows 10's privacy precedent. With stupid NSA.

    Bitlocker is closed source, so we'll never see independent audits from the security community.

    I'm not an open source fanatic, but trusting Bitlocker seems a bit odd to me. I don't think there are many kinds of adversaries that lead to someone wishing full disk encryption, but being okay that it is untrustworthy.

    • Anonymous January 6, 2017 at 7:50 pm #

      Bitlocker is convenient and appropriate for its intended use-case; ensuring that when you leave your laptop in a taxi nobody can read your personal information.

      I certainly wouldn't trust it carrying valuable IP or when traveling somewhere like China. It isn't strong protection against a determined skilled adversary.

    • TimH January 7, 2017 at 12:27 am #

      Actually MS has been quite clever pleasing two masters - Gov and corp Windows customers - with Bitlocker. By default, BL has weak settings that Gov can brute force. Corporate customers can change those presets to good encryption, so they are happy.

      • Trevor January 7, 2017 at 5:13 am #

        False, Look at Security Concerns.

        https://en.wikipedia.org/wiki/BitLocker

      • Silas January 7, 2017 at 10:39 am #

        There it is. See Trevor's link. For enterprise customers who pay, Bitlocker's code is accessible under a NDA. Although that means only strict-security companies will be able or willing to invest in doing an audit. (That shit is expensive) In that case, I would still use, as a company concerned with its data, an encryption solution that has public audits available.

        Btw if you have a tendency to leave your laptop alone anywhere public, you have a bigger security problem than weak encryption :P

  4. anon January 7, 2017 at 4:59 am #

    " If you don't encrypt your hard drive, anyone can access the data on it even if the PC is not on."
    I don't get it, Martin.

    • Martin Brinkmann January 7, 2017 at 8:21 am #

      Well, anyone in theory. The date is not protected, so you could simply put the hard drive in another device, and access all files that are on it. Sorry for not making that clearer.

      • LogicDaemon January 7, 2017 at 6:14 pm #

        I'd like to add, that even if one encrypts his drive, malevolent adversaries can still access his data while he is logged on (i.e. via malware).

        Full disk encryption only saves data while system is powered off or locked (and lock only saves when no physical exploit available, like for 1394 or Thunderbolt).

  5. Jimmy James January 7, 2017 at 5:53 am #

    does anyone notice any system speed loss after enabling aes-256bit encryption?

    • Jimmy James January 8, 2017 at 11:39 pm #

      Ahh this is stats on how long it takes to encrypt the drive. I'm talking about system performance after encryption

  6. Mark D. Miller January 7, 2017 at 5:52 pm #

    I think it is a poor encryption program because when upgrading to a newer build, Bit-Locker decrypts the encrypted drive!!!

Leave a Reply