A key component in Windows 11 is getting a huge performance boost soon

BitLocker is a fairly important security feature in Windows that you can use to encrypt your PC's hard drives. Although it was optional and primarily meant for professional SKUs of Windows initially, Microsoft made BitLocker encryption the default configuration for clean installations following Windows 11, version 24H2. While there are ways to turn it off, you may not want to after checking out Microsoft's latest announcement.

The Redmond tech giant says that it has always tried to offer the highest level of security with minimal impact on device performance, which is why BitLocker's performance overhead has always been below 10%. However, with NVMe technology getting even better, I/O operations are faster, and consequently, BitLocker struggles to keep up without taking a bigger chunk of CPU cycles. This bottleneck causes a significant performance impact that customers notice and obviously don't appreciate.

To work around this problem, Microsoft recently announced hardware-accelerated BitLocker, which will leverage upcoming system on chip (SoC) and CPU capabilities, in addition to maintaining existing support for UFS Inline Crypto Engine technology. There are two new upcoming capabilities that hardware-accelerated BitLocker is focused on:

  • Crypto offloading: BitLocker shifts bulk cryptographic operations from the main CPU to a dedicated crypto engine. This capability frees up CPU resources for other tasks and helps improve both performance and battery life.
  • Hardware protected keys: BitLocker bulk encryption keys, when the necessary SoC support is present, are hardware wrapped, which helps increase security by reducing their exposure to CPU and memory vulnerabilities. This is in addition to the already supported Trusted Platform Module (TPM), which protects intermediate BitLocker keys, putting us on a path to completely eliminate BitLocker keys from the CPU and memory.

Below, you can see how the current implementation (left) differs from the new one (right):

In Microsoft's own benchmarks, the performance differences between the two variations of BitLocker are massive, with hardware acceleration outperforming software on storage operations like sequential read-writes and random read-writes across the board. There is also a 70% saving in CPU cycles on average when using hardware-accelerated BitLocker as compared to software-based BitLocker, making it almost as good as using your device without BitLocker enabled. The tech firm claims that these saved CPU cycles also result in better battery life for your PC.

You can check out a demo of hardware-accelerated BitLocker below:

As can be seen above, in CrystalDiskMark performance tests, software BitLocker had a read speed of 1632.52MB/s on SEQ1M Q1T1 compared to 3746.55MB/s for hardware BitLocker on the test machine. That's more than a doubling of the sequential single-threaded data transfer rate, clearly indicating that the CPU bottleneck has been alleviated. Write speed also improved, at 3530.82MB/s compared to 1513.43MB/s. The other random metrics showcased significant speed boosts too.

Microsoft is bringing initial support for hardware-accelerated BitLocker through upcoming Intel vPro devices featuring Intel Core Ultra Series 3 processors, but as the technology matures, it plans to bring these enhancements to all "capable" PCs. This variant of BitLocker leverages the XTS-AES-256 algorithm by default and requires Windows 11 version 24H2 or later. However, it will not work in certain other scenarios; you can check them out here.
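
For administrators who want to see which volumes already meet the two software-side requirements stated above (Windows 11 version 24H2 or later, and XTS-AES-256 as the encryption method), the following PowerShell audit is an added example and not part of Microsoft's announcement. It assumes an elevated session and the built-in `Get-BitLockerVolume` cmdlet; the function name `Test-BitLockerPrereq` is hypothetical, and the script does not detect whether a hardware crypto engine is actually in use.

```powershell
#Requires -RunAsAdministrator
# Added example: audits only the prerequisites named in the article.
# It cannot tell whether crypto offloading or hardware-wrapped keys are active.

$MinBuild     = 26100        # Windows 11, version 24H2 ships as OS build 26100
$WantedMethod = 'XtsAes256'  # Get-BitLockerVolume's name for XTS-AES-256

function Test-BitLockerPrereq {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [int]      $OsBuild,
        [Parameter(Mandatory)] [object[]] $Volumes
    )
    foreach ($v in $Volumes) {
        $reasons = @()
        if ($OsBuild -lt $MinBuild) {
            $reasons += "OS build $OsBuild is older than 24H2"
        }
        if ("$($v.VolumeStatus)" -eq 'FullyDecrypted') {
            $reasons += 'volume is not encrypted'
        }
        elseif ("$($v.EncryptionMethod)" -ne $WantedMethod) {
            # Volumes encrypted earlier keep the method they were created with.
            $reasons += "method is $($v.EncryptionMethod), not $WantedMethod"
        }
        if ("$($v.ProtectionStatus)" -ne 'On') {
            $reasons += 'protection is off or suspended'
        }
        [pscustomobject]@{
            MountPoint   = $v.MountPoint
            Method       = "$($v.EncryptionMethod)"
            Protection   = "$($v.ProtectionStatus)"
            MeetsPrereqs = ($reasons.Count -eq 0)
            Reasons      = $reasons -join '; '
        }
    }
}

$build = [System.Environment]::OSVersion.Version.Build
Test-BitLockerPrereq -OsBuild $build -Volumes (Get-BitLockerVolume) |
    Format-Table -AutoSize -Wrap
```

A volume that passes this check still needs the SoC or CPU support described in the article before hardware acceleration applies.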
