
7209

November 28th, 2017 14:00

Hey Dell!! About time for Class 0 HDD encryption for NVMe PCIe drives!!!

Facts:

- NVMe standard was defined in 2014... not exactly "new"

- NVMe are the fastest on the market

- NVMe PCIe are also the most expensive... and people who buy your laptops with NVMe drives also pay a substantial markup to have that technology on their laptops

So why exactly do you want to *** them off?

My 2012 XPS with Samsung 850 drive worked flawlessly and let me hardware encrypt my drive without a problem.

My 2017-top-of-the-market 9560 XPS is not supporting my newly purchased top-of-the-market Samsung 960 NVMe SSD... because of your BIOS.

Please don't blame Samsung... or tech specs... or the Grinch.

Lenovo Yoga works with the same Samsung NVMe SSD (patch? workaround? hack? magic? voodoo? You decide, but it does work).

Also some people managed to "hack" their 9560 XPS to have the Samsung 960 class 0 hardware drive encryption working (see this blog post).

So, it all comes down to a simple, easy question: will Dell update their BIOS to make it compatible with the old but future technology, or should we just assume that we made a mistake to purchase a well-marketed laptop that was however not designed to support current technology?

1 Rookie • 123 Posts

December 23rd, 2017 02:00

Same here, not good as per usual Dell.

9 Legend • 14K Posts

December 24th, 2017 16:00

I agree that it’s puzzling and I’m all about people having options, but there’s always BitLocker. Modern CPUs have extensions for AES encryption operations that mean software encryption doesn’t create a bottleneck even for NVMe speeds, and BitLocker would be more recoverable since it wouldn’t require the drive to be installed in a system that supported NVMe password prompts (I’m envisioning a scenario where the host system is dead and where possibly an NVMe enclosure is available, even though they’re rare today.) Granted, BitLocker requires a Pro version of Windows to enable (but any version can unlock them), but Pro versions aren’t very expensive especially if selected at the time of system purchase.

Again, not arguing against Class 0 on NVMe, just saying there are viable and perhaps even superior alternatives.

7 Posts

December 26th, 2017 05:00

Yeah there's BitLocker, but software encryption is never safer/faster/more flexible than hardware-based encryption.

I'm not planning to install my HD on another PC, but I am planning to have other OSes installed.

My 2012 XPS with the 850 EVO was working fine. It can't be that 5 years later a feature so important is removed with little or no notice. I would have chosen a SATA (and a less expensive) laptop if I had known it.

9 Legend • 14K Posts

December 26th, 2017 08:00

For a multi-boot system, yes Class 0 makes a lot more sense. But be careful about sweeping claims like “software encryption is never safer/faster/more flexible than hardware based encryption” because there are real-world examples that contradict all 3 of those claims. For example:

Safer: If software encryption is open source (which some solutions are) or there’s at least a very detailed white paper on the security design, then it can be audited to ensure safety. SSD vendors that implement Class 0 hardware encryption seldom if ever publish the precise details of what they’re doing. BitLocker when used with a TPM also includes platform integrity validation, which Class 0 does not.

Faster: As long as the main CPU can encrypt/decrypt data faster than it can be read/written on the SSD, which today's CPUs working with today's SSDs can, then software encryption isn’t a bottleneck.

More flexible: BitLocker is WAY more flexible than any Class 0 solution in many ways. You can choose various key lengths and cipher types, add various types of protectors to choose how a partition can be unlocked, use different encryption and/or protectors for different partitions (or deliberately leave certain partitions unencrypted), recover it without needing hardware that can prompt for an HDD password, manage it via Group Policy, etc.

Class 0 is free, works with whatever data is on the disk regardless of OS or file system, and MIGHT be faster in some cases, but that’s about it.

7 Posts

December 26th, 2017 09:00

> Class 0 is free, works with whatever data is on the disk regardless of OS or file system, and MIGHT be faster in some cases, but that’s about it.

That is already sufficient to me.

BitLocker is a proprietary solution. It's also rather obscure, as you can see from many threads that complain that it does not tell you which encryption scheme it's going to use (hardware? Software?). I just found out that my drive is encrypted with XTS-AES 128, instead of the built-in AES 256 of the Samsung 960. And, being the boot disk, I'm forced to use only a numeric key so that there are no keyboard compatibility issues.

Class 0 hardware encryption on a Samsung 960 is always faster than or equal to software encryption (or no encryption whatsoever), as data on that drive is always encrypted. The only thing that changes is whether the encryption key is plain or ciphered. But, apart from that, speed on an NVMe is rarely an issue for most users.

Do you know of any solution to substitute BitLocker that provides FDE (for real) and that is also multi-platform and humanly implementable? (that is, no 3 days of kernel coding to get it working)

Because, honestly, I looked around but found only two alternatives: Class 0 and OPAL. The latter is far more complicated to implement than Class 0. If no other option is given, I will go with OPAL, but it's really ridiculous.

9 Legend • 14K Posts

December 26th, 2017 10:00

Class 0 is a proprietary solution too. The only standard is how the password is provided. I get that BitLocker can be a bit “opaque” (it’s hardly “obscure” given that it’s widely deployed), but I don’t consider that a major issue given that the default settings for OS partitions are XTS-AES 128 key and (usually) software encryption. A 256-bit key today is overkill compared to a 128-bit key, even if you assume an attacker with government-level resources, and BitLocker's hardware encryption has its own problems, mostly in how to perform a secure erase. At least last time I checked (which admittedly was a while ago), Microsoft says that the drive vendor should provide a utility, and drive vendors direct them to Microsoft.

In terms of the BitLocker PIN, unless you plan to use foreign language keyboard layouts on that drive, you can enable alphanumeric PINs if you want. It’s not a problem moving to different keyboards that use the same language layout (otherwise you’d have problems entering the desired character even inside the OS), and Class 0 would have the exact same problem anywhere BitLocker would, since the underlying issue is that different language keyboards sometimes use different scan codes to represent the same character, and that would affect Class 0 entry as well. That said, BitLocker PINs aren’t an integral part of the overall security of the key like regular passwords in other solutions, including BitLocker when no TPM is available. Instead, the TPM has the actual key, and brute force attempts on the PIN are slowed down natively to thwart such attacks — which is why PINs only have a 4-digit minimum by default.

I don’t know of any other multi-platform solutions though, because multi-platform means managed by the hardware and therefore transparent to the software, and I doubt SSD manufacturers are interested in implementing lots of hardware mechanisms that all do essentially the same thing. TCG/OPAL are indeed a pain. We used that for a while at a previous company before BitLocker had gotten better and CPUs had native AES support, so we wanted to use the built-in hardware encryption on the drives we were buying — it was a total nightmare. I don’t think those drives supported Class 0, but I would also argue that Class 0 isn’t appropriate or at least isn’t ideal for corporate/enterprise deployments because of the recoverability concern. BitLocker allows Recovery Keys, including backing them up to Active Directory. On the Dell side specifically, apparently an unknown HDD password can be cleared/changed by entering the BIOS admin password as the current password, but that’s not an industry standard as far as I’m aware, and even that requires maintaining a spreadsheet with BIOS admin passwords or something.

You're right that Class 0 encryption can't be a bottleneck because the data is always encrypted anyway though, and I knew that but obviously hadn't woken all the way up when I wrote that post this morning. Thanks for catching that, editing my previous post now....
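As an added example (not code from this thread, Dell or Microsoft), the following PowerShell audit checks the points the reply above raises on a BitLocker volume: whether the volume ended up with hardware (eDrive) or software encryption and with XTS-AES 128 or 256, which protectors exist (TPM+PIN, recovery password), and whether Group Policy allows alphanumeric ("enhanced") PINs. It assumes Windows 10 Pro or later with the BitLocker module, an elevated prompt, and the policy values under HKLM\SOFTWARE\Policies\Microsoft\FVE (absent when no GPO is configured).

```powershell
# Added example: audit a BitLocker volume's encryption method, protectors and PIN policy.
# Assumes Windows 10 Pro or later, the BitLocker PowerShell module, and an elevated prompt.

function Get-BitLockerAudit {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # GPO-backed BitLocker settings live here; $policy is $null when nothing is configured
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue

    # Normalise protector types to strings, e.g. Tpm, TpmPin, RecoveryPassword, Password
    $protectors = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    $method = "$($vol.EncryptionMethod)"

    [pscustomobject]@{
        MountPoint             = $vol.MountPoint
        VolumeStatus           = $vol.VolumeStatus
        ProtectionStatus       = $vol.ProtectionStatus
        # 'Hardware' means BitLocker delegated encryption to the SSD; XtsAes128/XtsAes256 means CPU (AES-NI) software encryption
        EncryptionMethod       = $method
        UsesHardwareEncryption = ($method -eq 'Hardware')
        Protectors             = ($protectors -join ', ')
        # TPM + PIN: the TPM seals the key and rate-limits PIN guesses, so the PIN is not the whole secret
        HasTpmPin              = ($protectors -contains 'TpmPin')
        # A recovery password is what lets the volume be unlocked in another machine or enclosure
        HasRecoveryPassword    = ($protectors -contains 'RecoveryPassword')
        # UseEnhancedPin = 1 is the "Allow enhanced PINs for startup" policy (alphanumeric PINs)
        EnhancedPinAllowed     = ($policy.UseEnhancedPin -eq 1)
        # MinimumPIN is the "Configure minimum PIN length for startup" policy ($null when not set)
        MinimumPinLength       = $policy.MinimumPIN
        # EncryptionMethodWithXtsOs: 6 = XTS-AES 128 (the default mentioned above), 7 = XTS-AES 256
        OsEncryptionPolicy     = $policy.EncryptionMethodWithXtsOs
    }
}

Get-BitLockerAudit | Format-List
```

Run it before and after changing the policy to confirm that a new PIN or a re-encryption actually picked up the intended method; existing volumes keep their cipher until they are decrypted and re-encrypted.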

7 Posts

December 27th, 2017 06:00

I do understand your concerns with other encryption methods, but here BitLocker is not a valid solution to the problem. As it's only my personal laptop and I don't have to maintain multiple machines (for that you can use products such as Dell Encryption, Symantec Endpoint Encryption, the same BitLocker...), class 0 encryption is the perfect fit for both security and ease of use.

What pisses me off really is that my 2012 XPS had full support of it, and it was removed (or rather, not ported to the new BIOSes) in later models with NVMe drives, with nothing warning the customer about that.

So now we have $3k+ of hardware performing worse than some cheaper SATA models. We could have saved money and bought something that fit our needs better, if Dell had been clearer with its customers.

1 Rookie • 123 Posts

January 2nd, 2018 04:00

DELL?????????
