Microsoft is enhancing the security and performance of its Windows 11 operating system with the introduction of hardware-accelerated BitLocker. This initiative aims to address the increasing demands for efficient data protection while optimizing system performance, particularly for users engaged in resource-intensive tasks such as gaming and video editing.
Advancements in BitLocker Technology
BitLocker, the built-in full-disk encryption feature of Windows, safeguards sensitive data by ensuring that it remains unreadable without proper authentication. Traditionally, during the boot process, BitLocker has relied on the Trusted Platform Module (TPM) to securely manage encryption keys and facilitate the automatic unlocking of drives.
As non-volatile memory express (NVMe) storage technology has evolved, its enhanced performance has brought to light the noticeable impact of BitLocker’s cryptographic operations on system resources. To mitigate this, Microsoft is leveraging the capabilities of system-on-a-chip (SoC) components, which are equipped with hardware security modules (HSMs) and trusted execution environments (TEEs). This shift allows for the offloading of bulk cryptographic operations, leading to significant improvements in performance and reduced CPU usage.
According to Microsoft, devices that support NVMe drives and the new crypto offload-capable SoCs will automatically utilize hardware-accelerated BitLocker with the XTS-AES-256 algorithm. This enhancement applies to various scenarios, including automatic device encryption, manual enablement, policy-driven enablement, and script-based enablement, with a few exceptions noted by the company.
In practical tests, hardware-accelerated BitLocker demonstrated a remarkable reduction in CPU cycles, using approximately 70% fewer cycles per I/O compared to its software-based counterpart. While results may vary depending on specific hardware configurations, the overall trend indicates a substantial performance boost.
Beyond performance enhancements, the new BitLocker implementation also emphasizes security. By keeping bulk-encryption keys in hardware-protected storage, the risk of exposure to CPU- and memory-based attacks is reduced. This approach, in conjunction with TPM-based key protection, moves BitLocker toward eliminating the presence of encryption keys in the CPU and system memory entirely.
The updated BitLocker feature is available with Windows 11 24H2, provided that the September updates have been installed, and will also be included in Windows 11 25H2. Initial support is set to roll out with Intel vPro systems featuring Intel Core Ultra Series 3 (“Panther Lake”) processors, with plans to expand support to additional SoC vendors over time.
Users interested in verifying their BitLocker mode can do so by executing the command manage-bde -status and checking whether ‘Hardware accelerated’ appears in the Encryption Method line of the output. Microsoft has indicated that BitLocker will revert to software-based mode in cases where unsupported algorithms are detected, key sizes are specified manually, or enterprise policies dictate unsupported configurations.
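The check described above can be scripted for a fleet audit. The following PowerShell is an added example, not code from Microsoft or from the article: it parses the output of manage-bde -status per volume and flags any volume that is still in software mode. Only the ‘Encryption Method’ field and the ‘Hardware accelerated’ marker come from the article; the exact layout of the status output, the sample text and the function name are assumptions.

```powershell
# Added example (not Microsoft's or the article's code): audit BitLocker volumes
# reported by "manage-bde -status" and flag any not running hardware-accelerated.
# The status layout below is an assumption; adjust the regexes if your build differs.

function Get-BitLockerAccelerationReport {
    param(
        [Parameter(Mandatory)][string[]]$StatusLines   # lines of manage-bde -status output
    )
    $report  = @()
    $current = $null
    foreach ($line in $StatusLines) {
        # Assumed section header: "Volume C: [Label]"
        if ($line -match '^Volume\s+([A-Z]:)') {
            if ($current) { $report += $current }
            $current = [pscustomobject]@{
                Volume              = $Matches[1]
                EncryptionMethod    = 'Unknown'
                HardwareAccelerated = $false
            }
        }
        elseif ($current -and $line -match '^\s*Encryption Method:\s*(.+)$') {
            $current.EncryptionMethod    = $Matches[1].Trim()
            # The article states the field carries "Hardware accelerated" in the new mode
            $current.HardwareAccelerated = [bool]($current.EncryptionMethod -match 'Hardware accelerated')
        }
    }
    if ($current) { $report += $current }
    return $report
}

# Constructed sample output (not captured from a real machine) so the script runs offline
$sample = @'
Volume C: [Windows]
    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 256 (Hardware accelerated)
Volume D: [Data]
    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 128
'@ -split "`r?`n"

foreach ($v in Get-BitLockerAccelerationReport -StatusLines $sample) {
    if ($v.HardwareAccelerated) {
        Write-Output "$($v.Volume) $($v.EncryptionMethod): hardware accelerated"
    } else {
        Write-Warning "$($v.Volume) $($v.EncryptionMethod): software mode; check for an unsupported algorithm, a manually set key size, or a policy override"
    }
}

# On a live system replace $sample with: (manage-bde -status)
```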