Solved New 500GB NVMe Gen.4 SSD encrypted by ASUS.

windoc · Jul 30, 2023

Dru2 said:
Where consumer laptops are concerned (and none I know of being sold with Education, or Enterprise versions of Windows... unless specifically requested) .... Regardless of OS, the key will be backed up when first logged into the PC via Microsoft account. I've two laptops (Asus, Lenovo) both shipped with "Pro" versions of Windows, and this is how it was.

Read this article and scroll down to the part where it says, "How to generate your own encryption key" about 2/3 of the way down the page. It clearly states that Windows Pro, and Enterprise users have the option not to backup the key to Microsoft servers.

Let's also clear up that Windows HOME version does not use BitLocker. Instead, it uses a product called Device Encryption, which is enabled by default, and does not give you many configuration options.

Windows Pro, and Enterprise Versions don't have BitLocker Encryption enabled by default. Once you enable it, you are given the option on how to back up your, key....

windoc · Jul 30, 2023

Fabler2 said:
Found this,

Why Microsoft stores your Windows Device Encryption Key to OneDrive

Learn how to delete Windows Device Encryption Key key and generate your own. Microsoft stores the encryption key on OneDrive, when you use Microsoft Account.

www.thewindowsclub.com

Interestingly on this laptop had Home initially installed then upgraded to Pro. Never used Bitlocker but keys still generated. Have one generated for Home and two for Pro. I suspect because I'm dual booting. Interestingly a date showing 2013 must be from a now defunct machine long gone to the recycling bin.
Edit: Those two drives showing for this laptop is for Removal Drive Volumes. I encrypted two Flash drives previously so it even keeps a copy for those external drives. That's good.

View attachment 66221

It's hard to tell how your Windows Pro keys ended up on their servers because you originally started with HOME version. So you either approved of this, or it's the result of the upgrade process from HOME to Pro.

Dru2 · Jul 30, 2023

As I said, the keys are stored in you MSA. And yes, it keeps keys until you delete them.

windoc · Jul 30, 2023

Dru2 said:
As I said, the keys are stored in you MSA. And yes, it keeps keys until you delete them.

Let me help you. Here is a quote from the above article I just posted. "Windows 10 Pro and Enterprise users can generate new encryption keys that are never sent to Microsoft." Read the full article for more details.

Dru2 · Jul 30, 2023

windoc said:
Read this article and scroll down to the part where it says, "How to generate your own encryption key" about 2/3 of the way down the page. It clearly states that Windows Pro, and Enterprise users have the option not to backup the key to Microsoft servers.

First let me clear up any misunderstandings of my knowledge you appear to have.

I'm fully aware of the key storage options you have on Pro and Enterprise, as 1) have both Windows 11 Pro and Education (a derivative of Enterprise), and 2) Not only do I use BitLocker, but I've done exactly what the article said you can do... store your keys elsewhere.

My point is with store bought laptops that are ALREADY encrypted. For the purpose of the OP's post and their "laptop" that's what I'm focused on. Here the key is stored for you in your Microsoft account. That's my point!

Yes, there are other options the end user can take as well.

Peace

Movin on, Not going to get caught up in the silliness of "mines bigger than yours".

windoc · Jul 30, 2023

Dru2 said:
First let me clear up any misunderstandings of my knowledge you appear to have.

I'm fully aware of the key storage options you have on Pro and Enterprise, as 1) have both Windows 11 Pro and Education (a derivative of Enterprise), and 2) Not only do I use BitLocker, but I've done exactly what the article said you can do... store your keys elsewhere.

My point is with store bought laptops that are ALREADY encrypted. For the purpose of the OP's post and their "laptop" that's what I'm focused on. Here the key is stored for you in your Microsoft account. That's my point!

Yes, there are other options the end user can take as well.

Peace

Movin on, Not going to get caught up in the silliness of "mines bigger than yours".

O.K. Thank you for clearing things up. I just wanted to make sure that users were aware of their options. :wink:

FrankW · Jul 31, 2023

Dru2 said:
If the OP has a Microsoft account, and logs into the machine with it, I'd bet that's where the key got stored.

Hi Dru
I do have an online MS account but never login to my laptops, no offline passwords, I believe TPM is managing this.
There is a fingerprint reader with the KB Power Button, but my Windows Hello has not been activated. I have W11 Home without BitLocker but apparently, I can decrypt and encrypt with this version. I make monthly backups and those images are not encrypted (according to Windows Backup warnings). I don't look forward to spending several hours decrypting and possibly ending up with some errors that I cannot fix as this is a brand-new system that I would like to keep intact as long as I can, the only issue I have is when going into sleep mode and close the lid it creates a minor Power Manager conflict (Win32K error) probably something to do with my BIOS Modern Standby protocol. I decided leaving my drive encrypted for the time being. Thank you all for the discussion, really appreciate to hear your views.

FrankW · Jul 31, 2023

windoc said:
Encrypting your drive, even if you only use your laptop at home, adds an additional layer of security. The main purpose of drive encryption is to protect the data on your drive from unauthorized access in case your laptop gets lost or stolen. Encryption makes it incredibly difficult for someone to access your data without the encryption key.

As for performance, modern SSDs (especially NVMe drives like your Micron_2450_MTFDKBA512TFK) and CPUs are well-equipped to manage encryption and decryption tasks without any noticeable performance loss for most users. The performance impact of drive encryption has been significantly reduced with modern hardware. Even on older systems, the impact was typically less than 10%, and on newer systems, it is often even less noticeable. This is due to features such as Intel's AES-NI instruction set that are built into modern CPUs to accelerate encryption and decryption tasks.

As for why your ASUS Vivo book came with an encrypted drive, it is part of a trend towards more secure defaults. Many computer manufacturers are now shipping their devices with encryption enabled to better protect their customers' data.

Decryption could indeed take some time (not days for 150GB, but possibly several hours), and during this process, you will want to ensure that the laptop has a constant power source to avoid any potential data corruption.

That was my question, what is the point of encrypting if the laptop is not protected by a password, I believe anyone can access my data if I lose my laptop or it gets stolen (but both cases are highly unlikely). I now get 37 GByte/s average (44 Gbyte/s writing) speed with my 3200 MHz RAM (Dual Channel) so I am not worrying much about encrypting slowing me down.

FrankW · Jul 31, 2023

Fabler2 said:
That's what I wanted to know if it is done automatically. If these OEMs encrypt the drive automatically will less experienced users know about it and what it entails. Do they actually notify the new user ?

They don't and I complained to ASUS about that.

Fabler2 · Jul 31, 2023

FrankW said:
They don't and I complained to ASUS about that.

I believe that Macrium handles encrypted drives ok (someone will have to verify that) for an image. As for Aomei Backupper it will 'image' the drive but only sector by sector, meaning the size of the data will be the same on the backup as on the original drive. That's Something else to consider.
Good that you complained.

EDIT: didn't explain that well, with Aomei if you want to backup a 1TB drive it will have to be on a 1TB destination drive.

Dru2 · Jul 31, 2023

FrankW said:
Hi Dru
I do have an online MS account but never login to my laptops, no offline passwords, I believe TPM is managing this.

How did you initially lo into the PC???

Also, whoever said you need to decrypt before backup is wrong. I do backups all the time and never decrypt. Period.

I think things are being made complicated where it isn't required.

windoc · Jul 31, 2023

FrankW said:
That was my question, what is the point of encrypting if the laptop is not protected by a password, I believe anyone can access my data if I lose my laptop or it gets stolen (but both cases are highly unlikely). I now get 37 GByte/s average (44 Gbyte/s writing) speed with my 3200 MHz RAM (Dual Channel) so I am not worrying much about encrypting slowing me down.

As I stated in another reply "In the OP's scenario, the boot drive is indeed encrypted and decrypted using a private key stored in the Trusted Platform Module (TPM). The TPM is used to securely store the encryption key, which is released during the boot process and does not directly depend on user login. The key unseals only if the early boot files and boot configuration data remain unaltered, thus validating the integrity of the boot process."

So, although your password is not directly used for decryption, it is used for part of the boot process. Hence, as long as no one knows your password, it's unlikely that they would be able to recover your data.

glasskuter · Jul 31, 2023

Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 11 and Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those devices that are Modern Standby, and devices that run Home edition of Windows 10 or Windows 11. Source Overview of BitLocker Device Encryption in Windows - Windows Security

Find your BitLocker recovery key - Microsoft Support

Learn how to find your BitLocker recovery key in Windows.

support.microsoft.com

glasskuter · Jul 31, 2023

The fact that Bitlocker and Bitlocker device encryption are not exactly the same thing doesn't help folks to get a better bead on things. With Bitlocker the user can choose which drives to encrypt. With BL device encryption, ALL drives are encrypted.

Solved New 500GB NVMe Gen.4 SSD encrypted by ASUS.

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computer

aka Mama Glass

My Computers

aka Mama Glass

My Computers