Windows 8.1 and eDrive SSDs
Mark PSo I built someone a computer this week, a pretty basic system with Windows 8.1 and a Samsung 840 EVO SSD. I had some vague recollection of a conversation Josh and I had about encryption being enabled by default, so I decided to look into that a bit.
Here's Microsoft's blurb on the subject. Basically, on a clean Windows 8.1 install on a system with a TPM, Secure Boot, UEFI, Connected Standby support, and an eDrive compliant ssd, and probably some other requirements - Windows will automatically enable hardware-based Bitlocker device encryption and upload a recovery key to an associated Microsoft account. You can toggle this protection on or off on supported systems on the PC Settings\ PC Info metro app. Seems to be a pretty cool feature. Seamless and fast security in the event a computer is lost or stolen, although I can see it becoming a problem for anyone who has to support end users, do data recovery, etc., especially as systems supporting this feature become more prevalent.
OK, cool. What's not cool is that Windows 8.1 will, during setup, automatically provision a compatible drive for eDrive without user interaction, thereby locking out the ability to issue ATA security commands to the drive (set ATA passwords, perform secure erase), which sort of sucks, because on many SSDs this is practically irreversible. For most users, this probably won't be too big of a deal, but it might matter for people who want to repurpose or sell the drive.
There is supposed to be a method of resetting the drive back to its factory state by using the PSID number printed on the drive, but most manufactures do not provide a utility to do this. It's a pretty awesome feature, too. Just enter a code and the drive is instantly and securely wiped. As near as I could tell, only Seagate has a tool to do this. Samsung and Crucial don't provide a tool. On their forums, Crucial has users RMAing drives to get around this. Samsung refers customers to Microsoft, who in turn refers them back to Samsung.
eDrive seems like a worthwhile feature, but MS and SSD manufacturers sort of jumped the gun on implementing it without properly documenting and supporting it. I'd like to mess with it once the process is a little more mature, but for the time being, I decided to sidestep the feature by adding a registry key during install:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EnhancedStorageDevices]
"TCGSecurityActivationDisabled"=dword:00000001