Solved Sandisk Extreme Pro SSD with Bitlocker encryption performance issue

bohemiansonic89

Hello,

first off, I hope I am posting this in the right sub-section. If not, I apologize (and feel free to move it to the relevant section).

My general query is to do with SSDs and Bitlocker encryption.

Description:
I recently upgraded my primary SSD (with boot and OS partitions) from an entry-level Kingston 120GB SSDNow V300 to a 240GB SanDisk Extreme PRO SSD, hoping that I would notice some improvement, if not in real-life usage then at least in benchmarks, despite my primary goal for this upgrade being the increase in disk space.

Issue:
The problem is that not only did I not see any improvement, but the results were worse than before.
The only difference between the two disks is that
  1. the first had Bitlocker AES-128 with diffuser, and
  2. the second has Bitlocker AES-256 with diffuser.

Everything else in the build remains unchanged.

I understand that moving to AES-256 means taking a hit in performance, but I assumed that the better (and newer) SSD would compensate for this.

I read through all the relevant threads on this forum (like this one) as well as through other sites on the net. My understanding is that software encryption and SSDs (especially those with a controller that is designed for compression of data, like the SandForce on my original Kingston V300) do not go hand in hand.
However, my Sandisk SSD has a Marvell controller, which I take it does better with data that cannot be compressed (i.e. encrypted), so that should not be the issue.

Basically, I do not know what I am doing wrong. All I want is my PC to be encrypted while taking full advantage of having my system/boot drive be on an SSD instead of a HDD.
Do I change the encryption to 256 without diffuser, 128 with diffuser (Windows default) or other?



Following are benchmark results for comparison:

1) Kingston SSD with Bitlocker enabled, 128-bit with diffuser

as-ssd-bench KINGSTON SV300S3 02.12.2014 19-56-28.png

2) Sandisk Extreme Pro SSD with Bitlocker DISABLED

as-ssd-bench SanDisk SDSSDXPS 25.01.2015 00-30-21.png

3) Sandisk Extreme Pro SSD with Bitlocker ENABLED, 256-bit with diffuser

as-ssd-bench SanDisk SDSSDXPS 25.01.2015 02-20-19.png

In addition, my motherboard only has SATA II, so that is why the results in 2) are lower than one might expect.

Thank you to anyone for pointing out what I am doing wrong or what I should do to fix the problem.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
custom build
OS
Windows 7 Ultimate x64
CPU
AMD Phenom II X4 945
Motherboard
MSI 760GM-E51
Memory
2x8GB of GeIL CL9-9-9 D3-1333
Graphics Card(s)
MSI R6850
Hard Drives
OS on 240GB SSD (SanDisk Extreme PRO)
+ a few HDDs
Antivirus
avast! Free Antivirus

It is slower because the 256bit encryption requires more time on the CPU. The drive may perform faster, but the CPU/Motherboard is the same and it is your bottleneck, not the SSD.

To get better performance from bitlocker, you need to have an eDrive capable SSD.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Alienware Aurora ALX R4
OS
Windows 10 Pro (x64)
CPU
Intel Core i7-3930K (3.2GHz - 4.5GHz)
Motherboard
Alienware Aurora-R4 x79
Memory
4x Samsung 4GB PC3-12800 DDR3 (16GB 1600MHz)
Graphics Card(s)
Nvidia Geforce GTX 690
Sound Card
SteelSeries Siberia Elite
Monitor(s) Displays
Dell UltraSharp U3011
Screen Resolution
2560x1600
Hard Drives
Samsung 850 Pro 256 GB, Seagate 1TB Desktop Hybrid HDD, 2x Western Digital 4TB Green HDD
PSU
875W Some Dell PSU <.<
Case
Alienware Aurora ALX
Cooling
Custom Liquid Cooling (EK CPU & GPU blocks) dual EK 480RAD
Keyboard
Logitech G710+ Mechanical
Mouse
Logitech G700s
Internet Speed
Verizon Fios (50 mbps average)
Other Info
Server: Intel NUC D54250WYK: i5-4250U, 16GB, 256 GB mSATA, Windows Server 2012 R2

If your drive is not an eDrive, then you've simply added more work to the CPU. Stick with 128bit + diffuser if you want performance similar to the previous drive - it would take so long to brute-force a 128bit encrypted drive that the additional protections of 256bit versus the performance hit really aren't worth it unless you're handling top secret data.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom
OS
Windows 10 Pro x64
CPU
Intel Core i7 4790K @ 4.5GHz
Motherboard
Asus Maximus Hero VII
Memory
32GB DDR3
Graphics Card(s)
Nvidia GeForce GTX970
Sound Card
Realtek HD Audio
Screen Resolution
1920x1200
Hard Drives
1x Samsung 250GB SSD
4x WD RE 2TB (RAIDZ)
PSU
Corsair AX760i
Case
Fractal Design Define R4
Cooling
Noctua NH-D15

logicearth and cluberti; thank you both for the replies. I completely overlooked the CPU being the bottleneck.

So if I understand it correctly, my options are to either:

  1. Downgrade the encryption to something that burdens the CPU less than AES-256
    or
  2. Get an eDrive SSD (and everything else needed for hardware-based encryption, like Windows 8)

How about Upgrading the CPU as option 3?
If I want to stick with software-based encryption (for whatever reason), will an upgrade to an AES-NI compliant CPU help out with the issue?

I found a comparison of eDrive vs software encryption and while the software-based encryption takes a bigger performance hit (article mentions -29% for 4k random writes which is what I am experiencing), I still think it is strange to take a 57%/55% performance hit on sequential read/write. [Another performance comparison showing way better results than mine is here]

Also, since the CPU is the bottleneck, is there anything specific about upgrading the motherboard and RAM that one should take into consideration when bitlocker is in play?
 

It will help somewhat, but again - I reiterate that the insanely long time it would take someone to crack the 128bit AES encryption really nullifies using 256bit unless loss of data on that machine to someone who physically stole the drive would constitute a real emergency that you'd have a hard time handling. It will cost you some time to de-encrypt and re-encrypt at 128bit, but it is free otherwise. That would still be the recommendation.
 

You must have special needs to go with encryption. For a desktop that is unusual. Normally one does that with small devices that are being hauled around - and lost at times.

Nevertheless, I would also think that your CPU is the bottleneck. That Phenom CPU is no speedster (PassMark score of 3700) and has pretty poor performance for the amount of electricity it consumes (95W or 125W). Muscular CPUs have a PassMark score around 10.000.

The SSD is OK although the scores are not earthshaking either - but the access time is good and that counts in the random access cases. But 4K writes are really not that much better than your old SSD.

I join the recommendation to go at least with 128 bit if you absolutely have to encrypt. After all this is the OS disk. I can understand if you encrypt a data disk/partition but for an OS disk that has limited value and locks you out also - e.g. you may not be able to recover from an image.

Question - how long does it take you to encrypt/decrypt the SSD?
 

My Computer

Computer Manufacturer/Model Number
HP, Dell, Gateway, Toshiba - 4 laptops and 2 desktops
OS
Vista, Windows7, Mint Mate, Zorin, Windows 8
CPU
from 1.6GHz Duo to i7
Monitor(s) Displays
2x HP w2207
Hard Drives
5x HDD, 7x SSD, 12x Externals
Keyboard
with trackball - no mices
Mouse
Trackball mice
Internet Speed
DSL 6000
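
The replies above all point at the CPU rather than the SSD as the limit. The following is an added example, not code from the thread or from BitLocker: it measures how fast one core can run plain AES-CBC with a 128-bit and a 256-bit key using Go's standard library, which uses AES-NI where the CPU provides it. The 512-byte sector size, the per-sector IV and the test key are constructed assumptions, and the diffuser is not modelled.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"time"
)

const sectorSize = 512 // assumption: encrypt in disk-sector-sized chunks

// cbcSectors encrypts or decrypts buf in place with one CBC chain per sector.
// The IV is just the sector number (constructed, not BitLocker's scheme).
func cbcSectors(key, buf []byte, decrypt bool) error {
	block, err := aes.NewCipher(key) // 16-byte key = AES-128, 32-byte = AES-256
	if err != nil {
		return err
	}
	iv := make([]byte, aes.BlockSize)
	for off := 0; off+sectorSize <= len(buf); off += sectorSize {
		iv[0], iv[1], iv[2] = byte(off>>9), byte(off>>17), byte(off>>25)
		s := buf[off : off+sectorSize]
		if decrypt {
			cipher.NewCBCDecrypter(block, iv).CryptBlocks(s, s)
		} else {
			cipher.NewCBCEncrypter(block, iv).CryptBlocks(s, s)
		}
	}
	return nil
}

// throughputMiBps encrypts mib MiB with a keyLen-byte key and returns MiB/s.
func throughputMiBps(keyLen, mib int) (float64, error) {
	key := bytes.Repeat([]byte{0x42}, keyLen) // constructed test key
	buf := make([]byte, mib<<20)
	start := time.Now()
	if err := cbcSectors(key, buf, false); err != nil {
		return 0, err
	}
	return float64(mib) / time.Since(start).Seconds(), nil
}

func main() {
	for _, k := range []int{16, 32} {
		if r, err := throughputMiBps(k, 256); err == nil {
			fmt.Printf("AES-%d CBC: %.0f MiB/s on one core\n", k*8, r)
		}
	}
}
```

If the figures printed on a given machine are below the drive's unencrypted sequential results, the cipher and not the SSD sets the ceiling on that machine.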
I guess going back to AES128 until I upgrade the aging CPU+motherboard combination seems like the best option.

As far as I know, one of the reasons against having the OS drive decrypted is that it stores the encryption keys for all the other drives and I don't want to decrypt my drives manually at each start-up.

bl_notice.png

"Question - how long does it take you to encrypt/decrypt the SSD?"

The Sandisk took me about a day to encrypt.


Again, thank you all for helping out. When I upgrade, I'll try to post some updated benchmarks for future reference.
 
