Why Bitlocker takes longer to complete the encryption in Windows 10 as compared to Windows 7

Hello, my name is Ritesh Sinha and I am a Support Escalation Engineer on the Windows team.  Today’s blog will cover “Why Bitlocker takes longer to complete the encryption in Windows 10 as compared to Windows 7”.

A brief summary of Bitlocker is: Bitlocker is a disk encryption system provided by Microsoft with the Windows operating system. Bitlocker uses a set of protectors (both hardware and software) to encrypt the data on the drive which makes sure that the data is accessible to only the authorized person, and only on the authorized machine.

Recently, we heard from our customers that they are noticing a significant increase in time for the encryption to complete on Windows 10 machines compared to Windows 7 machines.

To understand why Bitlocker takes longer to complete the encryption in Windows 10 as compared to Windows 7, we need to understand the points listed below.

  1. BitLocker in Windows 10 has been made to run less aggressive for its background conversion. This makes sure that you are not experiencing slow performance of the machine while the encryption is in progress.
  2. This is compensated by the fact that this new conversion model BitLocker now uses (on all client SKUs and any internal drives) ensures that any new writes are always encrypted regardless of where on the disk they land (which was not the case for the original BitLocker watermark-based conversion model).
  3. The new conversion mechanism, called Encrypt-On-Write, immediately guarantees the protection (encryption) of all writes to disk AS SOON AS BitLocker is enabled on the OS or fixed (internal) volumes.  Removable drives work in the older mode for backwards compatibility.
  4. The pre-Windows 10 conversion mechanism could only make such a claim AFTER the conversion reached 100%.
  5. If one thinks about it, #2 and 3 are very significant because:
    • Regardless of the version of Windows used, without Bitlocker enabled and the drive fully encrypted, you could not guarantee that data wasn’t already compromised or stolen.
    • Therefore, those serious about any such compliance claims would have to wait for the older BitLocker conversion process to reach 100% before placing any sensitive data on drive.  This means possibly waiting a long time if the drive is large.
    • With the new method, they could safely copy sensitive data as soon as BitLocker is enabled and the volume is in the encrypting state.
  6. Due to achieving compliance status for all writes immediately upon enabling BitLocker, the pressure of reaching 100% conversion status is less and converting all pre-existing data happens at a slower rate (further lessening the impact on interactive user).

Apart from this reason, there are several new feature enhancements which have been made to Bitlocker since Windows 7.  Some of these enhancements are:

· New encryption algorithm XTS-AES.  The new algorithm provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text.

  • This is also FIPS-compliant, which is a set of United States Government standards that provide a benchmark for implementing cryptographic software.
  • Bitlocker can be administered through various means such as BitLocker Wizard, Manage-BDE, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices
  • Integration with Azure Active Directory for easier online Bitlocker key recovery.
  • DMA port protection using MDM policies to block the DMA ports and secure the device during its startup.
  • Bitlocker Network Unlock
  • Support for Encrypted Hard Drive for faster encryption time.
  • Support for classes of HDD/SSD hybrid disks (small SSD used as a non-volatile cache in front of slower spinning HDD, known as Intel RST technology).

To get these enhancements, the whole product has gone through a major design change to make sure that Bitlocker is more secure, the machine stays much more responsive during the encryption process and we provide the latest feature and manageability to the users.

Because Window 10 and Windows Server 2016 share the same kernel base, these changes are applicable to Windows Server 2016 as well.

You may notice significant improvement in Windows 10 Bitlocker encryption time after installing the Windows 10 Creators Update which is expected to release in 2017 but encryption time is also dependent on the hardware you are using as well as the workload on the machine.

I hope this article will help everyone understand that Bitlocker is better than before even though it may seem like it is slower when encrypting existing data on a hard drive.

Ritesh Sinha
Support Escalation Engineer
Microsoft Enterprise Platforms Support