Microsoft wants to fix BitLocker's slowdown with hardware acceleration

Alfonso Maruccia

Forward-looking: Originally introduced with Windows Vista in 2006, BitLocker is Microsoft's own solution for managing fully encrypted volumes and storage units. The technology is also notorious for having some reliability, performance, and security issues, but Redmond is now working to fix all these problems at once - provided you are willing to buy some new PC hardware.

Microsoft will soon start "accelerating" input/output (I/O) operations for BitLocker-encrypted volumes on PC systems with compatible hardware components. The company initially introduced the change at the Ignite conference last month, and has now provided some important details about how hardware-accelerated encryption will actually work.

According to Microsoft's Rafal Sosnowski, hardware-accelerated BitLocker solutions are designed to bring a significant improvement in performance and security for encrypted setups. The technology is allegedly going to counter issues emerging with newer Non-Volatile Memory Express (NVMe) storage technology, which can achieve much higher I/O performance levels.

A modern NVMe SSD can quickly move massive amounts of data and files around, pushing BitLocker encryption algorithms to require a higher number of CPU cycles as a consequence. If not properly optimized, Sosnowski said, this additional overhead may become a significant issue in specific applications.

Microsoft quotes professional video editing on large clip files, compilation of massive codebases, and gaming as some of the storage scenarios that may be affected by this potential computational overhead. Hardware acceleration will allegedly help BitLocker reduce its performance impact, offloading the bulk of its cryptographic operations from the main CPU to a dedicated "crypto engine" in the SoC. Furthermore, the feature will also shield encryption keys from external prying eyes with a proper hardware wrapping procedure.

The software components of BitLocker acceleration are already available in Windows 11, starting with the September 2025 update for 24H2 and Windows 11 25H2. For now, however, the feature is supported only on Intel vPro systems based on the upcoming Core Ultra Series 3 CPUs; Microsoft says it is looking into extending support to other vendors and processor platforms.

Microsoft explains that by offloading encryption operations to a dedicated SoC component, BitLocker can achieve some truly eye-opening performance improvements. A hardware-accelerated BitLocker volume is allegedly as fast as an NVMe drive without BitLocker encryption, while the number of CPU cycles required for I/O management is orders of magnitude lower when compared to software-based encryption.

The company said that customers interested in using hardware-accelerated encryption must comply with some specific prerequisites. The feature will only work when volumes are encrypted with the XTS-AES-256 algorithm, and eventually other algorithms supported by the SoC vendor. Furthermore, IT administrators can proactively customize or disable the feature through specific enterprise policies.
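As an added example (not Microsoft's code), the following PowerShell audit lists each BitLocker volume with its cipher and key protectors and flags volumes that do not use XTS-AES-256, the prerequisite the article names; it also reads the FVE policy values that pin the cipher for OS, fixed and removable drives. It assumes the built-in BitLocker module and an elevated prompt on Windows 11.

```powershell
# Added audit example, not Microsoft's own code. Run elevated on Windows 11 Pro/Enterprise.
# Get-BitLockerVolume exposes EncryptionMethod as an enum (e.g. XtsAes128, XtsAes256).

function Get-BitLockerAccelReadiness {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # Key protector types show whether the volume is TPM-only, TPM+PIN, password, etc.
        $protectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeStatus      = $vol.VolumeStatus      # FullyEncrypted, EncryptionInProgress, ...
            ProtectionStatus  = $vol.ProtectionStatus  # On = key protectors currently enforced
            EncryptionMethod  = $vol.EncryptionMethod
            KeyProtectors     = $protectors
            # Only XTS-AES-256 volumes meet the cipher prerequisite the article describes.
            MeetsCipherPrereq = ($vol.EncryptionMethod -eq 'XtsAes256')
        }
    }
}

function Get-BitLockerCipherPolicy {
    # Enterprise policy for the default cipher lives under the FVE policy key.
    # Value 7 = XTS-AES-256, 6 = XTS-AES-128 (the out-of-box default); absent = not managed.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $names = 'EncryptionMethodWithXtsOs', 'EncryptionMethodWithXtsFdv', 'EncryptionMethodWithXtsRdv'
    foreach ($n in $names) {
        $v = (Get-ItemProperty -Path $key -Name $n -ErrorAction SilentlyContinue).$n
        [pscustomobject]@{ Setting = $n; Value = $v; IsXtsAes256 = ($v -eq 7) }
    }
}

Get-BitLockerAccelReadiness | Format-Table -AutoSize
Get-BitLockerCipherPolicy   | Format-Table -AutoSize
```

A volume already encrypted with XTS-AES-128 does not change cipher when the policy changes; it has to be decrypted and re-encrypted, so plan that before expecting acceleration on existing machines.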


 
TPM 3.0, get ready to buy a new computer.

AES-NI is already supported as a dedicated CPU instruction set and I'm under the impression that the performance hit is only a few %.
 
> TPM 3.0, get ready to buy a new computer.
>
> AES-NI is already supported as a dedicated CPU instruction set and I'm under the impression that the performance hit is only a few %.
This isn't about making it faster, it's about making it less CPU intensive.
 
> TPM 3.0, get ready to buy a new computer.
>
> AES-NI is already supported as a dedicated CPU instruction set and I'm under the impression that the performance hit is only a few %.

Nah, they are talking about a new "crypto engine" within the SoC that's capable of completely isolating the encryption keys used by BitLocker's I/O. The TPM is allegedly only used to protect intermediate keys.

You will NEED to buy a new computer to use this. No gamer or power user in their sane mind would think about using BitLocker anyway :-D
 
Why not improve the existing code and make better use of AES instructions (which one assumes are being used)? Oh, wait, I forgot; this is about selling new computers.
 
> Nah, they are talking about a new "crypto engine" within the SoC that's capable of completely isolating the encryption keys used by BitLocker's I/O. The TPM is allegedly only used to protect intermediate keys.
>
> You will NEED to buy a new computer to use this. No gamer or power user in their sane mind would think about using BitLocker anyway :-D
Until W11 is end of life and W12 needs it for AI bitlocker integration. Woohoo, W11 EOL October 2027!!!
 
This will probably turn out like Ultra HD Blu-ray. You can watch it on any system, as long as it's made by Intel. Since it's not part of the CPU, it will wind up being proprietary.
 
> No gamer or power user in their sane mind would think about using BitLocker anyway :-D
Yes, no need for BitLocker on a computer used 100% as an entertainment PC, if there really is such a thing.

But as soon as there is sensitive data on your PC, BitLocker is a worthy trade-off. The performance hit is generally not noticeable outside of benchmarks, whereas the consequences of, say, a stolen laptop with your now easily accessible everything could be night and day.
 
> Yes, no need for BitLocker on a computer used 100% as an entertainment PC, if there really is such a thing.
>
> But as soon as there is sensitive data on your PC, BitLocker is a worthy trade-off. The performance hit is generally not noticeable outside of benchmarks, whereas the consequences of, say, a stolen laptop with your now easily accessible everything could be night and day.
So I might grossly misunderstand the subject, but my private and work laptops use full disk encryption: Linux on my personal laptop and Windows 11 on my work laptop. We don't use BitLocker on my work laptop. What advantages does BitLocker have?
 
I'm not an expert on the differences, if any, between different versions of full disk encryption. The comparison I wanted to make was between any encryption and not encrypted at all. It sounds like you're covered.

BTW, I think Windows prebuilts now generally come with BitLocker enabled. Personally I would not be quick to encourage anyone to turn it off for a possible few extra frames, unless you were sure all your data now and in the future was worth nothing to you or to anyone else.
 
> Why not improve the existing code and make better use of AES instructions (which one assumes are being used)? Oh, wait, I forgot; this is about selling new computers.
Isn't every company about selling something?
Why is this different? Because it's Microsoft and we should jump on them every time they announce something? Doesn't this get old?
 
> TPM 3.0, get ready to buy a new computer.
>
> AES-NI is already supported as a dedicated CPU instruction set and I'm under the impression that the performance hit is only a few %.
So, innovation should only come by way of brute-forcing the old to work with the new, because you don't want to pay for it, assuming you even have a use for it? Do you even currently use drive encryption of any kind? These comments aren't making any sense.
 
BitLocker? You mean that garbage that doesn't do anything at all unless you enforce group policies requiring you to enter a BitLocker key etc. during each login? Who uses that stuff, people logged into Microsoft accounts? I thought we'd established people aren't supposed to log in to that stuff unless they want to contribute to the ongoing problem of data harvesting, right?

What does BitLocker actually do, seriously? It doesn't even enforce the strongest encryption algorithm unless you enforce that through group policy as well, thus making it trash. What's the point of it unless you're a power user that knows what you're doing with the group policy editor?

Not every Windows Pro (or better) user knows how to effectively utilize the group policy editor, and BitLocker is a paper shield without it.
 
> BitLocker? You mean that garbage that doesn't do anything at all unless you enforce group policies requiring you to enter a BitLocker key etc. during each login? Who uses that stuff, people logged into Microsoft accounts? I thought we'd established people aren't supposed to log in to that stuff unless they want to contribute to the ongoing problem of data harvesting, right?
>
> What does BitLocker actually do, seriously? It doesn't even enforce the strongest encryption algorithm unless you enforce that through group policy as well, thus making it trash. What's the point of it unless you're a power user that knows what you're doing with the group policy editor?
>
> Not every Windows Pro (or better) user knows how to effectively utilize the group policy editor, and BitLocker is a paper shield without it.

I am relying on BitLocker without any special group policies, so your post got my attention, even though it didn't explain the actual problems. So I asked ChatGPT to explain them to me. Here's its take; let me know where you feel it's mistaken:

1. What BitLocker actually does (at defaults)
On modern Windows (10/11 Pro and higher), BitLocker enabled with default settings provides:
  • Full-disk encryption
  • XTS-AES encryption (128-bit by default on modern Windows)
  • TPM-based key protection
  • Decryption occurs before Windows boots, not at user login

If a device is stolen and an attacker:
  • Removes the SSD
  • Boots from USB or another OS
  • Mounts the drive in another machine
  • Uses forensic recovery tools

They cannot read the data without the BitLocker recovery key.

For preventing data leakage due to physical theft, this is exactly the problem BitLocker is designed to solve, and it does so effectively out of the box.


2. "It does nothing unless you force a BitLocker key every login" — false

This is a misunderstanding of how BitLocker works. By default, BitLocker uses TPM-only mode. The encryption key is released only if the system boots normally. If the boot chain is altered (USB boot, disk removal, tampered bootloader), the TPM refuses to release the key.
  • Windows login happens after disk decryption; login is not the security boundary for disk encryption.

A pre-boot PIN is optional and protects against different threats (for example, someone stealing a laptop and booting it as the owner). It is not required to protect against offline data theft.

TPM-only BitLocker is widely used in enterprise environments and is not “paper security.”


3. "It doesn't use strong encryption unless you change Group Policy" — half-truth

Facts:
  • Modern Windows defaults to XTS-AES
  • Default key size is typically 128-bit
  • Group Policy can be used to switch to XTS-AES-256

Reality:
  • AES-128 is not weak
  • There are no practical attacks against BitLocker’s XTS-AES-128
  • Governments and large enterprises use this configuration at scale

Using 256-bit encryption is fine if desired, but it is a conservative choice rather than a requirement for real-world security. Calling the default encryption “trash” is incorrect.


4. "BitLocker is useless unless you're a Group Policy power user" — wrong

BitLocker is designed so that:
  • Non-technical users get strong protection by default
  • Administrators can add extra controls if needed
  • Enterprises can enforce policies centrally
  • Users do not need to touch the Group Policy Editor to get meaningful security

The defaults are intentional and chosen to balance:
  • Security
  • Reliability
  • Recovery
  • Risk of user lockout

Optional hardening does not mean the default configuration is ineffective.

Summary:
BitLocker at its default settings provides real, effective full-disk encryption that prevents data access if a device or drive is physically stolen, which is the exact threat most users are trying to mitigate. It encrypts the entire disk using modern XTS-AES, protects the key with the system TPM so it is only released on an untampered boot, and blocks offline attacks such as drive removal, USB booting, or forensic mounting without requiring any Group Policy tuning. Optional features like pre-boot PINs or stronger key sizes are about defending against different threat models, not fixing a broken default. Calling BitLocker “useless” without Group Policy reflects a misunderstanding of how disk encryption, TPMs, and threat modeling actually work.
 
> So, innovation should only come by way of brute-forcing the old to work with the new, because you don't want to pay for it, assuming you even have a use for it? Do you even currently use drive encryption of any kind? These comments aren't making any sense.
Sure, I use LUKS on my work laptop and file server. And in these scenarios, work and file server, a few percent of lost performance and a few percent of CPU time are meaningless.

So I am questioning whether this technology is needed at this point. On an average office laptop? Who uses disk encryption for gaming? Or video editing?

And secondly, I see this as yet another case of M$ deciding for us, what we need and where.
 
> Sure, I use LUKS on my work laptop and file server. And in these scenarios, work and file server, a few percent of lost performance and a few percent of CPU time are meaningless.
>
> So I am questioning whether this technology is needed at this point. On an average office laptop? Who uses disk encryption for gaming? Or video editing?
>
> And secondly, I see this as yet another case of M$ deciding for us, what we need and where.
Keyword: I