Kernel Confusion » Security

Bitlocker Benchmark – A small test

Christoph Schmidt — Fri, 05 Mar 2010 16:20:16 +0000

Bitlocker is a nice piece of security technology. My company, working mainly in IT consulting, uses only notebooks and of course needs to transport sensitive data from time to time. So, since Vista we use BitLocker to protect our valuable information from theft, e. g. in case of a stolen notebook. We also deployed it for some customers.

One question is always asked: what about the performance loss? I don’t have much knowledge about how exactly BitLocker works under the hood, but I of course had the general experience that BitLocker secured systems are not slow at all. So I got myself a second hard drive for my notebook and ran a small test to clarify this question based on my hardware. This benchmark was mainly intended for me, but I decided to share the data anyway.

The test machine:
Lenovo ThinkPad T61, Intel Core2Duo T7500 2.2 GHz, 4 GB RAM
Hitachi HDD, SATA, 2.5″, 100 GB, 7200 RPM
Windows 7 Enterprise x64

I used ATTO as the benchmarking tool. The test process was simple: two runs without BitLocker, two runs with it.

The Result

For the read-performance there wasn’t a real performance drop, as you can see in the screenshots.
The write-performance dropped by about 4.5%. In my opinion, that isn’t bad at all. I’ve seen worse results for TrueCrypt and others, but I don’t want to compare software here.

Now of course, one has to decide how to interpret the result. Obviously it is limited to the used hardware, but I would say it won’t be any worse on a ThinkPad T500. Then again, this was a synthetic benchmark which does not reflect the normal workload or work-pattern. Anyway, my “feeling”, the performance-loss cannot be high, is backed up.

Bitlocker and the disappearing harddrive

Christoph Schmidt — Fri, 18 Dec 2009 13:11:16 +0000

A customer of mine uses Microsoft BitLocker encryption to protect all it’s computers, both mobile and workstations, as they contain critical financial information of several other companies. When upgrading their client environment to Vista, we already introduced BitLocker for all hard drives and it worked like a charm. As they now move on to Windows 7, an interesting problem occurred for one the workstations when trying to encrypt a secondary drive.

Bitlocker encrypted OS drive

Whenever the administrator deployed the encryption task sequence via ConfigMgr, the hard drive disappeared from the system. There was no sign left at all, no drive letter in explorer, no entry in the management console and no trace in the device explorer. Gone! Looking at the activity LEDs, there was nothing going on. Restarting the system brought the drive back, but it did not continue to encrypt. Restarting the encryption led to the same behaviour. Looking at the drive’s BitLocker status revealed it began it’s work as it showed a 1% encryption. Decrypting it, again, let the drive vanish.

After some resultless research the final solution was to update the SATA Controller’s driver with the most recent one, in this case from the chip manufacturer, not the workstation vendor. After updating it, the encryption worked flawlessly.

The case of the slow smartcard

Christoph Schmidt — Wed, 25 Nov 2009 08:10:17 +0000

Computers tend to get slower over time, the more you use it, the faster this will happen. But is this true for hardware as well? In this case: smartcards? I didn’t believe it until I got my hands on a few cards from employees that complained about very slow read times. Our company enrolled smartcards for Direct Access usage (and I love this Windows Server 2008 R2 feature!).

vSEC:CMS Key Tool

In the logon screen, it took Windows nearly 45 seconds to read the slowest card and ask for the PIN. Wow! There was no evidence against the card reader, nor the other hardware, as a slow card was slow on all test systems.

But what can you do? Format C! And C stands for “card”. The simplest answers are the best! A short “bing” later, I found a tool named vSEC:CMS Key Tool, provided freely by Versatile Security. With it you can set the smartcard’s PIN and AdminPIN, unblock the user’s passcode and manage certificates. In this particular case, I deleted the original cert and reissued it. And guess what: as good (fast) as new!