There are few things more frustrating than paying for high-speed PC components and then leaving performance on the table because software slows your system down. Unfortunately, a default setting in Windows 11 Pro, having its software BitLocker encryption enabled, could rob as much as 45 percent of the speed from your SSD as it forces your processor to encrypt and decrypt everything. According to our tests, random writes and reads — which affect the overall performance of your PC — get hurt the most, but even large sequential transfers are affected.
While many SSDs come with hardware-based encryption, which does all the processing directly on the drive, Windows 11 Pro force-enables the software version of BitLocker during installation, without providing a clear way to opt out. (You can circumvent this with tools like Rufus, if you want, though that's obviously not an official solution as it allows users to bypass the Microsoft's intent.) If you bought a prebuilt PC with Windows 11 Pro, there's a good chance software BitLocker is enabled on it right now. Windows 11 Home doesn't support BitLocker so you won't have encryption enabled there.
To find out just how much software BitLocker impacts performance, we ran a series of tests with three scenarios: unencrypted (no BitLocker), software BitLocker (the Windows 11 Pro default), and with hardware BitLocker (OPAL) enabled. While the software encryption increased latency and decreased transfer rates, hardware encryption and no encryption at all were basically tied. If you have software BitLocker enabled, you may want to change your settings (more on that below).
How to Tell Whether You Have BitLocker Enabled
To see if you have a problem, you need to know if you have software BitLocker enabled in the first place. If you are on Windows 11 Home, it's not enabled in most cases (though it seems some laptops might still turn it on). If you're on Windows 10 Pro, it's probably not enabled (but it doesn't hurt to check).
For that matter, even if you're running Windows 11 Pro, if you're using a PC you assembled yourself, or one from a smaller boutique builder, there's still a good chance BitLocker is turned off. That's because there are specific requirements for Microsoft's policy of auto-enablement of BitLocker to happen, and most non-OEM PCs don't tend to tick every box.
To check your drive's encryption status, launch an elevated command prompt (run CMD as an admin) and then enter the command: manage-bde -status. You'll see a screen like the one below.
So here you need to look at two fields: Conversion Status and Encryption Method. Conversion Status will tell you if you have encryption enabled at all and Encryption Method will tell you if it's hardware or software encryption. If the method says "XTS-AES" like in the shot above, it's software BitLocker. If it says "Hardware Encryption," you have hardware encryption.
If you get a message saying your drive(s) are "Fully Decrypted" and "Protection Off," you're not currently using BitLocker. For home PCs, that's probably fine, though on laptops that could be more easily lost/stolen, you may want to reconsider. There are good reasons for having BitLocker enabled.
Testing Windows 11 BitLocker Performance
We tested with a Samsung 990 Pro 4TB, using the latest release of Windows 11 Pro (22H2, all patched with the latest updates). Our testbed had a Core i9-12900K with 32GB of DDR4 memory, our standard storage test PC.
After installing Windows 11, we also ran a sustained write workload using Iometer to condition the drive, thus assuring repeatable results. The SSD is 4TB, so we ran 1MiB writes for four hours straight to ensure all the flash had been touched. This resulted in about 30TB worth of written data for each of the test scenarios.
In retrospect, while the results we'll show do indicate a potentially significant loss of performance — random IO was hit particularly hard; sequential IO, not so much — part of that is likely due to our high-end desktop PC. The Core i9-12900K is no slouch when it comes to performance, and while it's no longer the fastest chip around, it's fast enough that software-based BitLocker encryption wasn't as massive of a problem as you would see with lesser CPUs that don't have as much processing power. Regardless, the impact is surprising even with our high-end processor, and we suspect laptops, which is what a lot of businesses running Windows 11 Pro will be using, will be hit much harder.
We ran a slightly limited suite of tests than what we use for our SSD reviews, and because the testing required a clean Windows 11 Pro install, results aren't 100% directly comparable to our normal SSD benchmarks. We also can't speak to precisely how BitLocker will impact other SSDs, with or without hardware OPAL encryption support. But let's check the numbers that we do have for the Samsung 990 Pro.
PCMark 10's Storage Benchmark uses trace testing of popular applications and tasks to measure storage performance. It gives a good overview of the impact you can expect and a taste of things to come.
Curiously, the hardware-based encryption (OPAL) performed slightly higher than even unencrypted (no BitLocker) mode. We repeated the tests multiple times, and the results were reasonably consistent. With OPAL hardware encryption, we saw scores of around 620 MB/s (±10 MB/s); no encryption was nearly as fast at 607 MB/s (again, ±10 MB/s).
However, using software-based BitLocker resulted in 490 MB/s (±10 MB/s). That's a potential 21% drop in performance, and while the drive still felt reasonably fast, people don't buy top-of-the-line hardware only to give up 20% of the potential performance. Put another way, the Samsung 990 Pro dropped from class-leading performance in PCMark 10 down to merely adequate — with software BitLocker, it's about as fast as the Netac NV7000.
Next, we have CrystalDiskMark 8, a synthetic storage performance test. While we have results for higher queue depths, note that the QD1 numbers are far more meaningful in the real world, as this is the most common type of file access in typical operating system environments... and that's where software BitLocker impacted performance the most.
Random read IOPS dropped by 20% again compared to the hardware BitLocker and unencrypted results. Latency for reads also jumped from just over 40 us (microseconds) to nearly 51 us, 25% higher. Lower latency delivers snappier performance in day-to-day use, and it's the primary reason the industry at large has moved from slow rotating hard drives to faster SSDs. Given that this extra layer of latency, albeit at varying degrees, will also be added to slower types of SSDs, like QLC or low-tier drives, this could have a much bigger real-world impact in some systems.
Curiously, write IOPS at QD1 again were slightly higher with OPAL than without — perhaps some caching or command batching is happening in the Samsung controller. But the critical aspect is that software BitLocker dropped random write performance by 45% compared to hardware BitLocker.
That's massive. QD1 random writes were basically half as fast with BitLocker enabled. There are plenty of things you might do that don't hit storage that hard, but again, you don't want to give up a huge portion of your potential SSD performance if you don't have to.
The other results aren't necessarily as bad, and in one case at least (QD256 random 4K writes), software BitLocker consistently generated superior results. Windows 11 disk caching might be a factor there, but QD256 is basically fantasy land for storage workloads (remember, low queue depths are the most common), so we don't put too much weight on it. Plus, random reads are more important than random writes, and the loss in read performance was still 30%.
Sequential read and write speeds were a lot closer, and QD1 reads were actually the fastest with software BitLocker. QD1 writes meanwhile had software BitLocker trailing by 20% again. In general, CrystalDiskMark confirms the PCMark 10 results that show some significant performance degradation.
Turning to a real-world workload where we copy or read 50GB of data using DiskBench, read and copy performance for the unencrypted drive was best, followed by the hardware encryption. In this case, we do need to note more variability between runs than we'd like, so we report the median of five runs. The read speeds were more consistent, but copy speeds still showed a wider spread.
Part of that is due to the nature of DiskBench's testing options. You can do write tests of entire folders, and copy tests using entire folders, but the read test will only use a single file. Our copy test consists of 50GiB of data (53,738,970,410 bytes, occupying 53,798,830,080 bytes of disk space), with 31,241 files and 3,607 folders. About half of the data represents large files (100MiB or larger), while the other half consists mostly of thousands of smaller images. Of the two tests, we'd put far more emphasis on the copy results.
Overall, the software BitLocker showed an 11% drop in performance for file copies compared to hardware BitLocker encryption. Read speeds (for a single large 50GB file) were only 3% slower, though we'd expect significantly larger margins if we were reading lots of small files.
Wrapping up our performance results, we have ATTO read and write speeds at varying block sizes. While peak throughput with larger block sizes isn't affected too much, smaller sizes show the software BitLocker consistently behind the hardware BitLocker and unencrypted lines. There's a curious "bump" with the 990 Pro that we've noted before on the read speeds, but write performance shows a smoother line with the software BitLocker trailing up until the 256KiB block size.
Software BitLocker Can Seriously Hurt SSD Performance
If you're not a heavy storage user, perhaps a lot of the above seems like it's not a big deal. The problem is Microsoft has forced degraded performance on a lot of Windows 11 Pro users, and the added latency will have an impact on system responsiveness. If you're using Windows 11 Pro on a company-issued laptop, there's a good chance it's underperforming thanks to that decision.
For PC enthusiasts who want maximum performance, it's potentially even worse. Not all SSDs have hardware encryption support, but even if you have it, unless you jump through extra hoops to get it turned on before installing Windows 11, you're going to end up with degraded storage performance. We strongly suspect anyone going out to purchase a drive like the Samsung 990 Pro — or even the previous generation Samsung 980 Pro — didn't buy the drive with the intent to give up 20% or more of the maximum performance. But that's exactly what has happened, if your PC ticks the right boxes to get BitLocker turned on, or if you want to turn it on manually for security reasons.
Microsoft's decision to enable software-based BitLocker as a default option even if hardware-based encryption is available is a bit complicated. The short summary is that there have been issues in the past (starting in 2019) where it was possible to recover the encryption keys on some hardware-encrypted storage solutions. While those flaws were fixed, it's possible future flaws will be discovered. The crux of the issue appears to be that Microsoft is not fully in control of the code and implementation of hardware encryption solutions for BitLocker. With software BitLocker, Microsoft is in charge of the keys and security, and it apparently prefers to keep things that way.
But when did Microsoft start enabling BitLocker by default? That's a bit trickier. It actually started back in 2016, with Windows 8.1 Pro and Windows Server 2012 R2. The catch is that it was only enabled if the system supported TPM, Secure Boot, and Modern Standby/HSTI — and these all had to be enabled, which wasn't usually the case until Windows 11 enforced the TPM requirement. Also, if you do a local account rather than a Microsoft account (which also means if you set up a PC without an active network connection), BitLocker is left off. So having BitLocker software encryption automatically enabled really only became a regular occurrence with Windows 11 in the last couple of years.
Even now, in our testing, there are many motherboards (all enthusiast class) that won't automatically turn on BitLocker. But Microsoft's stance is clear on this: It thinks BitLocker should be on by default for Windows Pro users. Don't be surprised if future updates start enabling the feature on more PCs.
Do You Need SSD Encryption?
Having your storage drive encrypted provides great protection against theft so it's particularly helpful for laptops. If a thief gets ahold of your computer and can't otherwise boot into Windows, they can still remove your SSD, connect it to another computer and attempt to read the data on it.
If the drive is encrypted and the thief doesn't have the encryption key, they can't read the drive. If it's not encrypted, then they can use any SSD enclosure to turn it into an external storage drive and gain full access to your files. If you are working with a desktop PC in your home and you feel really confident that nobody's going to have unauthorized physical access to the computer, you might want to do without encryption.
Disabling BitLocker Encryption
If you don't feel like you need encryption, the easiest thing to do is just to turn BitLocker off. Switching to hardware encryption, which we detail below, requires a complete reinstallation of Windows and all of your applications, a huge hassle.
To turn off BitLocker, all you need to do is launch an elevated command prompt (launch CMD as administrator) and enter manage-bde -off C: — replace the C: with a different drive letter if your encrypted drive is not C. (You can also do this, for individual drives, via the BitLocker control panel: Control Panel -> System and Security -> BitLocker Drive Encryption — or type "manage BitLocker" in the Start Menu search box.)
Switching to Hardware BitLocker Encryption
The real bad news is that if you already have a Windows 11 Pro install running, with or without software BitLocker enabled, you're out of luck. If you have an SSD that supports hardware encryption and you want to use it, you'll need to start fresh with a new OS install — no imaging or other shenanigans will fix what Microsoft broke!
First, you'll need to boot Windows 2 Go (or install the SDD as a secondary drive in a PC — it can't be the OS drive), install Samsung Magician (or a similar utility for other SSDs), and enable encryption on the drive. Then secure erase the drive, generate a new Block ID, create a Windows 11 installation device without BitLocker being enabled (using Rufus USB), and then install Windows 11 Pro. Once installed, open the Group Policy Editor and turn on hardware encryption support for BitLocker.
Reboot, and now if you enable BitLocker, everything should work out, and you'll have hardware encryption from your SSD. The easiest way to check is to open an elevated command prompt (type CMD in the Start Menu, right-click, and select Run as administrator) and then type: manage-bde -status
If everything goes properly, you'll get a screenshot like the one below indicating that hardware encryption is enabled. If it says anything else, like XTS-AES 128... well, you're still in software BitLocker mode. Time to try again with a fresh install.
Here are the full instructions to get hardware BitLocker working that we used, which work for Samsung 980 Pro and 990 Pro (and possibly other Samsung) SSDs. We also used the referenced PDF at the bottom of that page for some additional details. Getting hardware encryption working on non-Samsung drives should follow a similar process, just with a few changes specific to the drive manufacturer's software.
Bottom Line
We reached out to several OEMs, and Dell, HP, and Lenovo told us they ship systems with Windows 11 Pro with software-based encryption unless a user orders an SSD that has hardware-based encryption available. It's not clear if they always enable hardware encryption on every SSD that supports the feature, but if you don't pay extra for such a drive, you'll likely end up with reduced storage performance. We haven't received a response from several other OEMs yet, but we suspect most have similar policies in place.
For those who install their own Windows 11 Pro operating system from scratch on any system, the performance-sapping software-based encryption is the default policy, but many motherboards still don't appear to conform to Microsoft's requirements. Local accounts, lack of network during installation, improperly configured Secure Boot, or other BIOS options or hardware, can all result in BitLocker being off, at least in our own testing. Even if you don't have BitLocker enabled, if you later want to turn it on, you'll be force to use software encryption unless you took steps prior to the installation of Windows 11 Pro.
The simple solution to regain storage performance for anyone currently using software BitLocker is to turn it off. Depending on how full your drive is, it can take a while to unencrypt everything, and of course, that means your files are no longer protected from prying eyes.
If you have a drive with hardware BitLocker support, and you want to use that, you'll need to first copy off all the files you want to keep to a backup drive, then go through the necessary steps to enable hardware BitLocker support on a new Windows 11 installation before copying all your files back — and reinstalling any games or other applications. It's tedious for sure, but if you don't want reduced storage performance caused by the use of software encryption, that's the only real option. Whether an SSD with hardware encryption is actually as secure as BitLocker software encryption is a different matter, and only time will say for sure which drives may have issues.
