You just installed a new self-encrypting SSD in your Windows 11 PC and enabled BitLocker. You want to confirm that BitLocker is using the drive’s built-in hardware encryption instead of slower software-based encryption. Hardware encryption offloads the encryption workload to the drive controller, which reduces CPU usage and improves system performance. This article explains how to check whether BitLocker is using hardware encryption on your new SSD and what to do if it falls back to software encryption.
Key Takeaways: Verifying BitLocker Hardware Encryption on a New SSD
- manage-bde -status C: Run this command in an elevated Command Prompt to view the encryption method and hardware encryption status for drive C
- Settings > Privacy & security > Device encryption > BitLocker drive encryption: Navigate to this panel to see the overall protection status but not the encryption type
- Windows PowerShell Get-BitLockerVolume: Use this cmdlet to retrieve detailed encryption method and hardware encryption flag for each volume
What Is BitLocker Hardware Encryption and Why It Matters
BitLocker can use two encryption methods: software encryption and hardware encryption. Software encryption uses the CPU to encrypt and decrypt data, which consumes processing power and can slow down read and write operations. Hardware encryption uses a dedicated encryption engine built into the SSD controller. This engine handles all encryption tasks without involving the CPU, resulting in near-zero performance impact.
For hardware encryption to work, several conditions must be met. The SSD must be a self-encrypting drive that supports the IEEE 1667 standard. The drive must have an eDrive-compatible storage controller. BitLocker must detect that the drive supports hardware encryption at the time encryption is enabled. If any condition fails, BitLocker falls back to software encryption automatically.
Windows 11 does not display the encryption type in the graphical user interface. You must use command-line tools to verify the encryption method. The two primary tools are manage-bde.exe and the Get-BitLockerVolume PowerShell cmdlet.
How BitLocker Detects Hardware Encryption
When you enable BitLocker on a drive, Windows checks the drive’s ATA or NVMe Identify Device data. If the drive reports support for hardware encryption through the TCG Opal or IEEE 1667 protocol, BitLocker attempts to use it. The encryption key is generated by the drive’s internal controller and stored in a protected area. BitLocker then seals that key with the system’s Trusted Platform Module.
Steps to Verify BitLocker Hardware Encryption Status Using manage-bde
The manage-bde command-line tool provides a quick way to check encryption status. You must run it from an elevated Command Prompt or PowerShell session.
- Open Command Prompt as administrator
  Press the Windows key, type cmd, right-click Command Prompt in the search results, and select Run as administrator. Click Yes in the User Account Control prompt.
- Run the manage-bde status command
  Type the following command and press Enter: manage-bde -status C:
  Replace C: with the drive letter of your new SSD if it is different.
- Interpret the output for hardware encryption
  Look for the line that says Encryption Method. If the value is Hardware Encryption, BitLocker is using the drive’s built-in encryption engine. If the value is XTS-AES 128-bit or XTS-AES 256-bit without the words “Hardware Encryption,” then software encryption is being used.
The output also shows the Conversion Status (for example, “Fully Encrypted”) and Protection Status (for example, “Protection On”). These do not indicate whether hardware encryption is active.
Steps to Verify BitLocker Hardware Encryption Status Using PowerShell
The Get-BitLockerVolume cmdlet provides more detailed information than manage-bde. It shows the encryption method and a dedicated hardware encryption flag.
- Open Windows PowerShell as administrator
  Press the Windows key, type PowerShell, right-click Windows PowerShell in the results, and select Run as administrator. Click Yes in the User Account Control prompt.
- Run the Get-BitLockerVolume command
  Type the following command and press Enter: Get-BitLockerVolume -MountPoint "C:" | Format-List
  This command retrieves all properties for the drive and displays them in a list format.
- Check the EncryptionMethod and HardwareEncryption fields
  In the output, locate the EncryptionMethod field. If it shows HardwareEncryption, hardware encryption is active. Also look for the HardwareEncryption field. If it shows True, the drive is using hardware encryption. If it shows False, software encryption is being used.
You can also run the command without the | Format-List pipe to see a table view. The table view shows the key properties but may truncate the EncryptionMethod value.
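To run the manage-bde check across every volume at once, the following PowerShell function parses the text of manage-bde -status and labels each volume as hardware- or software-encrypted. It is an added example, not part of the original article; the function name ConvertFrom-ManageBdeStatus and the sample output are constructed for illustration, and the parser assumes English-language output.

```powershell
# Added example: classify volumes from `manage-bde -status` text.
# Assumes English labels; localized Windows builds print different field names.
function ConvertFrom-ManageBdeStatus {
    param([string[]]$Lines)   # not Mandatory: the output contains blank lines
    $vol = $null
    foreach ($line in $Lines) {
        if ($line -match '^Volume\s+(\S+)') {
            if ($vol) { [pscustomobject]$vol }   # emit the previous volume
            $vol = [ordered]@{ Volume = $Matches[1]; Type = 'Unknown'; Method = $null
                               Conversion = $null; Protection = $null }
        }
        elseif ($vol -and $line -match '^\s+Encryption Method:\s+(.+?)\s*$') {
            $method = $Matches[1]
            $vol.Method = $method
            # Prefix match, so any text after "Hardware Encryption" is tolerated.
            $vol.Type = switch -Regex ($method) {
                '^Hardware\s?Encryption' { 'Hardware' }
                '^None'                  { 'NotEncrypted' }
                default                  { 'Software' }   # e.g. XTS-AES 128
            }
        }
        elseif ($vol -and $line -match '^\s+Conversion Status:\s+(.+?)\s*$') { $vol.Conversion = $Matches[1] }
        elseif ($vol -and $line -match '^\s+Protection Status:\s+(.+?)\s*$') { $vol.Protection = $Matches[1] }
    }
    if ($vol) { [pscustomobject]$vol }           # emit the last volume
}

# Constructed sample output for two volumes (not captured from a real system).
$sample = @'
Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On

Volume D: [Data]
[Data Volume]

    Conversion Status:    Fully Encrypted
    Encryption Method:    Hardware Encryption
    Protection Status:    Protection On
'@ -split '\r?\n'

ConvertFrom-ManageBdeStatus -Lines $sample | Format-Table Volume, Type, Method, Conversion, Protection

# Live use from an elevated session:
#   ConvertFrom-ManageBdeStatus -Lines (manage-bde -status)
# Cross-check: Get-BitLockerVolume | Select-Object MountPoint, EncryptionMethod, VolumeStatus
```

On the sample, C: is reported as Software and D: as Hardware; a volume whose Type is Software with Conversion "Fully Encrypted" is the fallback case covered in the next section.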
If BitLocker Uses Software Encryption Instead of Hardware Encryption
If the verification shows software encryption, the SSD may not support hardware encryption, or BitLocker may not have detected the capability. Check the following possible causes.
SSD Does Not Support Hardware Encryption
Not all SSDs include a hardware encryption engine. Consumer-grade drives often omit this feature. Check the manufacturer’s specifications for the terms “self-encrypting drive,” “TCG Opal 2.0,” or “IEEE 1667.” If the drive lacks these features, BitLocker must use software encryption.
BitLocker Was Enabled Before the Drive Was Recognized as eDrive
BitLocker detects hardware encryption only at the moment encryption is enabled. If you enabled BitLocker before the drive’s eDrive capabilities were fully recognized, BitLocker defaults to software encryption. The only way to switch to hardware encryption is to disable BitLocker, restart the system, and enable BitLocker again.
Drive Firmware or Driver Issues
Outdated SSD firmware or a generic storage driver can prevent BitLocker from detecting hardware encryption. Update the SSD firmware using the manufacturer’s utility. Ensure the storage driver is the latest version from the manufacturer, not the generic Microsoft driver.
BitLocker Encryption Methods: Software vs Hardware
| Item | Software Encryption | Hardware Encryption |
|---|---|---|
| CPU usage | High during read and write operations | Near zero |
| Performance impact | Noticeable on slower CPUs | No measurable impact |
| Encryption engine location | CPU | SSD controller |
| Supported drive types | Any drive | Self-encrypting drives only |
| Detection method | manage-bde shows XTS-AES 128 or 256 | manage-bde shows Hardware Encryption |
If the Drive Shows Software Encryption After Re-enabling BitLocker
If you disable and re-enable BitLocker and the drive still shows software encryption, the SSD may not support hardware encryption despite the manufacturer’s claims. Some drives advertise eDrive support but fail the Windows certification checks. In this case, software encryption is the only option. The performance difference is negligible on modern processors with AES-NI instructions.
You can also verify the drive’s hardware encryption support using the fsutil command. Open an elevated Command Prompt and run fsutil fsinfo drives to list drives, then run fsutil fsinfo ntfsinfo C: and look for the Hardware Encryption Support field. If it shows 0, the drive does not support hardware encryption.
Now you can confidently verify whether your new SSD uses hardware encryption with BitLocker. Use the manage-bde or PowerShell commands to check the encryption method. If you find software encryption, check the drive’s specifications and firmware. Re-enabling BitLocker after ensuring the drive is properly recognized may activate hardware encryption. As an advanced tip, use Get-BitLockerVolume with the -Verbose parameter to see detailed detection logs during encryption.