The sources are their own tests described further down in the article. It mostly describes slowdowns of between 0–20%, but does say:
> But the critical aspect is that software BitLocker dropped random write performance by 45% compared to hardware BitLocker.
I don't think consumers are engaging in a lot of sustained random writes. On the other hand, it might be a reason to avoid software encryption on a database server with a lot of writes.
They show graphs of their tests with PCMark 10 Storage and Crystal Disk Mark. Using Crystal Disk Mark to test random 4K writes, they are massively slower when using software BitLocker.
Better maybe, but you'll never sleep well if you leave your laptop in your car. In fact, none of us can park in peace because people leave laptops in vehicles.
Only if you shut down. Otherwise the TPM is still in memory and everything is unlocked.
Going off how many people compliance have to chase to restart for updates, a lot of people think sleep is fine.
Your average thief has no idea how to get into a system which is asleep but screen-locked. FDE means your machine gets wiped and resold, or sold for parts... but your data on the system remains private.
That's not how you assess performance at all. Maybe you can saturate the NVMe link with AES in ideal circumstances, but you may be killing memory mapping and churning I$.
To say anything interesting about performance on these modern machines, you would have to benchmark some real workload.
Speaking of which, software that doesn’t use the AES-NI instructions is becoming glaringly obvious because the performance difference is so huge.
In the era of mechanical drives and 2 Mbps “broadband” nobody would notice. Now with SSDs and gigabit home internet, people do notice but vendors are still pretending they can just ignore the need to offload encryption.
VPN products, and IPsec especially, are almost always a disaster in my experience.
When evaluating any kind of network security product like a virtual WAN appliance, tunnel, or whatever, check the throughput. If it can get tens of gigabits for a single stream then it is using some sort of offload. If it seems to hit the wall at around 1.5 Gbps per core, do not buy.
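Added example, not from the thread: a small script for the two checks the last few comments point at, namely whether the CPU advertises AES-NI at all and how much of the "1.5 Gbps per core" wall is simply software AES. It uses OpenSSL's documented OPENSSL_ia32cap override to run `openssl speed` once with the instructions enabled and once with them masked off; `openssl speed` is single-threaded, so the result is a per-core figure. The sample `openssl speed` output embedded below is constructed for the parser, and the mask value is the one OpenSSL documents for clearing the AES-NI capability bit.

```python
"""Measure what AES-NI buys on this machine: CPU flag check plus OpenSSL throughput
with and without the instructions. Linux/x86 with OpenSSL assumed for the live run."""
import os
import shutil
import subprocess

# OPENSSL_ia32cap mask that clears the AES-NI capability bit (CPUID.1:ECX bit 25,
# kept in the upper half of OpenSSL's 64-bit capability word). Documented in OpenSSL's
# OPENSSL_ia32cap(3) manual page.
DISABLE_AESNI_MASK = "~0x200000000000000"

# Constructed sample of the summary `openssl speed -evp` prints; numbers are in
# thousands of bytes per second, last column is the 16 KiB block size.
SAMPLE_SPEED_OUTPUT = """\
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
AES-256-GCM     512345.67k  1234567.89k  2345678.90k  3456789.01k  4456789.01k  4567890.12k
"""


def has_aes_ni(cpuinfo_text: str) -> bool:
    """True if a /proc/cpuinfo 'flags' (x86) or 'Features' (ARM) line lists 'aes'."""
    for line in cpuinfo_text.splitlines():
        key, _, flags = line.partition(":")
        if key.strip().lower() in ("flags", "features") and "aes" in flags.split():
            return True
    return False


def parse_openssl_speed(output: str, cipher: str) -> float:
    """Return MB/s (decimal) on the largest block size for `cipher` from `openssl speed` output.

    OpenSSL 1.1.1 prints the row name lowercase, 3.x uppercase, so match case-insensitively.
    """
    for line in output.splitlines():
        parts = line.split()
        if parts and parts[0].lower() == cipher.lower() and parts[-1].endswith("k"):
            return float(parts[-1][:-1]) / 1000.0
    raise ValueError(f"no result line for {cipher}")


def to_gbps(mb_per_s: float) -> float:
    """Convert decimal MB/s to Gbit/s, the unit vendors quote for tunnel throughput."""
    return mb_per_s * 8 / 1000.0


def run_speed(cipher: str = "aes-256-gcm", disable_aesni: bool = False, seconds: int = 2) -> float:
    """Run `openssl speed -evp <cipher>` and return MB/s on 16 KiB blocks; -1.0 if openssl is absent."""
    if shutil.which("openssl") is None:
        return -1.0
    env = dict(os.environ)
    if disable_aesni:
        env["OPENSSL_ia32cap"] = DISABLE_AESNI_MASK
    proc = subprocess.run(
        ["openssl", "speed", "-seconds", str(seconds), "-evp", cipher],
        capture_output=True, text=True, env=env, check=True,
    )
    return parse_openssl_speed(proc.stdout, cipher)


if __name__ == "__main__":
    try:
        with open("/proc/cpuinfo", encoding="utf-8") as fh:
            print("AES-NI advertised by CPU:", has_aes_ni(fh.read()))
    except FileNotFoundError:
        print("no /proc/cpuinfo on this platform; skipping flag check")
    fast = run_speed()
    slow = run_speed(disable_aesni=True)
    if fast > 0 and slow > 0:
        print(f"AES-256-GCM, AES-NI on : {fast:9.1f} MB/s ({to_gbps(fast):5.1f} Gbit/s per core)")
        print(f"AES-256-GCM, AES-NI off: {slow:9.1f} MB/s ({to_gbps(slow):5.1f} Gbit/s per core)")
        print(f"software-AES penalty   : {fast / slow:.1f}x")
    else:
        print("openssl not found; parser demo only:",
              f"{parse_openssl_speed(SAMPLE_SPEED_OUTPUT, 'aes-256-gcm'):.1f} MB/s")
```

If the "AES-NI off" number lands near the product's advertised per-stream ceiling while the "on" number is many times higher, the product is not using the hardware path. The override only affects OpenSSL on x86; macOS ships LibreSSL, where it is ignored, so run the live comparison on Linux.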
How much does this affect other processes happening at the same time? If I'm playing an open world game that streams the environment off the ssd, how much is this going to contend with my cpu issuing draw calls, doing physics calculations, etc.
I run FDE on all my machines, encryption and sector sizes are aligned, I can still do 3000 MB/s I/O no problem. Doesn't affect anything I'm running, even databases like Postgres.
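The "encryption and sector sizes are aligned" part is the piece most people get wrong, so here is an added example (not the commenter's setup) that checks a dm-crypt/LUKS-style layout against the drive's physical sector size and shows why misalignment costs: a 4 KiB write that does not start on a physical sector boundary straddles two physical sectors and forces a read-modify-write. The partition offsets, header size and sector sizes below are constructed; the LUKS2 16 MiB default payload offset is the only value taken from the real format.

```python
"""Alignment check for an encrypted volume (added example; numbers are constructed)."""
from dataclasses import dataclass


@dataclass
class VolumeLayout:
    partition_start_lba: int      # first logical block of the partition
    logical_block_bytes: int      # 512 on nearly every drive, even 4Kn-emulating ones
    crypt_data_offset_bytes: int  # payload offset after the LUKS header (LUKS2 default: 16 MiB)
    crypt_sector_bytes: int       # dm-crypt encryption sector size, 512 or 4096
    physical_sector_bytes: int    # what the drive really writes, 512 or 4096

    def payload_offset_bytes(self) -> int:
        """Absolute byte offset of the first encrypted payload sector on the drive."""
        return self.partition_start_lba * self.logical_block_bytes + self.crypt_data_offset_bytes


def physical_sectors_touched(offset: int, length: int, phys: int) -> int:
    """How many physical sectors an I/O of `length` bytes at `offset` spans."""
    first = offset // phys
    last = (offset + length - 1) // phys
    return last - first + 1


def check_alignment(layout: VolumeLayout) -> list:
    """Return a list of problems; empty means every payload sector maps onto whole physical sectors."""
    problems = []
    off = layout.payload_offset_bytes()
    if off % layout.physical_sector_bytes:
        problems.append(
            f"payload starts at byte {off}, not a multiple of the {layout.physical_sector_bytes}-byte "
            f"physical sector: a {layout.physical_sector_bytes}-byte write touches "
            f"{physical_sectors_touched(off, layout.physical_sector_bytes, layout.physical_sector_bytes)} "
            "physical sectors (read-modify-write)"
        )
    if layout.crypt_sector_bytes < layout.physical_sector_bytes:
        ratio = layout.physical_sector_bytes // layout.crypt_sector_bytes
        problems.append(
            f"encryption sector ({layout.crypt_sector_bytes}) smaller than physical sector "
            f"({layout.physical_sector_bytes}): every physical write is {ratio} separate cipher-sector ops"
        )
    return problems


# Constructed layouts: a legacy MBR partition starting at LBA 63, and a modern one at LBA 2048.
MIB = 1024 * 1024
LEGACY = VolumeLayout(63, 512, 16 * MIB, 512, 4096)
MODERN = VolumeLayout(2048, 512, 16 * MIB, 4096, 4096)

if __name__ == "__main__":
    for name, layout in (("legacy", LEGACY), ("modern", MODERN)):
        print(f"{name}: payload at {layout.payload_offset_bytes()} bytes")
        for p in check_alignment(layout) or ["aligned"]:
            print("  -", p)
```

On Linux the real inputs come from `lsblk -o NAME,PHY-SEC,LOG-SEC`, the partition start from `fdisk -l`, and the LUKS payload offset and sector size from `cryptsetup luksDump`; feed those into `VolumeLayout` and an empty problem list is what you want before trusting a throughput number.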
But this is just Windows 11 Pro, though, not Enterprise. I guarantee you gamers (who are probably a big contingent of people who buy Pro but not Enterprise) are going to be turning this off so fast.
FDE's purpose isn't just to prevent you from pulling a disk out and imaging it to get all the data. It also makes it far quicker to do disk wipes. If someone yanks your laptop you can have the IT guy wipe it in a minute or two. Without FDE, whatever bossware is enforcing the device management would have to actually overwrite every sector of the disk, which can take hours and would be extremely noticeable to anyone extracting data off the machine.
Why would it need to wipe every sector of the disk? As ilyt stated, there's no need to encrypt game files. There's also no need to wipe them. Just the directories where important data resides.
FDE means you don't leak data to unencrypted parts of the file system. Temporary files and browser cache are areas sensitive information can be inadvertently left behind. With FDE you can check off the box "encrypted at rest" without having to qualify it with asking if the data is in the right folder or vault, if temp files are overwritten, etc.
Right. But technically "every sector of the disk" isn't necessarily what bossware needs to wipe if an unencrypted laptop is taken. Only elements which allow access to crown jewels, relevant credentials, etc.
I'm an advocate for FDE across the board (literally all of my devices are on Windows 11 Pro, primarily so I at least have access to Bitlocker across the board), but it's disingenuous to claim that the only alternative to FDE when a device is taken would be to initiate a sector-by-sector wipe. He was responding to ilyt's comment about how only certain data is worth encrypting on pretty much every personal device (and we are talking about Win 11 Pro, not Enterprise).