Encrypted Future: Microsoft Revamps BitLocker for Speed

As Microsoft moves to enhance BitLocker encryption in Windows, the company has announced hardware acceleration that promises to make the system significantly faster. These improvements depend on future hardware, so existing PCs won’t benefit immediately. Starting with the September 2025 update of Windows 11 24H2 and continuing with the release of Windows 11 25H2, BitLocker will use enhancements in future SoCs and CPUs to improve performance and security for both current and future NVMe drives.

Hardware-accelerated BitLocker encryption requires a dedicated cryptographic engine and will be supported by processors debuting in 2026. This engine will handle AES-XTS-256 encryption processing, offloading that work from the CPU’s main cores. Initially, the new feature will target Intel’s vPro platforms with upcoming Core Ultra Series 300 processors. However, Microsoft aims to expand support to additional manufacturers.

Key advancements include:

  • Cryptographic Offloading – BitLocker transfers core cryptographic operations from the main CPU to a dedicated cryptographic engine. This shift frees CPU resources for other tasks, enhancing both performance and battery life.
  • Hardware-Protected Keys – BitLocker’s bulk encryption keys are hardware-protected, provided the SoC supports it. This boosts security by reducing exposure to CPU and memory attacks. It augments the already supported Trusted Platform Module (TPM), which safeguards intermediate BitLocker keys, thereby avoiding the use of BitLocker keys in the CPU and memory entirely.

Performance data indicate that sequential read and write speeds are similar between software and hardware approaches. However, with random operations involving 4K block sizes, hardware acceleration shows significant improvement. In RND4K Q32T1 read-and-write tests, BitLocker hardware acceleration performs 2.3 times faster. For single-queue random read operations, hardware encryption is approximately 40% quicker, and for single-queue random write operations, about 2.1 times faster.

It’s noteworthy that last year, Microsoft enabled default BitLocker encryption for all Windows 11 versions, which adversely affected SSD performance. Remember, just yesterday we explained how to manually activate native NVMe support in Windows 11.

Casey Reed
