Microsoft Unveils Hardware-Accelerated BitLocker to Enhance Performance and Security


Microsoft has announced hardware-accelerated BitLocker, a significant security enhancement designed to eliminate performance bottlenecks caused by encryption on modern high-speed NVMe drives.

The new technology addresses growing concerns about CPU overhead as storage devices become faster, particularly for users running intensive workloads such as gaming and video editing.

Performance Challenge with Modern NVMe Drives

As NVMe storage technology advances, these drives deliver high-speed data transfer rates that push system performance to new levels.

However, BitLocker’s traditional software-based encryption requires substantial CPU power to encrypt and decrypt data in real time.

This creates a performance bottleneck on high-speed NVMe drives, where encryption operations consume significant CPU cycles. It can cause noticeable delays during demanding tasks such as extensive video processing, code compilation, or gaming.

| Feature | How It Works |
| --- | --- |
| Crypto Offloading | Shifts encryption tasks from the main CPU to a dedicated cryptographic engine on the System on Chip (SoC). |
| Hardware-Protected Keys | Encryption keys are "wrapped" and protected directly by the hardware (SoC) rather than sitting exposed in system memory. |
| Default XTS-AES-256 | Automatically selects the robust XTS-AES-256 algorithm on supported hardware (NVMe drive + capable SoC). |
| Admin Verification | The manage-bde -status command line tool has been updated to detect and report this specific mode. |

[Figure: Comparison of software BitLocker vs. hardware-accelerated BitLocker architecture, showing improved performance through a dedicated crypto engine.]

The new hardware-accelerated BitLocker shifts encryption workload from the main CPU to dedicated crypto engines built into modern system-on-chip (SoC) processors.

This approach delivers two critical improvements. First, crypto offloading moves bulk encryption operations to specialized hardware, freeing CPU resources for other tasks and improving battery life.

Second, hardware-protected keys wrap BitLocker encryption keys at the hardware level, reducing their exposure to CPU and memory vulnerabilities; this works alongside the existing Trusted Platform Module (TPM) protection rather than replacing it.

Hardware-accelerated BitLocker is enabled with the September 2025 update to Windows 11 24H2 and Windows 11 25H2.

The feature automatically activates on supported devices with NVMe drives and compatible SoCs, using the XTS-AES-256 encryption algorithm by default.

[Figure: A command-prompt interface shows hardware-accelerated BitLocker as the encryption method.]

Intel vPro devices with Core Ultra Series 3 processors provide initial support, with additional vendor platforms planned.

Testing shows storage performance with hardware-accelerated BitLocker approaches NVMe speeds without encryption.

The technology delivers approximately a 70% reduction in CPU cycles compared to software BitLocker. This results in better battery life alongside improved storage metrics for sequential and random read-write operations.

Microsoft plans to automatically upgrade key sizes in an early spring update to maximize compatibility.

Users can verify hardware-accelerated BitLocker by running "manage-bde -status" in an administrator command prompt. The encryption method section displays "Hardware accelerated" when the SoC's crypto capabilities are active.

Enterprise administrators should note that specific policy configurations specifying unsupported algorithms or key sizes may prevent hardware acceleration.
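The two paragraphs above describe the check (manage-bde -status showing "Hardware accelerated") and the policy caveat (an unsupported algorithm or key size in policy keeps a volume on software encryption). The script below is an added example written for this page, not Microsoft's code or tooling: it parses the tool's per-volume output into objects so an administrator can see at a glance which volumes are hardware accelerated and which are not. It assumes the output keeps its usual "Volume X: [label]" block headers and an "Encryption Method:" line, and that the hardware mode is indicated by the words "Hardware accelerated" in that line; the exact wording of that line and the sample output are constructed assumptions, since the article only quotes the phrase.

```powershell
# Added example (not Microsoft's code): parse "manage-bde -status" output and report
# which BitLocker volumes are running in the hardware-accelerated mode.
# Assumption: one block per volume starting "Volume X: [label]", with an
# "Encryption Method:" line that contains "Hardware accelerated" when the SoC
# crypto engine is in use. Only the phrase itself comes from the article.

function Get-BitLockerMethodReport {
    param(
        [Parameter(Mandatory)]
        [string[]]$StatusLines   # lines of manage-bde -status output
    )

    $report  = @()
    $current = $null

    foreach ($line in $StatusLines) {
        if ($line -match '^Volume\s+(\S+)') {
            # New volume block: flush the previous one and start a fresh record.
            if ($current) { $report += $current }
            $current = [pscustomobject]@{
                Volume              = $Matches[1]
                EncryptionMethod    = 'Unknown'
                HardwareAccelerated = $false
            }
        }
        elseif ($current -and $line -match '^\s*Encryption Method:\s*(.+?)\s*$') {
            $method = $Matches[1]
            $current.EncryptionMethod    = $method
            # -match is case-insensitive by default in PowerShell.
            $current.HardwareAccelerated = [bool]($method -match 'Hardware accelerated')
        }
    }
    if ($current) { $report += $current }
    return $report
}

# Constructed sample output (layout assumed) so the parser can be exercised offline.
# Volume C: is shown in the new mode; Volume D: is on a software method, which is
# the case the policy caveat warns about (unsupported algorithm or key size).
$sample = @'
Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Encryption Method:    Hardware accelerated XTS-AES 256
    Protection Status:    Protection On

Volume D: [Data]
[Data Volume]

    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
'@ -split "`r?`n"

Get-BitLockerMethodReport -StatusLines $sample | Format-Table -AutoSize

# Live use on the machine itself (elevated prompt required):
#   Get-BitLockerMethodReport -StatusLines (manage-bde -status) | Format-Table -AutoSize
```

On the constructed sample this lists C: with HardwareAccelerated = True and D: with HardwareAccelerated = False. In a fleet, the False rows on hardware the article says is supported (NVMe drive plus a capable SoC) are the ones worth comparing against the BitLocker policy's configured algorithm and key size, since that is the condition the article names as blocking acceleration.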
