A diagram comparing software BitLocker with hardware-accelerated BitLocker | Image: Microsoft
Many users are now aware that Windows 11 PCs enable device encryption by default: when a system has a TPM 2.0 and meets Microsoft's other requirements, encryption is turned on automatically during setup. This "device encryption" is essentially a subset of BitLocker. It improves security, but encryption has traditionally implied a performance penalty.
For years BitLocker has relied on software cryptography: the CPU runs XTS-AES over every block written to or read from the volume. (Many SSDs contain their own self-encrypting hardware, but Windows has defaulted to software encryption even on those drives since 2019, after researchers found flaws in several vendors' implementations.) In practice the CPU bears the full burden of encryption and decryption, consuming processing cycles and, in some cases, significantly degrading storage performance. This is precisely why some gamers disable encryption manually; doing so can yield measurable gains in certain games.
According to a Microsoft blog post, the company formally unveiled hardware-accelerated BitLocker at its Ignite conference. The new approach offloads the heavy cryptographic work from the CPU to dedicated hardware engines within the storage controller, freeing CPU resources and, Microsoft says, delivering substantial performance improvements. Under the traditional model, BitLocker's encryption and decryption run almost entirely as software on the CPU. Even as processors grow more powerful, large-scale real-time encryption still consumes significant clock cycles and often reduces random read and write performance, an effect that is especially pronounced on fast NVMe drives, where the CPU rather than the disk becomes the bottleneck.
The core of Microsoft's solution is cryptographic offload: encryption and decryption are delegated to specialised hardware in the storage path, much as graphics rendering is handed off to a GPU. Because cryptographic operations no longer tax the CPU, Microsoft claims the performance impact is close to negligible, and users should see near-native SSD read and write speeds during video rendering, large code compilations, or the loading of very large games.
Security is strengthened as well. The new design incorporates hardware-based key protection: the volume's data encryption key is held in an isolated, hardware-secured environment rather than in system RAM. That matters because, with software BitLocker, the key must sit in kernel memory for as long as the volume is mounted, which is exactly what cold-boot and DMA attacks against RAM go after; keeping it inside the engine removes that target and improves resistance to physical and side-channel attacks on system memory. Note that the announcement describes protection of the key in use, not a change to the unlock path: how the volume is unlocked (TPM, PIN, recovery password) is a separate matter, so the usual guidance on TPM-only versus TPM plus PIN configurations still applies.
Power efficiency and battery life also benefit. Dedicated cryptographic hardware is far more energy-efficient than a general-purpose CPU. For mobile devices such as laptops and tablets, this translates into longer battery life during intensive data read and write workloads.
Hardware-accelerated BitLocker is not something that can simply be enabled on older devices via a software update. It requires tight coordination across the hardware and software stack. On the hardware side, systems must include NVMe storage controllers that support cryptographic offload, as well as next-generation SoCs with the necessary instruction sets and security features.
On the software side, hardware-accelerated BitLocker is integrated into Windows 11 versions 24H2 and 25H2. The operating system will automatically detect compatible hardware and enable hardware acceleration by default. Major chip manufacturers are expected to begin shipping compliant hardware in early 2026. While NVMe storage controllers are part of the requirement, the technology ultimately relies heavily on modern CPUs that integrate dedicated cryptographic engines. Supported platforms already include select Intel Core Ultra, AMD Ryzen, and Snapdragon X processors.
This technology also depends on support from the modern NVMe protocol. As a result, neither mechanical hard drives nor SATA SSDs are eligible; only contemporary NVMe SSDs will be able to take advantage of hardware-accelerated BitLocker in the future.
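As a practical check against the requirements above, here is an added PowerShell inventory script; it is not Microsoft's code and is not taken from the announcement. It reports the TPM version, each BitLocker volume's status and current encryption method, and whether the disk behind each volume sits on the NVMe bus. Only the standard BitLocker, Storage and TrustedPlatformModule cmdlets are used; the function name and the output column names are my own. The article does not say how hardware-accelerated BitLocker will be reported by Get-BitLockerVolume, so treat the EncryptionMethod column as current-state inventory, not as a detector for the new mode.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's code): inventory BitLocker volumes against the
# prerequisites the article names (TPM 2.0, NVMe storage). Run on Windows 11.

function Get-BitLockerHardwareReadiness {
    # TPM presence/readiness from the TrustedPlatformModule module, spec version from WMI.
    $tpm     = Get-Tpm
    $tpmSpec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                                -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion

    $platform = [PSCustomObject]@{
        TpmPresent  = $tpm.TpmPresent
        TpmReady    = $tpm.TpmReady
        TpmSpec     = $tpmSpec          # e.g. "2.0, 0, 1.59"; a 2.0 TPM is the baseline
        OSBuild     = [System.Environment]::OSVersion.Version.ToString()
    }

    $volumes = foreach ($vol in Get-BitLockerVolume) {
        # MountPoint is "C:" for lettered volumes and a \\?\Volume{GUID}\ path otherwise;
        # only lettered volumes are mapped back to a physical disk here.
        $letter = $vol.MountPoint.TrimEnd(':', '\')
        $disk   = $null
        if ($letter.Length -eq 1) {
            $disk = Get-Partition -DriveLetter $letter -ErrorAction SilentlyContinue | Get-Disk
        }

        [PSCustomObject]@{
            Volume           = $vol.MountPoint
            VolumeType       = $vol.VolumeType          # OperatingSystem / Data
            Status           = $vol.VolumeStatus        # FullyEncrypted, FullyDecrypted, ...
            Protection       = $vol.ProtectionStatus    # On / Off
            EncryptionMethod = $vol.EncryptionMethod    # XtsAes128, XtsAes256, None, ...
            Protectors       = ($vol.KeyProtector.KeyProtectorType -join ',')
            BusType          = $disk.BusType            # NVMe, SATA, USB, RAID, ...
            DiskModel        = $disk.FriendlyName
            # The article's storage requirement: HDDs and SATA SSDs are excluded.
            NvmeBus          = ($disk.BusType -eq 'NVMe')
        }
    }

    [PSCustomObject]@{ Platform = $platform; Volumes = $volumes }
}

$readiness = Get-BitLockerHardwareReadiness
$readiness.Platform | Format-List
$readiness.Volumes  | Format-Table -AutoSize

# Volumes that are encrypted but not on NVMe cannot use the new offload at all.
$readiness.Volumes | Where-Object { $_.Status -eq 'FullyEncrypted' -and -not $_.NvmeBus } |
    ForEach-Object { Write-Warning "$($_.Volume) is encrypted on a $($_.BusType) disk; offload not applicable." }
```

Run it from an elevated PowerShell session. `manage-bde -status` prints the same per-volume encryption method if you prefer the legacy tool; the value of the script is joining that information with the bus type of the underlying disk, which BitLocker itself does not report.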