When you enable BitLocker in Windows you gain a lot of peace of mind, but you have probably also noticed that your PC runs a bit slower, especially if you use a very fast SSD. That small performance drag has always been the price of encrypting the entire disk, and it is most noticeable on computers with modern NVMe drives.
Microsoft has now redesigned how its disk encryption works. With hardware-accelerated BitLocker, the operating system can use cryptographic engines built into the processor or the SoC, reducing the CPU's workload and bringing the performance of an encrypted disk close to that of an unencrypted one.
What is BitLocker and why did it affect performance so much?
BitLocker is the full disk encryption solution built into Windows. Available in the Pro, Enterprise and Education editions, its purpose is to protect the data stored on a computer against loss, device theft, removal of the disk, or improper disposal of corporate machines.
To achieve that, BitLocker encrypts the entire contents of the drive with a modern cipher, XTS-AES-256 by default, so the data can only be read when the correct keys are available. Those keys are normally protected by the TPM (Trusted Platform Module), which releases them only if the measured boot state, including Secure Boot, matches the expected policy.
Until now, the traditional BitLocker implementation in Windows 11 relied almost entirely on software encryption: the general-purpose CPU encrypted and decrypted every block of data that entered or left the disk, using the AES-NI instructions (on Intel and AMD) or their equivalents on other architectures.
With mechanical hard drives or even SATA SSDs the bottleneck was the storage itself, so the added cost of encryption was barely noticeable. The widespread adoption of high-speed NVMe drives, especially PCIe 4.0 and 5.0 models, has completely changed the picture.
The BitLocker problem in the NVMe era
Modern NVMe drives move data at enormous speeds, with very high I/O rates per second (IOPS), especially in small-block random operations. In that scenario the CPU has to work much harder to encrypt and decrypt, in real time, all the traffic crossing the PCIe bus.
Microsoft engineers have explained that, in internal tests, the impact of software-based BitLocker is very significant. Without encryption, a typical I/O operation takes on the order of 400,000 CPU cycles; with BitLocker running purely in software, the same operation can consume around 1.9 million cycles, an increase of roughly 375% in computational load.
That increase in CPU cycles translates into higher latency, higher power consumption and a less responsive system. It is most noticeable not in large sequential copies but in constant access to small blocks of data: opening programs, loading game levels, compiling code, working with large video or audio projects, and so on.
In some real-world cases, users and businesses reported that BitLocker could slow an SSD down by up to 45% in certain scenarios. For those who depended on every millisecond of response time, for example on video-editing workstations, large software builds or gaming PCs, the usual answer was to disable BitLocker, trading security for performance.
Why is Microsoft redesigning BitLocker now?
With the popularization of NVMe SSDs and the jump to ever faster generations, BitLocker went from being an "invisible" component to a very obvious bottleneck. Encryption was no longer hidden behind the slowness of the disk; now the brake was the CPU, which had to encrypt data at speeds the original architecture was never designed for.
At events such as Microsoft Ignite, the company has acknowledged that, although it had managed to keep BitLocker overhead in the single digits (percent) in certain scenarios, the growth of NVMe drives increased the share of the total available CPU cycles spent on cryptographic operations.
With Windows 11 and its commitment to stricter security requirements (TPM 2.0, Secure Boot, virtualization-based security, and so on), one important loose end remained: offering full disk encryption without a significant performance cost. That is where hardware-accelerated BitLocker comes in.
Hardware-accelerated BitLocker: an architectural shift
The new BitLocker implementation introduces a profound architectural change: encryption no longer resides primarily in the general-purpose CPU and moves to dedicated cryptographic engines integrated into the SoC (System on a Chip) or into the processor microarchitectures themselves.
Instead of processing each block of data with cycle-intensive software routines, Windows 11 offloads bulk encryption and decryption to a fixed-function cryptographic engine built into the hardware. These blocks are designed specifically to perform XTS-AES-256 operations with minimal latency and much lower power consumption.
The key is in two big ideas that define hardware-accelerated BitLocker:
- Crypto offloading: the operating system moves encryption work from the main CPU to a dedicated engine, freeing computing resources for other applications, lowering the load on the cores and improving battery life on laptops.
- Hardware-protected keys: the master keys BitLocker uses are wrapped ("hardware wrapping") inside the SoC itself, strengthening protection against attacks that try to extract them from memory or that exploit vulnerabilities in the CPU or the operating system.
This approach brings BitLocker closer to the solutions of native hardware encryption that have been traditionally used in data centers and enterprise environments, where there are dedicated cards or controllers to handle encryption with minimal impact on overall performance.
How does XTS-AES-256 encryption work outside the CPU?
In practice, the new BitLocker uses a cryptographic engine integrated into the SoC to run the XTS-AES-256 algorithm, which remains the default for full disk encryption in Windows 11 on modern configurations.
Thanks to this offloading:
- The CPU stops running the intensive cryptographic routines that previously consumed millions of cycles per I/O operation, so the cores can be devoted to user tasks or other system functions.
- The encryption keys are managed and protected directly in hardware, reducing exposure to techniques that try to recover them from RAM, CPU registers or system dumps, and complementing what the TPM already does.
- Latency drops in I/O operations, especially small random accesses, which are what determine how responsive the operating system feels day to day.
From the user's perspective all of this is transparent: BitLocker looks the same as always and is managed with the same Windows tools. The difference is that, under the hood, encryption is no longer a heavy CPU burden but specialized work done by a dedicated hardware block.
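The per-sector arithmetic that the dedicated engine performs, as an added example that is not BitLocker's or Microsoft's code: a minimal XTS-AES in PowerShell on top of .NET's AES-ECB, with constructed keys and a constructed 512-byte sector. It shows why every sector can be encrypted or decrypted on its own (the tweak is derived from the sector number, so there is no chaining between sectors), which is what makes bulk offload to a fixed-function block straightforward, and it also shows the caveat that XTS provides no integrity. It handles whole 16-byte blocks only; real XTS adds ciphertext stealing for partial blocks.

```powershell
# Added example, not Microsoft's or BitLocker's code: minimal XTS-AES over whole
# 16-byte blocks, built on .NET AES-ECB, to show what the SoC engine computes per sector.
# Assumptions: sectors are a multiple of 16 bytes (real XTS adds ciphertext stealing
# for partial blocks); keys below are constructed test values, not real BitLocker keys.

function Invoke-AesEcb {
    # Raw AES on a buffer of whole blocks: no padding, no chaining between blocks.
    param([byte[]]$Key, [byte[]]$Data, [switch]$Decrypt)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::ECB
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::None
        $aes.Key     = $Key
        $xf = if ($Decrypt) { $aes.CreateDecryptor() } else { $aes.CreateEncryptor() }
        return $xf.TransformFinalBlock($Data, 0, $Data.Length)
    } finally { $aes.Dispose() }
}

function Step-XtsTweak {
    # Multiply the 128-bit tweak by alpha (x) in GF(2^128), little-endian as in IEEE 1619.
    param([byte[]]$T)
    $out = New-Object byte[] 16
    $carry = 0
    for ($i = 0; $i -lt 16; $i++) {
        $out[$i] = [byte]((([int]$T[$i] -shl 1) -band 0xFF) -bor $carry)
        $carry = ([int]$T[$i] -shr 7) -band 1
    }
    if ($carry) { $out[0] = [byte]($out[0] -bxor 0x87) }
    return $out
}

function ConvertTo-XtsSector {
    # XTS-AES encrypt (or decrypt with -Decrypt) one sector. Key1 encrypts the data,
    # Key2 encrypts the sector number to produce the tweak, so identical plaintext in
    # two sectors yields different ciphertext and any sector is processed on its own.
    param([byte[]]$Key1, [byte[]]$Key2, [uint64]$SectorNumber, [byte[]]$Data, [switch]$Decrypt)
    if ($Data.Length -eq 0 -or ($Data.Length % 16) -ne 0) {
        throw 'This demo handles whole 16-byte blocks only (no ciphertext stealing).'
    }
    $i  = New-Object byte[] 16
    $sb = [BitConverter]::GetBytes($SectorNumber)
    if (-not [BitConverter]::IsLittleEndian) { [Array]::Reverse($sb) }
    [Array]::Copy($sb, 0, $i, 0, 8)
    $tweaks = New-Object byte[] $Data.Length
    $T = Invoke-AesEcb -Key $Key2 -Data $i
    for ($j = 0; $j -lt $Data.Length; $j += 16) {
        [Array]::Copy($T, 0, $tweaks, $j, 16)
        $T = Step-XtsTweak $T
    }
    $pp = New-Object byte[] $Data.Length
    for ($k = 0; $k -lt $Data.Length; $k++) { $pp[$k] = $Data[$k] -bxor $tweaks[$k] }
    $cc = Invoke-AesEcb -Key $Key1 -Data $pp -Decrypt:$Decrypt
    $out = New-Object byte[] $Data.Length
    for ($k = 0; $k -lt $Data.Length; $k++) { $out[$k] = $cc[$k] -bxor $tweaks[$k] }
    return $out
}

# Constructed 64-byte XTS-AES-256 key (two 32-byte halves) and a 512-byte sector of 'A's.
$key1  = [byte[]](1..32)
$key2  = [byte[]](33..64)
$plain = [byte[]](@(0x41) * 512)

$c0 = ConvertTo-XtsSector -Key1 $key1 -Key2 $key2 -SectorNumber 0 -Data $plain
$c1 = ConvertTo-XtsSector -Key1 $key1 -Key2 $key2 -SectorNumber 1 -Data $plain
"Same plaintext in sectors 0 and 1 encrypts differently: " +
    ([BitConverter]::ToString($c0, 0, 16) -ne [BitConverter]::ToString($c1, 0, 16))

$back = ConvertTo-XtsSector -Key1 $key1 -Key2 $key2 -SectorNumber 0 -Data $c0 -Decrypt
"Round trip restores the plaintext: " +
    ([BitConverter]::ToString($back) -eq [BitConverter]::ToString($plain))

# XTS gives confidentiality only. Flip one ciphertext byte: the 16-byte block it
# belongs to decrypts to garbage, every other block is untouched and nothing is rejected.
$tampered = [byte[]]$c0.Clone()
$tampered[100] = $tampered[100] -bxor 0x01
$bad = ConvertTo-XtsSector -Key1 $key1 -Key2 $key2 -SectorNumber 0 -Data $tampered -Decrypt
$damaged = 0..31 | Where-Object {
    [BitConverter]::ToString($bad, $_ * 16, 16) -ne [BitConverter]::ToString($plain, $_ * 16, 16)
}
"Blocks altered by a one-byte ciphertext flip: $($damaged -join ', ')"
```

It runs in any PowerShell 5.1 or 7 session without BitLocker or administrator rights, since it only uses .NET's AES. The tamper test is the point a practitioner should keep in mind: hardware wrapping protects the keys, but a sector modified on disk still decrypts to garbage without any error, so integrity has to come from other layers, not from the cipher mode.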
Performance gains: from bottleneck to smoothness
Microsoft's internal tests show a large gap between classic software-based BitLocker and the hardware-accelerated version. In certain scenarios, hardware encryption brings the encrypted drive's performance to a level virtually indistinguishable from an unencrypted SSD.
In specific metrics, striking improvements have been observed in the operations that were traditionally the Achilles' heel of encryption:
- 4K random operations at queue depth 32, single thread (RND4K Q32T1): up to 2.3 times faster with hardware-accelerated BitLocker than with the purely software version.
- Single-queue 4K random reads: around 40% faster than traditional BitLocker, which noticeably reduces perceived latency.
- Single-queue 4K random writes: roughly 2.1 times faster than classic encryption.
For sequential speeds (copying large files, continuous video playback, and so on) the difference between software and hardware encryption is smaller; there the bottleneck is usually still the SSD itself. Even so, the CPU usage attributable to BitLocker drops by more than 70%, with clear benefits for power consumption and temperature.
In extreme scenarios, where software-based BitLocker created a very severe bottleneck, improvements of up to 375% in effective performance have been reported. That is not an average across all uses but a specific case in which the CPU was previously saturated by encryption alone.
Direct impact on gaming, video editing, and intensive workloads
Those who benefit most from hardware-accelerated BitLocker are precisely those who previously suffered the most from it: gaming PCs. The new approach keeps full disk encryption without game load times ballooning or background CPU usage climbing.
In professional video editing, or in studios working with huge files, the constant read and write stream to the SSD is no longer throttled by cryptographic work. The editing timeline, previews and render jobs run with minimal impact from encryption.
The same is true of software development and bulk builds, where many random reads and writes of small files take place: with hardware acceleration, encryption stops stealing the CPU cycles needed to compile, link and run tests.
On laptops the benefit also shows up in battery life and CPU temperature. With fewer cycles spent on encryption, the processor spends less time at full load, which cuts power draw and can keep the machine cooler under heavy use.
Enhanced security: keys encased in hardware
The improvement is not limited to performance. The new design also aims to strengthen security against physical and forensic attacks. By wrapping the encryption keys inside the hardware itself, their exposure to techniques that read information directly from memory, or that go through system vulnerabilities, is reduced.
BitLocker keys were already protected by the TPM and Secure Boot policies, but now an extra layer is added: hardware wrapping inside the SoC, which stores and handles those keys in an environment that is harder to tamper with, even for an attacker with physical access to the device. This protects the keys, not the data itself: XTS-AES, in hardware or in software, provides confidentiality only, so it does not by itself detect a sector that has been modified on disk.
This trend of moving critical security functions from software into hardware is spreading across the industry. The goal is for components such as key management, integrity verification and encryption of data at rest to live in silicon blocks designed specifically to withstand increasingly sophisticated attacks.
Availability on Windows 11 and server versions
Hardware-accelerated BitLocker is being rolled out progressively to Windows 11 and Windows Server through major system updates, and Microsoft has been detailing how and when the new architecture is activated in each version.
On Windows 11, hardware acceleration arrives with version 24H2 and is consolidated in version 25H2, via the September 2025 update, which lets the feature be enabled automatically on devices with compatible NVMe drives and SoCs prepared for this type of encryption.
On servers, the improvement is integrated into Windows Server 2025 (in its September 2025 update), letting organizations adopt hardware-accelerated full disk encryption in their infrastructure without sacrificing the performance demanded by critical databases, hypervisors and applications.
The default algorithm remains XTS-AES-256. Microsoft has also announced that a future spring update will automatically adjust certain parameters, such as key sizes, to maximize compatibility with the encryption engines embedded in SoCs.
Hardware requirements and first supported platforms
Not every computer will benefit from the new architecture. For BitLocker to use hardware acceleration, the system needs an SoC or processor with a dedicated cryptographic engine that the operating system supports.
In the first phase, Microsoft has indicated that support is aimed especially at Intel vPro systems, starting with the Intel Core Ultra Series 3 "Panther Lake" processors (the Core Ultra 300 series), scheduled to ship from 2026, which include the acceleration blocks Windows needs to offload encryption natively. The vPro platform will remain the priority target for delivering accelerated encryption in enterprise environments.
As for AMD, many of its modern Ryzen and EPYC processors already include AES-NI or equivalent instructions that accelerate encryption on the CPU, which until now have served to speed up software-based BitLocker. Microsoft has made clear that support for dedicated encryption engines will extend to other manufacturers and architectures as they include specific acceleration blocks in their SoCs.
Among ARM SoCs, the Qualcomm Snapdragon X Elite and other modern designs also stand out for their robust integrated cryptographic capabilities, which opens the door for them to take more direct advantage of this hardware-accelerated model as integration with Windows 11 matures.
Compatibility, group policies, and how to check if it's active
Even if the hardware is compatible, certain software settings can stop BitLocker from using acceleration. In enterprise environments, Group Policies that enforce specific algorithms or key sizes not supported by the SoC's encryption engine can inadvertently disable the hardware optimization.
To check whether a given computer is using hardware acceleration with BitLocker, use the manage-bde command-line tool. Run the following in a console with administrator privileges:
manage-bde -status
In the section for the encryption method, if the hardware and configuration are compatible, the output should indicate "Hardware accelerated". If not, the system is most likely still on the traditional software path.
For IT administrators this means carefully reviewing their policy templates and automated security-configuration deployment tools, so that the hardware cryptographic capabilities that could speed up BitLocker are not blocked by accident.
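One way to run the checks this section describes from an elevated PowerShell, as an added example that is not part of the article: it reports TPM state, each volume's cipher and key protectors via Get-BitLockerVolume, the policy-enforced methods stored under HKLM:\SOFTWARE\Policies\Microsoft\FVE, and then searches manage-bde -status for the "Hardware accelerated" wording the article mentions. The exact string is an assumption taken from the article; adjust it to what your build prints.

```powershell
# Added example, not from the article or from Microsoft: inventory the pieces that
# decide whether BitLocker can use a hardware engine on this machine. Run from an
# elevated PowerShell on Windows 11 24H2/25H2 or Windows Server 2025 with the
# September 2025 update. The 'Hardware accelerated' string is the wording the
# article reports for manage-bde -status; treat it as an assumption and match it
# to whatever your build actually prints.

# 1. TPM: BitLocker's key protection still depends on it, acceleration or not.
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent)   TPM ready: $($tpm.TpmReady)"

# 2. Per-volume cipher and protectors. The SoC engine is built for XTS-AES, so a
#    volume still encrypted with an AES-CBC method is not a candidate for offload.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus,
        @{ n = 'KeyProtectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } } |
    Format-Table -AutoSize

# 3. Group Policy "Choose drive encryption method and cipher strength" is stored here.
#    Values: 3 = AES-CBC 128, 4 = AES-CBC 256, 6 = XTS-AES 128, 7 = XTS-AES 256.
$fvePolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$methodNames = @{ 3 = 'AES-CBC 128'; 4 = 'AES-CBC 256'; 6 = 'XTS-AES 128'; 7 = 'XTS-AES 256' }
foreach ($name in 'EncryptionMethodWithXtsOs', 'EncryptionMethodWithXtsFdv', 'EncryptionMethodWithXtsRdv') {
    $value = (Get-ItemProperty -Path $fvePolicy -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value) {
        "$name : not set by policy (the Windows default applies)"
        continue
    }
    $label   = if ($methodNames.ContainsKey([int]$value)) { $methodNames[[int]$value] } else { "unknown ($value)" }
    $warning = if ([int]$value -in 3, 4) { '   <-- CBC enforced by policy: the XTS engine cannot be used' } else { '' }
    "$name : $label$warning"
}

# 4. What is actually in use per volume, including the acceleration indicator.
$status = manage-bde -status
$status
if ($status | Select-String -Pattern 'Hardware accelerated' -Quiet) {
    'At least one volume reports hardware-accelerated BitLocker.'
} else {
    'No volume reports hardware acceleration: the software XTS-AES (AES-NI) path is in use.'
}
```

Step 3 is the one that catches the policy problem the section warns about: a template that pins the method to AES-CBC (values 3 or 4) for compatibility with very old clients will keep new volumes off the XTS path, and existing volumes keep whatever method they were encrypted with until they are decrypted and re-encrypted.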
What happens if your computer doesn't have compatible hardware?
If your PC or laptop lacks the dedicated cryptographic engine that accelerated BitLocker needs, the system keeps working with traditional software encryption. You still get data protection, but the impact on performance and CPU usage stays at the level seen so far.
In those cases it is still a good idea to leave BitLocker enabled, especially on portable devices that are more easily lost or stolen. The decision depends on the balance between security and performance you need: on older machines, disabling it gives a small speed boost, at the cost of putting your data at risk.
If you plan to upgrade in the coming years, it is worth checking specifications and confirming that the advertised processor or SoC explicitly supports hardware-accelerated encryption for BitLocker. This feature is likely to go, little by little, from being something "advanced" to just another standard security requirement on new machines.
Ultimately, what Microsoft proposes with this new architecture is that you can keep your disk always encrypted without giving up a responsive system and without performance surprises, something many users until now thought possible only by disabling BitLocker as soon as they started using the PC.

