
AMD reinstates memory encryption in consumer CPUs after user backlash

Ars Technica, 1 h ago

Close-up of a computer processor chip on a motherboard. Photo: Sergei Starostin / Pexels

AMD said it will re-enable Transparent Secure Memory Encryption (TSME) — the feature it disabled in the Ryzen 9000 processors it launched in May — via a microcode update. The company told Ars Technica that the decision was «in response to user feedback and input from the security research community».

TSME is a feature that transparently encrypts, at the hardware level, all data held in system memory (RAM). Even if an attacker gains physical access to the RAM chips (in a «cold boot» or «evil maid» attack, for example), recovering plaintext from them is extremely difficult. It has long been standard on EPYC server-class processors, and it has been present on the consumer line since 2022.

When AMD left TSME disabled by default on the new Ryzen 9000 (Zen 5) line, the user community and security researchers viewed it as a serious regression. Linux kernel developer Greg Kroah-Hartman said in a statement: «Lowering a device's default security posture leaves behind compromisable data on millions of devices».

AMD's comment was brief: «TSME came with a small performance cost; we acknowledge that for most consumer workloads, that cost is not noticeable. We will roll out the microcode update this summer». The company said the main reason for the delay was additional verification work on kernel side-channel attacks.

The performance impact has been debated. AMD's own benchmarks show TSME causes a 1 to 2 per cent drop on gaming and general desktop workloads. The hit climbs to as much as 4 per cent on virtualisation and database workloads.

Intel's equivalent feature, Total Memory Encryption (TME), has been enabled by default since the 12th-generation Core (Alder Lake) family. But Intel still reserves the TME-Multi-Key (TME-MK) feature, which provides per-virtual-machine encryption isolation, for its Xeon processors.

Since the Windows 11 24H2 update, Microsoft has automatically opted systems with TME into BitLocker disk encryption setup. AMD's reinstatement of TSME could trigger similar automatic detection for Ryzen 9000 on Windows installs.

For enterprise buyers this matters. For a CIO, having memory automatically encrypted when a laptop is lost or stolen reduces the risk of corporate leaks. Europe's NIS2 directive and the US Cyber Incident Reporting law have both tightened notification obligations in such incidents.

Since Linux kernel 6.10 there has been a boot option (`mem_encrypt=on`) to force TSME on at system boot. With AMD's new microcode, that flag will work consistently on Ryzen 9000. On the Windows side, Microsoft is currently testing a similar driver update in its Insider builds.
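As an added illustration (not code from the article, AMD or the Linux project), here is a small POSIX shell check a defender could run to confirm whether memory encryption is actually active after setting `mem_encrypt=on`, rather than trusting the boot flag alone; the exact kernel log wording, the `sme` cpuinfo flag and all sample inputs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: assess the Linux memory-encryption state from three inputs.
# Inputs are passed as strings so the check runs offline on constructed data;
# on a live system feed it "$(cat /proc/cmdline)", "$(grep -m1 flags /proc/cpuinfo)"
# and "$(dmesg)" instead.

# True if the kernel command line requests SME/TSME via mem_encrypt=on
cmdline_requests_sme() {
    case " $1 " in
        *" mem_encrypt=on "*) return 0 ;;
        *) return 1 ;;
    esac
}

# True if the CPU advertises the SME capability flag (assumed flag name "sme")
cpu_supports_sme() {
    case " $1 " in
        *" sme "*) return 0 ;;
        *) return 1 ;;
    esac
}

# True if the kernel boot log reports SME among the active encryption features
# (the log wording is an assumption; different kernel versions vary slightly)
dmesg_reports_sme_active() {
    printf '%s\n' "$1" | grep -Eq 'Memory Encryption Features active:.*SME'
}

# Combine the three signals into one verdict string
memory_encryption_status() {
    cmdline=$1; flags=$2; log=$3
    if ! cpu_supports_sme "$flags"; then echo "unsupported"; return; fi
    if dmesg_reports_sme_active "$log"; then echo "active"; return; fi
    if cmdline_requests_sme "$cmdline"; then echo "requested-not-active"; return; fi
    echo "available-not-enabled"
}

# Constructed sample data (not captured from a real machine)
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/nvme0n1p2 ro mem_encrypt=on'
SAMPLE_FLAGS='flags : fpu vme de pse tsc sme sev'
SAMPLE_DMESG='[    0.000000] Memory Encryption Features active: AMD SME'

memory_encryption_status "$SAMPLE_CMDLINE" "$SAMPLE_FLAGS" "$SAMPLE_DMESG"
```

A verdict of `requested-not-active` is the case the article describes: the flag is set but firmware or microcode has not actually enabled encryption.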

Security researcher Daniel Gruss (TU Graz) told Ars Technica: «Memory encryption is not a silver bullet on its own, but it is a foundational security layer; in 2026, having it off by default is unacceptable». How consumer PC manufacturers handle the feature in upcoming BIOS updates will determine how effective AMD's new approach is in practice.

This article is an AI-curated summary based on Ars Technica. The illustration is a stock photo by Sergei Starostin from Pexels.
