Windows BitLocker no longer trusts SSD hardware protection
After reports of widespread flaws in hardware-based SSD encryption, Microsoft has pushed out an update that defaults BitLocker protection to software-based AES encryption
2 October 2019
As the old espionage axiom goes, trust no one. As of the latest Windows 10 update, Microsoft’s BitLocker encryption tool that is built into Pro and Enterprise versions will no longer assume that self-encrypting SSDs are actually securing the data.
After researchers demonstrated last year that flaws in many self-encrypting SSDs could let blackhats bypass that encryption thanks to a mixture of poor security implementations and secret Master Passwords set by the SSD manufacturers, Microsoft has closed that potential loophole by having BitLocker not trust hardware-based encryption by default.
Swift on Security, the pseudonymous infosec Twitter rock star, first noticed the tweak, which Microsoft published on September 24 as part of the KB4516071 update: “Changes the default setting for BitLocker when encrypting a self-encrypting hard drive,” the update reads. “Now, the default is to use software encryption for newly encrypted drives. For existing drives, the type of encryption will not change.”
That means that any SSDs you secure with BitLocker will now rely on software-based AES encryption performed by your processor, regardless of whether the drive claims to perform its own hardware-based encryption.
If you trust your SSD’s encryption technique, you can still tell BitLocker to use that instead, but now that is an opt-in feature rather than the default. Alternatively, if you no longer trust your self-encrypting SSD’s firmware and you already use BitLocker, you will need to decrypt the drive and then encrypt it again to remove the existing reliance on hardware encryption and move to BitLocker’s software-based encryption instead.
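Because the update only changes the default for newly encrypted drives, an administrator needs to find out which existing volumes still defer to the SSD firmware. The script below is an added example, not code from the article or from Microsoft: it lists each BitLocker volume’s encryption method and checks whether hardware encryption has been opted back in by policy (the three FVE registry value names are my assumption about which values back that Group Policy setting).

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article. Audits BitLocker volumes for ones that still
# rely on the SSD's own hardware encryption: KB4516071 changes the default only for
# NEWLY encrypted drives, so an existing SED-backed volume keeps it until you decrypt
# and re-encrypt.

try {
    $volumes = Get-BitLockerVolume -ErrorAction Stop
} catch {
    # Home editions have no BitLocker cmdlets (the article: Pro/Enterprise only).
    throw "BitLocker cmdlets unavailable on this edition: $($_.Exception.Message)"
}

$stillHardware = @()
foreach ($v in $volumes) {
    # EncryptionMethod is 'Hardware' when BitLocker defers to the drive's firmware;
    # software AES shows as XtsAes128/XtsAes256/Aes128/Aes256; 'None' = not protected.
    switch ("$($v.EncryptionMethod)") {
        'Hardware' {
            $stillHardware += $v.MountPoint
            Write-Warning ("{0}: encryption is performed by the SSD firmware, not by BitLocker's software AES." -f $v.MountPoint)
        }
        'None'     { Write-Output ("{0}: not encrypted" -f $v.MountPoint) }
        default    { Write-Output ("{0}: software encryption ({1})" -f $v.MountPoint, $v.EncryptionMethod) }
    }
}

# Policy check. Assumption: these registry values back the Group Policy setting
# "Configure use of hardware-based encryption for <OS|fixed|removable> data drives";
# 1 = hardware encryption allowed (the opt-in the article mentions), 0 = disabled.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
foreach ($name in 'OSHardwareEncryption', 'FDVHardwareEncryption', 'RDVHardwareEncryption') {
    $val = (Get-ItemProperty -Path $fve -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $val) { Write-Output "$name : not configured (post-KB4516071 default = software AES)" }
    elseif ($val -eq 1) { Write-Output "$name : hardware encryption explicitly opted in" }
    else                { Write-Output "$name : hardware encryption disabled by policy" }
}

if ($stillHardware.Count -gt 0) {
    Write-Output "Volumes still on SSD hardware encryption: $($stillHardware -join ', ')"
    Write-Output "To move them to software AES: Disable-BitLocker -MountPoint <X:>, wait for decryption to finish, then Enable-BitLocker again."
}
```

Run it from an elevated PowerShell session; `Disable-BitLocker` decrypts in the background, so confirm with `Get-BitLockerVolume` that `VolumeStatus` reports fully decrypted before re-enabling.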
This beginner’s guide to BitLocker can help you start using Microsoft’s encryption tool, though you’ll need specific hardware features and the Pro or Enterprise version of Windows 10 to access it. Home versions of Windows 10 don’t support BitLocker.
It’s a shame that self-encrypting SSDs can’t be fully trusted to be secure — that is their proverbial ‘One Job’. But Microsoft deserves kudos for providing a safety net with BitLocker rather than letting end users potentially be lulled into thinking their data is protected when it is not.
IDG News Service