Microsoft to Automatically Encrypt Self-Encrypted Hard Drives to Counter Vulnerabilities
Andrew Wheeler posted on October 01, 2019 |
Microsoft to automatically encrypt new SSDs that already have self-encryption from the manufacturer

Software programs that encrypt hard drives are well known tools that leverage a computer's CPU to encrypt and decrypt data as it is read and written. This can cause systemic inefficiencies that manifest themselves in poor overall performance. Also, using software programs to encrypt your hard drive has well known vulnerabilities, including methods that allow users to recover encrypted information in case they lose their encryption key. This is positive in terms of mitigating the loss of value that occurs with the loss of data due to encryption, but also indicates that malicious actors can decrypt information on a targeted user's hard drive. 

This is why hard drive manufacturers that make Solid State Drives (SSDs) encrypt their drives with built-in encryption controllers like 256-bit AES encryption controllers. This allows users to utilize full disk encryption, known as a self-encrypting drive. In theory and in practice, hardware encryption is more secure than software encryption. If a malicious actor doesn't have the encryption key for an encrypted SSD, it's nearly impossible to access any of its data. Self-encrypting drives (SEDs) do not cause inefficiencies in performance, because they do not use the CPU to perform encryption in real time as data is read from or written to the drive.

Discovery of Hardware Vulnerabilities in SSDs

Microsoft has hard drive encryption software called BitLocker available to Windows users who want to use the software encryption on their hard drives. However, up until two researchers from Radboud University in the Netherlands published a paper detailing the discovery of vulnerabilities in self-encrypted drives representing 60 percent of well-known SSD manufacturers, Microsoft trusted the encryption built into SSDs and did not see a need to automatically integrate their BitLocker software encryption to protect new SSDs. 

This excerpt is from the abstract of the research paper: 

"For multiple models, it is possible to bypass the encryption entirely, allowing for a complete recovery of the data without any knowledge of passwords or keys. The situation is worsened by the delegation of encryption to the drive by BitLocker. Due to the default policy, many BitLocker users are unintentionally using hardware encryption, exposing them to the same threats. We should reconsider how we view hardware encryption: as a layered defense, or exclusively in charge of protecting data (without active software encryption.)"

The fallout from the report included firmware fixes from Samsung and Crucial (Micron), and a fix using a Group Policy setting from Microsoft. This required users to decrypt their hard drives and re-encrypt them again from scratch using BitLocker.

Windows BitLocker was programmed to detect any hardware-based encryption capable device and ignore its own data encryption process. This meant that the user's SSD was not encrypted at the software level and remained vulnerable due to the discovered exploits.

Microsoft has apparently decided to change their policy to protect users. 

Earlier this week, they recommended that Windows 10 users to continue to switch to software encryption for SEDs. More importantly, in update KB4516071, Microsoft changed the default settings for BitLocker so that new SEDs automatically use software encryption. SSD manufacturers are basically being overridden by Microsoft in a vote of no confidence in the firmware fixes they've released so far. 

Bottom Line

This also means that millions of computers will now automatically be using the CPU for encryption, slowing down peak performance of self-encrypting SSDs. But hey, it's not like any malicious actors have figured out how to exploit Microsoft software...


Recommended For You