Many consumer SSDs claim to support encryption and BitLocker believed them. But, as we learned last year, those drives often weren’t securely encrypting files. Microsoft just changed Windows 10 to stop trusting those sketchy SSDs and default to software encryption.
Here is the background: solid-state drives and other hard drives can claim to be “self-encrypting.” If a drive did, BitLocker performed no encryption of its own, even when you enabled BitLocker manually. In theory, that was good: the drive could perform the encryption itself at the firmware level, speeding up the process, reducing CPU usage, and maybe saving some power. In reality, it was bad: many drives had empty master passwords and other horrendous security failures. We learned that consumer SSDs can’t be trusted to implement encryption.
Now, Microsoft has changed things. By default, BitLocker will ignore drives that claim to be self-encrypting and do the encryption work in software. Even if you have a drive that claims to support encryption, BitLocker won’t believe it.
This change arrived in Windows 10’s KB4516071 update, released on September 24, 2019. It was spotted by SwiftOnSecurity on Twitter:
Microsoft gives up on SSD manufacturers: Windows will no longer trust drives that say they can encrypt themselves, BitLocker will default to CPU-accelerated AES encryption instead. This is after an exposé on broad issues with firmware-powered encryption. https://t.co/6B357jzv46 pic.twitter.com/fP7F9BGzdD
— SwiftOnSecurity (@SwiftOnSecurity) September 27, 2019
Existing systems with BitLocker won’t be migrated automatically: a drive that was originally set up with hardware encryption will keep using it. If you already have BitLocker enabled, you must decrypt the drive and then encrypt it again to ensure BitLocker is using software encryption rather than the drive’s own. This Microsoft security bulletin includes a command you can use to check whether your system is using hardware or software-based encryption.
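One way to run that check yourself, as an added example rather than Microsoft’s own command: the script below parses the output of `manage-bde -status` for the “Encryption Method” line and flags a volume that is still relying on the drive’s firmware encryption. It assumes an elevated PowerShell session on Windows 10 and English-language output from manage-bde; the function name is ours.

```powershell
# Added example, not from the article or from Microsoft. Reports whether a
# BitLocker volume uses hardware (drive firmware) or software encryption by
# parsing "manage-bde -status". Assumes an elevated PowerShell on Windows 10
# and English output labels ("Encryption Method:", "Hardware Encryption").
function Get-BitLockerEncryptionMode {
    param([string]$MountPoint = $env:SystemDrive)

    $status = & manage-bde.exe -status $MountPoint 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde -status failed for ${MountPoint}: $status"
    }

    # The "Encryption Method" line reads e.g. "XTS-AES 128" for software
    # encryption, "Hardware Encryption" when BitLocker delegated to the
    # drive, or "None" when the volume is not encrypted at all.
    $method = 'Unknown'
    if ($status -match '(?m)^\s*Encryption Method:\s*(.+?)\s*$') {
        $method = $Matches[1]
    }

    [pscustomobject]@{
        MountPoint = $MountPoint
        Method     = $method
        Hardware   = ($method -match 'Hardware')
        Encrypted  = ($method -notin @('None', 'Unknown'))
    }
}

$result = Get-BitLockerEncryptionMode
if ($result.Hardware) {
    Write-Warning ("{0} relies on the drive's own encryption ({1})." -f
        $result.MountPoint, $result.Method)
    # Per the article: to switch, decrypt the volume fully (manage-bde -off),
    # then enable BitLocker again so the new default (software AES) applies.
    Write-Warning "Decrypt and re-encrypt this volume to move to software encryption."
} elseif (-not $result.Encrypted) {
    Write-Warning "$($result.MountPoint) is not BitLocker-encrypted (method: $($result.Method))."
} else {
    Write-Host "$($result.MountPoint): software encryption ($($result.Method))."
}
```

Run it for each fixed data volume as well (for example `Get-BitLockerEncryptionMode -MountPoint 'D:'`), since a data drive set up before the update may also still be using hardware encryption.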
As SwiftOnSecurity notes, modern CPUs can handle performing these actions in software and you shouldn’t see a noticeable slowdown when BitLocker switches to software-based encryption.