Friday 27 September 2019

Windows 10’s BitLocker Encryption No Longer Trusts Your SSD

BitLocker drive icon on a Windows 10 desktop.

Many consumer SSDs claim to support encryption and BitLocker believed them. But, as we learned last year, those drives often weren’t securely encrypting files. Microsoft just changed Windows 10 to stop trusting those sketchy SSDs and default to software encryption.

In summary, solid-state drives and other hard drives can claim to be “self-encrypting.” If they do, BitLocker wouldn’t perform any encryption, even if you enabled BitLocker manually. In theory, that was good: The drive could perform the encryption itself at the firmware level, speeding up the process, reducing CPU usage, and maybe saving some power. In reality, it was bad: Many drives had empty master passwords and other horrendous security failures. We learned consumer SSDs can’t be trusted to implement encryption.

Now, Microsoft has changed things. By default, BitLocker will ignore drives that claim to be self-encrypting and do the encryption work in software. Even if you have a drive that claims to support encryption, BitLocker won’t believe it.

This change arrived in Windows 10’s KB4516071 update, released on September 24, 2019. It was spotted by SwiftOnSecurity on Twitter.

Existing systems with BitLocker won’t be automatically migrated and will continue using hardware encryption if they were originally set up that way. If you already have BitLocker encryption enabled on your system, you must decrypt the drive and then encrypt it once again to ensure BitLocker is using software encryption rather than hardware encryption. This Microsoft security bulletin includes a command you can use to check whether your system is using hardware or software-based encryption.
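An added example, not from the article or from Microsoft: a PowerShell snippet that lists any BitLocker volume whose encryption is still delegated to the drive itself, using the BitLocker module’s `Get-BitLockerVolume` cmdlet (its `EncryptionMethod` reports `Hardware` for such volumes). It assumes an elevated PowerShell session on Windows 10; the `Get-HardwareEncryptedVolume` function name and the migration commands in the comments are this example’s own.

```powershell
# Added example: find BitLocker volumes still relying on the SSD's own
# (hardware) encryption, so they can be moved to software encryption.
# Assumes an elevated PowerShell session with the BitLocker module present.
function Get-HardwareEncryptedVolume {
    Get-BitLockerVolume |
        Where-Object { $_.EncryptionMethod -eq 'Hardware' } |
        Select-Object MountPoint, VolumeType, EncryptionMethod,
                      VolumeStatus, ProtectionStatus
}

$hardwareVolumes = Get-HardwareEncryptedVolume

if ($hardwareVolumes) {
    Write-Warning 'These volumes depend on the drive firmware for encryption:'
    $hardwareVolumes | Format-Table -AutoSize

    # Migration for a data volume, as the article describes (decrypt, then
    # re-encrypt). Wait for VolumeStatus to reach FullyDecrypted before
    # re-enabling. An OS volume additionally needs its TPM/PIN protectors.
    #   Disable-BitLocker -MountPoint 'D:'
    #   Enable-BitLocker  -MountPoint 'D:' -EncryptionMethod XtsAes256 `
    #                     -RecoveryPasswordProtector
}
else {
    'All BitLocker volumes use software (XTS-AES) encryption.'
}

# The legacy tool shows the same field: run "manage-bde -status" and read
# the "Encryption Method" line for each volume.
```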

As SwiftOnSecurity notes, modern CPUs can handle performing these actions in software and you shouldn’t see a noticeable slowdown when BitLocker switches to software-based encryption.

Source: How-To Geek