Windows 10’s BitLocker Encryption No Longer Trusts Your SSD

BitLocker drive icon on a Windows 10 desktop.

Many consumer SSDs claim to support encryption, and BitLocker has taken them at their word. But, as we learned last year, these drives often did not encrypt files securely. Microsoft has now changed Windows 10 to stop trusting these questionable SSDs and to default to software encryption instead.

In summary, SSDs and other hard drives can claim to be "self-encrypting". When a drive does, BitLocker would not perform any encryption of its own, even if you enabled BitLocker manually. In theory, this was good: the drive could do the encryption itself at the firmware level, which sped up the process, reduced CPU usage, and perhaps saved power. In practice, it was bad: many drives had empty master passwords and other appalling security failures. We learned that consumer SSDs cannot be trusted to implement encryption correctly.

Now, Microsoft has changed things. By default, BitLocker will ignore drives that claim to be self-encrypting and will perform the encryption itself in software. Even if your drive claims to support encryption, BitLocker will no longer believe it.

This change arrived in the Windows 10 KB4516071 update, released on September 24, 2019. It was spotted by SwiftOnSecurity on Twitter:

Microsoft gives up on SSD manufacturers: Windows no longer trusts drives that claim to be able to encrypt themselves; BitLocker defaults to processor-accelerated AES encryption. This follows a presentation on vast issues related to firmware-based encryption.

– SwiftOnSecurity (@SwiftOnSecurity) September 27, 2019

Existing systems with BitLocker will not be migrated automatically and will continue to use hardware encryption if they were originally configured that way. If you already have BitLocker enabled on your system, you must decrypt the drive and then encrypt it again to make sure BitLocker uses software encryption rather than hardware encryption. Microsoft's security bulletin includes a command you can use to check whether your system uses hardware or software encryption.
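The check described above, as an added example that is not code from the article or from Microsoft's bulletin: the script below runs the built-in manage-bde.exe status report, parses the "Encryption Method" line for each BitLocker volume, and flags any volume still relying on drive (hardware) encryption. It assumes an elevated PowerShell prompt on Windows 10 and that manage-bde prints one "Volume X: [Label]" block per volume, as it does on that platform; the sample report at the end is constructed so the parser can be exercised without touching a real disk.

```powershell
# Added example, not from the article or Microsoft: parse `manage-bde -status`
# and flag volumes that still use drive-managed (hardware) encryption after
# KB4516071. Assumes an elevated prompt on Windows 10.

function ConvertFrom-ManageBdeStatus {
    # Turn the text report into one object per BitLocker volume.
    param([Parameter(Mandatory)][string]$Text)

    $volumes = @()
    $current = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^Volume\s+([A-Z]):\s*\[(.*)\]') {
            # A new volume block starts; flush the previous one.
            if ($current) { $volumes += $current }
            $current = [pscustomobject]@{
                Drive                  = $Matches[1]
                Label                  = $Matches[2]
                ConversionStatus       = $null
                EncryptionMethod       = $null
                UsesHardwareEncryption = $false
            }
        }
        elseif ($current -and $line -match '^\s*Conversion Status:\s*(.+?)\s*$') {
            $current.ConversionStatus = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*Encryption Method:\s*(.+?)\s*$') {
            # Software encryption reports an AES mode (e.g. "XTS-AES 128");
            # drive-managed encryption reports "Hardware Encryption - <algorithm OID>".
            $current.EncryptionMethod       = $Matches[1]
            $current.UsesHardwareEncryption = ($Matches[1] -match 'Hardware')
        }
    }
    if ($current) { $volumes += $current }
    return $volumes
}

function Test-BitLockerHardwareEncryption {
    # Run the real tool on this machine and report per volume.
    $text    = (& manage-bde.exe -status 2>&1) -join "`n"
    $volumes = ConvertFrom-ManageBdeStatus -Text $text
    foreach ($v in $volumes) {
        if ($v.UsesHardwareEncryption) {
            Write-Warning ("Volume {0}: still uses drive-managed encryption ({1}); " +
                           "decrypt and re-encrypt to move to software encryption.") -f $v.Drive, $v.EncryptionMethod
        }
        else {
            Write-Output ("Volume {0}: {1} ({2})" -f $v.Drive, $v.EncryptionMethod, $v.ConversionStatus)
        }
    }
    return $volumes
}

# Constructed sample report (not captured from any real machine) for an offline dry run.
$sample = @"
Volume C: [Windows]
[OS Volume]

    Size:                 237.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2
    Protection Status:    Protection On

Volume D: [Data]
[Data Volume]

    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
"@

ConvertFrom-ManageBdeStatus -Text $sample |
    Format-Table Drive, Label, EncryptionMethod, UsesHardwareEncryption -AutoSize

# On a real system, run: Test-BitLockerHardwareEncryption
```

In the constructed sample, volume C: is flagged because its method line reads "Hardware Encryption", while D: (XTS-AES 128) is already software-encrypted. A volume that is flagged is exactly the case the article describes: it was set up before the update and will keep using the drive's firmware encryption until it is decrypted and re-encrypted.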

As SwiftOnSecurity notes, modern processors handle AES in hardware-accelerated instructions, so you should not notice any slowdown when BitLocker switches to software-based encryption.

If you want it to, BitLocker can still trust hardware encryption. The option is simply disabled by default. For enterprises with drives that have vetted firmware, the "Configure use of hardware-based encryption for fixed data drives" setting under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Fixed Data Drives in Group Policy lets them re-enable hardware encryption. Everyone else should leave it alone.

Option to enable or disable hardware encryption for BitLocker in Windows 10 Group Policy.

It's a shame that Microsoft and the rest of us cannot trust the drive manufacturers. But it makes sense: sure, your laptop was made by Dell, HP, or even Microsoft itself. But do you know which drive is in that laptop and who made it? Do you trust that drive's manufacturer to handle encryption securely and to ship updates if problems are found? As we have learned, you probably shouldn't. Now, Windows doesn't either.

RELATED: You Can't Trust BitLocker to Encrypt Your SSD in Windows 10
