Many consumer SSDs claim to support encryption and BitLocker believed them. But, as we learned last year, those drives often weren’t securely encrypting files. Microsoft just changed Windows 10 to stop trusting those sketchy SSDs and default to software encryption.
In summary, solid-state drives and other hard drives can claim to be “self-encrypting.” If they did, BitLocker wouldn’t perform any encryption itself, even if you enabled BitLocker manually. In theory, that was good: The drive could perform the encryption itself at the firmware level, speeding up the process, reducing CPU usage, and maybe saving some power. In reality, it was bad: Many drives had empty master passwords and other horrendous security failures. We learned consumer SSDs can’t be trusted to implement encryption.
Now, Microsoft has changed things. By default, BitLocker will ignore drives that claim to be self-encrypting and do the encryption work in software. Even if you have a drive that claims to support encryption, BitLocker won’t believe it.
This change arrived in Windows 10’s KB4516071 update, released on September 24, 2019. It was spotted by SwiftOnSecurity on Twitter:
Microsoft gives up on SSD manufacturers: Windows will no longer trust drives that say they can encrypt themselves, BitLocker will default to CPU-accelerated AES encryption instead. This is after an exposé on broad issues with firmware-powered encryption. https://t.co/6B357jzv46
— SwiftOnSecurity (@SwiftOnSecurity) September 27, 2019
Existing systems with BitLocker won’t be automatically migrated and will continue using hardware encryption if they were originally set up that way. If you already have BitLocker encryption enabled on your system, you must decrypt the drive and then encrypt it once again to ensure BitLocker is using software encryption rather than hardware encryption. This Microsoft security bulletin includes a command you can use to check whether your system is using hardware or software-based encryption.
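The check Microsoft describes is the “Encryption Method” field of `manage-bde -status`: a volume that reports “Hardware Encryption” is still relying on the drive’s firmware, while one that reports an AES mode such as “XTS-AES 128” is encrypted by Windows itself. The script below is an added example, not code from the article or from Microsoft; it parses that output and lists the volumes that still need the decrypt-and-re-encrypt step. The field and section names match what manage-bde prints; the embedded sample output is constructed for offline demonstration.

```powershell
# Added example: parse `manage-bde -status` and flag volumes whose Encryption Method
# is "Hardware Encryption" (firmware-based). Run from an elevated prompt on a real system.
function Get-BitLockerEncryptionMode {
    param(
        # Raw lines of `manage-bde -status`; by default the tool is run when no text is supplied.
        [string[]]$StatusText = (manage-bde -status)
    )
    $results = @()
    $current = $null
    foreach ($line in $StatusText) {
        # Each volume section starts with a line such as "Volume C: [Windows]"
        if ($line -match '^Volume ([A-Z]:)') {
            if ($current) { $results += $current }
            $current = [pscustomobject]@{ Volume = $Matches[1]; Method = 'Unknown'; Hardware = $false }
        }
        elseif ($current -and $line -match '^\s*Encryption Method:\s*(.+?)\s*$') {
            $current.Method   = $Matches[1]
            $current.Hardware = ($Matches[1] -like 'Hardware*')
        }
    }
    if ($current) { $results += $current }
    return $results
}

# Constructed sample output (shape follows manage-bde; the values are made up).
$sample = @'
Volume C: [Windows]
[OS Volume]

    Size:                 476.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    Hardware Encryption
    Protection Status:    Protection On

Volume D: [Data]
[Data Volume]

    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
'@ -split "`r?`n"

$modes = Get-BitLockerEncryptionMode -StatusText $sample
$modes | Format-Table
# Volumes still on firmware encryption must be decrypted and re-encrypted to move to software AES.
$modes | Where-Object Hardware | ForEach-Object { "Volume $($_.Volume) still uses firmware encryption ($($_.Method))" }
```

Drop the `-StatusText $sample` argument to inspect the machine the script runs on; only the sample volume C: is reported as hardware-encrypted.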
As SwiftOnSecurity notes, modern CPUs can handle performing these actions in software and you shouldn’t see a noticeable slowdown when BitLocker switches to software-based encryption.
BitLocker can still trust hardware encryption, if you like. That option is just disabled by default. For enterprises that have drives with firmware they trust, the “Configure use of hardware-based encryption for fixed data drives” option under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives in Group Policy will let them reactivate the use of hardware-based encryption. Everyone else should leave it alone.
It’s a shame Microsoft and the rest of us can’t trust disk manufacturers. But it makes sense: Sure, your laptop might be made by Dell, HP, or even Microsoft itself. But do you know what drive is in that laptop and who manufactured it? Do you trust that drive’s manufacturer to handle encryption securely and issue updates if there’s a problem? As we’ve learned, you probably shouldn’t. Now, Windows won’t either.