Some SSDs advertise support for “hardware encryption.” If you enable BitLocker on Windows, Microsoft trusts your SSD and doesn’t do anything. But researchers have found that many SSDs are doing a terrible job, which means BitLocker isn’t providing secure encryption.
Update: Microsoft has issued a security advisory about this problem. It includes a command you can use to check whether you’re using hardware or software encryption.
Update: Nearly a year later, BitLocker no longer trusts your SSD, so you can trust it once again.
Many SSDs Don’t Implement Encryption Properly
Even if you enable BitLocker encryption on a system, Windows 10 may not actually be encrypting your data. Instead, Windows 10 may be relying on your SSD to do it, and your SSD’s encryption may be easily broken.
That’s the conclusion from a new paper by researchers at Radboud University. They reverse engineered the firmware of many solid-state drives and found a variety of issues with the “hardware encryption” found in many SSDs.
The researchers tested drives from Crucial and Samsung, but we definitely wouldn’t be surprised if other manufacturers had major issues. Even if you don’t have any of these specific drives, you should be concerned.
For example, the Crucial MX300 includes an empty master password by default. Yes, that’s right—it has a master password set to nothing, and that empty password gives access to the encryption key that encrypts your files. That’s crazy.
The encrypted SSD has a master password that’s set to “”. But don’t worry, customers, you can turn it off! Everything will be fine. pic.twitter.com/hSlPCMyHsi
— Matthew Green (@matthew_d_green) November 5, 2018
BitLocker Trusts SSDs, But SSDs Aren’t Doing Their Jobs
This wouldn’t normally matter—after all, who uses the hardware encryption on an SSD? Windows users would use BitLocker instead. And BitLocker encrypts the files before storing them on the SSD, right?
Wrong. If your computer has a solid-state drive that says it can handle hardware encryption, BitLocker doesn’t do anything at all. BitLocker just trusts the SSD to encrypt your files, abandoning all responsibility. And, as researchers have found, SSD manufacturers are having some serious trouble implementing encryption properly.
Even if you opt to encrypt your laptop’s hard drive with BitLocker, you’re now relying on whatever company made the SSD in your laptop. Do you trust that the manufacturer of the drive in your laptop did a good job? Do you even know what company made your laptop’s internal SSD? Did your laptop manufacturer think about this before it selected a hard drive vendor?
BitLocker on Windows 7 does not support “offloading encryption to encrypted hard drives,” as Microsoft’s documentation puts it. In other words, this is a new feature in Windows 10, so Windows 7 systems won’t have the same problem.
How to Make BitLocker Use Software Encryption
If you’re using BitLocker encryption on an SSD, you can tell BitLocker to avoid using hardware-based encryption and use software-based encryption instead. But this requires Group Policy. Group Policy is only available on Windows 10 Professional—but then, so is the standard version of BitLocker.
On a single PC, open the local Group Policy Editor by pressing Windows+R, typing “gpedit.msc” into the Run dialog, and pressing Enter.
Head to the following location:
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives
Double-click the “Configure use of hardware-based encryption for fixed data drives” option in the right pane.
Select the “Disabled” option and click “OK.”
Microsoft says you must decrypt and re-encrypt the drive afterwards before this change will take effect.
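Two checks a practitioner would run alongside the steps above, as an added PowerShell example that is not from the article or from Microsoft: parse the output of manage-bde -status (the command Microsoft’s advisory refers to) to see which volumes BitLocker has left to the SSD, and write the registry policy values behind the Group Policy setting. The registry value names (FDVHardwareEncryption and its OS and removable-drive counterparts under HKLM\SOFTWARE\Policies\Microsoft\FVE) are an assumption to confirm against gpedit.msc on your build.

```powershell
# Added example, not from the article or from Microsoft. Run from an
# elevated PowerShell prompt on Windows 10.

function Get-BitLockerEncryptionKind {
    # manage-bde -status is the command Microsoft's advisory points to.
    $output = manage-bde -status 2>&1
    $results = @()
    $current = $null
    foreach ($line in $output) {
        # Each volume block begins with a line such as "Volume C: [Windows]".
        if ($line -match '^Volume ([A-Z]:)') {
            $current = [pscustomobject]@{ Volume = $Matches[1]; Method = 'Unknown'; UsesSsdEncryption = $false }
            $results += $current
        }
        elseif ($null -ne $current -and $line -match '^\s*Encryption Method:\s*(.+)$') {
            $current.Method = $Matches[1].Trim()
            # "Hardware Encryption" means BitLocker handed the job to the drive.
            $current.UsesSsdEncryption = ($current.Method -like 'Hardware*')
        }
    }
    return $results
}

function Disable-BitLockerHardwareEncryptionPolicy {
    # Assumption: these are the values the "Configure use of hardware-based
    # encryption" policies write. The article's step covers fixed data drives;
    # the OS and removable-drive values are the same setting for the other
    # two drive classes. Confirm the names in gpedit.msc before relying on them.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in 'FDVHardwareEncryption', 'OSHardwareEncryption', 'RDVHardwareEncryption') {
        New-ItemProperty -Path $key -Name $name -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

# Report every BitLocker volume, then flag the ones still relying on the SSD.
$volumes = Get-BitLockerEncryptionKind
$volumes | Format-Table Volume, Method, UsesSsdEncryption -AutoSize
$volumes | Where-Object UsesSsdEncryption | ForEach-Object {
    Write-Warning "$($_.Volume) relies on the SSD's encryption; decrypt and re-encrypt it after disabling the policy."
}
```

Changing the policy only affects volumes encrypted from then on, so any volume the report flags must be decrypted and re-encrypted, as the article notes.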
How to Encrypt Your SSD Without BitLocker
Rather than relying on BitLocker, you could also use the open-source VeraCrypt tool to encrypt your Windows system drive or any other drive. It’s based on the TrueCrypt software, which you might have heard of.
Unlike BitLocker, VeraCrypt is also available to Windows 10 Home and Windows 7 Home users. You don’t have to pay $100 for encryption. VeraCrypt doesn’t ever rely on SSDs to do the encryption work—VeraCrypt always handles the encryption itself.
Warning: Some big Windows 10 updates have caused issues with VeraCrypt in the past. We recommend having rescue media on hand, just in case. You won’t have these issues if you stick with BitLocker, so we recommend using BitLocker and disabling hardware encryption.
Why Does BitLocker Trust SSDs?
When available, hardware-based encryption can be faster than software-based encryption. So, if an SSD had solid hardware-based encryption technology, relying on that SSD would result in improved performance.
Unfortunately, it seems many SSD manufacturers cannot be trusted to implement this properly. If you need encryption, you’re better off using BitLocker’s software-based encryption so you don’t have to trust your SSD’s security.
In a perfect world, hardware-accelerated encryption is definitely better. That’s one reason why Apple includes a T2 security chip on its new Macs. The T2 chip uses a hardware-accelerated encryption engine to speedily encrypt and decrypt data stored on the Mac’s internal SSD.
But your Windows PC doesn’t use technology like that—it has an SSD from a manufacturer that probably didn’t spend much time thinking about security. And that’s no good.