Many consumer SSDs claim to support encryption, and BitLocker used to trust them. But, as we learned last year, those drives often do not encrypt data securely. Microsoft has now changed Windows 10 so that BitLocker no longer trusts those questionable SSDs and encrypts in software by default.
In summary, solid-state drives and other hard drives can claim to be "self-encrypting." If they did, BitLocker would not perform any encryption itself, even if you had enabled BitLocker manually. In theory that was good: the drive could perform the encryption itself at the firmware level, speed up the process, reduce CPU usage and perhaps save some energy. In reality it was bad: many drives had empty master passwords and other serious security flaws. We have learned that consumer SSDs cannot be trusted to implement encryption correctly.
Now Microsoft has changed things. By default, BitLocker ignores drives that claim to be self-encrypting, and the encryption is done in software. Even if you have a drive that claims to support encryption, BitLocker won't take its word for it.
This change arrived in the KB451
Microsoft gives up on SSD manufacturers: Windows no longer trusts disks that say they are self-encrypting. BitLocker will use CPU-accelerated AES encryption instead as standard. This is after an explanation of broad problems with firmware encryption. Http://t.co/6B357jzv46 pic.twitter.com/fP7F9BGzdD
– SwiftOnSecurity (@SwiftOnSecurity) 27 September, 2019
Existing systems with BitLocker are not automatically migrated and continue to use hardware encryption if they were originally set up that way. If BitLocker encryption is already enabled on your system, you must decrypt the drive and then re-encrypt it to ensure that BitLocker uses software encryption instead of hardware encryption. This Microsoft security bulletin contains a command that you can use to check whether your system uses hardware or software encryption.
As SwiftOnSecurity notes, modern CPUs can perform this work in software, and you should not see any noticeable slowdown when BitLocker switches to software encryption.
BitLocker can still trust hardware encryption if you want it to. That option is simply disabled by default. For companies that have drives with firmware they trust, the option "Configure use of hardware-based encryption for fixed data drives" under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Fixed Data Drives in Group Policy allows them to keep using hardware-based encryption. Everyone else should leave it alone.
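The two checks described above, whether existing volumes are still relying on drive firmware and whether the Group Policy setting has been turned on, can be scripted. The following PowerShell is an added example written for this page, not code from Microsoft or the bulletin. It assumes that `manage-bde -status` reports "Hardware Encryption" on the "Encryption Method" line for self-encrypting drives (and an algorithm name such as "XTS-AES 128" for software encryption), and it assumes the policy is stored as the `FDVHardwareEncryption` value under `HKLM:\SOFTWARE\Policies\Microsoft\FVE`; verify that value name against your own Group Policy templates. Run it from an elevated prompt.

```powershell
# Added example (not part of the article): audit BitLocker volumes and flag any
# that still use drive (hardware) encryption, which existing volumes keep until
# they are decrypted and re-encrypted. Requires an elevated PowerShell session.

function Get-BitLockerEncryptionModes {
    # manage-bde -status prints one block per volume. The "Encryption Method"
    # line reads "Hardware Encryption" for self-encrypting drives and an
    # algorithm name (e.g. "XTS-AES 128") when BitLocker encrypts in software.
    $text = (& manage-bde.exe -status) -join "`n"
    $results = @()
    # Split on volume headers such as "Volume C: [Windows]".
    $blocks = $text -split '(?m)^Volume\s+(?=[A-Z]:)'
    foreach ($block in $blocks) {
        if ($block -notmatch '^([A-Z]:)') { continue }
        $drive = $Matches[1]
        $method = 'Unknown'
        if ($block -match 'Encryption Method:\s*(.+)') { $method = $Matches[1].Trim() }
        $state = 'Unknown'
        if ($block -match 'Conversion Status:\s*(.+)') { $state = $Matches[1].Trim() }
        $results += [pscustomobject]@{
            Drive            = $drive
            EncryptionMethod = $method
            ConversionStatus = $state
            UsesHardware     = ($method -like 'Hardware*')
        }
    }
    return $results
}

function Get-HardwareEncryptionPolicy {
    # Group Policy writes BitLocker settings under this key. The value name for
    # "Configure use of hardware-based encryption for fixed data drives" is an
    # ASSUMPTION here (FDVHardwareEncryption: 1 = allowed, 0 = disallowed).
    # An absent value means Not Configured, i.e. the new default (software) applies.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $item = Get-ItemProperty -Path $key -Name 'FDVHardwareEncryption' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.FDVHardwareEncryption -eq 1) { return 'Enabled' }
    return 'Disabled'
}

$policy = Get-HardwareEncryptionPolicy
Write-Host "Hardware-encryption policy for fixed data drives: $policy"

$volumes = Get-BitLockerEncryptionModes
$volumes | Format-Table Drive, EncryptionMethod, ConversionStatus, UsesHardware -AutoSize

# Existing volumes are not migrated automatically: report the remediation steps
# (decrypt, wait for completion, re-enable) rather than running them unattended.
foreach ($v in ($volumes | Where-Object UsesHardware)) {
    Write-Warning ("{0} is still protected by drive firmware. To move it to software " +
                   "encryption, decrypt it (manage-bde -off {0}), wait until " +
                   "'Fully Decrypted', then re-enable BitLocker (manage-bde -on {0})." -f $v.Drive)
}
```

The script deliberately only reports; decrypting and re-encrypting a system drive takes time and should be scheduled, and the policy check is there so an administrator can confirm that nobody has quietly re-enabled hardware encryption on a fleet that is supposed to rely on software encryption.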
It is unfortunate that Microsoft and the rest of us cannot trust the drive manufacturers. But it makes sense: sure, your laptop may be made by Dell, HP or even Microsoft itself. But do you know which drive is in that laptop and who made it? Are you confident that the manufacturer of that drive implements encryption correctly and will issue updates if there is a problem? As we learned, you probably shouldn't be. Now Windows isn't either.
RELATED: You cannot trust BitLocker to encrypt your SSD on Windows 10