[German]Microsoft doesn’t trust self-encrypting drives (SEDs) no more and has begun to encrypt self-encrypting drives (SEDs) using Bitlocker in Windows 10.
Cause: SSD manufacturers fail with encryption
Self-encrypting drives (SEDs) are actually a good thing because the operating system doesn’t have to worry about encryption. However, the problem is that these drives do not work reliably in terms of encryption. In November 2018 Microsoft had to publish the security advisory ADV180028 entitled Guidance for configuring BitLocker to enforce software encryption. The background was that the self-encrypting drives (SEDs) had weaknesses in hardware encryption.
On Windows computers with self-encrypting drives, BitLocker Drive Encryption™ was configured to use hardware encryption by default. Customers who were worried about the vulnerabilities they discovered were advised to take action by Microsoft. Administrators who want to enforce software encryption on computers with self-encrypting drives can do so by deploying Group Policy. This Group Policy overrides the Windows default behavior, which is hardware encryption, and Bitlocker encrypts the data using software.
Microsoft switches to Bitlocker for encryption
Now Microsoft starts to deactivate the hardware encryption in Windows 10 and uses a software encryption with Bitlocker. I was made aware of this by the following tweet.
Microsoft gives up on SSD manufacturers: Windows will no longer trust drives that say they can encrypt themselves, BitLocker will default to CPU-accelerated AES encryption instead. This is after an exposé on broad issues with firmware-powered encryption.https://t.co/6B357jzv46 pic.twitter.com/fP7F9BGzdD
— SwiftOnSecurity (@SwiftOnSecurity) September 27, 2019
The support article for update KB4516071 for Windows 10 Version 1709, released on September 24, 2019, contains the following item:
Changes the default setting for BitLocker when encrypting a self-encrypting hard drive. Now, the default is to use software encryption for newly encrypted drives. For existing drives, the type of encryption will not change.
When encrypting a ‘self-encrypting drive’, the update changes the setting. Instead of using the encryption by the drive, Windows 10 itself does this using Bitlocker. The same text can be found in Update KB4516061 for Windows 10 Version 1607 and Windows Server 2016.
Meanwhile sites like Tom’s Hardware also report about this issue (with reference to the Tweet and further statements by @SwiftOnSecurity). For other Windows 10 builds, I haven’t found a clue to this change yet. I’m not sure if and when other Windows 10 builds will make this change.
Cookies helps to fund this blog: Cookie settings