{"id":11287,"date":"2019-09-30T01:44:14","date_gmt":"2019-09-29T23:44:14","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=11287"},"modified":"2022-03-18T06:01:21","modified_gmt":"2022-03-18T05:01:21","slug":"microsoft-setzt-bei-self-encrypting-drives-seds-auf-bitlocker-verschlsselung","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2019\/09\/30\/microsoft-setzt-bei-self-encrypting-drives-seds-auf-bitlocker-verschlsselung\/","title":{"rendered":"Microsoft uses Bitlocker on self-encrypting drives (SEDs)"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" height=\"47\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2019\/09\/30\/microsoft-setzt-bei-self-encrypting-drives-seds-auf-bitlocker-verschlsselung\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]Microsoft no longer trusts self-encrypting drives (SEDs) and has begun to encrypt them using Bitlocker in Windows 10.<\/p>\n<h2>Cause: SSD manufacturers fail at encryption<\/h2>\n<p>Self-encrypting drives (SEDs) are a good thing in principle, because the operating system doesn't have to handle encryption itself. The problem is that the encryption on these drives does not work reliably. In November 2018 Microsoft had to publish the security advisory <a href=\"https:\/\/web.archive.org\/web\/20201027201617\/https:\/\/portal.msrc.microsoft.com\/en-us\/security-guidance\/advisory\/ADV180028\" target=\"_blank\" rel=\"noopener noreferrer\">ADV180028<\/a> entitled <em>Guidance for configuring BitLocker to enforce software encryption<\/em>. 
The background was that self-encrypting drives (SEDs) had weaknesses in their hardware encryption.<\/p>\n<p>On Windows computers with self-encrypting drives, BitLocker Drive Encryption\u2122 was configured to use hardware encryption by default. Microsoft advised customers who were worried about the discovered vulnerabilities to take action. Administrators who want to enforce software encryption on computers with self-encrypting drives can do so by deploying a Group Policy. This Group Policy overrides the Windows default behavior, which is hardware encryption, so that Bitlocker encrypts the data in software.<\/p>\n<h2>Microsoft switches to Bitlocker for encryption<\/h2>\n<p>Microsoft is now starting to deactivate hardware encryption in Windows 10 and to use software encryption with Bitlocker instead. I was made aware of this by the following tweet.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">Microsoft gives up on SSD manufacturers: Windows will no longer trust drives that say they can encrypt themselves, BitLocker will default to CPU-accelerated AES encryption instead. 
This is after an expos\u00e9 on broad issues with firmware-powered encryption.<a href=\"https:\/\/t.co\/6B357jzv46\">https:\/\/t.co\/6B357jzv46<\/a> <a href=\"https:\/\/t.co\/fP7F9BGzdD\">pic.twitter.com\/fP7F9BGzdD<\/a><\/p>\n<p>\u2014 SwiftOnSecurity (@SwiftOnSecurity) <a href=\"https:\/\/twitter.com\/SwiftOnSecurity\/status\/1177429658259927040?ref_src=twsrc%5Etfw\">September 27, 2019<\/a><\/p><\/blockquote>\n<p>The support article for update <a href=\"https:\/\/support.microsoft.com\/en-us\/help\/4516071\/windows-10-update-kb4516071\" target=\"_blank\" rel=\"noopener noreferrer\">KB4516071<\/a> for Windows 10 Version 1709, released on September 24, 2019, contains the following item:<\/p>\n<blockquote><p>Changes the default setting for BitLocker when encrypting a self-encrypting hard drive. Now, the default is to use software encryption for newly encrypted drives. For existing drives, the type of encryption will not change.<\/p><\/blockquote>\n<p>When a self-encrypting drive is encrypted, the update changes the default setting: instead of relying on the drive's own encryption, Windows 10 performs the encryption itself using Bitlocker. The same text can be found in the article for update <a href=\"https:\/\/support.microsoft.com\/en-us\/help\/4516061\" target=\"_blank\" rel=\"noopener noreferrer\">KB4516061<\/a> for Windows 10 Version 1607 and Windows Server 2016.<\/p>\n<p>Meanwhile, sites like <a href=\"https:\/\/www.tomshardware.com\/news\/bitlocker-encrypts-self-encrypting-ssds,40504.html\" target=\"_blank\" rel=\"noopener noreferrer\">Tom's Hardware<\/a> are also reporting on this issue (with reference to the <a href=\"https:\/\/twitter.com\/SwiftOnSecurity\/status\/1177429658259927040\" target=\"_blank\" rel=\"noopener noreferrer\">Tweet<\/a> and further statements by @SwiftOnSecurity). For other Windows 10 builds, I haven't found a clue to this change yet. 
I'm not sure if and when other Windows 10 builds will make this change.<\/p>\n<p><strong>Similar articles:<br \/>\n<\/strong><a href=\"https:\/\/borncity.com\/win\/2018\/11\/07\/bitlocker-on-ssds-microsoft-security-advisory-notification-nov-6-2018\/\">Bitlocker on SSDs: Microsoft Security Advisory Notification (Nov. 6, 2018)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Microsoft no longer trusts self-encrypting drives (SEDs) and has begun to encrypt them using Bitlocker in Windows 10.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[356,69,194],"class_list":["post-11287","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-bitlocker","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/11287","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=11287"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/11287\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=11287"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=11287"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=11287"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}