To paraphrase Fox Mulder, trust no self-encrypting SSD. As of the latest Windows 10 update, Microsoft’s BitLocker encryption tool that’s built into Pro and Enterprise versions will no longer assume that self-encrypting SSDs are, you know, actually securing their data. After researchers demonstrated last year that flaws in many self-encrypting SSDs could let baddies bypass that encryption thanks to a mixture of poor security implementations and secret Master Passwords set by the SSD manufacturers, Microsoft has closed that potential loophole by having BitLocker not trust hardware-based encryption by default.
Swift on Security, the pseudonymous infosec Twitter rockstar, first noticed the tweak, which Microsoft published on September 24 as part of the KB4516071 update: “Changes the default setting for BitLocker when encrypting a self-encrypting hard drive,” the update reads. “Now, the default is to use software encryption for newly encrypted drives. For existing drives, the type of encryption will not change.”
That means that any SSDs you secure with BitLocker will now rely on software-based AES encryption performed by your processor, regardless of whether the drive claims to perform its own hardware-based encryption.
If you trust your SSD’s encryption implementation, you can still tell BitLocker to use it instead, but that is now an opt-in setting rather than the default. Alternatively, if you no longer trust your self-encrypting SSD’s firmware and you already use BitLocker on it, you’ll need to decrypt the drive, then encrypt it again to blow away the existing hardware-based reliance and move to BitLocker’s software-based encryption instead.
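The check and the decrypt-then-re-encrypt procedure described above, as an added PowerShell example that is not part of the original article or of any Microsoft tooling. It assumes the BitLocker PowerShell module (Get-BitLockerVolume, Disable-BitLocker, Enable-BitLocker, Add-BitLockerKeyProtector) in an elevated session on Windows 10 Pro or Enterprise, that the module reports drives relying on the SSD’s own encryption with an EncryptionMethod of "Hardware", and that the hardware-encryption opt-in policies live under the FVE policy key as the three DWORD values named in the script; treat those names as the author’s assumptions, to be verified against the Group Policy reference.

```powershell
# Added example: find BitLocker volumes that still rely on the SSD's own encryption,
# report the hardware-encryption opt-in policy state, and optionally migrate the
# volumes to software AES. Run elevated. Migration only happens with -Migrate.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Migrate
)

# Assumption: these policy values back the "Configure use of hardware-based
# encryption" Group Policy settings; absent or 0 means hardware encryption is
# not opted in (the new default described in the article).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
foreach ($name in 'OSHardwareEncryption', 'FDVHardwareEncryption', 'RDVHardwareEncryption') {
    $value = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
    "{0,-24} {1}" -f $name, $(if ($null -eq $value) { 'not set (software encryption)' } else { $value })
}

$volumes = Get-BitLockerVolume

# Inventory: one row per volume, flagging the ones the drive is encrypting itself.
$volumes | ForEach-Object {
    [pscustomobject]@{
        MountPoint       = $_.MountPoint
        VolumeType       = $_.VolumeType
        VolumeStatus     = $_.VolumeStatus
        EncryptionMethod = $_.EncryptionMethod
        RelyingOnSSD     = ($_.EncryptionMethod -eq 'Hardware')
    }
} | Format-Table -AutoSize

if (-not $Migrate) { return }

foreach ($v in ($volumes | Where-Object { $_.EncryptionMethod -eq 'Hardware' })) {
    if (-not $PSCmdlet.ShouldProcess($v.MountPoint, 'Decrypt, then re-encrypt with software XTS-AES-256')) {
        continue
    }

    # Step 1: decrypt. This is what removes the dependency on the drive's firmware.
    Disable-BitLocker -MountPoint $v.MountPoint

    # Step 2: wait for decryption to complete before re-encrypting.
    do {
        Start-Sleep -Seconds 30
        $status = (Get-BitLockerVolume -MountPoint $v.MountPoint).VolumeStatus
        Write-Verbose ("{0}: {1}" -f $v.MountPoint, $status)
    } while ($status -ne 'FullyDecrypted')

    # Step 3: re-encrypt in software. The recovery password is printed so it can be
    # escrowed; OS volumes additionally get a TPM protector for unattended boot.
    $result = Enable-BitLocker -MountPoint $v.MountPoint -EncryptionMethod XtsAes256 `
        -RecoveryPasswordProtector -UsedSpaceOnly
    $result.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object { "Recovery password for {0}: {1}" -f $v.MountPoint, $_.RecoveryPassword }

    if ($v.VolumeType -eq 'OperatingSystem') {
        Add-BitLockerKeyProtector -MountPoint $v.MountPoint -TpmProtector
    }
}
```

Run it without switches to get the inventory only; `-Migrate -WhatIf` shows which volumes would be touched, and `-Migrate` performs the decrypt and re-encrypt. Escrow the printed recovery password (for example to Active Directory or Azure AD) before rebooting, and expect the decryption wait to take a long time on large, fully used volumes.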
Our beginner’s guide to BitLocker can help you start using Microsoft’s encryption tool, though you’ll need specific hardware features and the Pro or Enterprise version of Windows 10 to access it. Home versions of Windows 10 don’t support BitLocker.
It’s a shame that self-encrypting SSDs can’t be fully trusted to be secure—that’s their proverbial One Job. But Microsoft deserves props for providing a safety net with BitLocker rather than letting end users potentially be lulled into thinking their data is protected when it’s not.