Mitigate Windows 10 BitLocker Hardware Encryption Vulnerabilities on SSD

Microsoft released security advisory ADV180028, Guidance for configuring BitLocker to enforce software encryption, on November 6, 2018, in response to the research paper Self-encrypting deception: weaknesses in the encryption of solid state drives (SSDs) by Carlo Meijer and Bernard van Gastel of Radboud University. The researchers found flaws in SSDs that support hardware encryption which allowed them to recover data from an encrypted drive without knowing the password used to encrypt it.

BitLocker supports both software and hardware encryption, but it uses hardware encryption by default whenever the drive supports it. Microsoft therefore recommends enforcing software encryption on SSDs through Group Policy settings.

Verify BitLocker Encryption Method

Step 1: Open a Command Prompt with the Run as administrator option.

Step 2: Type

Step 3: Check the Encryption Method line of each volume for Hardware Encryption.

Step 4: If hardware encryption is not referenced in the output, the SSD is using software encryption or BitLocker is not enabled on it.
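The check above can be scripted so that every volume on a machine is classified in one pass. The following PowerShell is an added example and not code from the original post; it runs manage-bde -status itself, so it needs an elevated prompt, and its regular expressions assume the English-language output of manage-bde (the "Volume X:" and "Encryption Method:" labels are localized on other system languages).

```powershell
# Added example (not from the original post): parse manage-bde -status and flag every
# volume whose Encryption Method line mentions hardware encryption.
# Run from an elevated PowerShell prompt; manage-bde requires administrator rights.

function Get-BitLockerEncryptionMethodReport {
    # manage-bde prints one block per volume, each starting with "Volume C: [Label]".
    $lines = & manage-bde -status 2>&1
    $results = @()
    $current = $null

    foreach ($line in $lines) {
        if ($line -match '^Volume\s+([A-Z]:)') {
            $current = [pscustomobject]@{
                Volume   = $Matches[1]
                Method   = 'Unknown'
                Hardware = $false
            }
            $results += $current
        }
        elseif ($null -ne $current -and $line -match '^\s*Encryption Method:\s*(.+)$') {
            # Hardware-encrypted volumes report e.g. "Hardware Encryption - <OID>";
            # software methods read "XTS-AES 256", "AES 128", or "None" when not encrypted.
            $current.Method   = $Matches[1].Trim()
            $current.Hardware = ($current.Method -like '*Hardware Encryption*')
        }
    }
    return $results
}

# Usage: list the volumes that still rely on the drive's own encryption.
$report = Get-BitLockerEncryptionMethodReport
$affected = $report | Where-Object Hardware
if ($affected) {
    'Volumes using SSD hardware encryption (switch these to software encryption):'
    $affected | Format-Table Volume, Method -AutoSize
} else {
    'No volume reports hardware encryption.'
}
```

A volume that shows Hardware is the case ADV180028 is about: its data is protected only by the SSD's own encryption, so it is the one to decrypt and re-encrypt once the policy change below is in place.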

Switch to BitLocker Software Encryption via BitLocker Group Policy settings

Step 1: Open Start menu.

Step 2: Type

Step 3: Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption.

For the system drive, open Operating System Drives and double click on Configure use of hardware-based encryption for operating system drives.

For fixed data drives, open Fixed Data Drives and double click on Configure use of hardware-based encryption for Fixed Data Drives.

For removable drives, open Removable Data Drives and double click on Configure use of hardware-based encryption for Removable Data Drives.

Step 4: Set each of the required policies to Disabled. A value of Disabled forces BitLocker to use software encryption for all drives, even those that support hardware encryption. The setting applies only to drives that are encrypted after the change, including new drives that you connect to the computer.
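Where the Local Group Policy Editor is not convenient (for example on many machines, or in a build script), the same three policies can be set and audited through the registry values that Group Policy writes. The following PowerShell is an added example and not part of the original post. It assumes the policy values live under HKLM\SOFTWARE\Policies\Microsoft\FVE and are named OSHardwareEncryption, FDVHardwareEncryption and RDVHardwareEncryption, which is what the BitLocker ADMX template (VolumeEncryption.admx) maps these settings to as far as I know; confirm the names against your own template before deploying.

```powershell
# Added example (not from the original post): enforce and audit the three
# "Configure use of hardware-based encryption for ..." policies via the registry.
# Value names below are assumed from VolumeEncryption.admx; verify before use.
# Requires an elevated prompt.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$HardwareEncryptionPolicies = @(
    'OSHardwareEncryption',   # Operating System Drives  (assumed value name)
    'FDVHardwareEncryption',  # Fixed Data Drives        (assumed value name)
    'RDVHardwareEncryption'   # Removable Data Drives    (assumed value name)
)

function Set-BitLockerSoftwareEncryptionPolicy {
    # Writes each policy as a DWORD 0, which corresponds to "Disabled" in gpedit:
    # BitLocker must then use software encryption for every newly encrypted drive.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    foreach ($name in $HardwareEncryptionPolicies) {
        New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

function Test-BitLockerSoftwareEncryptionPolicy {
    # Returns one row per policy. Compliant is $true only when the value exists AND is 0;
    # a missing value means "Not Configured", and BitLocker then defaults to hardware encryption.
    foreach ($name in $HardwareEncryptionPolicies) {
        $value = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Policy    = $name
            Value     = if ($null -eq $value) { 'Not Configured' } else { $value }
            Compliant = ($null -ne $value -and $value -eq 0)
        }
    }
}

# Usage: apply, then show the audit table.
Set-BitLockerSoftwareEncryptionPolicy
Test-BitLockerSoftwareEncryptionPolicy | Format-Table -AutoSize
```

Note that on a domain-joined machine a GPO refresh rewrites this key, so the durable fix is to set the three policies in a domain GPO; the audit function is still useful there because it reads the effective value regardless of where it came from.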


Turn off BitLocker on existing drive

BitLocker won’t apply the new encryption method to drives that are already encrypted.

Note: You do not need to reformat the drive or reinstall any applications after changing the BitLocker settings.

Step 1: Open File Explorer on the computer.

Step 2: Right click on the drive and select Manage BitLocker from the context menu.

Step 3: Select Turn off BitLocker to decrypt the drive.


Step 4: Once decryption has finished, enable BitLocker on the drive again so that it is re-encrypted under the new policy.
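The decrypt-and-re-encrypt cycle above is the slow, error-prone part when more than one machine is involved, so here it is as a PowerShell function using the built-in BitLocker cmdlets. This is an added example, not code from the original post. It assumes the drive letter is passed in, that the OS drive uses a TPM protector plus a recovery password and data drives a recovery password (adjust the protectors to your own policy), and that recovery keys are backed up before anything is decrypted. It needs an elevated prompt.

```powershell
# Added example (not from the original post): decrypt a BitLocker volume, wait for the
# background decryption to complete, then re-encrypt it with a software cipher.
# Protector choices and the drive letter are assumptions; run from an elevated prompt.

function Reset-BitLockerToSoftwareEncryption {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,   # e.g. 'C:' or 'D:'
        [switch] $OperatingSystemDrive                 # use a TPM protector for the OS drive
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        # Disable-BitLocker returns immediately; decryption continues in the background,
        # so poll VolumeStatus until the volume is fully decrypted.
        Disable-BitLocker -MountPoint $MountPoint | Out-Null
        do {
            Start-Sleep -Seconds 30
            $vol = Get-BitLockerVolume -MountPoint $MountPoint
            Write-Verbose ('{0}: {1} ({2}% encrypted)' -f $MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage)
        } until ($vol.VolumeStatus -eq 'FullyDecrypted')
    }

    # Re-enable with an explicit software cipher. With the hardware-encryption policies
    # set to Disabled, BitLocker will not hand encryption back to the SSD.
    if ($OperatingSystemDrive) {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest | Out-Null
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    } else {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -RecoveryPasswordProtector | Out-Null
    }

    # Return the volume so the caller can confirm EncryptionMethod is now a software cipher.
    return Get-BitLockerVolume -MountPoint $MountPoint
}

# Usage: re-encrypt the system drive, then print the method actually in use.
$result = Reset-BitLockerToSoftwareEncryption -MountPoint 'C:' -OperatingSystemDrive -Verbose
$result | Select-Object MountPoint, VolumeStatus, EncryptionMethod, EncryptionPercentage
```

The final line is the real check: after re-encryption the EncryptionMethod should read XtsAes256 rather than Hardware. Print the new recovery password from Get-BitLockerVolume's KeyProtector property and store it (Active Directory, Intune or your key escrow) before rebooting, since the old recovery keys no longer apply.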

Originally published at pupuweb.com on November 7, 2018.

Written by

Technology Blogger writing about emerging technologies (pupuweb.com) and marketing/lifestyle (paminy.com)
