Mitigate Windows 10 BitLocker Hardware Encryption Vulnerabilities on SSD
Microsoft released security advisory ADV180028, Guidance for configuring BitLocker to enforce software encryption, on November 6, 2018, in response to the research paper Self-encrypting deception: weaknesses in the encryption of solid state drives (SSDs) by Carlo Meijer and Bernard van Gastel of Radboud University. The researchers discovered vulnerabilities in SSDs that support hardware encryption which allowed them to retrieve data from an encrypted drive without knowing the password used to encrypt the data on it.
Although BitLocker supports both software and hardware encryption, it uses hardware encryption by default when the drive supports it. Microsoft suggests enforcing software encryption on SSDs using Group Policy settings.
Verify BitLocker Encryption Method
Step 1: Open a Command Prompt using the Run as administrator option.
Step 2: Type
Step 3: Check for Hardware Encryption under Encryption Method.
Step 4: If you don't find Hardware Encryption referenced in the output, the SSD uses software encryption or there is no BitLocker encryption on it.
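The check in Step 3 can be scripted. The following PowerShell function is an added example, not part of the original post: it parses the output of manage-bde -status (or a constructed sample of that output, used here so it runs offline) and flags volumes whose Encryption Method line names Hardware Encryption.

```powershell
# Added example: find BitLocker volumes that rely on the drive's hardware encryption.
function Get-HardwareEncryptedVolumes {
    param(
        # Lines of `manage-bde -status` output; defaults to running the tool live.
        [string[]]$StatusLines = (manage-bde -status)
    )
    $results = @()
    $current = $null
    foreach ($line in $StatusLines) {
        # Each volume section starts with a line such as "Volume C: [Windows]"
        if ($line -match '^Volume\s+([A-Z]:)') {
            $current = [pscustomobject]@{ Drive = $Matches[1]; Method = ''; Hardware = $false }
            $results += $current
        }
        elseif ($current -and $line -match '^\s*Encryption Method:\s*(.+)$') {
            $current.Method = $Matches[1].Trim()
            # The advisory's check: the method line starts with "Hardware Encryption"
            $current.Hardware = $current.Method -like 'Hardware Encryption*'
        }
    }
    return $results
}

# Constructed sample of manage-bde -status output, trimmed to the fields the check needs
$sample = @(
    'Volume C: [Windows]',
    '[OS Volume]',
    '    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2',
    '    Protection Status:    Protection On',
    'Volume D: [Data]',
    '[Data Volume]',
    '    Encryption Method:    XTS-AES 128',
    '    Protection Status:    Protection On'
)

# Only drive C: is reported; drive D: already uses software (XTS-AES) encryption
Get-HardwareEncryptedVolumes -StatusLines $sample |
    Where-Object Hardware |
    ForEach-Object { "Drive $($_.Drive) uses $($_.Method): decrypt and re-encrypt after the policy change" }
```

Run the function without -StatusLines on the machine you are auditing to check its real volumes.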
Switch to BitLocker Software Encryption via BitLocker Group Policy settings
Step 1: Open Start menu.
Step 2: Type
Step 3: Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption.
For the system drive, open Operating System Drives and double click on Configure use of hardware-based encryption for operating system drives.
For fixed data drives, open Fixed Data Drives and double click on Configure use of hardware-based encryption for Fixed Data Drives.
For removable drives, open Removable Data Drives and double click on Configure use of hardware-based encryption for Removable Data Drives.
Step 4: Set the required policies to Disabled. A value of Disabled forces BitLocker to use software encryption for all drives, even those that support hardware encryption. The setting applies to new drives that you connect to the computer.
Turn off BitLocker on existing drive
BitLocker won’t apply the new encryption method to drives that are already encrypted.
Note: You do not need to reformat the drive or reinstall any applications after changing the BitLocker settings.
Step 1: Open Explorer on the computer.
Step 2: Right-click on the drive and select Manage BitLocker from the context menu.
Step 3: Select Turn off BitLocker to decrypt the drive.
Step 4: Enable BitLocker encryption again on the drive.
Originally published at pupuweb.com on November 7, 2018.