
You Can’t Trust BitLocker to Encrypt Your SSD on Windows 10

[Category: System (Windows) | Posted by: 店小二03 | Date: 2018 | Author: 红领巾]

Some SSDs advertise support for “hardware encryption.” If you enable BitLocker on Windows, Microsoft trusts your SSD and doesn’t do anything. But researchers have found that many SSDs are doing a terrible job, which means BitLocker isn’t providing secure encryption.

Many SSDs Don’t Implement Encryption Properly

Even if you enable BitLocker encryption on a system, Windows 10 may not actually be encrypting your data. Instead, Windows 10 may be relying on your SSD to do it, and your SSD’s encryption may be easily broken.

That’s the conclusion from a new paper by researchers at Radboud University. They reverse engineered the firmware of many solid-state drives and found a variety of issues with the “hardware encryption” found in many SSDs.

The researchers tested drives from Crucial and Samsung, but we definitely wouldn’t be surprised if other manufacturers had major issues. Even if you don’t have any of these specific drives, you should be concerned.

For example, the Crucial MX300 includes an empty master password by default. Yes, that’s right―it has a master password set to nothing, and that empty password gives access to the encryption key that encrypts your files. That’s crazy.

The encrypted SSD has a master password that’s set to “”. But don’t worry, customers, you can turn it off! Everything will be fine. pic.twitter.com/hSlPCMyHsi

― Matthew Green (@matthew_d_green) November 5, 2018

BitLocker Trusts SSDs, But SSDs Aren’t Doing Their Jobs

This wouldn’t normally matter―after all, who uses the hardware encryption on an SSD? Windows users would use BitLocker instead. And BitLocker encrypts the files before storing them on the SSD, right?

Wrong. If your computer has a solid-state drive that says it can handle hardware encryption, BitLocker doesn’t do anything at all. BitLocker just trusts the SSD to encrypt your files, abandoning all responsibility. And, as researchers have found, SSD manufacturers are having some serious trouble implementing encryption properly.

Even if you opt to encrypt your laptop’s hard drive with BitLocker, you’re now relying on whatever company made the SSD in your laptop. Do you trust that the manufacturer of the drive in your laptop did a good job? Do you even know what company made your laptop’s internal SSD? Did your laptop manufacturer think about this before it selected a hard drive vendor?

BitLocker on Windows 7 does not support “offloading encryption to encrypted hard drives,” as Microsoft’s documentation puts it. In other words, this is a new feature in Windows 10, so Windows 7 systems won’t have the same problem.

How to Make BitLocker Use Software Encryption

If you’re using BitLocker encryption on an SSD, you can tell BitLocker to avoid using hardware-based encryption and use software-based encryption instead. But this requires Group Policy. Group Policy is only available on Windows 10 Professional, but then, so is the standard version of BitLocker.

On a single PC, open the local Group Policy Editor by pressing Windows+R, typing “gpedit.msc” into the Run dialog, and pressing Enter.


Head to the following location:

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

Double-click the “Configure use of hardware-based encryption for fixed data drives” option in the right pane.


Select the “Disabled” option and click “OK.”


You may need to suspend BitLocker protection and re-enable it afterwards. This forces Windows to unencrypt and then re-encrypt the drive.
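
To see whether a given PC is affected before and after changing the policy, the following PowerShell audit (an added example, not part of the original article) lists each BitLocker volume, flags any whose encryption is offloaded to the drive, and reports the hardware-encryption policy state. It goes slightly beyond the fixed-data-drive setting above by also reading the equivalent operating-system-drive setting. The registry value names and the `HardwareEncryption` method name are assumptions about how the policy and the BitLocker module expose this.

```powershell
# Added example: audit BitLocker volumes for drive-offloaded (hardware) encryption.
# Run from an elevated PowerShell prompt on a Windows edition that includes BitLocker.

# Assumed registry location of the "Configure use of hardware-based encryption ..."
# policies: 0 = Disabled (software only), 1 = Enabled, absent = Not configured.
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policyNames = @{
    OperatingSystem = 'OSHardwareEncryption'
    Data            = 'FDVHardwareEncryption'
}

function Get-HardwareEncryptionPolicy {
    param([string]$VolumeType)
    $name = $policyNames[$VolumeType]
    if (-not $name) { return 'n/a' }
    $prop  = Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue
    $value = if ($prop) { $prop.$name } else { $null }
    if ($null -eq $value) { return 'Not configured' }
    if ($value -eq 0)     { return 'Disabled (software only)' }
    return 'Enabled (hardware allowed)'
}

$report = foreach ($vol in Get-BitLockerVolume) {
    # Assumed: the module reports 'HardwareEncryption' when the SSD does the work.
    $method = "$($vol.EncryptionMethod)"
    if ($method -eq 'HardwareEncryption') {
        $finding = 'Relies on SSD firmware encryption'
    }
    elseif ("$($vol.VolumeStatus)" -eq 'FullyDecrypted') {
        $finding = 'Not encrypted'
    }
    else {
        $finding = 'BitLocker software encryption'
    }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeType       = $vol.VolumeType
        VolumeStatus     = $vol.VolumeStatus
        EncryptionMethod = $method
        Policy           = Get-HardwareEncryptionPolicy -VolumeType "$($vol.VolumeType)"
        Finding          = $finding
    }
}

$report | Format-Table -AutoSize
```

A volume that still shows “Relies on SSD firmware encryption” after the policy is set to Disabled has not yet been re-encrypted in software.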

How to Encrypt Your SSD Without BitLocker

Rather than relying on BitLocker, you could also use the open-source VeraCrypt tool to encrypt your Windows system drive or any other drive. It’s based on the TrueCrypt software, which you might have heard of.

Unlike BitLocker, VeraCrypt is also available to Windows 10 Home and Windows 7 Home users. You don’t have to pay $100 for encryption. VeraCrypt doesn’t ever rely on SSDs to do the encryption work; VeraCrypt always handles the encryption itself.

Why Does BitLocker Trust SSDs?

When available, hardware-based encryption can be faster than software-based encryption. So, if an SSD had solid hardware-based encryption technology, relying on that SSD would result in improved performance.

Unfortunately, it seems many SSD manufacturers cannot be trusted to implement this properly. If you need encryption, you’re better off using BitLocker’s software-based encryption so you don’t have to trust your SSD’s security.

In a perfect world, hardware-accelerated encryption is definitely better. That’s one reason why Apple includes a T2 security chip on its new Macs. The T2 chip uses a hardware-accelerated encryption engine to speedily encrypt and decrypt data stored on the Mac’s internal SSD.

But your Windows PC doesn’t use technology like that―it has an SSD from a manufacturer that probably didn’t spend much time thinking about security. And that’s no good.
