According to release notes Microsoft has published for the incremental KB4516071 update for Windows 10, the company will no longer use the hardware encryption capabilities built into some SSDs when the BitLocker security framework is enabled. Instead, Windows will apply its own software encryption. The change has been attributed by security experts to reports that major SSD manufacturers have not been taking adequate security measures with their implementations of encryption, resulting in potentially easy ways to bypass the security protections that users might take for granted. Microsoft is effectively taking control of the process, rather than trusting SSD manufacturers. The change will not affect existing BitLocker volumes.
As pointed out by the popular Twitter account SwiftOnSecurity, the change comes almost a year after a research report published by Radboud University in the Netherlands revealed that some implementations of hardware encryption on an SSD can be defeated by simply using a manufacturer’s master password, or by intercepting the DEK (Disk Encryption Key) which itself is not cryptographically encoded. These processes can be used by an attacker to defeat an SSD’s own security without needing to know the user’s own encryption key.
The research report identified several popular consumer SSD models sold by Crucial and Samsung. The findings applied to internal as well as external SSDs, and the researchers stated that many more drives might be affected. Both companies have since released security patches that are said to address this issue.
As reported by ZDNet at the time, the research report specifically noted that Windows BitLocker users were at risk because Microsoft by default allows SSDs to handle their own encryption. The company now seems to have changed its mind, and is taking control of the process, at least for newly created volumes.
Modern PCs can take advantage of specific instructions on newer CPUs that are designed to accelerate software encryption without creating significant overhead in terms of CPU workload. SSDs can be encrypted and decrypted on the fly, for most kinds of applications, negating the advantages of native hardware encryption.
Users (or IT administrators) who wish to switch from hardware to software encryption will first have to decrypt their drives entirely and then re-encrypt them. As always, there will still be the ability to rely on hardware encryption, which users can take advantage of if they are certain that their SSDs are secure.