New SSD - Enabling BitLocker Defaults to Hardware Encryption Mode

  • Question

  • This is my first time using an SSD drive for my laptop, so would like to ask the question below:

    Just got a new Crucial MX500 2.5 inch SSD internal drive for my laptop. I enabled BitLocker, and MANAGE-BDE -STATUS shows that BitLocker is using Hardware Encryption. Why is this? The package does not even state that it's an encrypted SSD. I am so confused.

    How can I disable this and use BitLocker the way I used to which was in Software Encryption mode?

    Thanks!

    • Edited by AS.Bowen Sunday, October 21, 2018 12:12 PM
    Sunday, October 21, 2018 7:05 AM

All replies

  • By default, if the drive allows it, BitLocker will use hardware encryption, because it has better performance. What is your problem with it? Most modern SSDs support hardware encryption out of the box, as you can see.
    Sunday, October 21, 2018 1:51 PM
  • Thanks for the quick response.

    Well, for now, I need to use BitLocker the way I used to before. That's all. Until my decision is reached, I need to use BitLocker in Software Encryption mode. I disabled BitLocker and then set the following Group Policy: Configure use of hardware-based encryption for operating system drives = DISABLED

    I re-enabled BitLocker again, and this time it seems to be software-based encryption again according to MANAGE-BDE -STATUS. Hopefully, I did not have to reinstall Windows 10 for this change? Please confirm this.

    Another question: if I decide to use BitLocker with Hardware Encryption mode for my SSD down the road, I noticed this also relies on the TPM. So my question is, suppose for example I do some major UEFI firmware upgrade or major changes in the firmware, or do some major hardware upgrades on my laptop, will BitLocker be in Recovery Mode even when using the SSD in Hardware Encryption mode?

    Another question: will SSD hardware-based encryption with BitLocker still leave me exposed to DMA or cold-boot attacks?

    • Edited by AS.Bowen Sunday, October 21, 2018 3:36 PM
    Sunday, October 21, 2018 3:01 PM
  • You proceeded correctly. No need to reinstall.

    HW encryption does not act differently, so yes, when used with a TPM, you will need to suspend it before doing firmware updates to avoid recovery mode.

    Without using the TPM together with a pre-boot authentication PIN, you will be endangered by cold-boot attacks. HW encryption does not change that.

    Sunday, October 21, 2018 4:18 PM
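An added audit script (not from this thread or from Microsoft) that checks the two points discussed above: whether each BitLocker volume is in hardware or software encryption mode and what the OS-drive hardware-encryption policy is set to, and whether the OS volume has a pre-boot PIN protector rather than a TPM-only protector. It assumes an elevated PowerShell session on Windows 10 with the BitLocker module; the FVE registry value name OSHardwareEncryption is taken from memory of the BitLocker ADMX and is an assumption to verify against the Group Policy editor.

```powershell
# Added example, not code from the thread: audit BitLocker volumes for
# encryption mode and pre-boot authentication. Run in an elevated session.
function Get-BitLockerAudit {
    [CmdletBinding()]
    param()

    # Policy "Configure use of hardware-based encryption for operating system drives".
    # Value name is an assumption from the BitLocker ADMX. Absent = Not Configured,
    # which (per the last reply in the thread) lets BitLocker pick hardware
    # encryption when the drive supports it; 0 = Disabled (software encryption).
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $policyItem = Get-ItemProperty -Path $policyPath -Name 'OSHardwareEncryption' -ErrorAction SilentlyContinue
    $osHwPolicy = if ($null -ne $policyItem) { $policyItem.OSHardwareEncryption } else { $null }
    if ($null -eq $osHwPolicy) {
        $policyState = 'NotConfigured (hardware encryption allowed)'
    } elseif ($osHwPolicy -eq 0) {
        $policyState = 'Disabled (software encryption enforced)'
    } else {
        $policyState = "Enabled ($osHwPolicy)"
    }

    foreach ($vol in Get-BitLockerVolume) {
        # manage-bde -status reports "Hardware Encryption"; the cmdlet reports
        # the EncryptionMethod enum value "Hardware" for the same state.
        $method = [string]$vol.EncryptionMethod
        $protectorTypes = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

        # A TPM-only protector releases the volume key at boot with no user
        # secret; the reply above notes a pre-boot PIN is what blunts cold-boot
        # attacks, regardless of hardware or software encryption.
        $hasPreBootPin = ($protectorTypes -contains 'TpmPin') -or
                         ($protectorTypes -contains 'TpmPinStartupKey')

        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeType        = $vol.VolumeType
            ProtectionStatus  = $vol.ProtectionStatus
            EncryptionMethod  = $method
            HardwareEncrypted = ($method -eq 'Hardware')
            KeyProtectors     = ($protectorTypes -join ',')
            PreBootPin        = $hasPreBootPin
            OsHwPolicy        = $policyState
        }
    }
}

# Flag OS volumes that rely on the TPM alone (no PIN), the case the reply warns about.
Get-BitLockerAudit | Format-Table -AutoSize
Get-BitLockerAudit | Where-Object { $_.VolumeType -eq 'OperatingSystem' -and -not $_.PreBootPin } |
    ForEach-Object { Write-Warning "OS volume $($_.MountPoint) has no pre-boot PIN protector." }
```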
  • So, getting back to your question as to why I am not using the SSD's built-in encryption.

    I would ask the same question as to why most businesses and enterprises are not implementing these as well? Maybe some do or are starting to, but most of the enterprises still stick with software-based BitLocker.

    • Edited by AS.Bowen Monday, October 22, 2018 6:55 AM
    Monday, October 22, 2018 6:52 AM
  • "most of the enterprises still stick with software-based BitLocker." - how do you know? You don't have numbers to support that, do you? Who knows, I don't.
    Monday, October 22, 2018 7:11 AM
  • As for the performance impact, it is not noticeable when using BitLocker in Software encryption mode. Performance does not matter with encryption because nowadays many new computing devices come packed with a lot of computing power anyway. So that should not be an issue.

    Secondly, drive encryption adds complexity and risk to enterprises. Keys must be managed to start with: every drive will have a KEK (key encryption key) that must be tracked and itself securely protected. That introduces management complexity.

    Many enterprises often have policies prohibiting physical data storage devices (HDDs and SSDs) from ever leaving a data center intact. Drives are physically destroyed, perhaps using a drive shredder, when they are to be discarded. Adding physical encryption to such devices may be viewed as having little value compared to the complexity and risk.

    Beyond that, yes, there are enterprises that do leverage drive encryption, but it is used in specific cases where it is needed. For data-at-rest encryption, other technologies and methods are used that are more encompassing, as drive encryption only protects against data loss from unauthorized physical access to the drive itself.

    Thanks for the responses and support.

    Tuesday, October 23, 2018 6:23 AM
  • Hi Ronald,

    Thanks for this. Have you got a link to a spec that documents the fact that BitLocker will use hardware encryption by default?

    Thanks,
    Alan

    Tuesday, November 13, 2018 5:21 PM
  • Here, Alan:

    https://gpsearch.azurewebsites.net/#8152

    "If you do not configure this policy setting, BitLocker will use hardware-based encryption with the encryption algorithm set for the drive." (by default, this GPO is not configured).

    Wednesday, November 14, 2018 7:15 AM