How to Mitigate Windows 10 BitLocker Hardware Encryption Vulnerabilities on SSD

Microsoft released security advisory ADV180028, Guidance for configuring BitLocker to enforce software encryption, on November 6, 2018, in response to the research paper Self-encrypting deception: weaknesses in the encryption of solid state drives (SSDs) by Carlo Meijer and Bernard van Gastel of Radboud University. The researchers found flaws in SSDs that support hardware encryption which let them retrieve data from an encrypted drive without knowing the password used to encrypt it.

The vulnerability affects SSDs that support hardware encryption. Exploiting it requires local (physical) access to the SSD; the researchers reverse engineered the drives' firmware to reach the data.

The researchers tested only a handful of solid state drives with a hardware encryption feature: Crucial MX100, MX200 and MX300, Samsung T3 and T5, and Samsung 840 EVO and 850 EVO. It seems likely that additional drives are vulnerable as well. The Crucial MX300 ships with an empty master password by default, which grants access to the key that encrypts your files.

Affected Microsoft products include Windows 10, Windows 8.1 and Windows Server 2012, 2012 R2, 2016 and 2019. BitLocker on Windows 7 is not affected, because it does not support offloading encryption to self-encrypting drives.

Although BitLocker supports both software and hardware encryption, it uses hardware encryption by default whenever the drive supports it. Microsoft's recommended mitigation is to enforce software encryption on SSDs through Group Policy.

Verify BitLocker Encryption Method

Step 1: Open a Command Prompt using the Run as administrator option.

Step 2: Type manage-bde.exe -status

Step 3: Check for Hardware Encryption under Encryption Method.

Step 4: If hardware encryption is not referenced in the output, the drive is either using software encryption or is not BitLocker-protected at all.

Switch to BitLocker Software Encryption via BitLocker Group Policy settings

Step 1: Open Start menu.

Step 2: Type gpedit.msc

Step 3: Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption.

For the system drive, open Operating System Drives and double click on Configure use of hardware-based encryption for operating system drives.

For fixed data drives, open Fixed Data Drives and double click on Configure use of hardware-based encryption for Fixed Data Drives.

For removable drives, open Removable Data Drives and double click on Configure use of hardware-based encryption for Removable Data Drives.

Step 4: Set each of these policies to Disabled. A value of Disabled forces BitLocker to use software encryption for all drives, even those that support hardware encryption. The setting only applies to drives that are encrypted after the change, including new drives that you connect to the computer.

Switching to software encryption using BitLocker with a Group Policy.

Turn off BitLocker on existing drives

BitLocker won’t apply the new encryption method to drives that are already encrypted.

Note: You do NOT need to reformat the drive or reinstall any applications after changing the BitLocker settings.

Step 1: Open File Explorer on the computer.

Step 2: Right click on the drive and select Manage BitLocker from the context menu.

Step 3: Select Turn off BitLocker to decrypt the drive.

Turn off BitLocker

Step 4: Once decryption has completed, turn BitLocker on again for the drive; with the policies set to Disabled it will now use software encryption.
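The same audit-then-convert workflow, scripted with the BitLocker PowerShell module. This is an added example, not code from the advisory or this post; it assumes an elevated session and that the three "Configure use of hardware-based encryption" policies are backed by the registry value names shown (an assumption to confirm against gpedit.msc on your system).

```powershell
# Added example (not from ADV180028 or the original post). Requires the BitLocker
# module (Get-/Disable-/Enable-BitLocker) and an administrator session.
#Requires -RunAsAdministrator

# Verify step: which volumes still rely on the drive's own (SED) encryption?
function Get-HardwareEncryptedBitLockerVolume {
    Get-BitLockerVolume |
        Where-Object { $_.EncryptionMethod -eq 'Hardware' } |
        Select-Object MountPoint, VolumeType, VolumeStatus, EncryptionMethod
}

# Registry-backed form of the three Group Policy settings. ASSUMPTION: these value
# names come from the FVE policy template; confirm them in gpedit.msc. Disabled = 0.
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$PolicyValues = 'OSHardwareEncryption', 'FDVHardwareEncryption', 'RDVHardwareEncryption'

function Test-SoftwareEncryptionPolicy {
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($name in $PolicyValues) {
        if ($null -eq $props -or $props.$name -ne 0) {
            Write-Warning "$name is not Disabled; re-encrypting would select hardware encryption again."
            return $false
        }
    }
    return $true
}

# Turn-off / turn-on steps: decrypt, wait for completion, re-encrypt in software (XTS-AES 256).
function Convert-BitLockerVolumeToSoftwareEncryption {
    param([Parameter(Mandatory)][string]$MountPoint)
    if (-not (Test-SoftwareEncryptionPolicy)) { throw 'Set the policies to Disabled before converting.' }
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    do {
        Start-Sleep -Seconds 30
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        # EncryptionPercentage falls toward 0 while decrypting
        Write-Progress -Activity "Decrypting $MountPoint" -PercentComplete (100 - $vol.EncryptionPercentage)
    } while ($vol.VolumeStatus -ne 'FullyDecrypted')
    # OS volume: TPM protector; data volume: recovery password. Adjust to your own key policy.
    $protector = if ($vol.VolumeType -eq 'OperatingSystem') { @{ TpmProtector = $true } }
                 else { @{ RecoveryPasswordProtector = $true } }
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 @protector
}

# Audit only; call Convert-BitLockerVolumeToSoftwareEncryption -MountPoint 'C:' to remediate.
Get-HardwareEncryptedBitLockerVolume
```

Re-run the audit function after conversion and confirm EncryptionMethod no longer reports Hardware for any volume.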