In June last year security researchers discovered that SSD hardware encryption could be trivially bypassed with only $100 of tools by simply reflashing the drive firmware.
The issue only affected hardware encryption, not software encryption, and BitLocker was found to be “exceptionally vulnerable” when using hardware encryption (also called self-encryption), which relies on the SSD itself to encrypt and decrypt data correctly.
At the time Microsoft suggested users switch to software encryption for more protection, and now in the latest version of Windows 10 19H1 Microsoft appears to have switched to software encryption by default.
Windows 10 build 18317 BitLocker GPO opts out hardware-based encryption.
"If you do not configure this policy setting, BitLocker will use software-based encryption"
Used to be
"If you do not configure this policy setting, BitLocker will use hardware-based encryption" pic.twitter.com/5oMybPHP3U
— Tero Alhonen (@teroalhonen) January 16, 2019
As Tero notes, previously, if your SSD supported hardware encryption, Windows 10 would default to that mode because it is faster and less resource intensive; the new GPO default is software encryption.
If you care enough about the security of your data to use BitLocker, you may want to check if you are using software or hardware encryption by:
- Open an elevated command prompt, e.g. by opening the Start menu, typing cmd.exe, right-clicking on the result, and selecting the “run as administrator” option.
- Confirm the UAC prompt that is displayed.
- Type manage-bde.exe -status.
- Check for “Hardware Encryption” under Encryption Method.
The drive is using software encryption if there is no reference to hardware encryption in the output.
To switch to software encryption you will need to decrypt the drive and re-encrypt it.
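The manual check above can be scripted so every BitLocker volume on a machine is reported at once. The following PowerShell is an added example written for this article, not Microsoft's own tooling: it uses the built-in `Get-BitLockerVolume` cmdlet (whose `EncryptionMethod` value is `Hardware` for a self-encrypting drive) and cross-checks the system drive with the same `manage-bde -status` output the steps above describe. The registry value name `OSEnableHardwareEncryption` used for the policy check is assumed to be the one behind the GPO in the tweet and should be verified against your own FVE.admx.

```powershell
# Added example (not from the article): report hardware vs software BitLocker encryption per volume.
# Run from an elevated PowerShell session on Windows 10 Pro/Enterprise with the BitLocker module.
#Requires -RunAsAdministrator

function Get-BitLockerEncryptionMode {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # EncryptionMethod is an enum: 'Hardware' means the SSD's own self-encryption is in use,
        # 'None' means the volume is not encrypted, and the AES/XTS values are software encryption.
        $method = $vol.EncryptionMethod.ToString()
        $mode = switch ($method) {
            'Hardware' { 'Hardware (SED)' }
            'None'     { 'Not encrypted' }
            default    { 'Software' }
        }
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionMethod = $method
            Mode             = $mode
        }
    }
}

# Cross-check with the command from the article: manage-bde -status prints
# "Encryption Method: Hardware Encryption ..." when the drive encrypts itself.
function Test-ManageBdeHardwareEncryption {
    param([string]$Drive = $env:SystemDrive)
    $output = & manage-bde.exe -status $Drive 2>&1 | Out-String
    return [bool]($output -match 'Encryption Method:\s+Hardware Encryption')
}

# Policy check. ASSUMPTION: the "Configure use of hardware-based encryption for operating
# system drives" GPO is stored as the DWORD OSEnableHardwareEncryption under the FVE policy key;
# a missing value means "not configured", which on 19H1 builds falls back to software encryption.
function Get-OsDriveHardwareEncryptionPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $value = (Get-ItemProperty -Path $key -Name 'OSEnableHardwareEncryption' -ErrorAction SilentlyContinue).OSEnableHardwareEncryption
    switch ($value) {
        $null { 'Not configured (build default applies)' }
        1     { 'Enabled: hardware encryption allowed' }
        0     { 'Disabled: software encryption enforced' }
        default { "Unexpected value $value" }
    }
}

Get-BitLockerEncryptionMode | Format-Table -AutoSize
"OS drive hardware-encryption policy: $(Get-OsDriveHardwareEncryptionPolicy)"
if (Test-ManageBdeHardwareEncryption) {
    Write-Warning "$env:SystemDrive relies on SSD hardware encryption; decrypt and re-encrypt to move to software encryption."
}
```

Moving a volume to software encryption follows the article's advice: `Disable-BitLocker -MountPoint C:` starts decryption, and once `Get-BitLockerVolume` reports `FullyDecrypted` you can re-enable BitLocker with the policy set to disallow hardware encryption so the new encryption method is an AES/XTS software one rather than `Hardware`.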
The issue only affects SSDs and not HDDs, but SSDs have almost become the default in mid-range and higher laptops.
Read more about the issue at Microsoft’s advisory here.