Discussion in 'Article Discussion' started by bit-tech, 5 Nov 2018.
Wow. This could be huge, especially knowing how many companies rely on the protections of Bitlocker as standard policy.
But how big is the realistic threat? How easy is it to implement? What measures can be taken to make SSDs safer? Firmware updates, or better hardware?
Needs more study.
Tiny typo spotted: second author's surname should be "van Gastel" (with -el).
The paper's pretty detailed in how the attacks work, but they all require physical access - which, given that's exactly the scenario data encryption is supposed to protect against, ain't exactly good.
Samsung's already released firmware updates for the T3 and T5 - plus the T1, but for some reason you have to talk to support to get that one - which it claims fix the problems, but it recommends that users of its other drives give up on the hardware encryption and use software encryption (after making sure the software encryption is actually software encryption, i.e. don't use BitLocker). Crucial/Micron ain't got back to me yet.
Hah - years of mentally correcting all the American -el suffixes in press releases to -le has me undone! Fixed now - ta!
Presumably Bitlocker could be updated with a blacklist of drives with non-functional encryption and 'failed over' to the software implementation if one is present.
So when you say software encryption you're talking about programs like Veracrypt?
I noticed that the program has a number of encryption methods, so I was wondering which one would be secure but not affect the read/write speeds too much (i5-7300HQ CPU).
Article updated with Samsung, Micron, and Microsoft statements - the latter including instructions for switching BitLocker from hardware to software encryption (which you can only do via Group Policy changes, annoyingly).
Aye, that sort of thing.
When in doubt, go AES: it's the same algorithm the hardware encryption uses, and modern CPUs include AES acceleration instructions. Handily, Veracrypt has a built-in benchmark - here are the results from a test on my A10-5800K desktop:
As you can see, AES is by far and away the fastest algorithm thanks to the acceleration instructions. At 1.4GB/s write and 1.9GB/s read, it's considerably faster than most SSDs - so you shouldn't see an impact, except that it will load the CPU during encryption and decryption operations. In other words, things might be a bit slower.
The other algorithms are really only there if you don't trust the US Government-approved AES algorithm, and come with considerable performance penalties - especially when you start chaining them, which is what the brackets indicate: AES(Twofish(Serpent)) means data is encrypted first with AES, then the encrypted output encrypted again with Twofish, then the encrypted output encrypted again with Serpent. If there's a flaw or backdoor in any one of the three algorithms, your data is still secure - but you take a major performance hit.
On Samsung drives the BitLocker issue should be much less of an issue, as you have to go out of your way to press the ready button to enable e-drive support and reload Windows, and the UEFI BIOS has to support e-drive as well, and maybe have a TPM chip as well.
Crucial, unfortunately, has e-drive enabled by default (no way to turn it off), and so if you meet the requirements for a drive on BitLocker then it will instantly enable BitLocker, which means hardware-based encryption is being used (you can use gpedit or the BitLocker manager - I'll have to check what it is again later) to force BitLocker to use software BitLocker.
If you enable BitLocker and you have that percentage progress bar, then you are using software-based BitLocker, which for the majority of people will be the case (as you need to meet at least three or four requirements to make BitLocker e-drive work).
If MS wanted to assure that it's secure they could make BitLocker use software-based BitLocker when enabled, as most CPUs have AES hardware acceleration (make hardware optional in BitLocker manager instead of preferred).
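As an added example (not code from bit-tech, Microsoft or anyone in this thread), here is a PowerShell audit for the check the posts above keep coming back to: which BitLocker volumes currently report hardware (drive-based) encryption, and whether Group Policy already forces the software implementation. It assumes the three FVE registry value names are the ones written by the "Configure use of hardware-based encryption" policies; the "Encryption Method" line of manage-bde -status is the indicator it parses.

```powershell
# Added example for this thread; not Microsoft's or bit-tech's code.
# Assumption: the FVE registry values below are written by the Group Policy settings
# "Configure use of hardware-based encryption for operating system / fixed / removable drives".

function Get-BitLockerEncryptionMethods {
    # manage-bde -status prints one block per volume; a volume that was handed to the
    # SSD's own encryption shows "Encryption Method: Hardware Encryption" rather than
    # a software method such as XTS-AES 128 or AES-CBC 256.
    $text = & manage-bde.exe -status 2>&1 | Out-String
    $volume = $null
    foreach ($line in ($text -split "`r?`n")) {
        if ($line -match '^Volume\s+(\S+)') {
            $volume = $Matches[1]                       # e.g. "C:"
        }
        elseif ($volume -and $line -match '^\s*Encryption Method:\s*(.+?)\s*$') {
            [pscustomobject]@{
                Volume         = $volume
                Method         = $Matches[1]
                UsesDriveCrypt = ($Matches[1] -match 'Hardware')
            }
        }
    }
}

function Get-HardwareEncryptionPolicy {
    # Value 0 = policy Disabled: BitLocker must use software encryption for that drive class.
    # Value absent = Not Configured: BitLocker prefers hardware encryption when the drive offers it.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'     # assumed policy location
    foreach ($name in 'OSHardwareEncryption', 'FDVHardwareEncryption', 'RDVHardwareEncryption') {
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        $state = if ($null -eq $value) { 'not configured (hardware preferred)' }
                 elseif ($value -eq 0) { 'disabled (software forced)' }
                 else                  { 'enabled (hardware allowed)' }
        [pscustomobject]@{ Policy = $name; State = $state }
    }
}

Get-BitLockerEncryptionMethods | Format-Table -AutoSize
Get-HardwareEncryptionPolicy   | Format-Table -AutoSize

# Changing the policy only affects volumes encrypted after the change: a volume that
# already reports "Hardware Encryption" keeps using the drive's encryption until it is
# decrypted (manage-bde -off) and encrypted again (manage-bde -on), so re-run this audit afterwards.
```

Run it from an elevated prompt, since manage-bde needs administrator rights to report volume status.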