Microsoft Windows includes a software encryption feature called BitLocker. BitLocker is designed to protect data by encrypting entire storage volumes. A volume, or logical drive, is a single storage area that has a single file system.
By default, BitLocker uses the AES encryption algorithm in cipher block chaining (CBC) or XTS mode with a 128-bit or 256-bit key (CBC is is applied to each individual disk sector). When used in conjunction with a compatible Trusted Platform Module (TPM) on the host computer, BitLocker validates the integrity of boot and system files before decrypting a protected volume. An unsuccessful validation will prohibit access to a protected system.
Unfortunately, BitLocker and security concerns go hand-in-hand. Over the years, cold boot attacks, ability to bypass authentication, ability to bypass BitLocker encryption, and so on are all part of the BitLocker legacy. Known flaws have been addressed, but let’s note that hackers regularly—and successfully—attack BitLocker.
A few weeks ago, the New Secret-Spilling Hole in Intel CPUs Sends Company Patching (Again) article by Dan Goodin on Ars Technica, said researchers found a way to obtain the fuse encryption key unique to each CPU. With this vulnerability, hackers can access developer mode. In developer mode, an attacker can extract the encryption key stored in the TPM enclave. If the TPM is storing a BitLocker key, the attacker defeats BitLocker protection, too.
Consider a 2019 column by Chris Hoffman on the How-To Geek website called You Can’t Trust BitLocker to Encrypt Your SSD on Windows 10. According to Hoffman, if your SSD doesn’t support hardware encryption (i.e., self-encryption), then BitLocker software encryption occurs on the host computer. This reduces overall system performance since hardware encryption is faster than software encryption.
Does BitLocker Trust Your Drive?
Hoffman highlighted this problem: if the drive identified itself to Windows 10 as an SED, then the OS would trust it and disable BitLocker encryption, even if you had explicitly turned it on. Unfortunately, many consumer-grade SEDs have empty master passwords and other potential security failures, including sub-standard encryption in some cases. Nearly a year after its original publication, the article was updated with a link to a new column, Windows 10’s BitLocker Encryption No Longer Trusts Your SSD, which says Microsoft changed Windows 10 to stop trusting SEDs and revert back to using BitLocker’s software encryption, with all of its associated overhead.
What to make of all this? Well, hardware encryption in an SED is faster than software encryption on the host system. However, you need to be confident in the quality of the SED implementation—such as you find in a FIPS-certified SED.
We also know it’s crucial for a zero-trust (ZT) environment to secure Data at Rest (DAR), where DAR refers to data that resides on an SSD. A state-of-the-art DAR implementation uses a FIPS- or CC-certified SED. Access to the data needs to use authorization acquisition. (Authorization acquisition occurring prior to booting the OS is known as pre-boot authentication (PBA)). For even higher levels of security, multi-factor authorization (MFA) must be implemented.
Finally, are you ready for more alphabet soup? An SED manufacturer cannot simply claim that its drive has an EE and supports AA using MFA and PBA. For the best security, the Federal Government also requires that a DAR solution be TAA compliant and FIPS- or CC-certified. Oh, even if a manufacturer says its SSD is FIPS-certified, make sure it really is. We’ve seen misleading claims before. Anyway, BitLocker may be sufficient for private or low-security usage, but do you want to rely on it when securing data truly matters?
(BTW, if you are unsure as to what these terms mean, check out the Additional Resources section below.)
At DIGISTOR, we specialize in helping military and government agencies and commercial entities of all sizes find the right encrypted storage solution to secure their DAR. With a wide range of secure storage offerings, from bare drives to removable solutions to Commercial Solutions for Classified (CSfC)-ready SSDs, we can assist with specifying the appropriate storage devices to secure your important data. If you have any questions as to securing DAR might apply to your own data security requirements, please feel free to contact us.
Whitepaper: Is Your Data at Rest (DAR) Truly Secure?
Article on EEJournal.com: Secure Your Data at Rest, Stupid!