Whole-disk encryption is a form of data security that encrypts all the data on a hard disk, irrespective of what that data might be.
Encryption and decryption happen at a low level, making it transparent to normal usage. As long as you’re able to log in to your Windows machine, you’ll have access to everything on it as if it were unencrypted. Turn the machine off, and the data is inaccessible and securely encrypted until you sign in again.
Low-level encryption and decryption can happen either by the hard disk itself, as data is read from or written to the drive (hardware encryption) or by Windows (software encryption).
The problem? Some drives using hardware-based encryption have been discovered to have vulnerabilities that could allow encrypted data to be exposed.
- BitLocker is available only in certain editions of Windows — for all others, this is a non-issue.
- Some drives have vulnerabilities in their whole-disk encryption implementation.
- You can check to see if your BitLocker encryption is using hardware encryption.
- If it is, consider converting to software-based encryption instead.
BitLocker, Microsoft’s encryption technology, is available in Windows 10 versions I refer to as “Windows Pro or better”. That means all editions other than Windows Home, or, conversely, only on the Windows Pro, Enterprise, and Education editions. (I refer to “Pro or better” because specific editions can change. Windows editions seem to come and go, but they all seem to fall on either side of that “Pro or better” delineation.)
Thus, if you have Windows Home, there’s nothing for you here. The vulnerability being discussed involves the hardware encryption that may or may not be present in the disk drives in your machine. If you’re interested in full-disk encryption, a tool like VeraCrypt would be fine, and because it’s a software-based solution, it should also sidestep the issue.
The Register published an article titled Solid state of fear: Euro boffins bust open SSD, BitLocker encryption (it’s really, really dumb). The headline is both misleading and inflammatory (as is the body of the article, to be honest), but the meat of the issue is very real.
BitLocker is not at fault. The drives themselves are. And yes, it is kinda dumb. Quoting The Register:
…you can seize a drive and, via a debug port, reprogram it to accept any password. At that point, the SSD will use its stored keys to cipher and decipher its contents. Yes, it’s that dumb.
BitLocker’s mistake, if you want to call it that, is to trust that hardware encryption was implemented properly. Clearly, that’s a bad assumption.
However, BitLocker can be instructed not to make that assumption.
First, let’s see if you have a problem at all.
Checking for hardware encryption
To run a Command Prompt in Administrative Mode, right-click on Start and then click on Command Prompt (Admin).
In the resulting Command Prompt window, enter the command:
Followed by Enter. This will print a short report for each drive internal to your system.
In the example above, “Conversion Status: Fully Decrypted” indicates that this drive does not have BitLocker full-disk encryption enabled.
In this example, “Conversion Status: Used Space Only Encrypted” indicates that only actual files, and not free space, have been encrypted on the drive.
More importantly, though, “Encryption Method: XTS-AES 128” indicates software-based encryption. If the drive we’re using has the vulnerability we’ve been discussing, it doesn’t matter — we’re not using hardware-based encryption.
If the encryption method is listed as “Hardware Encryption”, BitLocker is relying on the drive to provide the encryption. If that drive suffers from the vulnerability, your data might be at risk of exposure.
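As an added example (not part of the Ask Leo! article), here are two ways to flag volumes where BitLocker has deferred to the drive’s own encryption engine: a live check through the BitLocker PowerShell module, and a parser for a saved report in the format that manage-bde -status prints (the “Conversion Status” and “Encryption Method” lines quoted above). Function names are my own, and the sample report is constructed.

```powershell
# 1. Live check through the BitLocker PowerShell module (elevated, Windows Pro or better).
function Get-BitLockerHardwareRisk {
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus        # e.g. FullyDecrypted, FullyEncrypted
            EncryptionMethod = $_.EncryptionMethod    # XtsAes128, Aes256, Hardware, None ...
            # Only 'Hardware' means the SSD itself is doing the encryption.
            AtRisk           = ($_.EncryptionMethod -eq 'Hardware')
        }
    }
}

# 2. Offline check that parses a saved manage-bde -status report (for example one
#    pasted into a support ticket). Emits one object per volume found.
function Find-HardwareEncryptionInReport {
    param([Parameter(Mandatory)][string]$Report)
    $volume = $null
    foreach ($line in ($Report -split "`r?`n")) {
        if ($line -match '^Volume\s+(\S+)') { $volume = $Matches[1] }   # "Volume C: [Windows]"
        elseif ($line -match 'Encryption Method:\s*(.+?)\s*$') {
            [pscustomobject]@{
                Volume = $volume
                Method = $Matches[1]
                AtRisk = ($Matches[1] -like 'Hardware*')   # "Hardware Encryption ..." lines
            }
        }
    }
}

# Constructed sample report: a software-encrypted OS volume and a data volume
# that relies on the drive's hardware encryption.
$sample = @"
Volume C: [Windows]
[OS Volume]
    Conversion Status:    Used Space Only Encrypted
    Encryption Method:    XTS-AES 128
Volume D: [Data]
[Data Volume]
    Conversion Status:    Fully Encrypted
    Encryption Method:    Hardware Encryption
"@

# Prints a line for D: only; C: uses software encryption and is unaffected.
Find-HardwareEncryptionInReport -Report $sample |
    Where-Object AtRisk |
    ForEach-Object { "Volume $($_.Volume) uses $($_.Method): convert to software encryption" }
```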
Converting hardware- to software-based encryption
It’s a somewhat time-consuming process, but you can convert BitLocker whole-drive encryption that uses hardware encryption to use software encryption instead.
Prevent hardware use
First, run “gpedit.msc”, the Group Policy Editor. Once open, navigate to (expand each node in turn by clicking the “>” to its left):
> Administrative Templates
> Windows Components
> BitLocker Drive Encryption
> Fixed Data Drives (optional — seems to be present only on some systems)
There, look for “Configure use of hardware-based encryption for fixed data drives”.
Double-click on that to open it.
Change the setting to Disabled, click OK to close the dialog, and close the Group Policy Editor.
Re-encrypt the drive
Re-encrypting the drive means nothing more than turning encryption off and then back on again.
Right-click on the drive in Windows File Explorer and click on Manage BitLocker.
Click on Turn off BitLocker. After confirming this is what you want to do, the drive will be decrypted in place. This may take some time, depending on the size of your drive.
When complete, the status will change from “BitLocker Decrypting” to “BitLocker off”.
Click on the “Turn on BitLocker” link to begin the process of encrypting the drive. Because we disabled the option to use hardware encryption, software encryption will be used.
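The decrypt-then-re-encrypt cycle above can be scripted for a data drive, as in this added example (my own code, not from the article). It assumes the Group Policy change from the previous step has already been made, since that policy is what stops BitLocker from choosing hardware encryption; the script only automates the turn-off, wait, turn-on sequence and then verifies the result. $MountPoint and the function name are my own.

```powershell
# Run from an elevated PowerShell on Windows Pro or better, AFTER disabling
# "Configure use of hardware-based encryption for fixed data drives" in gpedit.msc.
function Convert-BitLockerToSoftware {
    param(
        [Parameter(Mandatory)][string]$MountPoint,   # a data drive, e.g. 'D:'
        [int]$PollSeconds = 30
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.EncryptionMethod -ne 'Hardware') {
        Write-Host "$MountPoint already uses $($vol.EncryptionMethod); nothing to do."
        return $vol
    }

    # Same as "Turn off BitLocker": decrypts in place, which can take a while.
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    do {
        Start-Sleep -Seconds $PollSeconds
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host "$MountPoint : $($vol.VolumeStatus), $($vol.EncryptionPercentage)% encrypted"
    } while ($vol.VolumeStatus -ne 'FullyDecrypted')

    # Same as "Turn on BitLocker". An explicit software algorithm is requested and a
    # recovery-password protector is created; the policy change keeps BitLocker
    # from falling back to the drive's engine.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes128 `
        -RecoveryPasswordProtector -UsedSpaceOnly | Out-Null

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.EncryptionMethod -eq 'Hardware') {
        throw "$MountPoint still reports hardware encryption; re-check the Group Policy setting."
    }
    # Back up this recovery password somewhere safe before relying on the drive.
    $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object { Write-Host "Recovery password for $MountPoint : $($_.RecoveryPassword)" }
    return $vol
}
```

For the operating-system drive the corresponding policy is the one for operating system drives, and Enable-BitLocker needs a TPM-based protector instead of only a recovery password.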
Is there a downside?
One of the reasons hardware encryption is attractive is that it doesn’t place an additional computational load on your computer’s processor. Since we’ve taken that option off the table, your computer will be doing the work of encryption and decryption.
In theory, you could notice a small performance degradation, depending on the characteristics of your computer. In practice, it’s unlikely you’ll notice a thing.
And even if you did, the extra security of encryption that actually works is worth it.