BitLocker hardware encryption recommendation

German version can be found here.

In the beginning of November, two researchers from Nijmegen, Netherlands published a concerning research paper. In their research, they looked at hardware-based encryption of modern SSD drives. They found that every tested drive can be fully decrypted without knowing the key. The original paper can be downloaded here.

In reaction, Microsoft issued an Advisory ADV180028 in which they recommend to disable hardware-based encryption for now and only use software-based encryption.

Our security team conducted some tests in which we focused on usability and performance. We can recommend the software-based encryption with good conscience.

For BitLocker, this setting can easily be controlled by a GPO. It can be found in Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption. In all three subfolders (Fixed Data Drives, Operating System Drives, Removable Data Drives), there is a setting called “Configure use of hardware-based encryption for … drives”. Set these to Disabled and BitLocker will no longer use hardware-based encryption.

If a drive is already encrypted with hardware encryption, setting this GPO will not re-encrypt the drive. Therefore, make sure to check which devices have hardware encryption deployed. This can be done by running this command:

manage-bde -status

What we are looking for is the entry called Encryption Method. If you see something along the lines of AES 128 or AES 265, you are good to go. However, if it says hardware encryption, you should consider removing the encryption and re-encrypting the drive after setting the policy.

In this example, no hardware encryption is used. This is the result you want to see.