Office of the Chief Information Security Officer

November 16, 2018

BitLocker Ineffective on Self-encrypting Drives

Audience
Summary
How to tell if a computer is at risk
What to do
Configuring Group Policy
Technical resources

Audience

This information is intended for Windows system administrators. End users may need assistance to implement these recommendations.

Summary

This vulnerability may render full disk encryption protections ineffective.

Under certain circumstances, Microsoft’s BitLocker software may offload the task of encryption to the hard drive’s own encryption mechanism. Many of these drives are known to implement encryption in a way that is easily bypassed, and most drives which implement hardware encryption may have similar vulnerabilities.

How to tell if a computer is at risk

To determine if a computer is at risk, start by answering the following two questions:

  • Is it running Windows and using BitLocker?
  • Does it have a solid-state drive?

If the answer is yes to both, then run the following command with elevated privileges:

manage-bde -status

In the output, look for a property named “Encryption Method”.

  • If its value contains the string “Hardware Encryption”, then BitLocker has offloaded encryption to the drive and the computer may be vulnerable.
  • If its value does not contain the string “Hardware Encryption”, then BitLocker is using software encryption, and the computer is not at risk from this issue.
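The check above can be scripted for a fleet rather than read by eye. The following PowerShell function is an added example, not part of the original advisory: it parses the text output of manage-bde -status, finds each volume's “Encryption Method” line, and flags volumes whose method contains “Hardware Encryption”. The sample output embedded below is constructed for illustration (volume labels, sizes and the tool version line are made up); when the -StatusText parameter is omitted the function runs manage-bde itself, which requires an elevated prompt.

```powershell
# Added example (not from the original advisory): report which BitLocker
# volumes are using drive-based (hardware) encryption.
function Get-HardwareEncryptedVolume {
    param(
        # Lines of "manage-bde -status" output. Defaults to running the tool,
        # which needs an elevated PowerShell prompt.
        [string[]]$StatusText = (& manage-bde.exe -status 2>&1 | ForEach-Object { "$_" })
    )

    $results = @()
    $current = $null

    foreach ($line in $StatusText) {
        # Each volume block begins with a line such as "Volume C: [Windows]".
        if ($line -match '^Volume\s+([A-Z]:)') {
            $current = [pscustomobject]@{
                Volume            = $Matches[1]
                EncryptionMethod  = $null
                HardwareEncrypted = $false
            }
            $results += $current
            continue
        }
        # Property lines look like "    Encryption Method:    Hardware Encryption".
        if ($current -and $line -match '^\s*Encryption Method:\s*(.+?)\s*$') {
            $current.EncryptionMethod  = $Matches[1]
            # -match is case-insensitive, so either spelling of the string is caught.
            $current.HardwareEncrypted = $Matches[1] -match 'hardware encryption'
        }
    }
    return $results
}

# Constructed sample output (not captured from a real machine) so the parser
# can be exercised offline. One volume is at risk, one is not.
$sampleStatus = @'
BitLocker Drive Encryption: Configuration Tool version 10.0.0
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Size:                 476.31 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    Hardware Encryption
    Protection Status:    Protection On
    Lock Status:          Unlocked

Volume D: [Data]
[Data Volume]

    Size:                 931.51 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
'@ -split "`r?`n"

# Lists only the volumes that need one of the mitigation options below.
Get-HardwareEncryptedVolume -StatusText $sampleStatus |
    Where-Object HardwareEncrypted |
    Format-Table Volume, EncryptionMethod -AutoSize
```

On the constructed sample this prints only volume C:. To inventory real machines, drop the -StatusText argument and run the function from an elevated session on each host (for example via Invoke-Command).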

What to do

If the computer is at risk, two mitigation options are:

Mitigation Option 1
(less secure, moderate effort)

This method will result in data being temporarily written to the drive unencrypted, and it is possible that some of this data may be forensically recovered later, even after re-encryption. If this risk is unacceptable, then choose mitigation option 2.

  1. Set the appropriate Group Policy to force BitLocker to use software encryption (detailed instructions provided below).
  2. Turn off BitLocker on the affected computer and wait for decryption to complete.
  3. Confirm that the Group Policy settings have propagated to the computer.
  4. Turn on BitLocker, choosing the option to encrypt the entire drive (not just the in-use portion).

Mitigation Option 2
(more secure, significant effort)

This method is more cumbersome, but reduces the likelihood that sensitive data may be recovered from the disk by an unauthorized party.

  1. Set the appropriate Group Policy to force BitLocker to use software encryption (detailed instructions provided below).
  2. Back up the computer’s data.
  3. Use the drive vendor’s software to issue a “secure erase” command on the SSD. This should safely remove all data. Because this procedure is device-specific, you may need to contact the hardware vendor for help.
  4. Reinstall Windows and join it to the domain if appropriate, but do not yet restore protected or sensitive data.
  5. Confirm that the Group Policy settings have propagated to the computer.
  6. Enable BitLocker, choosing the option to encrypt the entire drive (not just the in-use portion).
  7. Restore the data.

Configuring Group Policy to force BitLocker to use software encryption

Important: This policy is only effective if it is set (and has propagated) before enabling BitLocker. Changing this policy will have no effect on already-encrypted drives.

Using Group Policy administrative templates or local computer policy settings, set the following to “disabled”:

  • “Configure use of hardware-based encryption for fixed data drives”
  • “Configure use of hardware-based encryption for operating system drives”
  • “Configure use of hardware-based encryption for removable data drives”

More information:
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings
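Both mitigation options require confirming that these three settings have reached the computer before BitLocker is turned back on. The PowerShell function below is an added example, not part of the original advisory, that reads the policy values from the local registry and reports which of the three settings is explicitly Disabled. It assumes that the policies are stored under HKLM\SOFTWARE\Policies\Microsoft\FVE as the DWORD values OSHardwareEncryption, FDVHardwareEncryption and RDVHardwareEncryption, with 0 meaning “Disabled”; those value names are taken from my reading of the BitLocker administrative template and are not stated by the advisory, so confirm them against a gpresult report in your own environment.

```powershell
# Added example (not from the original advisory): verify that the three
# "Configure use of hardware-based encryption" policies have propagated.
# ASSUMPTION: the policies live under HKLM\SOFTWARE\Policies\Microsoft\FVE as
# DWORD values OSHardwareEncryption, FDVHardwareEncryption and
# RDVHardwareEncryption, where 0 = Disabled. Check against "gpresult /h".
function Test-BitLockerSoftwareEncryptionPolicy {
    $fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

    # Registry value name -> policy display name as it appears in the editor.
    $policies = @{
        OSHardwareEncryption  = 'Configure use of hardware-based encryption for operating system drives'
        FDVHardwareEncryption = 'Configure use of hardware-based encryption for fixed data drives'
        RDVHardwareEncryption = 'Configure use of hardware-based encryption for removable data drives'
    }

    $values = if (Test-Path $fveKey) { Get-ItemProperty -Path $fveKey } else { $null }

    foreach ($name in $policies.Keys) {
        $actual = $null
        if ($values -and $values.PSObject.Properties[$name]) { $actual = $values.$name }

        [pscustomobject]@{
            Policy        = $policies[$name]
            RegistryValue = $name
            Value         = $actual
            # Only an explicit 0 counts. A missing value means "Not Configured",
            # which still lets BitLocker pick hardware encryption on a capable drive.
            Propagated    = ($actual -eq 0)
        }
    }
}

$report = Test-BitLockerSoftwareEncryptionPolicy
$report | Format-Table Policy, Value, Propagated -AutoSize

if ($report.Propagated -contains $false) {
    Write-Warning 'Policy has not fully propagated. Run "gpupdate /force", re-run this check, and only then enable BitLocker.'
}
```

Run this immediately before the “Turn on BitLocker” step of either mitigation option; if any row shows Propagated as False, enabling BitLocker at that point can silently fall back to the drive’s hardware encryption, since the policy has no effect on a drive once it is encrypted.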

Technical resources