Microsoft Windows no longer trusts built-in SSD encryption and neither should you

From LinuxReviews
Jump to navigationJump to search

Many modern SSDs come with their own built-in encryption system. Enabling it under GNU/Linux is typically quite trivial; most of them will ask the BIOS for a ATA HDD password and use that if one is set. However, there are some valid concerns about the security of these built-in encryption schemes. Hard-coded super-passwords set by the manufacturer is one which should not be ignored.

This screenshot of xscreensaver's GLMatrix screensaver has absolutely nothing to do with the subject at hand.

GNU/Linux systems come with a standardized encryption scheme called LUKS which can be managed by a command-line tool called cryptsetup. Distributions like Manjaro Linux and Debian have an option of enabling it during installation. This option is preferable to any black-box encryption scheme built into a SSD.

Microsoft's proprietary operating system Windows 10 has a built-in encryption system called BitLocker. It used to blindly trust and use SSDs built-in hardware encryption instead of it's own encryption if hardware encryption was available. Microsoft changed this as of update "KB4516071" which was released on September 24th, 2019. It includes this little tid-bit in the changelog:

"Changes the default setting for BitLocker when encrypting a self-encrypting hard drive. Now, the default is to use software encryption for newly encrypted drives. For existing drives, the type of encryption will not change."

Microsoft KB4516071 announcement on September 24th, 2019

There are probably a good reasons why the software giant Microsoft has decided to not trust that hardware manufacturers provide safe and secure encryption. This move should tell you something: If you want encryption, and you do, then you should absolutely not trust random hardware manufacturers to provide solid proprietary solutions.

On a more general last note: The built-in encryption features SSDs offer are rather pointless anyway. Most modern CPUs have aes instructions (check your /proc/cpuinfo and you will likely find that you have aes support) and a older chip like the Ryzen 1600X can do aes-xts with a 512b at 1400.0 MiB/s (both read and write). That's fast enough to keep up with all SATA based SSDs and all but the most expensive NVMe drives.