Many of us deal with personal and sensitive data these days. Best practice in computing circles is to make use of “encryption at rest”: ensuring data remains secure by encrypting it on a device (whether it’s a laptop, mobile phone or USB key). Some researchers at Radboud University in the Netherlands have discovered that widely used data storage devices with self-encrypting drives don’t do the job very well. Worse, they weaken the security of the popular Bitlocker solution.
This problem affects SSDs (solid-state disks – not the traditional slow spinning disks) which support “hardware encryption”. The disks are given the data in the clear, and encrypt the data themselves before storing it. The alternative, “software encryption”, is that the computer processes the data on the main CPU to encrypt it, before passing it down to the hard drive for storage.
The big picture is shown in this table, which the researchers include in their paper:
This is a list of popular SSD drives, and these were all the drives the researchers tested. They are some of the biggest and most respected brands on the market.
The table outlines the results of testing. In every sample, researchers were able to bypass the encryption and retrieve data in at least some circumstances. No drive was able to protect the data stored in the way that you would expect: although the encryption works, it’s possible to authenticate to the device and convince it to decrypt the data.
Given that these failed so comprehensively, we have to assume that this is a generic problem in the market. These manufacturers aren’t specifically to blame – it’s likely most, if not all, drives exhibit similar issues.
What’s the problem?
There are two issues here. The first thing is to recognise that “hardware encryption” usually isn’t anything of the sort. You have encryption software, and that software either runs as a regular program (more or less) on the main CPU, or it runs as firmware on a device CPU.
The advantage of using firmware is that it makes the hardware more capable, and potentially offers a performance advantage. It used to be the case that “hardware encryption” was only offered in high-end RAID storage devices and similar.
However, device firmware is less regularly reviewed, tends to be device-specific and users tend not to patch it as frequently. In many cases, users don’t even know what the hardware under the hood is – and wouldn’t know what to patch.
How does Bitlocker come in?
Bitlocker is a popular Microsoft product for encrypting disks. It’s easy to use, and comes with various protections to prevent you losing your encryption keys (and thus, your data).
As a piece of software, it has come under intensive scrutiny to ensure it does a good job of encryption. Because encryption is such a security-sensitive function, it’s imperative that the software doing it is high quality – we’ve seen lots of examples where that isn’t the case.
It turns out that Bitlocker is generally very good, but it makes an assumption. If a hard drive tells the main computer it can encrypt data, then Bitlocker will take it at its word – effectively disabling its own, strong, encryption. That’s a reasonable assumption if, and only if, we trust the hard drive firmware as much as Bitlocker.
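The practical question that follows from this is whether a given BitLocker volume is actually being encrypted by BitLocker, or has been handed to the drive. The PowerShell below is an added example (not code from the post, the researchers, or Microsoft): it lists each BitLocker volume with its encryption method, flags any that report the method as “Hardware”, and reads back the policy values that control whether BitLocker is allowed to defer to the drive at all. It assumes a Windows machine with the BitLocker PowerShell module and an elevated prompt; the three registry value names under the FVE policy key are taken from the BitLocker policy templates and are stated here as an assumption.

```powershell
# Added example: audit BitLocker volumes for drive-firmware ("hardware") encryption.
# Assumes Windows with the BitLocker module (Get-BitLockerVolume) and admin rights.

function Get-BitLockerHardwareEncryptionReport {
    [CmdletBinding()]
    param()

    # Get-BitLockerVolume exposes EncryptionMethod. The value "Hardware" means
    # BitLocker has delegated encryption to the drive's own firmware (a
    # self-encrypting drive) instead of running AES on the main CPU.
    Get-BitLockerVolume | ForEach-Object {
        $method = "$($_.EncryptionMethod)"
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType
            ProtectionStatus = $_.ProtectionStatus
            EncryptionMethod = $method
            # True when the volume is protected but only by the drive's firmware.
            ReliesOnDrive    = (("$($_.ProtectionStatus)" -eq 'On') -and ($method -eq 'Hardware'))
        }
    }
}

function Get-BitLockerHardwareEncryptionPolicy {
    [CmdletBinding()]
    param()

    # The "Configure use of hardware-based encryption for ... drives" group
    # policies (OS, fixed data and removable data drives) are written here.
    # A value of 0 disallows hardware encryption, forcing BitLocker to use its
    # own software encryption. Value names are assumed from the policy templates.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    foreach ($name in 'OSHardwareEncryption', 'FDVHardwareEncryption', 'RDVHardwareEncryption') {
        $item  = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.$name } else { $null }
        [pscustomobject]@{
            Policy = $name
            Value  = if ($null -eq $value) { 'not configured' } elseif ($value -eq 0) { '0 (hardware encryption disallowed)' } else { "$value (hardware encryption allowed)" }
        }
    }
}

# Usage: run both and look for ReliesOnDrive = True, or policies left unconfigured.
Get-BitLockerHardwareEncryptionReport | Format-Table -AutoSize
Get-BitLockerHardwareEncryptionPolicy | Format-Table -AutoSize
```

One caveat worth knowing when acting on the output: the policy values only affect volumes encrypted after the policy is set. A volume that already reports “Hardware” stays that way until it is decrypted and encrypted again with software encryption, so the report is the thing to re-run after any policy change, not the policy itself.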
What to do?
For an end-user, all of this is a bit confusing – except that we’re now worried whether or not the security we thought we had is real. If I lose my laptop, is my data still secure?
There’s probably not much to immediately worry about. The attacks found by the Radboud researchers require relatively specialist knowledge as well as physical access to the hardware, so this isn’t something to lose sleep over in the next few nights.
However, it calls into question hardware encryption. I could advise you to go and check your hardware, find vendor patches and apply them to the hard drives, etc. – but that’s difficult to audit and leaves you little the wiser.
There are alternative software products, but there’s not much to recommend about them, either. Encryption software is difficult to get right, and most systems which have been audited have been found wanting.
Unfortunately, we have to wait for the operating system vendors here. My expectation is that sometime soon, Bitlocker will add a feature which allows you to set software-only encryption as a mode. For some, this will be overkill and they would prefer to have the increased performance (which I suspect is marginal…) – but for security-sensitive users, the assurance of the known process is critical.