How do you check if a hard drive was encrypted with software or hardware when using BitLocker?
Due to the recent security findings that most SSDs probably implement encryption in a completely naive and broken way, I want to check which of my BitLocker machines are using hardware encryption and which ones are using software.
I found a way to disable the use of hardware encryption, but I can't figure out how to check if I'm using hardware encryption (in which case, I'll have to re-encrypt the drive). How do I do it?
I'm aware of manage-bde.exe -status, which gives me an output such as:
Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]
Size: 952.62 GB
BitLocker Version: 2.0
Conversion Status: Used Space Only Encrypted
Percentage Encrypted: 100.0%
Encryption Method: XTS-AES 128
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: Unknown
Key Protectors:
TPM
Numerical Password
but I don't know if the information I want is in this screen.
windows security bitlocker
asked Nov 14 at 9:27
pupeno
Do you have a reference for the claim about weaknesses in hardware crypto implementations? Sounds like a good read.
– Nat
Nov 15 at 0:58
@Nat: See this advisory for details. Incidentally, it also solves OP's problem.
– Kevin
Nov 15 at 2:17
@Nat: I believe this is the source of the information: ru.nl/english/news-agenda/news/vm/icis/cyber-security/2018/…
– pupeno
Nov 15 at 17:18
1 Answer
There exists a pretty new article on MSRC, partially explaining the issue and how to solve it. Thanks @Kevin
Microsoft is aware of reports of vulnerabilities in the hardware encryption of certain self-encrypting drives (SEDs). Customers concerned about this issue should consider using the software only encryption provided by BitLocker Drive Encryption™. On Windows computers with self-encrypting drives, BitLocker Drive Encryption™ manages encryption and will use hardware encryption by default. Administrators who want to force software encryption on computers with self-encrypting drives can accomplish this by deploying a Group Policy to override the default behavior. Windows will consult Group Policy to enforce software encryption only at the time of enabling BitLocker.
To check the type of drive encryption being used (hardware or software): Run manage-bde.exe -status from an elevated command prompt. If none of the drives listed report "Hardware Encryption" for the Encryption Method field, then this device is using software encryption and is not affected by vulnerabilities associated with self-encrypting drive encryption.
manage-bde.exe -status should show you if hardware encryption is used.
I don't have a HW encrypted drive ATM, so here is a reference link and the image it contains:
The BitLocker UI in Control Panel does not tell you whether hardware encryption is used, but the command line tool manage-bde.exe does when invoked with the parameter status. You can see that hardware encryption is enabled for D: (Samsung SSD 850 Pro) but not for C: (Samsung SSD 840 Pro without support for hardware encryption):
edited Nov 15 at 9:33
answered Nov 14 at 10:04
Lenniey
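To apply the MSRC check across a fleet rather than reading each status screen by eye, here is an added example (not part of the question or answer, and not a Microsoft tool) that parses the `manage-bde.exe -status` listing into per-volume fields and flags any volume whose Encryption Method field reports "Hardware Encryption". The embedded status text is a constructed sample modelled on the output quoted in the question, with a second volume added to show the hardware case.

```python
import re
from typing import Dict, List

# Constructed sample of `manage-bde.exe -status` output (not captured from a real
# machine): C: is software-encrypted, D: is handed to the SSD's own encryption.
SAMPLE_STATUS = """\
Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Key Protectors:
        TPM
        Numerical Password
Volume D: [Data]
[Data Volume]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    Hardware Encryption
    Protection Status:    Protection On
    Key Protectors:
        Password
"""

def parse_status(text: str) -> Dict[str, Dict[str, str]]:
    """Split the status listing into {drive_letter: {field: value}}."""
    volumes: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        vol = re.match(r"^Volume ([A-Z]):", line)
        if vol:  # a new "Volume X: [label]" block starts here
            current = vol.group(1)
            volumes[current] = {}
            continue
        field = re.match(r"^\s*([A-Za-z ]+):\s*(.*)$", line)
        if current and field and field.group(2):  # "Key Protectors:" has no value
            volumes[current][field.group(1).strip()] = field.group(2).strip()
    return volumes

def uses_hardware_encryption(fields: Dict[str, str]) -> bool:
    """MSRC's test: "Hardware Encryption" in Encryption Method means the SSD's own crypto."""
    return "hardware encryption" in fields.get("Encryption Method", "").lower()

def hardware_encrypted_volumes(text: str) -> List[str]:
    """Drive letters that should be decrypted and re-encrypted in software."""
    return sorted(d for d, f in parse_status(text).items() if uses_hardware_encryption(f))

if __name__ == "__main__":
    for drive, f in parse_status(SAMPLE_STATUS).items():
        verdict = "HARDWARE - re-encrypt" if uses_hardware_encryption(f) else "software"
        print(f"{drive}: {f.get('Encryption Method', '?')} -> {verdict}")
```

On a Windows host, pass the stdout of `manage-bde.exe -status` (run from an elevated prompt) to `hardware_encrypted_volumes` instead of the sample; any drive letter it returns is one the MSRC guidance says to re-encrypt with software.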