Microsoft has quietly changed the default functionality of its Bitlocker encryption system to only use a drive's hardware encryption capabilities when specifically requested, following the discovery of major vulnerabilities in popular SSD models.

In principle, hardware encryption is a good thing: Offloading cryptographic tasks to specialist hardware contained within the storage device itself not only lessens the load on the system CPU and, potentially, accelerates data throughput, but it should also offer some protections against exploitation by keeping the private key away from the host operating system. Sadly, that's not always the case: Back in November researchers published a report detailing flaws in SSDs from Crucial and Samsung in which it was possible to recover private keys and decrypt supposedly-encrypted drive content, though how easy this was varied by drive model.

The flaw's impact was heightened by a decision made by Microsoft to have Bitlocker, the drive encryption tool built into its Windows operating system, use hardware encryption by default with no easy way - bar the application of a Group Policy Object (GPO) - to force software encryption when a drive with hardware encryption is detected. Initially, Microsoft's response to the flaw was to better document the use of this GPO to force software encryption, but now the company appears to have opted to flip the way Bitlocker operates and make hardware encryption opt-in instead of opt-out.

In Windows 10 Build 18317, a change noted by Tero Alhonen flips the way Bitlocker's encryption GPO operates: Where previously leaving the setting unconfigured would default to using hardware-based encryption, it now defaults to software-based encryption even when supported hardware is detected.

The change won't affect any existing Bitlocker-encrypted drives - switching from hardware to software encryption or vice-versa requires that the drive is fully decrypted then encrypted again - nor will it change the operation of Bitlocker for those who have manually set either software or hardware encryption. Even if the hardware encryption is not used, however, it's a good idea to install the latest firmware available from drive manufacturers to patch the security holes outlined in the report - holes which are thought to exist on a wider range of drives than those tested.
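Because the new default does not touch volumes that were already encrypted, an administrator still needs to find drives that rely on the SSD's own encryption engine. The following PowerShell is an added example, not from the article or from Microsoft; it assumes the BitLocker module (`Get-BitLockerVolume`) is available and that it runs elevated, and the registry value names for the hardware-encryption GPO are quoted from memory of the VolumeEncryption.admx template, so verify them against your own ADMX files.

```powershell
# Added example: audit BitLocker volumes for SED hardware encryption and report the
# current GPO state, so affected drives can be firmware-updated or re-encrypted.

function Get-HardwareEncryptionPolicy {
    # Policy location for the "Configure use of hardware-based encryption" settings.
    # Value names below are an assumption from the ADMX template; confirm before use.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $names = @{
        OperatingSystem = 'OSHardwareEncryption'
        FixedData       = 'FDVHardwareEncryption'
        Removable       = 'RDVHardwareEncryption'
    }
    foreach ($type in $names.Keys) {
        $name  = $names[$type]
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        # Unconfigured now means software encryption on Build 18317+, hardware before it.
        $state = switch ($value) {
            $null   { 'NotConfigured' }
            0       { 'Disabled' }
            1       { 'Enabled' }
            default { "Unknown($value)" }
        }
        [pscustomobject]@{ DriveType = $type; HardwareEncryptionPolicy = $state }
    }
}

function Get-HardwareEncryptedVolume {
    # EncryptionMethod reports 'Hardware' when BitLocker handed encryption to the drive.
    Get-BitLockerVolume |
        Where-Object { $_.ProtectionStatus -eq 'On' } |
        ForEach-Object {
            $usesSed = ($_.EncryptionMethod -eq 'Hardware')
            $action  = if ($usesSed) {
                'Apply vendor firmware; decrypt and re-encrypt to move to software encryption'
            } else {
                'None'
            }
            [pscustomobject]@{
                MountPoint       = $_.MountPoint
                EncryptionMethod = $_.EncryptionMethod
                UsesHardwareSED  = $usesSed
                RecommendedAction = $action
            }
        }
}

Get-HardwareEncryptionPolicy | Format-Table -AutoSize
Get-HardwareEncryptedVolume  | Format-Table -AutoSize
```

Volumes listed with `UsesHardwareSED` set to `True` keep using the drive's own engine until they are decrypted and re-encrypted, whatever the GPO now says.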

April 9 2019 | 16:50