How do you check if a hard drive was encrypted with software or hardware when using BitLocker?
Due to the recent security findings in that probably most SSDs implement encryption in a completely naive and broken way, I want to check which of my BitLocker machines are using hardware encryption and which ones are using software.
I found a way to disable the use of hardware encryption, but I can't figure out how to check if I'm using hardware encryption (in which case, I'll have to re-encrypt the drive). How do I do ti?
I'm aware of manage-bde.exe -status which gives me an output such as:
Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]
Size: 952.62 GB
BitLocker Version: 2.0
Conversion Status: Used Space Only Encrypted
Percentage Encrypted: 100.0%
Encryption Method: XTS-AES 128
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: Unknown
Key Protectors:
TPM
Numerical Password
but I don't know if the information I want is in this screen.
windows security bitlocker
asked Nov 14 '18 at 9:27
pupenopupeno
3,460165474
add a comment |
Due to the recent security findings in that probably most SSDs implement encryption in a completely naive and broken way, I want to check which of my BitLocker machines are using hardware encryption and which ones are using software.
I found a way to disable the use of hardware encryption, but I can't figure out how to check if I'm using hardware encryption (in which case, I'll have to re-encrypt the drive). How do I do ti?
I'm aware of manage-bde.exe -status which gives me an output such as:
Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]
Size: 952.62 GB
BitLocker Version: 2.0
Conversion Status: Used Space Only Encrypted
Percentage Encrypted: 100.0%
Encryption Method: XTS-AES 128
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: Unknown
Key Protectors:
TPM
Numerical Password
but I don't know if the information I want is in this screen.
windows security bitlocker
asked Nov 14 '18 at 9:27
pupenopupeno
3,460165474
Do you have a reference for the claim about weaknesses in hardware crypto implementations? Sounds like a good read.
– Nat
Nov 15 '18 at 0:58
2
@Nat: See this advisory for details. Incidentally, it also solves OP's problem.
– Kevin
Nov 15 '18 at 2:17
2
@Nat: I believe this is the source of the information: ru.nl/english/news-agenda/news/vm/icis/cyber-security/2018/…
– pupeno
Nov 15 '18 at 17:18
add a comment |
Due to the recent security findings in that probably most SSDs implement encryption in a completely naive and broken way, I want to check which of my BitLocker machines are using hardware encryption and which ones are using software.
I found a way to disable the use of hardware encryption, but I can't figure out how to check if I'm using hardware encryption (in which case, I'll have to re-encrypt the drive). How do I do ti?
I'm aware of manage-bde.exe -status which gives me an output such as:
Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]
Size: 952.62 GB
BitLocker Version: 2.0
Conversion Status: Used Space Only Encrypted
Percentage Encrypted: 100.0%
Encryption Method: XTS-AES 128
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: Unknown
Key Protectors:
TPM
Numerical Password
but I don't know if the information I want is in this screen.
windows security bitlocker
asked Nov 14 '18 at 9:27
pupenopupeno
3,460165474
Due to the recent security findings in that probably most SSDs implement encryption in a completely naive and broken way, I want to check which of my BitLocker machines are using hardware encryption and which ones are using software.
I found a way to disable the use of hardware encryption, but I can't figure out how to check if I'm using hardware encryption (in which case, I'll have to re-encrypt the drive). How do I do ti?
I'm aware of manage-bde.exe -status which gives me an output such as:
Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]
Size: 952.62 GB
BitLocker Version: 2.0
Conversion Status: Used Space Only Encrypted
Percentage Encrypted: 100.0%
Encryption Method: XTS-AES 128
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: Unknown
Key Protectors:
TPM
Numerical Password
but I don't know if the information I want is in this screen.
windows security bitlocker
windows security bitlocker
asked Nov 14 '18 at 9:27
pupenopupeno
3,460165474
asked Nov 14 '18 at 9:27
pupenopupeno
3,460165474
asked Nov 14 '18 at 9:27
pupenopupeno
3,460165474
asked Nov 14 '18 at 9:27
pupenopupeno
3,460165474
asked Nov 14 '18 at 9:27
pupenopupeno
3,460165474
3,460165474
Do you have a reference for the claim about weaknesses in hardware crypto implementations? Sounds like a good read.
– Nat
Nov 15 '18 at 0:58
2
@Nat: See this advisory for details. Incidentally, it also solves OP's problem.
– Kevin
Nov 15 '18 at 2:17
2
@Nat: I believe this is the source of the information: ru.nl/english/news-agenda/news/vm/icis/cyber-security/2018/…
– pupeno
Nov 15 '18 at 17:18
add a comment |
Do you have a reference for the claim about weaknesses in hardware crypto implementations? Sounds like a good read.
– Nat
Nov 15 '18 at 0:58
2
@Nat: See this advisory for details. Incidentally, it also solves OP's problem.
– Kevin
Nov 15 '18 at 2:17
2
@Nat: I believe this is the source of the information: ru.nl/english/news-agenda/news/vm/icis/cyber-security/2018/…
– pupeno
Nov 15 '18 at 17:18
Do you have a reference for the claim about weaknesses in hardware crypto implementations? Sounds like a good read.
– Nat
Nov 15 '18 at 0:58
Do you have a reference for the claim about weaknesses in hardware crypto implementations? Sounds like a good read.
– Nat
Nov 15 '18 at 0:58
2
2
@Nat: See this advisory for details. Incidentally, it also solves OP's problem.
– Kevin
Nov 15 '18 at 2:17
@Nat: See this advisory for details. Incidentally, it also solves OP's problem.
– Kevin
Nov 15 '18 at 2:17
2
2
@Nat: I believe this is the source of the information: ru.nl/english/news-agenda/news/vm/icis/cyber-security/2018/…
– pupeno
Nov 15 '18 at 17:18
@Nat: I believe this is the source of the information: ru.nl/english/news-agenda/news/vm/icis/cyber-security/2018/…
– pupeno
Nov 15 '18 at 17:18
add a comment |
1 Answer
1
active
oldest
votes
There exists a pretty new article on MSRC, partially explaining the issue and how to solve it. Thanks @Kevin
Microsoft is aware of reports of vulnerabilities in the hardware
encryption of certain self-encrypting drives (SEDs). Customers
concerned about this issue should consider using the software only
encryption provided by BitLocker Drive Encryption™. On Windows
computers with self-encrypting drives, BitLocker Drive Encryption™
manages encryption and will use hardware encryption by default.
Administrators who want to force software encryption on computers with
self-encrypting drives can accomplish this by deploying a Group Policy
to override the default behavior. Windows will consult Group Policy to
enforce software encryption only at the time of enabling BitLocker.
To check the type of drive encryption being used (hardware or
software):
Run
manage-bde.exe -statusfrom elevated command prompt.
If none of
the drives listed report "Hardware Encryption" for the Encryption
Method field, then this device is using software encryption and is not
affected by vulnerabilities associated with self-encrypting drive
encryption.
manage-bde.exe -status should show you if hardware-encryption is used.
I don't have a HW encrypted drive ATM, so here is a reference link and the image it contains:
The BitLocker UI in Control Panel does not tell you whether hardware
encryption is used, but the command line tool manage-bde.exe does when
invoked with the parameter status. You can see that hardware
encryption is enabled for D: (Samsung SSD 850 Pro) but not for C:
(Samsung SSD 840 Pro without support for hardware encryption):
answered Nov 14 '18 at 10:04
LennieyLenniey
2,74421024
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "2"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f939961%2fhow-do-you-check-if-a-hard-drive-was-encrypted-with-software-or-hardware-when-us%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
There exists a pretty new article on MSRC, partially explaining the issue and how to solve it. Thanks @Kevin
Microsoft is aware of reports of vulnerabilities in the hardware
encryption of certain self-encrypting drives (SEDs). Customers
concerned about this issue should consider using the software only
encryption provided by BitLocker Drive Encryption™. On Windows
computers with self-encrypting drives, BitLocker Drive Encryption™
manages encryption and will use hardware encryption by default.
Administrators who want to force software encryption on computers with
self-encrypting drives can accomplish this by deploying a Group Policy
to override the default behavior. Windows will consult Group Policy to
enforce software encryption only at the time of enabling BitLocker.
To check the type of drive encryption being used (hardware or
software):
Run
manage-bde.exe -statusfrom elevated command prompt.
If none of
the drives listed report "Hardware Encryption" for the Encryption
Method field, then this device is using software encryption and is not
affected by vulnerabilities associated with self-encrypting drive
encryption.
manage-bde.exe -status should show you if hardware-encryption is used.
I don't have a HW encrypted drive ATM, so here is a reference link and the image it contains:
The BitLocker UI in Control Panel does not tell you whether hardware
encryption is used, but the command line tool manage-bde.exe does when
invoked with the parameter status. You can see that hardware
encryption is enabled for D: (Samsung SSD 850 Pro) but not for C:
(Samsung SSD 840 Pro without support for hardware encryption):
answered Nov 14 '18 at 10:04
LennieyLenniey
2,74421024
add a comment |
There exists a pretty new article on MSRC, partially explaining the issue and how to solve it. Thanks @Kevin
Microsoft is aware of reports of vulnerabilities in the hardware
encryption of certain self-encrypting drives (SEDs). Customers
concerned about this issue should consider using the software only
encryption provided by BitLocker Drive Encryption™. On Windows
computers with self-encrypting drives, BitLocker Drive Encryption™
manages encryption and will use hardware encryption by default.
Administrators who want to force software encryption on computers with
self-encrypting drives can accomplish this by deploying a Group Policy
to override the default behavior. Windows will consult Group Policy to
enforce software encryption only at the time of enabling BitLocker.
To check the type of drive encryption being used (hardware or
software):
Run
manage-bde.exe -statusfrom elevated command prompt.
If none of
the drives listed report "Hardware Encryption" for the Encryption
Method field, then this device is using software encryption and is not
affected by vulnerabilities associated with self-encrypting drive
encryption.
manage-bde.exe -status should show you if hardware-encryption is used.
I don't have a HW encrypted drive ATM, so here is a reference link and the image it contains:
The BitLocker UI in Control Panel does not tell you whether hardware
encryption is used, but the command line tool manage-bde.exe does when
invoked with the parameter status. You can see that hardware
encryption is enabled for D: (Samsung SSD 850 Pro) but not for C:
(Samsung SSD 840 Pro without support for hardware encryption):
answered Nov 14 '18 at 10:04
LennieyLenniey
2,74421024
add a comment |
There exists a pretty new article on MSRC, partially explaining the issue and how to solve it. Thanks @Kevin
Microsoft is aware of reports of vulnerabilities in the hardware
encryption of certain self-encrypting drives (SEDs). Customers
concerned about this issue should consider using the software only
encryption provided by BitLocker Drive Encryption™. On Windows
computers with self-encrypting drives, BitLocker Drive Encryption™
manages encryption and will use hardware encryption by default.
Administrators who want to force software encryption on computers with
self-encrypting drives can accomplish this by deploying a Group Policy
to override the default behavior. Windows will consult Group Policy to
enforce software encryption only at the time of enabling BitLocker.
To check the type of drive encryption being used (hardware or
software):
Run
manage-bde.exe -statusfrom elevated command prompt.
If none of
the drives listed report "Hardware Encryption" for the Encryption
Method field, then this device is using software encryption and is not
affected by vulnerabilities associated with self-encrypting drive
encryption.
manage-bde.exe -status should show you if hardware-encryption is used.
I don't have a HW encrypted drive ATM, so here is a reference link and the image it contains:
The BitLocker UI in Control Panel does not tell you whether hardware
encryption is used, but the command line tool manage-bde.exe does when
invoked with the parameter status. You can see that hardware
encryption is enabled for D: (Samsung SSD 850 Pro) but not for C:
(Samsung SSD 840 Pro without support for hardware encryption):
answered Nov 14 '18 at 10:04
LennieyLenniey
2,74421024
There exists a pretty new article on MSRC, partially explaining the issue and how to solve it. Thanks @Kevin
Microsoft is aware of reports of vulnerabilities in the hardware
encryption of certain self-encrypting drives (SEDs). Customers
concerned about this issue should consider using the software only
encryption provided by BitLocker Drive Encryption™. On Windows
computers with self-encrypting drives, BitLocker Drive Encryption™
manages encryption and will use hardware encryption by default.
Administrators who want to force software encryption on computers with
self-encrypting drives can accomplish this by deploying a Group Policy
to override the default behavior. Windows will consult Group Policy to
enforce software encryption only at the time of enabling BitLocker.
To check the type of drive encryption being used (hardware or
software):
Run
manage-bde.exe -statusfrom elevated command prompt.
If none of
the drives listed report "Hardware Encryption" for the Encryption
Method field, then this device is using software encryption and is not
affected by vulnerabilities associated with self-encrypting drive
encryption.
manage-bde.exe -status should show you if hardware-encryption is used.
I don't have a HW encrypted drive ATM, so here is a reference link and the image it contains:
The BitLocker UI in Control Panel does not tell you whether hardware
encryption is used, but the command line tool manage-bde.exe does when
invoked with the parameter status. You can see that hardware
encryption is enabled for D: (Samsung SSD 850 Pro) but not for C:
(Samsung SSD 840 Pro without support for hardware encryption):
answered Nov 14 '18 at 10:04
LennieyLenniey
2,74421024
edited Nov 15 '18 at 9:33
answered Nov 14 '18 at 10:04
LennieyLenniey
2,74421024
answered Nov 14 '18 at 10:04
LennieyLenniey
2,74421024
answered Nov 14 '18 at 10:04
LennieyLenniey
2,74421024
2,74421024
add a comment |
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f939961%2fhow-do-you-check-if-a-hard-drive-was-encrypted-with-software-or-hardware-when-us%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Do you have a reference for the claim about weaknesses in hardware crypto implementations? Sounds like a good read.
– Nat
Nov 15 '18 at 0:58
2
@Nat: See this advisory for details. Incidentally, it also solves OP's problem.
– Kevin
Nov 15 '18 at 2:17
2
@Nat: I believe this is the source of the information: ru.nl/english/news-agenda/news/vm/icis/cyber-security/2018/…
– pupeno
Nov 15 '18 at 17:18