Bitlocker - SSD Hardware encryption vs software

In this case, Intel and AMD CPUs are experiencing the same issue when trying to enable and successfully use a Samsung 990Pro with hardware encryption.

Depending on the manufacturing date of the SN850X, btw, WD’s spec sheet for it as of a few years ago changed to specify that it is Opal 2.01 compliant – meaning it has HW encryption. It wasn’t on the first run’s spec sheet; I don’t know if that means it didn’t have it or it was just an oversight. A lot of online reviews do reflect the info from its first release, though.

Blows my mind a little that people keep citing a 5yo study on the subject of HW drive encryption that was explicitly taken on (as in: they say it in the study) due to inherent weaknesses in software drive encryption…

Yes, btw, the concerns are overblown. The issues from 5y ago had nothing to do with proprietary encryption (neither AES nor the Opal framework are proprietary to any HW vendor), and involved either firmware or hardware sideband attacks usually against either low-level drive commands or key acquisition methods. Put simply: when the attacker would need to create a custom JTAG rig to manually insert custom machine code into the key check to read drive data, your security is less likely to hinge on your drive and more likely to hinge on the fact that you’re running a Windows machine whose user credentials are still ridiculously easy to crack/bypass when you have physical access to it. Serious concern back then for MIL-SPEC stuff, not a serious concern for folks for example happy enough with LUKS or VeraCrypt as sufficient security. (I, for one, thought LUKS was fine for my needs back then, and HW encryption even more so – my security needs were limited to attacks of much lower sophistication than the ones in the paper, and a RAM dump is much easier to pull than any of the methods they used.)

Fortunately I worked in the field then, so it was a little easier for me to ignore the Internet tizzy calling HW encryption worthless as a result of the paper. Same snot as it always is: if you need security, layer your security and don’t rely on one silver bullet for it. There is no absolute to security; nothing is full-stop “secure.” Some flawless drive encryption mechanism could come out tomorrow and that’ll still be as true then as it is now.

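The practical question behind the post above (did BitLocker actually hand encryption to the Opal drive, or did it silently fall back to software AES-XTS?) can be answered from PowerShell. The script below is an added example, not code from the thread or from Microsoft; it reads the `EncryptionMethod` that `Get-BitLockerVolume` reports (`Hardware` for a self-encrypting drive, `XtsAes128`/`XtsAes256`/`Aes*` for software), and reads the hardware-encryption policy values under `HKLM:\SOFTWARE\Policies\Microsoft\FVE` (the value names `OSHardwareEncryption`, `FDVHardwareEncryption` and `RDVHardwareEncryption` are taken from the BitLocker ADMX templates; treat them as an assumption to verify against your own templates). The sample volume objects at the top are constructed so the classification can be read offline; the live section needs an elevated Windows 10/11 session with the BitLocker module.

```powershell
# Added example (not from the original thread). Classifies BitLocker volumes
# as hardware- or software-encrypted and reports the policy that allows
# BitLocker to use a drive's own (Opal/eDrive) encryption at all.

function Get-BitLockerEncryptionKind {
    param(
        # Objects shaped like Get-BitLockerVolume output (MountPoint,
        # VolumeStatus, EncryptionMethod). Passed in rather than fetched so the
        # function can be exercised on constructed input.
        [Parameter(Mandatory)] [object[]] $Volumes
    )
    foreach ($v in $Volumes) {
        $method = [string]$v.EncryptionMethod
        $kind = switch -Regex ($method) {
            '^Hardware$' { 'Hardware: drive encrypts, BitLocker only manages the unlock key' }
            '^None$'     { 'Not encrypted' }
            '^(Xts)?Aes' { 'Software: CPU runs AES, drive sees only ciphertext' }
            default      { "Unrecognised method '$method'" }
        }
        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeStatus     = $v.VolumeStatus
            EncryptionMethod = $method
            Kind             = $kind
        }
    }
}

function Get-BitLockerHardwareEncryptionPolicy {
    # BitLocker tries hardware encryption only if the matching policy is
    # enabled *before* the volume is encrypted; otherwise it uses software.
    # Value names are assumed from the BitLocker ADMX templates (verify locally).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $values = [ordered]@{
        'Operating system drives' = 'OSHardwareEncryption'
        'Fixed data drives'       = 'FDVHardwareEncryption'
        'Removable data drives'   = 'RDVHardwareEncryption'
    }
    foreach ($entry in $values.GetEnumerator()) {
        $data = $null
        if (Test-Path $key) {
            $data = (Get-ItemProperty -Path $key -Name $entry.Value -ErrorAction SilentlyContinue).($entry.Value)
        }
        $state = if ($null -eq $data) { 'Not configured (defaults to software encryption)' }
                 elseif ($data -eq 1) { 'Enabled (hardware encryption permitted)' }
                 else                 { 'Disabled (hardware encryption forbidden)' }
        [pscustomobject]@{ DriveClass = $entry.Key; PolicyValue = $entry.Value; State = $state }
    }
}

# Constructed sample: one software-encrypted OS volume, one Opal drive that
# BitLocker accepted as hardware-encrypted, one unencrypted volume.
$sampleVolumes = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeStatus = 'FullyEncrypted'; EncryptionMethod = 'XtsAes128' }
    [pscustomobject]@{ MountPoint = 'D:'; VolumeStatus = 'FullyEncrypted'; EncryptionMethod = 'Hardware'  }
    [pscustomobject]@{ MountPoint = 'E:'; VolumeStatus = 'FullyDecrypted'; EncryptionMethod = 'None'      }
)
Get-BitLockerEncryptionKind -Volumes $sampleVolumes | Format-Table -AutoSize

# Live check on the current machine (elevated prompt, BitLocker module present).
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Get-BitLockerEncryptionKind -Volumes (Get-BitLockerVolume) | Format-Table -AutoSize
    Get-BitLockerHardwareEncryptionPolicy | Format-Table -AutoSize
}
```

If a volume on an Opal-capable drive shows a software method, the usual cause is that the policy was not enabled before `Enable-BitLocker` ran, or the drive was not in a factory-fresh (PSID-reverted) state when Windows first partitioned it; decrypting and re-encrypting after fixing the policy is the only way to switch, since BitLocker does not migrate a volume between the two methods in place.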