Researchers find “pattern of critical issues” in SSD encryption

[HEXUS]

It is sometimes very easy to “bypass existing protection mechanisms” in self encrypting SSDs.

Read more.

[Tabbykatze]

Whelp, that's 90% of mainstream disk encryption in businesses skagged.

If there's a data breach due to a lost device and they have to infor the EU ICO then they cannot guarantee the security of the data at rest because of this flaw.

If this affects the majority of SSDs then we have just witnessed disk encryption just get wiped out if the system reverts to hardware encryption over software...

[DanceswithUnix]

I've honestly never seen anyone use this encryption. If people care, then the specific data they care about is encrypted in other ways with something like smartcard key management. Payment systems aren't even allowed to have the decrypt key on the same box as the data at rest.

[Tabbykatze]

I've honestly never seen anyone use this encryption. If people care, then the specific data they care about is encrypted in other ways with something like smartcard key management. Payment systems aren't even allowed to have the decrypt key on the same box as the data at rest.

The problem is a lot of organisations rely on Bitlocker and Hexus haven't noted this properly that Bitlocker relies on it if it is available for SSDs:

Unfortunately, the pair also note that some popular data encryption systems, including the BitLocker tool Microsoft uses in Windows 10, do not use software encryption for SSDs and rely on the drive's vulnerable hardware encryption.

https://www.theregister.co.uk/2018/1...sd_encryption/

[plexabit]

Whelp, that's 90% of mainstream disk encryption in businesses skagged.

If there's a data breach due to a lost device and they have to infor the EU ICO then they cannot guarantee the security of the data at rest because of this flaw.

If this affects the majority of SSDs then we have just witnessed disk encryption just get wiped out if the system reverts to hardware encryption over software...

As others mentioned, I'm pretty sure businesses with any sort of salt have their own encryption techniqes for confidential info. Pretty sure this is just the "self-encryption" thing that most wouldn't expect to be secure anyway.

[Output]

I was just coming to post about this, having come across this Twitter conversation about it (at the end of the conversation is one of the report's authors).

The problem is a lot of organisations rely on Bitlocker and Hexus haven't noted this properly that Bitlocker relies on it if it is available for SSDs:



https://www.theregister.co.uk/2018/1...sd_encryption/

It's showing as mentioned here, so if it wasn't before it must have been edited in since your post.

Furthermore, if BitLocker sees you install a new SSD with hardware encryption, it is by default set to trust and use the hardware facility – which has now been demonstrated to be vulnerable.

[mtyson]

Note: It hasn't been edited.
I did mention the BitLocker issue in the story when originally posted.

[BobF64]

I've honestly never seen anyone use this encryption.

Thats because its a ball ache for most people. To use the OPAL on a Windows bootable disk requires you to configure it before installing Windows, you cant enable it after the fact.

As others mentioned, I'm pretty sure businesses with any sort of salt have their own encryption techniqes for confidential info. Pretty sure this is just the "self-encryption" thing that most wouldn't expect to be secure anyway.

Most businesses buy someone elses "encryption techniques", which may contain any number of unknown flaws, open source is no different because unknown is unknown.

[Ttaskmaster]

I'm pretty sure businesses with any sort of salt have their own encryption techniqes for confidential info.

Our water not derived from rainfall will have gone through a desalination plant or something, which means we're without any sort of salt at all..... We don't even have on-site canteens any more, so no salt even there!

Our encrypted drives are usually bought pre-secured from PC World by IT, who then charge us more than 2½ times the retail price, so we get whatever Kingston put on their stuff. Same for most other kit, really.
But I imagine that, between our shoddy policies and Google's spying techniques, your data has already been intercepted and sold several times over anyway, so nothing to really worry about... and I rather doubt anyone else in the world even cares how big your poos are, let alone would actually pay money to find out?

[shaithis]

Whoops and we just rolled out BitLocker here, mainly with Samsung SSDs!

[Output]

Whoops and we just rolled out BitLocker here, mainly with Samsung SSDs!

Who gets to be the one to explain this to the bosses?