Crucial MX500 SSD and BitLocker question

Kilobyte Kid


This is my first time using an SSD drive for my laptop, so I would like to ask the question below:

 

I need to use BitLocker in Software Encryption mode. I disabled BitLocker and then set the following Group Policy: Configure use of hardware-based encryption for operating system drives = DISABLED

I re-enabled BitLocker again, and this time it seems to be software-based encryption again according to MANAGE-BDE -STATUS.

 

After re-enabling BitLocker again which is now in Software Encryption mode, do I need to reinstall Windows 10?

 

Thanks!

8 Replies
JEDEC Jedi

Re: Crucial MX500 SSD and BitLocker question

I'm not a Windows user, but from my understanding you should be Ok without reinstalling if everything is working as you want it.

JEDEC Jedi

Re: Crucial MX500 SSD and BitLocker question

I'm curious, if you don't mind me asking, why would you use software encryption over hardware?  That seems an unnecessary performance overhead?

Kilobyte Kid

Re: Crucial MX500 SSD and BitLocker question

I still have the package and the package does not state that it uses encryption. This all came by surprise when I first inserted my SSD into my laptop and enabled BitLocker. The encryption was really quick, I mean in seconds instead of hours, and that came to my suspicion that something was not right. So I went to the Command Prompt and entered MANAGE-BDE -STATUS and that's how I knew it was Hardware based encryption.

However, when I went to the MANAGE-BDE -STATUS for the BitLocker status information, what does the following mean below?

 

Encryption Method: Hardware Encryption - 1.3.111.2.1619.0.1.2


JEDEC Jedi

Re: Crucial MX500 SSD and BitLocker question

It will only take seconds because it's hardware encrypted, always.  It's just not secured by default and will always decrypt until you enable a password against it.  This article explains: https://forums.crucial.com/t5/Crucial-SSDs/An-Overview-of-Hardware-Encryption/ta-p/181035

 

I'm not really sure why you would want the overhead of software encryption when you have hardware to do it for you.

Kilobyte Kid

Re: Crucial MX500 SSD and BitLocker question

Why isn’t it secure by default? When I enabled Bitlocker the TPM chip should be the authentication method without entering password regardless if it is Hardware or software encryption.

And what does this mean below as the encryption method? I sure hope this drive uses AES-256 instead of AES-128.

1.3.111.2.1619.0.1.2
JEDEC Jedi

Re: Crucial MX500 SSD and BitLocker question

The MX500 uses AES-256. ref: http://uk.crucial.com/gbr/en/storage-ssd-mx500#a-features

 

I don't really understand the secure by default question.  The data is always hardware encrypted.  You need to configure a key of some kind (password or your TPM).  That couldn't really happen by default. Certainly not the password anyway.  Not to mention that not everyone wants it. I don't.

Kilobyte Kid

Re: Crucial MX500 SSD and BitLocker question


@ADBowen wrote:
Why isn’t it secure by default? When I enabled Bitlocker the TPM chip should be the authentication method without entering password regardless if it is Hardware or software encryption.

And what does this mean below as the encryption method? I sure hope this drive uses AES-256 instead of AES-128.

1.3.111.2.1619.0.1.2

If your system meets the requirements of BitLocker e-drive support there is no reason to not use it (this is why it enables so quickly, as you're securing the encryption keys between Windows and the SSD to lock the drive to your system with BitLocker auth; the data on the SSD is already encrypted, which is why it enables so fast).

All SSDs that support SED or have a PSID on them are already encrypted; the drive is just in an unlocked state until you set the ATA password, or if your system and SSD meet the requirements of E-Drive, which in your case it was, which is why BitLocker enabled right away.

(If you reloaded Windows you would undo the policy change you did to force software-based BitLocker.)

E-drive BitLocker is not enabled by default as not everyone needs it; it's up to you to enable BitLocker, assuming Win10 Pro is used (it also prevents the disk from working in another system as it's tied to your motherboard TPM chip; in a home user setup it makes data recovery impossible when a Windows 10 update messes up).

Kilobyte Kid

Re: Crucial MX500 SSD and BitLocker question

MANAGE-BDE -STATUS resulting in "Encryption Method: Hardware Encryption" then a bunch of numbers means BitLocker is using the drive's hardware encryption. Otherwise it would say "AES 128" or something similar.

 

Whether using software or hardware encryption, you should always set a password/PIN even if you've got a TPM, since using a TPM by itself just binds the SSD to the specific computer. If you pinch the drive and put it in another computer, you get blocked, but if you take the whole computer with the SSD in it then you can boot it to the operating system login prompt, at which point the SSD is being transparently decrypted and all sorts of attacks open up.

 

A paper has just been published about attacks on design flaws in hardware encrypted SSDs including some older Crucial MX models (they didn't test the MX500), so I can see an argument for sticking with software encryption, but the attack vectors for Opal / eDrive involved modified firmware so I still trust hardware encryption to keep my data safe from opportunistic thieves which is all I'm really after.

 

It's quite hard (as someone else pointed out earlier) to stop a clean Windows install from enabling eDrive. The only way I know with the MX500 is to ensure there's a partition on it already before you run Windows setup, but I don't know at what point eDrive is enabled, so it's possible if you delete that partition and repartition during setup you'd still get eDrive turned on later in the process.

 

As well as MANAGE-BDE -STATUS, you'd know if you were using software encryption as it would take a while to encrypt, rather than being instantaneous to switch on/off. If your drive is now using software encryption, and you're happy with that, then stick with it and don't reinstall Windows.
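
The check described in the post above, as an added example that is not part of the original thread: a Python parser for saved `manage-bde -status` output that flags volumes reporting "Hardware Encryption" and OS volumes protected by a bare TPM rather than "TPM And PIN". The sample output is constructed and trimmed, and the function names `parse_status` and `audit` are illustrative.

```python
import re

# Constructed, trimmed `manage-bde -status` output; not captured from a real machine.
SAMPLE = """\
Volume C: [OS]
[OS Volume]
    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2
    Key Protectors:
        TPM
        Numerical Password

Volume E: [Data]
[Data Volume]
    Encryption Method:    XTS-AES 128
    Key Protectors:
        Password
        Numerical Password
"""

def parse_status(text):
    """Return {drive: {"fields": {...}, "protectors": [...]}} per volume."""
    volumes, cur, in_prot = {}, None, False
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"Volume (\w:)", line)
        if m:  # a new "Volume X: [label]" header starts a new record
            cur = volumes.setdefault(m.group(1), {"fields": {}, "protectors": []})
            in_prot = False
        elif cur is None or not line:
            continue
        elif line == "Key Protectors:":
            in_prot = True  # every following line up to the next volume is a protector
        elif in_prot:
            cur["protectors"].append(line)
        elif ":" in line:
            key, _, val = line.partition(":")
            cur["fields"][key] = val.strip()
    return volumes

def audit(text):
    report = {}
    for drive, vol in parse_status(text).items():
        findings = []
        method = vol["fields"].get("Encryption Method", "")
        if method.startswith("Hardware Encryption"):  # drive firmware does the crypto
            findings.append("hardware encryption: " + method.split(" - ")[-1])
        if "TPM" in vol["protectors"]:  # bare TPM, as opposed to "TPM And PIN"
            findings.append("TPM-only unlock, no PIN")
        report[drive] = findings
    return report
```

Run `audit()` over output collected from each machine; an empty list for a volume means neither condition was found.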