10-21-2018 08:46 AM - edited 10-21-2018 11:28 AM
This is my first time using an SSD drive for my laptop, so would like to ask the question below:
I need to use BitLocker in Software Encryption mode. I disabled BitLocker and then set the following Group Policy: Configure use of hardware-based encryption for operating system drives= DISABLED
I re-enabled BitLocker again, and this time seems to be Software based encryption again according to MANAGE-BDE -STATUS.
After re-enabling BitLocker again which is now in Software Encryption mode, do I need to reinstall Windows 10?
10-21-2018 12:32 PM
I'm not a Windows user, but from my understanding you should be Ok without reinstalling if everything is working as you want it.
10-21-2018 12:59 PM
I'm curious, if you don't mind me asking, why would you use software encryption over hardware? That seems an unnecessary performance overhead?
10-21-2018 01:59 PM - edited 10-21-2018 02:05 PM
I still have the package and the package does not state that it uses encryption. This all came by suprise when I first inserted my SSD into my laptop and enabled BitLocker. The encryption was really quick, I mean in seconds instead of hours and that came to my suspicion that something was not right. So I went to the Command Prompt and entered MANAGE-BDE -STATUS and thats how I knew it was Hardware based encryption.
However, when I went to the MANAGE-BDE -STATUS for the BitLocker status information, what does the following nean below?
Encryption Method: Hardware Encryption - 220.127.116.11.1618.104.22.168
10-21-2018 11:26 PM
It will only take seconds because it's hardware encrypted, always. It's just not secured by default and will always decrypt until you enable a password against it. This article explains: https://forums.crucial.com/t5/Crucial-SSDs/An-Overview-of-Hardware-Encryption/ta-p/181035
I'm not really sure why you would want the overhead of software encryption when you have hardware to do it for you.
10-22-2018 12:46 AM
10-22-2018 05:27 AM
The MX500 uses AES-256. ref: http://uk.crucial.com/gbr/en/storage-ssd-mx500#a-features
I don't really understand the secure by default question. The data is always hardware encrypted. You need to configure a key of some kind (password or your TPM). That couldn't really happen by default. certainly nto the password anyway. Not to mention that not everyone wants it. I don't.
11-02-2018 01:21 AM - edited 11-02-2018 01:24 AM
Why isn’t it secure by default? When I enabled Bitlocker the TPM chip should be the authentication method without entering password regardless if it is Hardware or software encryption.
And what does this mean below as the encryption method? I sure hope this drive uses AES-256 instead of AES-128.
if your system meats the requirements of bitlocker e-drive support there is no reason to not use it (this is why it enables so quickly as your securing the encryption keys between windows and the SSD to lock the drive to your system with bitlocker auth, the data on the SSD is already encrypted as to why it enables so fast)
all SSDs that support SED or have a PSID on them are already encrypted the drive is just in a unlocked state until you set the ATA password or if your system and SSD meats the requirements of E-Drive witch in your case it was as to why bitlocker enabled right away
(if you reloaded windows you would undo the policy change you did to force software based bitlocker)
e-dive bitlocker is not enabled by default as not every one needs it , up to you to enable bit locker assuming win10 pro is used (also prevents the disk from working in another system as its tied to your motherboard TPM chip, in a home user setup it make data recovery imposable when windows 10 update messes up)
11-05-2018 03:41 PM
MANAGE-BDE -STATUS resulting in "Encryption Method: Hardware Encryption" then a bunch of numbers means BitLocker is using the drive's hardware encryption. Otherwise it would say "AES 128" or something similar.
Whether using software or hardware encryption, you should always set a password/PIN even if you've got a TPM, since using a TPM by itself just binds the SSD to the specific computer. If you pinch the drive and put it in another computer, you get blocked;, but if you take the whole computer with the SSD in it then you can boot it to the operating system login prompt, at which point the SSD is being transparently decrypted and all sorts of attacks open up.
A paper has just been published about attacks on design flaws in hardware encrypted SSDs including some older Crucial MX models (they didn't test the MX500), so I can see an argument for sticking with software encryption, but the attack vectors for Opal / eDrive involved modified firmware so I still trust hardware encryption to keep my data safe from opportunistic thieves which is all I'm really after.
It's quite hard (as someone else pointed out earlier) to stop a clean Windows install from enabling eDrive. The only way I know with the MX500 is to ensure there's a partition on it already before you run Windows setup, but I don't know at what point eDrive is enabled, so it's possible if you delete that partition and repartition during setup you'd still get eDrive turned on later in the process.
As well as MANAGE-BDE -STATUS, you'd know if you were using software encryption as it would take a while to encrypt, rather than being instantaneous to switch on/off. If your drive is now using software encryption, and you're happy with that, then stick with it and don't reinstall Windows.