Windows 10: Microsoft Security Advisory for self-encrypting drives

Discussion in 'Windows 10 News' started by GHacks, Nov 8, 2018.

  1. GHacks
    GHacks New Member

    Microsoft Security Advisory for self-encrypting drives


    Microsoft published the security advisory ADV180028, Guidance for configuring BitLocker to enforce software encryption, yesterday. The advisory is a response to the research paper Self-encrypting deception: weaknesses in the encryption of solid state drives (SSDs) by the Dutch security researchers Carlo Meijer and Bernard von Gastel from Radboud University (PDF here).

    The researchers discovered a vulnerability in Solid State Drives that support hardware encryption that enabled them to retrieve data from the encrypted drive without knowledge of the password used to encrypt the data on it.

    The vulnerability requires local access to the drive as it is necessary to manipulate the firmware of it to access the data.

    The security researchers tested several retail solid state drives that support hardware encryption and found the vulnerability in each of them including Crucial MX100, MX200 and MX3000, Samsung T3 and T5, and Samsung 840 Evo and 850 Evo drives.

    How BitLocker is affected


    BitLocker supports software and hardware encryption but uses hardware encryption by default if the drive supports it. This means that any drive that supports hardware encryption is potentially affected by the issue on Windows.

    Microsoft suggests that administrators switch the encryption mode from hardware to software to address the issue and resolve it at the same time.

    Verify the encryption method

    [Screenshot: hardware-ecryption-check-bitlocker.png]

    System administrators can check the used encryption method on Windows devices in the following way:

    1. Open an elevated command prompt, e.g. by opening the Start menu, typing cmd.exe, right-clicking on the result, and selecting the "run as administrator" option.
    2. Confirm the UAC prompt that is displayed.
    3. Type manage-bde.exe -status.
    4. Check for "Hardware Encryption" under Encryption Method.

    The solid state drive uses software encryption if you don't find hardware encryption referenced in the output.

    How to switch to BitLocker software encryption

    [Screenshot: bitlocker-use-software-encryption.png]

    Administrators may switch the encryption method to software if BitLocker uses a drive's hardware encryption capabilities on a Windows machine.

    BitLocker can't switch to software encryption automatically if a drive uses hardware encryption. The required process involves enabling software encryption as the default, decryption of the drive, and encrypting it using BitLocker.

    Microsoft notes that it is not required to format the drive or install software again when switching the encryption method.

    The first thing that needs to be done is to enforce the use of software encryption using Group Policy.

    1. Open the Start menu.
    2. Type gpedit.msc
    3. Go to Computer Configuration> Administrative Templates > Windows Components > Bitlocker Drive Encryption.
      1. For the system drive, open Operating System Drives and double-click on Configure use of hardware-based encryption for operating system drives.
      2. For fixed data drives, open Fixed Data Drives and double-click on Configure use of hardware-based encryption for Fixed Data Drives.
      3. For removable drives, open Removable Data Drives and double-click on Configure use of hardware-based encryption for Removable Data Drives.
    4. Set the required policies to Disabled. A value of Disabled forces BitLocker to use software encryption for all drives, even those that support hardware encryption.

    The setting applies to new drives that you connect to the computer. BitLocker won't apply the new encryption method to drives that are already encrypted.

    It is necessary to turn off BitLocker on affected drives fully to decrypt the data and turn it on again after the process so that BitLocker uses software encryption as defined in the Group Policy to encrypt the drive's data.

    Here is how that is done:

    [Screenshot: turn-off-bitlocker.png]

    1. Open Explorer on the computer.
    2. Right-click on the drive and select "Manage BitLocker" from the context menu.
    3. Select "Turn off BitLocker" to decrypt the drive. The time it takes to decrypt the drive depends on a number of factors.
    4. Once BitLocker is turned off on the drive, enable BitLocker encryption again on the drive.

    Closing Words

    The issue affects Solid State Drives that support hardware encryption. The security researchers tested only some Solid State Drives that support the security feature; it seems likely that additional drives are vulnerable as well.

    Attackers need local access to the drive to exploit the vulnerability. While that is very limiting, it is still suggested to switch to software encryption especially if critical data is stored on the drive or if the computer or drive may be sold or given away at a later point in time. (via Born)

    GHacks, Nov 8, 2018
    #1
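An added PowerShell example that automates the two checks described in the post above (the encryption method in use and whether Group Policy now forces software encryption) and wraps the decrypt/re-encrypt step behind a confirmation prompt. This is not code from the GHacks post, from the advisory, or from Microsoft. It assumes the BitLocker PowerShell module is available (Get-BitLockerVolume, Disable-BitLocker, Enable-BitLocker), that it runs in an elevated session, and that the three value names it reads under HKLM\SOFTWARE\Policies\Microsoft\FVE (OSHardwareEncryption, FDVHardwareEncryption, RDVHardwareEncryption) are the registry backing of the three "Configure use of hardware-based encryption" policies the post names; that mapping is an assumption, not something the page states.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the GHacks post or from Microsoft's advisory.
# Assumptions (not stated on the page): the BitLocker module is present, the session
# is elevated, and the FVE policy value names below back the three Group Policy
# settings "Configure use of hardware-based encryption for ... drives".

function Get-HardwareEncryptedVolume {
    # Volumes whose BitLocker method is the drive's own SED engine ("Hardware"),
    # i.e. the configuration the advisory tells administrators to move away from.
    Get-BitLockerVolume | Where-Object {
        $_.VolumeStatus -ne 'FullyDecrypted' -and "$($_.EncryptionMethod)" -eq 'Hardware'
    }
}

function Find-HardwareEncryptionInStatus {
    # Text-based fallback equal to the post's manual check: walk manage-bde -status
    # output and return the volumes whose "Encryption Method" line says Hardware Encryption.
    param([string[]]$StatusText = (& manage-bde.exe -status 2>&1 | ForEach-Object { "$_" }))
    $hits = @(); $volume = $null
    foreach ($line in $StatusText) {
        if ($line -match '^Volume\s+(\S+)') { $volume = $Matches[1] }
        if ($line -match 'Encryption Method:\s*(.+)$' -and $Matches[1] -like '*Hardware Encryption*') {
            $hits += $volume
        }
    }
    return $hits
}

function Get-HardwareEncryptionPolicy {
    # Assumed registry backing of the three policies. 0 = Disabled = BitLocker must use
    # software encryption; absent = Not Configured (hardware encryption used if supported).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    foreach ($name in 'OSHardwareEncryption', 'FDVHardwareEncryption', 'RDVHardwareEncryption') {
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{ Policy = $name; Value = $value; SoftwareEnforced = ($value -eq 0) }
    }
}

function Get-BitLockerEncryptionAudit {
    # One row per encrypted volume; NeedsMigration marks drives still on hardware
    # encryption, which the policy change alone will not re-encrypt.
    Get-BitLockerVolume | Where-Object VolumeStatus -ne 'FullyDecrypted' | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType
            EncryptionMethod = "$($_.EncryptionMethod)"
            NeedsMigration   = ("$($_.EncryptionMethod)" -eq 'Hardware')
        }
    }
}

function Invoke-SoftwareEncryptionMigration {
    # The post's decrypt-then-re-encrypt step for one volume. Refuses to run unless
    # policy already forces software encryption, since otherwise BitLocker would
    # simply pick hardware encryption again. ConfirmImpact=High prompts before acting.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [switch]$OperatingSystemDrive   # OS drive gets a TPM protector, data drives a recovery password
    )
    if (-not (Get-HardwareEncryptionPolicy | Where-Object SoftwareEnforced)) {
        throw 'No hardware-encryption policy is set to Disabled; configure Group Policy first.'
    }
    if (-not $PSCmdlet.ShouldProcess($MountPoint, 'Decrypt and re-encrypt with software encryption')) { return }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') { Disable-BitLocker -MountPoint $MountPoint | Out-Null }
    do {
        Start-Sleep -Seconds 30
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Verbose ('{0}: {1} ({2}% encrypted)' -f $MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage)
    } while ($vol.VolumeStatus -ne 'FullyDecrypted')

    # Re-enable with an explicit software method so the result is unambiguous.
    if ($OperatingSystemDrive) {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
    } else {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -RecoveryPasswordProtector
    }
}

# Usage: audit first, then migrate each flagged volume.
Get-BitLockerEncryptionAudit | Format-Table -AutoSize
Get-HardwareEncryptionPolicy | Format-Table -AutoSize
```

Run the audit on a fleet before changing anything: a row with `NeedsMigration` true is a drive whose data is protected only by the SED firmware the researchers bypassed. `Invoke-SoftwareEncryptionMigration -MountPoint C: -OperatingSystemDrive -Verbose` then performs the same decrypt and re-encrypt the post describes through Explorer; as the post notes, full decryption of a large drive takes a while, so the loop polls rather than assuming completion.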
  2. tamo Win User
    tamo, Nov 8, 2018
    #2
  3. btarunr Win User
    Seagate And McAfee Drive Advances In Self-Encrypting Notebook Computers

    Seagate today announced sweeping advances in its global push to help secure notebook computer information from theft or loss. To combat growing threats to mobile information, Seagate, the world leader in storage solutions, is now shipping its groundbreaking, self-encrypting notebook PC hard drives, now with up to 320GB of capacity, to the worldwide distribution channel, with 500GB models coming soon. Additionally, Dell is now shipping a notebook with a 160GB self-encrypting hard drive. McAfee is set to provide software for the enterprise-wide management of notebooks with Seagate Secure hard drives.

    Powerful, easy-to-use notebook data security is increasingly important as the global adoption of mobile PCs continues to soar and more notebooks are used to store sensitive personal and business information. Lost or stolen notebooks can cost companies millions of dollars in compromised proprietary information and threaten consumers with the high cost of identity theft, yet many computers remain unprotected. According to the United States FBI, a notebook computer is stolen every 53 seconds and 97% are never recovered*.

    The new Momentus FDE (full-disk encryption) notebook hard drives, 5400- and 7200-rpm models with capacities of up to a half-terabyte, deliver powerful protection to help guard against unauthorized access to information on lost or stolen notebook computers. Part of the Seagate Secure family of self-encrypting drives, the Momentus FDE drives feature government-grade encryption that delivers powerful security for confidential customer or corporate information on executive notebook computers, critical customer data on field sales and customer support notebook PCs, and sensitive information on personal notebooks. “Delivering easy-to-use notebook security that also is cost-effective requires leading partnerships and technologies,” said Tom Major, vice president of the Personal Compute Business Unit at Seagate. “Seagate is pleased to be teaming with industry leaders to simplify security management for our customers and providing our OEM and channel customers with the world’s fastest self-encrypting hard drive.”

    Businesses of all sizes and shapes are turning to hard drive-based encryption solutions to protect the important information that ensures their competitive edge. Papa Gino’s, a Dedham, Massachusetts-based restaurant chain, has deployed approximately 80 self-encrypting notebook computers for its workers since last year and has its sights set on using the newest secure notebooks.

    “With these hardware-based security solutions only the right people get access to the right information with the best performance and the lowest price,” said Chris Cahalin, manager of Network Operations at Papa Gino’s.

    McAfee Teams with Seagate to Simplify Management of Secure Notebooks
    McAfee joins a growing list of security software providers – including SECUDE International, Wave Systems and WinMagic Data Security – that are teaming with Seagate to help secure notebook PCs. McAfee ePolicy Orchestrator management system and McAfee’s endpoint encryption client will integrate with Seagate Momentus FDE hard drives to use the embedded hardware encryption, giving customers full, user-rich features and the total enterprise management required to secure notebook computers in heterogeneous environments.

    “McAfee provides leading enterprise-class, powerful encryption and strong access control technologies,” said Tony Jennings, vice president Strategic Partnerships at McAfee. “By teaming with Seagate on its new encrypting Momentus drive, we are extending additional protection tools to our customers.”

    Through McAfee ePO, organizations worldwide can leverage Seagate Momentus FDE hard drives in heterogeneous environments to secure notebook information. IT security personnel can enforce policy management globally, enable token authentication and end-user password recovery, and aid organizations to prove that a missing notebook was encrypted at the time it was lost or stolen – a requirement for compliance with many data-privacy laws.

    Seagate Delivers Strong, Simple-to-Use Notebook Security for Consumers and Organizations
    Seagate Secure hard drives are simple and easy for consumers and organizations to use. Individual computer users who are not subject to corporate policies and regulatory compliance, don’t need multi-user encryption management and want to protect personal and other sensitive information can easily deploy a notebook with a Momentus FDE hard drive, which installs as easily as a traditional drive. Once installed, the user simply enters a BIOS password, then logs on as usual, and the security is in place. The hardware-based encryption engine delivers security without the overhead – no bootup delays, no system slowdowns – and the BIOS automatically authenticates the user for transparent security.

    For organizations requiring high strength authentication and a simple way to meet state and federal consumer-privacy laws, Momentus FDE HD – the industry’s first hard drive with built-in encryption – can be deployed in notebook fleets to enable secure disposal and repurposing of drives and notebooks; security audits; password escrow; pre-boot authentication in the form of biometrics, passwords and smart cards; and simple centralized management.

    Now shipping is the Momentus 5400 FDE.3 hard drive with capacities of 320GB and 160GB and 8MB of cache, as is Momentus 7200 FDE, Seagate’s first high-performance (7200 RPM) self-encrypting notebook drive, with capacities of 320GB and 160GB and a 16MB cache. Seagate’s Momentus 5400 RPM and 7200 RPM self-encrypting hard drives in capacities up to 500GB are scheduled to begin shipping early next year. All Momentus FDE drives feature a fast Serial ATA interface and built-in AES encryption, an AES government-grade encryption used to encrypt all hard drive information transparently and automatically.

    The Seagate Secure family is powered by a robust security platform that combines strong, fully automated hardware-based security with a programming foundation that makes it easy to add security-based software applications for organization-wide encryption key management, multi-factor user authentication and other capabilities that help lock down digital information at rest. Seagate Secure hard drives are the only other hardware-based encryption solutions that deliver both AES government-grade security and centralized notebook security management. The drives aid government, healthcare, education, banking and financial institutions to comply with consumer laws and state and federal legislation requiring identity theft protection.

    *2007 Annual CSI/FBI Computer Crime and Security Survey

    Source: Seagate
     
    btarunr, Nov 8, 2018
    #3
  4. btarunr Win User
    Toshiba Launches Self-Encrypting to Deliver Cost-Effective Security to Businesses

    Toshiba Storage Device Division (SDD), the pioneer in small form factor hard disk drives (HDDs), today announced a 7,200 RPM 2.5-inch (6.4cm) Self-Encrypting Drive (SED) that provides government-grade AES-256 hardware encryption incorporated in the disk drive’s controller electronics. The MKxx61GSYD is the newest addition to the Toshiba family of drives designed for commercial notebooks and security-sensitive applications, including shared desktop PCs. The drive’s built-in hardware encryption offers benefits that go beyond software encryption.

    Based on the Opal Security Subsystem Class (Opal SSC) specification from the Trusted Computing Group (TCG), the new Toshiba SED enables secure and quick deployment of encryption on notebook and desktop PCs to protect confidential information. Many organisations are taking steps to comply with security policies and new laws governing data privacy. The SED technology from Toshiba helps IT departments to achieve strong, cost-effective security without interrupting business flow or impacting application performance.


    [Image: 200b_thm.jpg]


    SEDs designed to the Opal SSC specification provide advanced access authentication and built-in hardware data encryption. Because it is an open industry standard, Opal encourages broad support from both security solutions vendors and SED makers – enabling seamless management of most deployments that support both pre-existing software encryption and Opal SSC-specified SED storage. SEDs designed to the Opal specification help organisations easily and cost-effectively protect data from theft or unauthorised access, while easing the administrative burdens associated with re-purposing, or retiring client systems and data storage.

    The MKxx61GSYD provides organisations with a range of benefits, including:
    • Stronger security: The Toshiba MKxx61GSYD provides AES-256 encryption, built into the drive’s electronics hardware. This government-grade encryption increases security for data that resides on the storage media. The Toshiba AES-256 encryption algorithm implementation is certified by the US National Institute of Standards and Technology (NIST) through its Cryptographic Algorithm Validation Program (CAVP). In addition, access to the Toshiba MKxx61GSYD SED can be securely administered or disabled remotely, using capabilities such as those enabled by Intel’s Active Management Technology (AMT).
    • Ease of deployment: With SED storage, the initial encryption of OS files, applications, and user data is performed at full I/O speeds by the SED as the data are transferred to the disk media. With software encryption, loading of the OS, applications and user data must be completed prior to reading and encrypting the same data within the PC’s system memory and re-writing the encrypted data back to the drive. This “re-encryption cycle” often takes hours and may create a security gap during initial system deployment. With SED drives, disk contents are encrypted as they are loaded, providing both a faster and more secure deployment process. These same advantages help to reduce IT support burdens when recovering or re-purposing a notebook or PC using SED storage.
    • Compatibility: The MKxx61GSYD is compatible with leading third party security management applications for notebook and other client PCs. Recognising the need for stronger and more transparent deployment of encryption, leading independent software vendors (ISVs) have participated directly in the development of the TCG’s Opal SSC specification. As a result, Opal SSC is a broadly-supported industry standard with many security management software vendors supporting mixed environments of Opal SSC-compliant SEDs and legacy software encryption applications.
    • Improved performance: Software encryption uses CPU cycles and system memory capacity, reducing the performance of applications. The hardware encryption built-into the MKxx61GSYD allows full storage I/O speeds, ensuring that users will experience no reduction in application performance due to background encryption processes.
    • Transparency: Because SED security features are transparent to applications and operating systems, the MKxx61GSYD can be deployed into any managed security environment supporting the industry standard Opal SSC specification. The Toshiba MKxx61GSYD model also provides features to support secure, role-based pre-boot access authentication such as that which is employed by the leading security management ISVs in their client security, enterprise client administration, and single-sign-on frameworks.
    • Reduced cost and simplicity: The MKxx61GSYD has built-in hardware encryption and therefore can help eliminate the expenses associated with software encryption licenses. The built-in encryption also eliminates the need to escrow media encryption keys, reducing the complexity of key management.
    “Data is at the heart of business success, so it is critical that organisations are proactive in ensuring their valuable customer data does not fall into the wrong hands,” said Martin Larsson, Vice President, Toshiba Europe, Storage Device Division. “Strong data encryption and access authentication provide the foundations for meeting the ‘safe harbour’ provisions of privacy protection laws. The MKxx61GSYD helps businesses to protect their data assets by utilising the Opal SSC specification, a global standard which is broadly supported by leading security solutions providers. Users will benefit from richer security capabilities, in addition to optimum application performance.”

    Larsson continued: “Toshiba’s close partnerships with the world’s leading independent security vendors ensures that Toshiba’s SED models can be integrated seamlessly with the most widely supported managed security environments. The MKxx61GSYD can be deployed and managed in the same way as existing software encryption solutions for client PCs. This means that businesses can quickly realise the practical benefits of drive-based encryption, without damage to any existing encryption software deployment they might have – assuring organisations of complete data protection.”

    “Encryption standards established by organisations such as The Trusted Computing Group are making it significantly easier to deploy security solutions such as self-encrypted HDDs on portable PCs,” said IDC industry analyst John Rydning. “Toshiba is aiming squarely at the need for stronger data security by launching its new mobile 2.5-inch (6.4cm) HDD with AES 256 encryption embedded in the drive hardware, and designed to The Trusted Computing Group's Opal SSC specification.”

    Toshiba is shipping samples of the MKxx61GSYD now. Volume production is scheduled for Q1 2011.

    For more information, refer to the Data Sheet.


    [Image: 200a_thm.jpg]
     
    btarunr, Nov 8, 2018
    #4