
Encrypting Samsung SSDs with Bitlocker (or other software)


7 replies to this topic

#1 yu gnomi


Posted 27 April 2022 - 09:09 PM

My desktop PC has an 840 Evo SSD, which was my original boot drive, and a 960 Evo SSD, my current boot drive. Before I bought the 960 Evo, I was thinking of encrypting my 840 Evo drive until I found an article explaining that Samsung had screwed up the implementation of the built-in Opal encryption on those drives. Hackers could break the encryption easily. In addition, if you encrypted the drive with BitLocker, it would simply default to the Opal encryption, and you would end up with an insecurely encrypted drive.

 

Does anyone know if later Samsung SSDs have this same issue? - I am particularly asking about 960 Evo.




 


#2 yu gnomi


Posted 28 April 2022 - 11:42 PM

This article mentions the issue I am referring to with 840 Evo SSDs and encryption https://www.tomshardware.com/news/crucial-samsung-ssd-encryption-bypassed,38025.html

 

When I mentioned Opal encryption before, I was just talking about the built-in hardware encryption. I honestly don't know if Opal is security software, an encryption standard, or what.



#3 cknoettg


Posted 02 May 2022 - 07:56 PM

The 960 EVO is claiming compliance with a TCG Opal specification:

Source (Samsung itself): Samsung_SSD_960_EVO_Data_Sheet_Rev_1_2.pdf

User report that Windows does not recognize the drive as being Opal compliant, but Linux does: Solved: SSD 960 EVO not TCG/Opal Compliant? - Samsung Community - 746506

 

Dry material, but the TCG Opal Standard here (from TCG itself): TCG Storage Security Subsystem Class: Opal (trustedcomputinggroup.org)

 

Enabling BitLocker is not a perfect solution (IEEE paper on how BitLocker will cede to the drive's built-in encryption mechanism: 310.pdf (ieee-security.org)).

 

On the one hand, the drives that were reverse engineered were from 2014 to 2018. The Opal standard continues to be modified. Keep your SSD firmware as up-to-date as possible.

 

I don't think we can say that Opal is "bad." It is an evolving standard, by a neutral party, and offers a better guarantee than no guarantee and no standard at all. But, it just goes to show that no solution is perfect.

 

Here is a link from a Western Digital drive where they specifically released a firmware update to address such a situation: WDC-19006 SanDisk X600 SATA SED SSD | Western Digital


Microsoft MCE, CASP+, Linux+, Server+, Cloud+, Certified Forensic Computer Examiner


#4 Chiragroop


Posted 04 May 2022 - 08:14 PM

The good news is that Windows 10 (and Windows 11) no longer trusts hardware encryption and uses software encryption https://www.pcworld.com/article/398130/bitlocker-windows-built-in-encryption-tool-no-longer-trusts-your-ssds-hardware-protection.html



#5 yu gnomi


Posted 05 May 2022 - 10:34 PM

Thanks for the responses. I think the specific issue with the 840 Evo and some of the other drives was that you could either read the drive's password in plaintext, or bypass it with a default password - I read up on it a long time ago. Seems like something that Samsung would have fixed in later drives, but never saw any confirmation.

 

I would only be interested in doing hardware encryption, because there is no performance loss. What confuses me is how to encrypt your boot drive, since I think the drive has to be un-initialized for the hardware encryption to be enabled. Link for reference https://docs.microsoft.com/en-us/windows/security/information-protection/encrypted-hard-drive


Edited by yu gnomi, 05 May 2022 - 11:09 PM.


#6 Chiragroop


Posted 06 May 2022 - 05:19 PM

Based on these instructions, you would need to clean install Windows. If you are concerned about performance for software encryption, keep in mind that the impact would be minimal on modern CPUs as they have AES instructions.


Edited by Chiragroop, 06 May 2022 - 05:39 PM.


#7 yu gnomi


Posted 06 May 2022 - 10:52 PM

If you look at the data in the Anandtech article linked in the article you posted, I wouldn't call the performance hit "minimal." (-13.9% performance on Raw System Storage, vs -1.2% for Encrypted Drive and -29% performance on Random Write, vs -0.7% for Encrypted Drive)

 

I guess to do what I want, I need to create installation media, use Samsung Magician to enable Encrypted Drive, and then boot to the installation media to format the drive and install Windows. Not something that I'm going to do this weekend, maybe next weekend.



#8 zamroni


Posted 18 August 2022 - 02:57 PM

The good news is that Windows 10 (and Windows 11) no longer trusts hardware encryption and uses software encryption https://www.pcworld.com/article/398130/bitlocker-windows-built-in-encryption-tool-no-longer-trusts-your-ssds-hardware-protection.html

It's only by default.
You can re-enable hardware encryption for BitLocker by editing the BitLocker policy using gpedit.msc.
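
Added example, not part of any post in this thread: since BitLocker can either hand encryption to the drive or do it in software, this PowerShell function reads the "Encryption Method" field of `manage-bde -status` and reports which one each volume is actually using. The function name and the sample text are constructed for illustration, and English-language tool output is assumed.

```powershell
# Added example: classify BitLocker volumes by who performs the encryption.
# Get-BitLockerEncryptionMode is a hypothetical helper name, not a built-in cmdlet.
function Get-BitLockerEncryptionMode {
    param(
        # Lines of text as printed by `manage-bde -status`
        [Parameter(Mandatory)] [string[]] $StatusText
    )
    $volume = $null
    foreach ($line in $StatusText) {
        if ($line -match '^Volume\s+(\S+)') {
            # Start of a new volume section, e.g. "Volume C: [Windows]"
            $volume = $Matches[1]
        }
        elseif ($volume -and $line -match '^\s*Encryption Method:\s*(.+?)\s*$') {
            $method = $Matches[1]
            $mode = switch -Regex ($method) {
                '^Hardware Encryption' { 'Hardware (drive firmware)'; break }
                '^None$'               { 'Not encrypted'; break }
                default                { 'Software (BitLocker)' }
            }
            [pscustomobject]@{ Volume = $volume; Method = $method; Mode = $mode }
            $volume = $null
        }
    }
}

# Constructed sample output (not captured from a real machine).
$sample = @'
Volume C: [Windows]
[OS Volume]
    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On

Volume D: [Data]
[Data Volume]
    Conversion Status:    Fully Encrypted
    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2
    Protection Status:    Protection On
'@ -split "`r?`n"

# C: is reported as software, D: as hardware (relies on the SSD's own implementation).
Get-BitLockerEncryptionMode -StatusText $sample | Format-Table -AutoSize

# On a live system, from an elevated prompt:
# Get-BitLockerEncryptionMode -StatusText (manage-bde -status)
```

A volume reported as hardware-encrypted depends entirely on the SSD firmware's implementation, which is the weakness the linked paper describes.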



