
How can I protect my self-encrypting drives?

Dutch researchers discovered flaws in ATA security and TCG Opal affecting self-encrypting drives. What steps can you take to guard data stored on vulnerable solid-state drives?

Researchers found multiple vulnerabilities in self-encrypting drives. What is the core issue with these vulnerabilities, and what should enterprises look out for with self-encrypting drives?

Solid-state, self-encrypting drives are subject to multiple security flaws. Among the most critical are vulnerabilities in the implementation of two security mechanisms: ATA security for Advanced Technology Attachment (ATA) drives, a type of disk drive that integrates its own controller rather than requiring a separate drive controller, and the standard defined by the Trusted Computing Group (TCG) Opal Security Subsystem Class (SSC) specification. Either flaw could enable an unauthenticated attacker to decrypt the contents of an encrypted solid-state drive.

With the ATA security vulnerability, the password a legitimate user supplies is not cryptographically linked to the hardware-based key that actually encrypts the data. This means an attacker who can reach the stored key does not need the password at all and can use the key to decrypt the data on the disk.

Researchers at Radboud University, in Nijmegen, Netherlands, found the vulnerabilities in several models of self-encrypting drives, including:

  • Micron's Crucial MX100, MX200 and MX300 drives;
  • Samsung T3 and T5 portable drives; and
  • Samsung 840 EVO and 850 EVO drives that are in ATA high mode. The drives in TCG or ATA max mode are not affected.

With the vulnerability in the TCG Opal SSC, the researchers turned their attention to the wear-leveled flash storage chip that holds the encryption key information. Wear leveling does not fully remove the old copy of data that has been updated.

When data is moved to a new segment of the chip, the previous version may remain in the old segment. When a user sets a new password, the key material is updated, but the previous version, unprotected or guarded only by the old password, may remain accessible. All modes of the Samsung 840 EVO drives can be affected by this tactic.

To guard against these vulnerabilities in self-encrypting drives, enterprises should determine if patches are available and, if so, apply them. If patches are not available, IT should consider software-based encryption instead of relying on the drive's hardware encryption.

Additionally, admins should check the BitLocker Group Policy settings in Windows to ensure the default encryption is software-based rather than hardware-based. After the policy is changed, disable and re-enable BitLocker so that the new encryption protection takes effect.

BitLocker is not available in Windows Home edition. Enterprises using non-Windows systems should check for the default drive encryption options available to them.
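As an added example (not from the original article), the following PowerShell audit script checks the two things described above: whether the BitLocker hardware-encryption policies have been set to force software encryption, and whether any BitLocker volume still reports the Hardware encryption method. The registry value names under the FVE policy key are assumed to be the ones written by the "Configure use of hardware-based encryption" Group Policy settings.

```powershell
# Added audit script, not part of the original article. Run in an elevated
# PowerShell on a Windows edition that ships the BitLocker module.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
# Assumed registry values behind the "Configure use of hardware-based encryption
# for operating system / fixed data / removable data drives" policies (0 = disabled).
$hwPolicyValues = @{
    'OSHardwareEncryption'  = 'operating system drives'
    'FDVHardwareEncryption' = 'fixed data drives'
    'RDVHardwareEncryption' = 'removable data drives'
}

function Get-HardwareEncryptionPolicy {
    # Missing key or value means the policy is not configured, so hardware
    # encryption is still allowed by default.
    $pol = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    foreach ($name in $hwPolicyValues.Keys) {
        $value = if ($pol) { $pol.$name } else { $null }
        $state = if ($null -eq $value) {
            'NOT CONFIGURED (hardware encryption allowed by default)'
        } elseif ($value -eq 0) {
            'Disabled (software encryption enforced)'
        } else {
            'Enabled (hardware encryption allowed)'
        }
        [pscustomobject]@{ Scope = $hwPolicyValues[$name]; Policy = $name; State = $state }
    }
}

function Get-HardwareEncryptedVolumes {
    # EncryptionMethod 'Hardware' means BitLocker delegated encryption to the drive,
    # so the volume depends on the SED firmware the article warns about.
    Get-BitLockerVolume | Where-Object { $_.EncryptionMethod -eq 'Hardware' } |
        Select-Object MountPoint, VolumeStatus, EncryptionMethod
}

Get-HardwareEncryptionPolicy | Format-Table -AutoSize
$hw = Get-HardwareEncryptedVolumes
if ($hw) {
    Write-Warning 'Volumes still relying on drive hardware encryption (set the policy, then disable and re-enable BitLocker):'
    $hw | Format-Table -AutoSize
} else {
    Write-Host 'No BitLocker volume is using drive hardware encryption.'
}
```

Volumes already encrypted in hardware mode are not converted by the policy change alone; BitLocker must be turned off and back on for the software-based method to apply.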

This was last published in March 2019


How are you protecting your self-encrypting drives?
Self-encrypting drives or full-disk encryption (FDE) drives protect everything on the drive, not just a selection of data like most encryption software. An encryption chip is placed between the hard drive and the computer, thus keeping all the data always encrypted unless it is powered on and a password is input. If someone steals your laptop, removes the drive and attempts to turn it on, make a forensic copy, etc., they will only get encrypted garbage. You don't even need to format your drive or do a data wipe. Just change your password and your drive is now erased. Technically it's not, but it's so encrypted the data can't be recovered, and the new encrypted data will write over it eventually. For further guides you can visit our website.