Self-encrypting deception by Carlo Meijer

Carlo Meijer

We have analyzed the hardware full-disk encryption implementation of several Self-Encrypting Drives (SEDs) from Samsung and Crucial (Micron) by reverse engineering their firmwares. The vendors combined cover a majority of the market share of SEDs sold today.

In theory, the security guarantees offered by hardware encryption are similar to those of software implementations. In reality, we found that many hardware implementations have critical security weaknesses, for many models allowing for complete recovery of the data without knowledge of any secret.

BitLocker, the encryption software built into Microsoft Windows will rely exclusively on hardware full-disk encryption if the drive advertises supported for it. Thus, for these drives, data protected by BitLocker is also compromised.

This challenges the view that full-disk encryption implemented in hardware is preferable over software. We conclude that one should not rely solely on hardware encryption offered by SEDs.