Security vulnerabilities have been discovered in the firmware of some Opal self-encrypting drives (SSDs). This article describes how to mitigate this threat by changing the system from using Opal hardware encryption to software encryption.
These vulnerabilities can give an attacker unauthenticated access to sensitive data. For details, see the disclosure Self-encrypting deception: weaknesses in the encryption of solid state drives (SSDs).
The disclosure describes vulnerabilities in both the ATA Security and Opal security implementations on specific drives from various OEMs. DE does not use ATA Security (only Opal), so the sections relating to ATA Security can be ignored.
Microsoft has released Security Advisory 180028 related to this issue and BitLocker.
We recommend that customers review the paper and undertake a risk assessment to determine whether their organization can be impacted by this hardware vulnerability and whether changes to their encryption policy are required.
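One input to that risk assessment is an inventory of which Windows volumes actually rely on the drive's own Opal hardware encryption. The check below is an added example, not part of this article or of DE; it covers BitLocker-managed volumes (the case in the Microsoft advisory cited above) and assumes an elevated PowerShell session with the built-in BitLocker module.

```powershell
# Added example, not part of the original KB article. Lists Windows volumes whose BitLocker
# protection is delegated to the SSD's own Opal/eDrive hardware encryption, i.e. the
# configuration the SSD firmware weaknesses affect. Needs an elevated PowerShell session
# and the built-in BitLocker module (Windows 8 / Server 2012 or later).
function Get-HardwareEncryptedVolume {
    [CmdletBinding()]
    param()

    # Primary source: the BitLocker module reports 'Hardware' as the EncryptionMethod
    # when encryption was handed to the drive instead of done in software (AES / XTS-AES).
    $fromModule = Get-BitLockerVolume |
        Where-Object { $_.EncryptionMethod -eq 'Hardware' } |
        ForEach-Object { $_.MountPoint }

    # Cross-check: manage-bde -status prints "Encryption Method: Hardware Encryption"
    # under each affected volume; walk its output and remember the current volume header
    # (lines look like "Volume C: [OSDisk]").
    $fromManageBde = @()
    $current = $null
    foreach ($line in (manage-bde -status)) {
        if ($line -match '^Volume\s+(\S+)') {
            $current = $Matches[1]
        }
        elseif ($current -and $line -match 'Encryption Method:\s*Hardware Encryption') {
            $fromManageBde += $current
        }
    }

    # Union of both views: any hit means the volume's data protection depends on the
    # drive firmware rather than on software encryption.
    ($fromModule + $fromManageBde) | Sort-Object -Unique
}

$affected = Get-HardwareEncryptedVolume
if ($affected) {
    Write-Output "Volumes relying on SSD hardware encryption: $($affected -join ', ')"
} else {
    Write-Output "No BitLocker volume relies on hardware (Opal) encryption."
}
```

Any volume listed is one whose protection depends on the SSD firmware; the Microsoft advisory covers moving such BitLocker volumes to software encryption, and the DE-specific steps follow in this article.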
NOTE: The disclosure doesn't describe a software vulnerability in either DE or BitLocker. The described vulnerability is in the firmware of the SSD itself and is independent of the software used to manage the SSD.
If your organization is impacted by the use of these specific SSDs, or you decide to transition to software encryption to mitigate any risk from drives of manufacturers not listed in the disclosure, see the solutions provided below.