How to transition a system to use software encryption when it's using Opal hardware encryption
Last Modified: 2022-03-24 05:05:06 Etc/GMT
Technical Articles ID:
KB91041
Environment
Drive Encryption (DE) 7.2.x, 7.1.x
Management of Native Encryption (MNE) — all supported versions
Opal self-encrypting drives
Summary
Security vulnerabilities have been discovered in the firmware of some Opal self-encrypting drives (SSDs). This article describes how to mitigate this threat by changing the system from using Opal hardware encryption to software encryption.
These security vulnerabilities can allow an attacker unauthenticated access to sensitive data. For details, see the disclosure Self-encrypting deception: weaknesses in the encryption of solid state drives (SSDs). The disclosure describes vulnerabilities in both ATA Security and Opal security implementations on specific drives from various OEMs. DE does not use ATA Security (only Opal), so the sections relating to ATA Security can be ignored. Microsoft has released Security Advisory 180028 related to this issue and BitLocker.
We recommend that customers review the paper and undertake a risk assessment to determine whether their organization can be impacted by this hardware vulnerability and whether changes to their encryption policy are required.
NOTE: The disclosure doesn't describe a software vulnerability in either DE or BitLocker. The described vulnerability is in the firmware of the SSD itself and is independent of the software used to manage the SSD.
If your organization is impacted by the use of these specific SSDs, or you decide to transition to software encryption to mitigate any risk from manufacturers not listed, see the solutions provided below.
Solution 1
DE — Transitioning to software encryption
To transition to software encryption, an Opal-encrypted system must first have its encryption policy disabled, which deactivates Opal management, and then have the software encryption policy enabled, which starts software encryption. For further assistance with any of the steps below, see the Drive Encryption Product Guide (PD26653). At a high level, the steps required are listed below. Additional steps can be added to use a tag to trigger each step; those steps aren't described here.
Solution 2
MNE — Transitioning to software encryption
To transition to software encryption, encryption must first be disabled via a policy and then re-enabled with a software encryption policy.
NOTE: On systems running MNE earlier than 4.0, the option to disable hardware-based encryption via a policy isn't available. If hardware-based encryption is enabled via GPO settings, you must upgrade to MNE 4.0 or later before proceeding, or modify the GPO directly according to the Microsoft Security Advisory listed above. For further assistance with any of the steps below, see the Management of Native Encryption 4.1 Product Guide (PD26394).
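Because MNE manages BitLocker on Windows, the practical question after applying Solution 2 (and the same question applies to any Windows endpoint while planning Solution 1) is which volumes are still handed to the drive's Opal firmware. The following PowerShell is an added example, not part of this KB article or of the DE/MNE products. It assumes only the standard BitLocker module's Get-BitLockerVolume cmdlet, whose EncryptionMethod reports "Hardware" when BitLocker has delegated encryption to a self-encrypting drive; the function names Get-HardwareEncryptedVolume and Test-OpalTransition and the sample volume records are constructed for this example.

```powershell
# Added example: report BitLocker volumes that still rely on Opal hardware
# encryption and confirm when a volume has been re-encrypted in software.
# Live data needs the BitLocker module (Windows 8.1 / Server 2012 R2 and later)
# and an elevated session. Function names here are this example's own.

function Get-HardwareEncryptedVolume {
    <#
    .SYNOPSIS
    Returns one record per BitLocker volume, flagging volumes whose
    EncryptionMethod is 'Hardware' (the SED's own Opal encryption).
    .PARAMETER Volume
    Objects with MountPoint, VolumeStatus and EncryptionMethod properties, as
    returned by Get-BitLockerVolume. Passed in explicitly so the same logic can
    run against exported or constructed data without touching a live system.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]] $Volume
    )
    process {
        foreach ($v in $Volume) {
            $method = [string] $v.EncryptionMethod
            $status = [string] $v.VolumeStatus
            [pscustomobject]@{
                ComputerName     = $env:COMPUTERNAME
                MountPoint       = $v.MountPoint
                VolumeStatus     = $status
                EncryptionMethod = $method
                # 'Hardware' means the data is protected only by the drive firmware
                # that the disclosure describes; this is the state to move away from.
                UsesHardwareEncryption = ($method -eq 'Hardware')
                # The transition is complete only when the volume has been fully
                # re-encrypted with a software method (an AES/XTS-AES cipher).
                SoftwareEncryptionComplete = ($status -eq 'FullyEncrypted') -and
                                             ($method -notin @('Hardware', 'None', ''))
            }
        }
    }
}

function Test-OpalTransition {
    <#
    .SYNOPSIS
    Live check for this machine. Prints the per-volume report and returns
    $true only if no BitLocker volume still uses hardware encryption.
    #>
    $report = Get-BitLockerVolume | Get-HardwareEncryptedVolume
    $report |
        Format-Table MountPoint, VolumeStatus, EncryptionMethod,
                     UsesHardwareEncryption, SoftwareEncryptionComplete -AutoSize |
        Out-Host
    return -not ($report | Where-Object UsesHardwareEncryption)
}

# Constructed sample records (not captured from a real system) so the report
# logic can be exercised offline; a live run uses Test-OpalTransition instead.
$sampleVolumes = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeStatus = 'FullyEncrypted'; EncryptionMethod = 'Hardware'  }
    [pscustomobject]@{ MountPoint = 'D:'; VolumeStatus = 'FullyEncrypted'; EncryptionMethod = 'XtsAes256' }
    [pscustomobject]@{ MountPoint = 'E:'; VolumeStatus = 'FullyDecrypted'; EncryptionMethod = 'None'      }
)
$sampleVolumes | Get-HardwareEncryptedVolume |
    Format-Table MountPoint, VolumeStatus, EncryptionMethod,
                 UsesHardwareEncryption, SoftwareEncryptionComplete -AutoSize
```

In the constructed sample, C: is flagged as still using hardware encryption, D: shows the finished state (fully encrypted with a software cipher), and E: is mid-transition: decrypted but not yet re-encrypted. Run Test-OpalTransition on an endpoint after the disable-then-re-enable policy cycle has completed; until it returns $true for every volume, the drive firmware is still the only thing protecting that data.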