Hi Everyone,
Recently published research from Radboud University indicates that the hardware-based full disk encryption solution offered for self-encryption drives (SED) may be vulnerable to weaknesses in the encryption of these drives. These vulnerabilities could lead to unauthenticated access to data on an encrypted device without knowledge of the user’s passphrase/PIN/TPM. All full-disk encryption solutions that leverage the built-in encryption capabilities of SEDs are therefore also impacted by this vulnerability. Customers concerned about this issue should consider using the software only encryption provided by Sophos Central Device Encryption and Sophos SafeGuard Enterprise (when managing BitLocker or FileVault).
For customers already using Sophos device encryption, note that BitLocker Drive Encryption will use hardware encryption by default, and therefore Sophos recommends that administrators assess the installation and either upgrade the drive's firmware or migrate to software-based full disk encryption.
For drives that are already encrypted using an SED with a vulnerable form of hardware-based encryption, the vulnerability can be mitigated by either upgrade the drive's firmware according to the vendor's documentation or switching to software-based encryption (Windows Group Policy/SGN Policy) and have the whole drive re-encrypted.
Should a vendor be unable to provide a suitable firmware upgrade or if a firmware upgrade is not feasible, customers are advised to switch to software-based encryption. While not all vendors, models, or revisions of self-encrypting drives are vulnerable to the described flaws, the performance benefit of such drives is negligible when compared to software-based full-disk encryption combined with a modern CPU (featuring AES-NI extensions), so migration to software-based should cause only insignificant levels of performance degradation.
Please refer to the KBA below for more details.
Impact on Sophos Encryption products by Microsoft ADV180028
This thread was automatically locked due to age.