Recently published research from Radboud University indicates that the hardware-based full disk encryption offered by self-encrypting drives (SEDs) may contain weaknesses in how these drives implement encryption. These vulnerabilities could allow unauthenticated access to data on an encrypted device without knowledge of the user's passphrase/PIN/TPM. All full-disk encryption solutions that leverage the built-in encryption capabilities of SEDs are therefore also affected by this vulnerability. Customers concerned about this issue should consider using the software-only encryption provided by Sophos Central Device Encryption and Sophos SafeGuard Enterprise (when managing BitLocker or FileVault).
For customers already using Sophos device encryption, note that BitLocker Drive Encryption uses hardware encryption by default. Sophos therefore recommends that administrators assess their installation and either upgrade the drive's firmware or migrate to software-based full disk encryption.
For drives that are already encrypted using an SED with a vulnerable form of hardware-based encryption, the vulnerability can be mitigated by either upgrading the drive's firmware according to the vendor's documentation or switching to software-based encryption (Windows Group Policy/SGN Policy) and having the whole drive re-encrypted.
Should a vendor be unable to provide a suitable firmware upgrade, or if a firmware upgrade is not feasible, customers are advised to switch to software-based encryption. While not all vendors, models, or revisions of self-encrypting drives are vulnerable to the described flaws, the performance benefit of such drives is negligible when compared to software-based full-disk encryption on a modern CPU (featuring AES-NI extensions), so migrating to software-based encryption should cause only insignificant performance degradation.
Applies to the following Sophos products and versions:
SafeGuard BitLocker Client 6.0
SafeGuard BitLocker Client 7.0
SafeGuard BitLocker Client 8.0
SafeGuard BitLocker Client 8.1
Central Windows Device Encryption 1.3.90
Central Windows Device Encryption 1.4
SafeGuard Device Encryption 7.0
SafeGuard Device Encryption 8.0
SafeGuard Device Encryption 8.1
SafeGuard Enterprise offers two ways (locally on the client as well as centrally via the SafeGuard Database) to verify whether a client is encrypted using software-based or hardware-based encryption mechanisms.
Locally on the client, run SGNState.exe with the /L switch from the SafeGuard client installation directory:
C:\Program Files (x86)\Sophos\SafeGuard Enterprise\Client\>SGNState.exe /L
Administrators with access to the SafeGuard Database can identify existing clients that SafeGuard Device Encryption has encrypted using hardware-based encryption with the following SQL query:
SELECT SAFE_GUARD_DIR.SGD_NAME, SAFE_GUARD_DIR.SGD_DSN
FROM IVT_MACHINES
INNER JOIN SAFE_GUARD_DIR ON IVT_MACHINES.IMA_MACHINE_ID = SAFE_GUARD_DIR.SGD_ID
WHERE (IVT_MACHINES.IMA_POA_TYPE = '3')
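The checks above cover SafeGuard-managed clients. As an added example (not Sophos code), the following PowerShell script audits a single Windows host directly: it lists BitLocker volumes whose encryption method is 'Hardware' (i.e. delegated to the SED) and reports whether Group Policy still permits BitLocker to choose hardware encryption. It assumes the BitLocker PowerShell module and an elevated session; the FVE registry value names are assumed to match the BitLocker hardware-encryption policy settings.

```powershell
# Added example (not Sophos code): audit this host for BitLocker volumes that
# rely on the drive's built-in (SED) hardware encryption, and check whether
# Group Policy still permits BitLocker to choose hardware encryption.
# Assumes the BitLocker PowerShell module and an elevated session; the FVE
# registry value names below are assumed to match the BitLocker hardware-
# encryption policy settings.
Import-Module BitLocker -ErrorAction Stop

function Get-HardwareEncryptedVolume {
    # EncryptionMethod is 'Hardware' when BitLocker delegated encryption to
    # the self-encrypting drive instead of using its own AES implementation.
    Get-BitLockerVolume |
        Where-Object { $_.EncryptionMethod -eq 'Hardware' } |
        Select-Object MountPoint, VolumeType, VolumeStatus, EncryptionMethod
}

function Get-HardwareEncryptionPolicy {
    # Value 0 = policy disables hardware encryption for that drive class;
    # absent = not configured, so BitLocker may still pick hardware encryption.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    foreach ($name in 'OSHardwareEncryption', 'FDVHardwareEncryption', 'RDVHardwareEncryption') {
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        $display = if ($null -eq $value) { 'not configured' } else { $value }
        [pscustomobject]@{
            Policy   = $name
            Value    = $display
            Disabled = ($value -eq 0)
        }
    }
}

$affected = @(Get-HardwareEncryptedVolume)
if ($affected.Count -eq 0) {
    Write-Output 'No BitLocker volumes on this host use hardware (SED) encryption.'
} else {
    $affected | Format-Table -AutoSize
    foreach ($vol in $affected) {
        # The article requires full decryption before re-encrypting in
        # software; the command is printed for scheduling, not executed.
        Write-Output ("Decrypt first: manage-bde.exe -off {0}" -f $vol.MountPoint)
    }
}

Get-HardwareEncryptionPolicy | Format-Table -AutoSize
```

A volume reported as 'Hardware' with the corresponding policy 'not configured' is the case this article describes: the drive is SED-encrypted and BitLocker would select hardware encryption again unless the policy is changed before re-encryption.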
Clients identified as encrypted using a vulnerable form of hardware-based encryption should be reconfigured to use software-based encryption. Note that after a drive has been encrypted using hardware-based encryption, switching to software-based encryption requires the drive to be fully decrypted before it can be re-encrypted using software-based encryption.
The steps to migrate to software-based encryption differ depending on the Sophos encryption product used. Refer to the following list of detailed steps required to migrate the encryption mode on the affected client:
manage-bde.exe -off d:
After the policy change has arrived on the client (the timing depends on the policy configuration), Sophos Device Encryption will prompt the user to specify a new PIN / password.
manage-bde.exe -off c:
After the client has been removed from the temporary decryption group and synchronized with the server, the Sophos SafeGuard BitLocker Client will, depending on the policy configuration, prompt the user to specify a new PIN / password.
The SafeGuard Device Encryption Client will re-encrypt the device using a software-based mechanism.