[Note: my position is that hardware disk encryption is useful for protecting against opportunistic attacks, whereas software disk encryption is best for protecting against targeted attacks. Use both.]
1. PR Notice: https://www.ru.nl/english/news-agenda/news/vm/icis/cyber-security/2018/radboud-university-researchers-discover-security/
2. Advisory: https://www.ru.nl/publish/pages/909275/advisory.pdf
3. Paper draft, very exciting read!: https://www.ru.nl/publish/pages/909282/draft-paper.pdf

There are two CVEs here, which I will attempt to summarize:

CVE-2018-12037: user supplied password is not (or not entirely) used to encrypt the disk encryption key stored in the flash. Key can be extracted via various techniques. Examples given:
- ATA password (Maximum and High modes) on internal SSDs such as Crucial MX100, MX200, MX300
- ATA password (only in HIGH mode) on internal SSDs such as Samsung 840 EVO and 850 EVO
- Proprietary unlock software on portable SSDs such as Samsung T3 and T5

CVE-2018-12038: user supplied password (or bitlocker(!)/OPAL key) *IS* used to encrypt the disk encryption key stored in the flash. However, care was not taken in firmware design to mitigate the logical->physical translation. Therefore the original unencrypted key (before reconfiguration) may still be recoverable somewhere in the flash if the original flash block was not erased fully as part of the wrapping of the key in the user-provided password/key.
- Samsung 840 EVO was vulnerable

Mitigations:
0. As suggested in the article (and in discussions on this list): always use software-based encryption. Note that Microsoft's Bitlocker utilizes hardware encryption when available by default for performance (using eDrive, a simple variant of OPAL). This can be disabled via group-policy, but it will not change the configuration of an already configured drive.
1. Don't use the Crucial MX100 and MX200. Oh, the horror. MX300 not much better either, so avoid.
2. If using ATA security on the Samsung drives, always set both the User *AND* Master passwords (utilize Maximum security mode).
3. TCG Opal implementation looks pretty solid on the Samsung drives. However 840 has a wear-leveling vulnerability in old key storage, so 850 or higher series is preferred.
4. Samsung claims their portable drive issues are resolved when moving to the v1.6.2 release of the unlocker. I'm doubtful.
5. Did I mention: always use software encryption as well?

My opinions:
1. Crucial and Samsung may have some excitement in their FIPS compliance workstreams.
2. I'm fairly certain the TCG Opal standards are written to require manufacturers to address these two issues: a) wrap the damn keys correctly and b) ensure old key material is erased. This is a failure of engineering, testing and compliance.
c) I've been peeved that the Samsung T3 and T5 drives, internally, are not TCG Opal, instead using a custom Samsung mechanism to lock/unlock their hardware encryption capabilities. The reason I was peeved: these are the only sources of 2TB mSATA drives which I would have loved to use with sedutil. Now I have a second reason to be peeved, which is that the custom mechanism was as crappy as Y2K-era ATA password protection.

Happy Monday,
Brendan
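
The wear-leveling issue summarized under CVE-2018-12038, as an added example that is not part of the original message or of the paper: a constructed toy flash translation layer shows why rewriting the key slot with a wrapped key can leave the old unprotected copy in a stale physical page, and what erasing the superseded page changes. `ToyFlash`, `KEY_LBA` and the XOR-with-PBKDF2 `wrap` (a stand-in for a real key-wrap algorithm) are assumptions made for illustration and do not describe any vendor's firmware.

```python
import hashlib
import os

def wrap(dek: bytes, password: bytes, salt: bytes) -> bytes:
    """Toy key wrap: XOR with a PBKDF2-derived key (stand-in for real key wrap)."""
    kek = hashlib.pbkdf2_hmac("sha256", password, salt, 10_000, dklen=len(dek))
    return bytes(a ^ b for a, b in zip(dek, kek))

class ToyFlash:
    """Constructed model: logical blocks map to physical pages through an FTL table."""
    def __init__(self, pages: int, erase_stale: bool):
        self.phys = [None] * pages      # raw page contents (the physical view)
        self.l2p = {}                   # logical block -> physical page
        self.erase_stale = erase_stale

    def write(self, lba: int, data: bytes) -> None:
        new = self.phys.index(None)     # wear leveling: never overwrite in place
        old = self.l2p.get(lba)
        self.phys[new] = data
        self.l2p[lba] = new
        if old is not None and self.erase_stale:
            self.phys[old] = None       # hardened: destroy the superseded copy

    def read(self, lba: int) -> bytes:
        return self.phys[self.l2p[lba]]

    def raw_dump(self) -> list:
        return [p for p in self.phys if p is not None]

KEY_LBA = 0  # hypothetical logical location of the key slot

def provision_then_set_password(erase_stale: bool):
    flash = ToyFlash(pages=8, erase_stale=erase_stale)
    dek = os.urandom(32)
    flash.write(KEY_LBA, dek)           # initial state: DEK stored unprotected
    salt = os.urandom(16)
    flash.write(KEY_LBA, wrap(dek, b"user-password", salt))  # user enables locking
    return flash, dek

def dek_recoverable_without_password(erase_stale: bool) -> bool:
    flash, dek = provision_then_set_password(erase_stale)
    assert flash.read(KEY_LBA) != dek   # the logical view looks protected
    return dek in flash.raw_dump()      # the physical view may still hold the DEK

if __name__ == "__main__":
    print("naive FTL leaks old DEK:   ", dek_recoverable_without_password(False))
    print("hardened FTL leaks old DEK:", dek_recoverable_without_password(True))
```

In the model, the logical read returns only the wrapped key in both cases; the difference is visible only in the raw page dump, which is why the page's advice to layer software encryption on top does not depend on the firmware getting this right.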