SOLVED

Can I ask a Bitlocker question?

%3CLINGO-SUB%20id%3D%22lingo-sub-80668%22%20slang%3D%22en-US%22%3ECan%20I%20ask%20a%20Bitlocker%20question%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-80668%22%20slang%3D%22en-US%22%3E%3CP%3EAs%20I%20understand%20it%2C%20an%20SSD%20is%20built%20with%20wear%20leveling%20and%20the%20actual%20space%20is%20double%20of%20the%20advertised%20available%20space%20to%20the%20OS.%20If%20an%20SSD%20has%20been%20in%20use%20for%20an%20unknown%20period%20of%20time%20and%20is%20later%20Bitlocked%2C%20does%20all%20of%20the%20drive%20become%20protected%2C%20even%20the%20dormant%20bits%20that%20can't%20be%20seen%20and%26nbsp%3Bare%20%22resting%22%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-80863%22%20slang%3D%22en-US%22%3ERe%3A%20Can%20I%20ask%20a%20Bitlocker%20question%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-80863%22%20slang%3D%22en-US%22%3E%3CP%3EWear%20levelling%20algorithms%20are%20proprietary%20per%20drive%20manufacturer.%20An%20attacker%20would%20have%20to%20work%20around%20the%20firmware%20to%20even%20check%20out%20spare%20blocks%2C%20and%20then%20hope%20to%20understand%20how%20data%20is%20scattered%20to%20piece%20something%20meaningful%20together.%20Attacking%20data%20that%20way%20is%20likely%20quite%20difficult%2C%20but%20theoretically%20possible.%20The%20risk%20to%20any%20data%20present%20prior%20to%20encryption%20would%20go%20down%20over%20time%20after%20encryption%20as%20the%20drive%20is%20used%2C%20and%20spare%20blocks%20get%20reused%20for%20wear%20levelling%20but%20of%20course%20you%C3%A2%E2%82%AC%E2%84%A2ll%20never%20know%20for%20sure%20if%20everything%20is%20encrypted.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYour%20best%20bet%20is%20to%20always%20to%20encrypt%20from%20the%20start%2C%20regardless%20of%20the%20encryption%20solution%20which%20all%20share%20the%20same%20issue%2C%20before%20any%20sensitive%20data%20is%20on%20the%20drive%2C%20so%20you%20can%20achive%20the%20assurance%20you're%20looking%20for.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-80820%22%20slang%3D%22en-US%22%3ERe%3A%20Can%20I%20ask%20a%20Bitlocker%20question%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-80820%22%20slang%3D%22en-US%22%3EThat's%20along%20the%20lines%20of%20what%20I%20was%20thinking.%20My%20worry%20though%20is%20a%20machine%20that%20has%20already%20been%20in%20use%2C%20then%20full-drive%20encrypted...%20is%20there%20a%20chance%20that%20a%20file%20deleted%20in%20the%20shell%20(marked%20for%20deletion%20by%20the%20OS)%20but%20later%20goes%20dormant%20by%20the%20firmware%20for%20wear%20leveling%3F%3CBR%20%2F%3E%3CBR%20%2F%3EMeaning%20the%20data%20is%20still%20there%2C%20but%20not%20seen%20by%20the%20OS%2C%20but%20could%20be%20activated%20at%20a%20later%20time.%20A%20bit%20%22tin-foil-hat%22%20I%20know%2C%20but%20if%20there's%20valuable%20corporate%20assets%20(HR%2C%20Credit%20cards%2C%20PII)%20on%20the%20drive%2C%20it's%20a%20real%20concern.%20For%20instance%20on%20a%20tablet%20that%20needs%20warranty%20repair%20by%20a%203rd%20party%2C%20we%20can't%20remove%20the%20drive%20so%20we%20must%20rely%20on%20encryption%20alone.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-80810%22%20slang%3D%22en-US%22%3ERe%3A%20Can%20I%20ask%20a%20Bitlocker%20question%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-80810%22%20slang%3D%22en-US%22%3E%3CP%3EJust%20what%20the%20is%20shown%20to%20the%20OS%20by%20the%20SSD%2C%20but%20in%20the%20moment%20a%20new%2C%20never%20used%20before%20cell%20is%20activated%20it%20will%20be%20encrypted%2C%20so%20no%20need%20to%20encrypt%20'everything'%20upfront%2C%20exept%20for%20a%20very%20small%20performance%20impact%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-80808%22%20slang%3D%22en-US%22%3ERe%3A%20Can%20I%20ask%20a%20Bitlocker%20question%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-80808%22%20slang%3D%22en-US%22%3E%3CP%3EMy%20understanding%20is%20that%20the%20full%20disk%20encryption%20would%20be%20for%20the%20entire%20volume.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-80802%22%20slang%3D%22en-US%22%3ERe%3A%20Can%20I%20ask%20a%20Bitlocker%20question%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-80802%22%20slang%3D%22en-US%22%3ERight%2C%20but%20is%20the%20%22entire%20contents%22%20of%20the%20drive%20just%20what%20the%20application%20sees%2C%20or%20every%20bit%2Fcell%20on%20the%20SSD%20that's%20controlled%20by%20the%20firmware.%20Maybe%20this%20is%20a%20deeper%20question%20for%20the%20hardware%20vendor.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-80679%22%20slang%3D%22en-US%22%3ERe%3A%20Can%20I%20ask%20a%20Bitlocker%20question%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-80679%22%20slang%3D%22en-US%22%3E%3CP%3EIt%20would%20appear%20that%20you%20have%20a%20choice%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CUL%3E%3CLI%3EEncrypt%20used%20disk%20space%20only%3C%2FLI%3E%3CLI%3EEncrypt%20entire%20drive%20(slower)%20-%20for%20drives%20already%20in%20use%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20478px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F16191i2320897D0D4539EF%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%220ce702360bf98b2e8b04ce76fc9b7fe7.png%22%20title%3D%220ce702360bf98b2e8b04ce76fc9b7fe7.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

As I understand it, an SSD is built with wear leveling and the actual space is double of the advertised available space to the OS. If an SSD has been in use for an unknown period of time and is later Bitlocked, does all of the drive become protected, even the dormant bits that can't be seen and are "resting"?

6 Replies

It would appear that you have a choice:

 

  • Encrypt used disk space only
  • Encrypt entire drive (slower) - for drives already in use

0ce702360bf98b2e8b04ce76fc9b7fe7.png

 

Right, but is the "entire contents" of the drive just what the application sees, or every bit/cell on the SSD that's controlled by the firmware. Maybe this is a deeper question for the hardware vendor.

My understanding is that the full disk encryption would be for the entire volume.

Just what the is shown to the OS by the SSD, but in the moment a new, never used before cell is activated it will be encrypted, so no need to encrypt 'everything' upfront, exept for a very small performance impact

That's along the lines of what I was thinking. My worry though is a machine that has already been in use, then full-drive encrypted... is there a chance that a file deleted in the shell (marked for deletion by the OS) but later goes dormant by the firmware for wear leveling?

Meaning the data is still there, but not seen by the OS, but could be activated at a later time. A bit "tin-foil-hat" I know, but if there's valuable corporate assets (HR, Credit cards, PII) on the drive, it's a real concern. For instance on a tablet that needs warranty repair by a 3rd party, we can't remove the drive so we must rely on encryption alone.
Best Response confirmed by Todd Godchaux (Occasional Contributor)
Solution

Wear levelling algorithms are proprietary per drive manufacturer. An attacker would have to work around the firmware to even check out spare blocks, and then hope to understand how data is scattered to piece something meaningful together. Attacking data that way is likely quite difficult, but theoretically possible. The risk to any data present prior to encryption would go down over time after encryption as the drive is used, and spare blocks get reused for wear levelling but of course you’ll never know for sure if everything is encrypted. 

 

Your best bet is to always to encrypt from the start, regardless of the encryption solution which all share the same issue, before any sensitive data is on the drive, so you can achive the assurance you're looking for.