by derekerdmann 528 days ago
Correct, unless you're using a self-encrypting drive the FVEK sits in RAM once it's been released by the TPM during boot. The TPM is only a root of trust; for fast crypto operations without keeping the key in kernel memory you would need something like Intel SGX or ARM TrustZone.

BitLocker no longer leverages SED by default due to vulnerabilities in drive manufacturers' firmware, as of Sept 2019.

> Changes the default setting for BitLocker when encrypting a self-encrypting hard drive. Now, the default is to use software encryption for newly encrypted drives. For existing drives, the type of encryption will not change.

https://support.microsoft.com/en-us/topic/september-24-2019-...

https://nvd.nist.gov/vuln/detail/CVE-2018-12037
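Since the KB text quoted above says existing drives keep whatever encryption type they were set up with, a fleet may still have volumes delegating encryption to SED firmware. This added example (not from the thread or from Microsoft) uses the standard BitLocker PowerShell module to list such volumes; it assumes an elevated session on a Windows host with that module available.

```powershell
# Added example (not from the thread): find BitLocker volumes whose
# EncryptionMethod is 'Hardware', i.e. still relying on the drive's own
# SED firmware rather than BitLocker's software AES, which is what the
# Sept 2019 change made the default only for *newly* encrypted drives.
# Assumes the BitLocker module (Get-BitLockerVolume) and an elevated shell.
function Get-HardwareEncryptedBitLockerVolume {
    Get-BitLockerVolume |
        Where-Object { $_.EncryptionMethod -eq 'Hardware' } |
        Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus
}

$hw = Get-HardwareEncryptedBitLockerVolume
if ($hw) {
    Write-Warning "Volumes still using drive (SED) hardware encryption:"
    $hw | Format-Table -AutoSize
    # Per the quoted KB text, existing drives do not switch automatically:
    # moving them to software encryption means decrypting (Disable-BitLocker),
    # waiting for decryption to finish, then re-encrypting (Enable-BitLocker).
} else {
    Write-Output "No BitLocker volumes rely on hardware (SED) encryption."
}
```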

Holy crap.

https://threadreaderapp.com/thread/1059435094421712896.html

This is amazing.

> The encrypted SSD has a master password that’s set to “”

HN discussion here: https://news.ycombinator.com/item?id=18382975

Original paper here: https://cs.ru.nl/~cmeijer/publications/Self_Encrypting_Decep...