Bitlocker gets encryption back via hardware
More speed and more security – after its discontinuation in 2019, Windows encryption will soon rely on crypto hardware instead of CPUs again.
(Image: heise online / dmk)
What Microsoft only roughly outlined at its "Ignite" event a month ago is now taking clearer shape: the Bitlocker drive encryption integrated into Windows will again support certain hardware accelerators in the coming months. This is intended to provide more speed, especially with fast SSDs, and to make the encryption more secure overall. Unlike before, the processor core and RAM, both traditionally exposed to side-channel attacks among other things, will no longer have access to the operations or the keys.
This was also the case until 2019, but the crypto hardware Bitlocker supported at the time was itself sometimes so vulnerable to attacks that Microsoft has since moved Bitlocker's encryption entirely into software under its own control. However, since the company now considers drivers an additional security risk, Bitlocker is again to run preferably on specialized hardware accelerators. Specifically, in a blog post about the new Bitlocker, Microsoft mentions only Intel's Core Ultra 300, codenamed "Panther Lake", for notebooks, expected at CES in early January. Other hardware is expected to follow, the blog continues.
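To see which of the two modes the article contrasts is in use on a given machine today, the following added example (not from the article or from Microsoft's blog) queries each BitLocker volume and classifies it as software (XTS-AES in the CPU) or drive-based hardware encryption, the mode Microsoft switched off by default in 2019. It assumes the built-in BitLocker PowerShell module and an elevated session; how the new Panther Lake accelerator path will be reported is not stated in the article.

```powershell
# Added example, not the article's code. Requires the BitLocker module
# (Windows 10/11 Pro/Enterprise) and an elevated PowerShell session.
function Get-BitLockerEncryptionMode {
    [CmdletBinding()]
    param()

    Get-BitLockerVolume | ForEach-Object {
        # Compare as a string so the enum value matches the labels below.
        $method = "$($_.EncryptionMethod)"
        $mode = switch ($method) {
            'Hardware' { 'drive hardware (self-encrypting drive, pre-2019 style)' }
            'None'     { 'not encrypted' }
            default    { "software in CPU ($method)" }
        }

        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus
            ProtectionStatus = $_.ProtectionStatus
            # Which protectors unlock the volume key, e.g. Tpm, RecoveryPassword.
            KeyProtectors    = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
            EncryptionMode   = $mode
        }
    }
}

# Usage: a volume still reporting 'drive hardware' relies on the SSD's own
# engine, which is exactly the configuration Microsoft stopped trusting.
Get-BitLockerEncryptionMode | Format-Table -AutoSize
```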
(Image: Windows IT Pro Blog)
Encryption and decryption without the CPU
This also makes it clear that Panther Lake will likely bring an improved crypto engine, most likely in the form of dedicated function units. These will then also handle key management, as shown in a diagram from Microsoft. That makes it less vulnerable than the previous handling via CPU, even when the keys were protected by a TPM. Microsoft has not yet clearly described how the performance increase it promises is to be achieved. Bitlocker already used the CPU's crypto instruction sets before, but dedicated engines could speed up operations significantly.
This is also a goal of the development, as Microsoft writes. The requirement for Bitlocker has always been to slow down input and output only "in the single-digit percentage range." Due to the rapid progress in SSDs, however, this is no longer the case, which necessitates major changes. Microsoft's thorough overhaul of its driver architecture for mass storage was also evident recently when native access via the NVMe protocol was implemented for client versions of Windows as well. Previously, NVMe drives were addressed only through a translation to SCSI commands.
(nie)