Why Hardware Encryption is Not Secure

A Little History

In the past, it was assumed that hardware encryption is far more secure than software encryption.  Many people, including security experts, still believe this to be true.  And in the past it was true.

But recent history has proven that hardware encryption is highly vulnerable.  The widely publicized, recently discovered hardware encryption vulnerabilities include Spectre and Meltdown.  Both Spectre and Meltdown exploit flaws in processors.

Our good friend Steve Gibson has also outlined severe security vulnerabilities in hardware-encrypted solid-state drives (SSDs).  Every SSD that researchers have examined has been found to have such a critical vulnerability that there is almost no barrier to accessing encrypted data on these drives.  Steve outlined the details on his Security Now podcast.

Backdoors and Poor Encryption Standards

Hardware companies are notorious for including back doors.  The expectation or concern is that companies and even governments include back doors at the chip level.  This is entirely feasible and also likely.

It has also been reported that poor practices lead to hardware encryption vulnerabilities.  For example, encryption keys may not be held securely or may not be unique to each machine.

The Solution?

The solution is quite simple.  Ensure that you encrypt your data using reputable software encryption.  You will certainly keep your data more secure than with hardware encryption alone.  The software should be widely accepted.  Don’t use an encryption solution that is lesser-known or obscure.  Strong encryption requires methodical perfection in its processes because encryption is only as secure as its weakest link.

I use VeraCrypt or AxCrypt.  Both are free, widely accepted, and secure!

 

 

Donald Korinchak, MBA, PMP, CISSP, CASP, ITILv3

Donald Korinchak is a Cybersecurity Program Director serving customers in the Washington, DC area. Donald holds an MBA from the University of Pittsburgh Katz School of Business. Donald is considered a thought leader in leadership and cybersecurity issues.