The hardware world is full of badly thought out implementations, from the inconvenient to the utterly incompetent, and today we have one of the latter.  Bitlocker and other popular encryption tools can use software or hardware to encrypt and store the data encryption key, with many opting for the accelerated hardware encryption baked into many SSDs.  This has turned out to be a bad idea, as tests on a variety of models show you can grab an encrypted disk, plug into the debug ports and convince it to accept any value as an authorized DEK and give you full access to the data on that drive.  This is in part due to the hardware not using the owner's password for encryption … at all.  The Register's article offers a suggestion, which is to make use of software encryption methods which do incorporate the users password and can be set to actually not use the same DEK across the entire drive. 

Read on for suggestions on solutions which should mitigate this flaw and which can coexist peacefully with hardware encryption.

"Basically, the cryptographic keys used to encrypt and decrypt the data are not derived from the owner's password, meaning, you can seize a drive and, via a debug port, reprogram it to accept any password. At that point, the SSD will use its stored keys to cipher and decipher its contents. Yes, it's that dumb."

Here is some more Tech News from around the web:

Tech Talk