How does bitlocker protect data when it does request a passkey at boot?

I have used bitlocker to encrypt the entire drive of my laptop. It has a TPM chip ans so does require me to enter a passkey at boot up time.

I set up bitlocker because I was concerned that if I lost or had my laptop stolen it would expose confidential data. I have used truecrypt on the past and that software asked for a passkey at startup.

I understand hoe encryption protects my data but am still unsure how bitlocker prevents someone else accessing my data without asking me for a passkey of some kind?

Am I missing something?
LVL 1
roy_battyDirectorAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

David Johnson, CD, MVPOwnerCommented:
You have to login to your machine, no valid login no decryption, remove the drive and examine the contents all encrypted. With secure boot only approved media will boot the system.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
roy_battyDirectorAuthor Commented:
Simple really :)

Many thanks.
McKnifeCommented:
The selected answer is wrong. The decryption is not triggered at logon. The data is in unlocked state (not decrypted, it never gets decrypted) as soon as the machine starts, the tpm provides the key to unlock it.

I'll tell you more tomorrow if you like, now I am on the move.
Protecting & Securing Your Critical Data

Considering 93 percent of companies file for bankruptcy within 12 months of a disaster that blocked access to their data for 10 days or more, planning for the worst is just smart business. Learn how Acronis Backup integrates security at every stage

McKnifeCommented:
See, your question title says "it does request a passkey at boot?" while you are using a TPM and at the end you write "without asking me for a passkey" - so I suspect, your title was wrong and you use BL in transparent mode, that is, only the TPM is protecting it and you don't need to do preboot authentication. Is that correct?

If so, read If a Tree Falls in the Forest, is it Encrypted?
This funny Gartner analyst has no idea. He has the same misunderstanding of how bitlocker works.
We may boot the system, but only under conditions that "please" the TPM. Without bitlocker+TPM, you can access the drive offline and circumvent all security measures. He fails to understand that.

That said, there's more to it. If you want the best possible protection, you should setup a PIN that is being asked pre-boot, see http://mikebeach.org/2011/12/08/how-to-enable-bitlocker-tpmpin-after-encrypting-hard-drive/
roy_battyDirectorAuthor Commented:
I am more confused now. :)

I am trying to ensure that:

1. If the laptop is stolen, the user will need some form of password to access the encrypted data. Be it the Windows login password or a separate bit-locker password at boot. The first option is more pleasing to the end user as it is one less password to remember.

2. The thief is unable to access the data by either booting from some form of PE disk or moving the disk to a different PC.

I have just tried booting my PC from an PE disk and I am unable to read any data on the encrypted drive. I presume it would be the same if I moved the disk into a different PC.

If that is correct I feel that is good enough. I appreciate that the data is not actually decrypted and is just "unlocked".
McKnifeCommented:
The goal is not to confuse you, but quite the opposite. No one tries to make you a bitlocker expert :-), but the basic principles need to be understood.
So, please answer, what has been asked.
roy_battyDirectorAuthor Commented:
The answer to your question is yes. TPM only.
McKnifeCommented:
Ok.

With tpm only, there is the so called "cold boot attack" as possible attack vector. To fight it, do as I told you, read that link on how to set a PIN. Info on cold boot: www.youtube.com/watch?v=JDaicPIgn9U (video by princeton university staff)
David Johnson, CD, MVPOwnerCommented:
I used poor wording when I said decrypted.. As far as the user is concerned the data is available in a decrypted state. The actual data on the hard drive stays encrypted but as far as the user is concerned there is no perceptible difference between an encrypted drive and one that is not encrypted.

In the same way we don't look at the actual bits that are on the hard drive by using low level functions to see how the data is stored all we care about is how it is presented to us.

There are some attacks that involve freezing the ram on the machine and then attacking via tools to try and find the encryption key.

At the user level the contents are decrypted and usable but at the hardware level are still encrypted.
McKnifeCommented:
David, you said it is happening at logon - that's what I was criticizing. Nothing is happening at logon that is connected to bitlocker.
roy_battyDirectorAuthor Commented:
Thanks for the additional information here McKnife.

So basically when the encryption key is loaded into RAM then its vulnerable.
As TPM loads the key into RAM without any user input the key is vulnerable.

So to minimize the risk a pre-boot password should be used and i suppose using sleep/hibernate is not recommended either.

Disk encryption is not the high level of protection I once thought.
David Johnson, CD, MVPOwnerCommented:
Only without a TPM is the key vulnerable with a tpm the key is held within the tpm. This is why without a tpm you either have to enter a long key or store the key on a USB drive. or otherwise store it.
McKnifeCommented:
The key enters the RAM in any case, David - and it stays there until the machine is turned off. It is as vulnerable in RAM if you have a TPM as without.

Roy, your statement if fully correct. If you use a pre boot PIN, hibernation (aka "suspend to disk") is no risk since the RAM is not populated with info anymore but it is suspended to disk. Sleep (aka "suspend to RAM") is a risk, someone stealing a sleeping machine can read out the RAM.
"Disk encryption is not the high level of protection I once thought." - the shown cold-boot-attack is not the everyday attack you'd expect a thieve to conduct, but you never know. The PIN is a good protection against that and, with win8 or higher, you can use an enhanced PIN, so you don't have to use numbers only, but you can use your password, for example, also for bitlocker.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Encryption

From novice to tech pro — start learning today.