roy_batty (United Kingdom) asked:

How does BitLocker protect data when it does request a passkey at boot?

I have used BitLocker to encrypt the entire drive of my laptop. It has a TPM chip and so does require me to enter a passkey at boot-up time.

I set up BitLocker because I was concerned that if I lost my laptop or had it stolen it would expose confidential data. I have used TrueCrypt in the past and that software asked for a passkey at startup.

I understand how encryption protects my data but am still unsure how BitLocker prevents someone else from accessing my data without asking me for a passkey of some kind.

Am I missing something?
ASKER CERTIFIED SOLUTION by David Johnson, CD (Canada)
roy_batty (asker):

Simple really :)

Many thanks.
The selected answer is wrong. The decryption is not triggered at logon. The data is in an unlocked state (not decrypted, it never gets decrypted) as soon as the machine starts; the TPM provides the key to unlock it.

I'll tell you more tomorrow if you like, now I am on the move.
See, your question title says "it does request a passkey at boot?" while you are using a TPM, and at the end you write "without asking me for a passkey" - so I suspect your title was wrong and you use BL in transparent mode, that is, only the TPM is protecting it and you don't need to do pre-boot authentication. Is that correct?

If so, read "If a Tree Falls in the Forest, is it Encrypted?"
This funny Gartner analyst has no idea. He has the same misunderstanding of how BitLocker works.
We may boot the system, but only under conditions that "please" the TPM. Without BitLocker+TPM, you can access the drive offline and circumvent all security measures. He fails to understand that.

That said, there's more to it. If you want the best possible protection, you should set up a PIN that is asked for pre-boot, see http://mikebeach.org/2011/12/08/how-to-enable-bitlocker-tpmpin-after-encrypting-hard-drive/
I am more confused now. :)

I am trying to ensure that:

1. If the laptop is stolen, the user will need some form of password to access the encrypted data, be it the Windows login password or a separate BitLocker password at boot. The first option is more pleasing to the end user as it is one less password to remember.

2. The thief is unable to access the data by either booting from some form of PE disk or moving the disk to a different PC.

I have just tried booting my PC from a PE disk and I am unable to read any data on the encrypted drive. I presume it would be the same if I moved the disk into a different PC.

If that is correct I feel that is good enough. I appreciate that the data is not actually decrypted and is just "unlocked".
The goal is not to confuse you, but quite the opposite. No one is trying to make you a BitLocker expert :-), but the basic principles need to be understood.
So, please answer what has been asked.
The answer to your question is yes. TPM only.
Ok.

With TPM only, there is the so-called "cold boot attack" as a possible attack vector. To fight it, do as I told you and read that link on how to set a PIN. Info on cold boot: www.youtube.com/watch?v=JDaicPIgn9U (video by Princeton University staff)
I used poor wording when I said decrypted. As far as the user is concerned the data is available in a decrypted state. The actual data on the hard drive stays encrypted, but as far as the user is concerned there is no perceptible difference between an encrypted drive and one that is not encrypted.

In the same way we don't look at the actual bits that are on the hard drive by using low level functions to see how the data is stored all we care about is how it is presented to us.

There are some attacks that involve freezing the RAM in the machine and then attacking via tools to try to find the encryption key.

At the user level the contents are decrypted and usable but at the hardware level are still encrypted.
David, you said it is happening at logon - that's what I was criticizing. Nothing is happening at logon that is connected to bitlocker.
Thanks for the additional information here McKnife.

So basically, when the encryption key is loaded into RAM, it's vulnerable.
As the TPM loads the key into RAM without any user input, the key is vulnerable.

So to minimize the risk a pre-boot password should be used, and I suppose using sleep/hibernate is not recommended either.

Disk encryption is not the high level of protection I once thought.
Only without a TPM is the key vulnerable; with a TPM the key is held within the TPM. This is why without a TPM you either have to enter a long key or store the key on a USB drive, or otherwise store it.
The key enters the RAM in any case, David, and it stays there until the machine is turned off. It is as vulnerable in RAM with a TPM as without.

Roy, your statement is fully correct. If you use a pre-boot PIN, hibernation (aka "suspend to disk") is no risk, since the RAM is not populated with info anymore but it is suspended to disk. Sleep (aka "suspend to RAM") is a risk; someone stealing a sleeping machine can read out the RAM.
"Disk encryption is not the high level of protection I once thought." - the shown cold-boot attack is not the everyday attack you'd expect a thief to conduct, but you never know. The PIN is good protection against that and, with Win8 or higher, you can use an enhanced PIN, so you don't have to use numbers only but can use your password, for example, also for BitLocker.
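Pulling the thread's advice together as a script (an added example, not code from any participant, from the linked article, or from Microsoft): it reports whether the OS volume is in the TPM-only "transparent" mode McKnife describes, and can then add a TPM+PIN protector with enhanced PINs enabled and swap sleep for hibernate, which is the configuration the last two posts arrive at. The cmdlets are the standard BitLocker and TrustedPlatformModule ones; the mount point and the FVE policy registry values (UseAdvancedStartup, UseTPMPIN, UseEnhancedPin, with 2 meaning "allow") are assumptions to check against your own policy template before relying on them.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Assumes Windows 8 or later, an
# elevated PowerShell, the BitLocker and TrustedPlatformModule modules, and
# that the OS volume is C:. Audit first; the other two functions change the machine.

function Get-BitLockerPosture {
    param([string]$MountPoint = 'C:')
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    # Protectors that need something beyond the TPM before Windows starts.
    $preboot = @($types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password' })
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus    # On / Off
        VolumeStatus     = $vol.VolumeStatus        # FullyEncrypted, EncryptionInProgress, ...
        Protectors       = $types
        # TPM-only: the TPM releases the volume key with no user secret, so the
        # key is in RAM the moment Windows boots (the cold-boot concern above).
        TpmOnly          = ($types -contains 'Tpm') -and ($preboot.Count -eq 0)
        HasRecoveryPass  = ($types -contains 'RecoveryPassword')
    }
}

function Enable-PrebootPin {
    param([string]$MountPoint = 'C:', [Parameter(Mandatory)][securestring]$Pin)

    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { throw 'TPM not present or not ready' }

    # Never end up with TPM-bound protectors only: make sure a recovery
    # password exists and is stored off the laptop before touching anything.
    if (-not (Get-BitLockerPosture -MountPoint $MountPoint).HasRecoveryPass) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Write-Warning "Store this recovery password OFF the laptop before continuing: $($recovery.RecoveryPassword)"

    # Policy: "Require additional authentication at startup" with a PIN allowed,
    # plus "Allow enhanced PINs for startup" so the PIN can be a passphrase.
    # Registry equivalents of the gpedit.msc settings under Windows Components >
    # BitLocker Drive Encryption > Operating System Drives (values assumed from
    # the ADMX: 2 = allow; verify against your template).
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 2 -Type DWord
    Set-ItemProperty -Path $fve -Name UseEnhancedPin     -Value 1 -Type DWord

    # Add the TPM+PIN protector. If a TPM-only protector is still present
    # afterwards, remove it: it would keep unlocking the drive without the PIN.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'Tpm' |
        ForEach-Object { Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null }

    Get-BitLockerPosture -MountPoint $MountPoint
}

function Set-HibernateNotSleep {
    # Sleep keeps the volume key in powered RAM; hibernate writes RAM to the
    # (encrypted) disk and powers off, so resuming goes through the pre-boot PIN.
    powercfg /hibernate on
    powercfg /change standby-timeout-ac 0
    powercfg /change standby-timeout-dc 0
    powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2   # 2 = hibernate on lid close
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2
    powercfg /setactive SCHEME_CURRENT
}

# Usage: audit first, then harden.
Get-BitLockerPosture -MountPoint 'C:' | Format-List
# Enable-PrebootPin -MountPoint 'C:' -Pin (Read-Host -AsSecureString 'Pre-boot PIN')
# Set-HibernateNotSleep
```

Run the audit on its own first: a `TpmOnly` of True with `ProtectionStatus` On is exactly the transparent-mode setup the thread is about, which passes the asker's PE-disk test but still hands the key to anyone who can boot the machine and image RAM. Only run the two hardening functions once the recovery password is recorded somewhere other than the laptop, since a mistyped PIN or a changed boot configuration will otherwise leave you with the TPM refusing to unseal and no way back in.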