BitLocker Encryption - Additional Startup Authentication vs. Standard

Hello all,

Just a question on BitLocker for the experts. I've tried to find an answer online to no avail.

I know in Windows 10 Pro (and previous OS versions) you can have different login methods after encryption. You can encrypt the hard drive by right-clicking C: and selecting the "Turn BitLocker on" method, following the standard/recommended process. However, I also know that in gpedit.msc you can configure "Require additional authentication at startup" so that you can enter a PIN/password on boot.

My question is: what is the difference between them both? If I choose *not* to have an additional authentication at startup but have the hard drive encrypted, what are the security implications here?

I would really appreciate help/guidance if possible :)
Asked: N00b2015
2 Solutions
McKnife commented:
Hi.

Without preboot authentication, someone may start the machine. The encryption key is in RAM after startup and can then be read by sophisticated attackers. A DMA attack and a network attack can then also be run against the machine. All of that requires a sophisticated attacker.

So preboot authentication is safer, and if you choose it, use the PIN, not the password. Passwords can be brute-forced; PINs cannot, due to TPM lockout after just 32 attempts.
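An added example (not from the thread or from Microsoft): a PowerShell check of which key protector the OS volume actually has, so an admin can tell a TPM-only setup (key released at boot, as described above) from a TPM+PIN one. It assumes the built-in BitLocker module (`Get-BitLockerVolume`, `Add-BitLockerKeyProtector`) on Windows 10 Pro, an elevated prompt, and the policy registry value `UseAdvancedStartup` under the FVE policy key.

```powershell
# Audit whether the OS volume requires preboot authentication.
# Added example, not the thread's own code. Assumes the BitLocker module
# and an elevated PowerShell session.
function Get-PrebootAuthStatus {
    param([string]$MountPoint = 'C:')

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Protector types that make the TPM (or the user) supply something at boot.
    # 'ExternalKey' on an OS volume is a USB startup key.
    $prebootTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password', 'ExternalKey')
    $hasPreboot   = [bool]($types | Where-Object { $prebootTypes -contains $_ })

    # "Require additional authentication at startup" (gpedit.msc) writes to this
    # policy key; UseAdvancedStartup = 1 means the policy is enabled. (Assumed key.)
    $fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue

    if ($hasPreboot) {
        $assessment = 'Key released only after preboot authentication'
    } elseif ($types -contains 'Tpm') {
        $assessment = 'TPM-only: key loaded into RAM at boot without a PIN (the case discussed above)'
    } else {
        $assessment = 'No TPM protector found; check whether the volume is protected at all'
    }

    [pscustomobject]@{
        MountPoint       = $MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        Protectors       = ($types -join ', ')
        PrebootAuth      = $hasPreboot
        PolicyEnabled    = ($fve.UseAdvancedStartup -eq 1)
        Assessment       = $assessment
    }
}

Get-PrebootAuthStatus -MountPoint 'C:'

# To move to TPM+PIN (what the answer recommends): enable the GPO above first,
# then add the protector and reboot to confirm the PIN prompt. If the cmdlet
# reports a conflict with the existing TPM-only protector, remove that one first
# with Remove-BitLockerKeyProtector (assumption; check the error text).
# $pin = Read-Host -AsSecureString 'Enter BitLocker PIN'
# Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin
```

Run it before and after the change; a result of `PrebootAuth = False` with `Protectors = Tpm` is exactly the "standard" configuration the question asks about.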
N00b2015 (author) commented:
Thank you! Would you perhaps know why the "Require additional authentication at startup" option is optional rather than compulsory with BitLocker, seeing as it's a vulnerability? Ideally, I do not want to use additional boot authentication and just encrypt the hard drive.
McKnife commented:
The risk is small. Only if someone in the know stole your laptop, someone really specialized, would he be able to unlock it. So you have to weigh comfort against security, as always.

If you use BL without preboot auth, make sure to have unguessable passwords for all accounts and have the firewall activated with no exceptions.
N00b2015 (author) commented:
Thanks again. Very helpful. Sorry for all the questions; just trying to get my head around it. When you say unguessable password, since there is no preboot authentication, I believe you are talking about the Windows password? If so, is that more secure now with BL?
McKnife commented:
"more secure now with bitlocker" - ? Please explain what that should mean.
I tried to point out that using BL without preboot authentication should at least be accompanied by some security measures (no passwords of the 123456 style, firewall on).
N00b2015 (author) commented:
Hi,

thanks, I understand what you mean, but when you set BitLocker to encrypt the hard drive (without preboot), it does not request you to set a PIN/password; it just encrypts the drive. So my confusion is: what complex password has to be set? Would you mean the Windows OS password itself?
McKnife commented:
Yes sure, the "OS"/user password(s).
N00b2015 (author) commented:
Thank you for the clarification.