0

I enabled BitLocker encryption on my Windows 10 Pro laptop, but it has a TPM 2.0 chip installed, and because of that it DOES NOT actually protect me, as someone JUST NEEDS TO CRACK 1 PASSWORD (the Windows login screen password) and boom, THEY OWN MY COMPUTER... And if I go without the TPM, is it less secure (somehow; hope you can help me with this one)? It DOES ask for another password before the computer actually BOOTS UP to the Windows lock screen. Hopefully there is something better than this.

NOTE: (I know it is good against someone who connects my SSD to another computer, but not if someone is using my laptop without pulling out the SSD.)

Another note: please give me a solution for a PC without a TPM. (Yes, I can use BitLocker without it, but again it is less SECURE. If this is the only solution, I guess it is better than nothing... or should I use VeraCrypt?)

Thank you.

  • For your first note, to protect your data if they boot your drive in your laptop, use TPM with PIN, as described by both my answer and Esa's. This will prevent the system from booting automatically by protecting the startup key. For your second note, there are multiple options that work without a TPM, and they are as secure as your choices in protecting the keys allow. A USB drive locked away offsite is very secure. – Doug Oct 03 '21 at 12:31
  • Thank you, but it is not realistic to somehow lock away the USB drive for day-to-day use (hope you can help me with that). Also, how can I enable a PIN for BitLocker with TPM if I have already encrypted my laptop? – iudhfgihdfigh Oct 03 '21 at 15:03
  • That's the choice of convenience vs. security. For some people who require strong security it is perfectly reasonable to lock the key in a vault in another building. To switch from TPM to TPM and PIN you first need to enable the policy from my answer, then disable and re-enable BitLocker. Alternatively you can enable the policy, then run the command "manage-bde -protectors c: -delete -type tpm" followed immediately by "manage-bde -protectors c: -add -type tpmandpin". – Doug Oct 05 '21 at 20:42

2 Answers

1

You are incorrect in saying BitLocker without a TPM is less secure, as the underlying encryption key is the same in all cases. How you balance protection and convenience in accessing, protecting, and providing backup archives of protectors of that key is what determines your level of security.

You are correct that once the machine is running it is vulnerable to many forms of attack, however this is true of all encryption tools regardless of vendor. The running system must have the encryption key available in order to operate, and a sufficiently motivated hacker can extract the key from the system while it is operating.

  1. With a TPM a startup key is stored within the TPM, which for convenience will provide the key to the secure bootup sequence. It is possible for the TPM to be damaged or otherwise lose the key, requiring the recovery key to be entered manually from an archived copy (paper, stored in Active Directory, stored in your cloud account, stored in a file on another drive, etc.). It is only as secure as your archived keys. If you choose not to archive the key the drive will be unrecoverable.

  2. With a TPM and PIN the startup key is stored within the TPM, and is protected by the PIN. If the PIN is entered incorrectly too many times the TPM will lock which prevents the startup key from being accessed even with a valid PIN. The key must be entered manually from an archived copy as above, and the TPM reset to resume using the TPM or TPM and PIN options. This is more secure than option 1, however it is only as secure as your PIN and archived keys. If you choose not to archive the key and forget your PIN the drive will be unrecoverable.

  3. Without a TPM the key can be stored on the drive and protected by a password. The password is protected, however it is technically vulnerable as there is no separation between the password, key, and data. There is no lock available to lock the password as the hard drive can be duplicated and restored to any previous state. While this is at least theoretically not secure, realistically it is as secure as your chosen password and the encryption algorithms Microsoft has used to protect the password and key on the disk. If you choose not to archive the key and forget your password the drive is realistically not recoverable.

  4. Without a TPM a startup key can be stored on a USB drive. The computer and hard drive have no copy of the startup key, so you are required to provide it by inserting the USB drive during the boot up sequence. Once the system has booted the USB drive can be removed and left on top of the computer, or preferably placed in the secret vault under your bed at your secret lair known only unto yourself. This can be more secure than option 1, 2, or 3 however it is only as secure as your USB drive and archived keys. If you choose not to archive the key and lose the USB drive containing the startup key or it becomes damaged it will be unrecoverable.

  • In all cases I assume no key loggers or other hardware level or software level compromises exist such that you or Microsoft give your PIN, password, or keys away. If you need security at a Faraday cage level BitLocker won't save you. There have been security issues that have previously impacted BitLocker and other full disk systems. There are security issues that currently impact BitLocker and other full disk systems.

To enable options 1-4 open "Edit group policy" and navigate to Local Computer Policy->Computer Configuration->Administrative Templates->Windows Components->BitLocker Drive Encryption->Operating System Drives->Require additional authentication at startup. Configure it as Enabled, and set the remaining options as needed for your preference. Generally 'Enabled' is sufficient, as the remaining options default to "Allow" rather than "Require" or "Do not allow". Other useful policies are available here, including "Allow enhanced PINs for startup", PIN length, password length, permitted algorithms, required algorithms, etc.

BitLocker policy screenshot

Once you have enabled your policy choices, Manage BitLocker will present additional options.

BitLocker screenshot

If you wish to go further, additional options are available including TPM and USB drive, TPM and USB drive and PIN, certificate, network unlock, etc. These can be researched by running the command lines "manage-bde -on -?" and "manage-bde -protectors -add /?". I won't include them here as I believe option 2 using TPM and PIN is sufficient for what you are looking for.

  5. Without a TPM you can memorize the recovery key. It is as secure as your threshold to extraction by torture or guile, and the note scribbled under the keyboard as your archived copy. If you forget your key it is unrecoverable. Notwithstanding future technology or defects in the algorithm, the 50-digit recovery key will take a billion computers running a million attempts per second many, many times longer than the age of the universe to crack.

To enable option 5 configure the policy as above, and configure BitLocker to use a password. When prompted to back up the recovery key select to print it, select the Microsoft Print to PDF option, and save the resulting PDF to the protected drive. Open the PDF and memorize the recovery key. BitLocker will need the machine to be restarted. After the machine is restarted and BitLocker is fully enabled you may delete the PDF. The intention is simply to destroy all archives of the recovery key, so any method you choose will be somewhat secure. Save it to a USB drive and grind the USB drive, print it to paper and burn it, etc., but make sure the only copy is in your head. Now use the command line to run the command "manage-bde -protectors -delete c: -type password" and reboot the system. Windows will now prompt you to manually enter the recovery key at every boot.

Doug
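The switch from a TPM-only protector to TPM and PIN that the comment thread describes, as an added example that is not part of Doug's answer. It uses the BitLocker PowerShell module instead of manage-bde and writes the same policy values the "Require additional authentication at startup" setting in the Group Policy editor writes (the registry path under HKLM:\SOFTWARE\Policies\Microsoft\FVE and the assumption of a standalone, non-domain-joined machine are mine; a domain GPO would override these). The OS volume letter, the minimum PIN length and the interactive prompts are assumptions. The one thing the answer's two manage-bde commands do not do is confirm that a recovery password exists before the TPM protector is deleted; because BitLocker allows only one TPM-based protector per volume the old one has to go before the new one is added, and the recovery password is the only thing that gets you back in if the add step fails.

```powershell
# Added example (not from the original answer). Run from an elevated prompt.
#Requires -RunAsAdministrator

$OsDrive = 'C:'   # assumption: the OS volume is C:

# 1. Policy: "Require additional authentication at startup" = Enabled, with
#    every TPM combination allowed and BitLocker permitted without a TPM
#    (options 3 and 4 of the answer). Value meaning for the Use* entries:
#    0 = Do not allow, 1 = Require, 2 = Allow.
$Fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $Fve -Force | Out-Null
$policy = @{
    UseAdvancedStartup = 1   # the policy itself (Enabled)
    EnableBDEWithNoTPM = 1   # "Allow BitLocker without a compatible TPM"
    UseTPM             = 2
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
    UseEnhancedPin     = 1   # "Allow enhanced PINs for startup"
    MinimumPIN         = 8   # assumption: 8-digit minimum (valid range 6-20)
}
foreach ($name in $policy.Keys) {
    New-ItemProperty -Path $Fve -Name $name -PropertyType DWord -Value $policy[$name] -Force | Out-Null
}

# 2. Safety check: refuse to touch the TPM protector unless a recovery
#    password protector exists, and make the operator archive it first.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    $vol = Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}
Write-Host "Recovery password (archive this before continuing): $($recovery[0].RecoveryPassword)"
Read-Host 'Press Enter once the recovery password is archived somewhere other than this disk' | Out-Null

# 3. Replace the TPM-only protector with TPM+PIN. Delete first (only one
#    TPM-based protector may exist), then add immediately, as the comment says.
$tpmOnly = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')
if ($tpmOnly.Count -eq 0) {
    Write-Host "$OsDrive has no TPM-only protector; nothing to replace."
} else {
    $pin = Read-Host -AsSecureString 'New startup PIN (must meet MinimumPIN)'
    foreach ($p in $tpmOnly) {
        Remove-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $OsDrive -TpmAndPinProtector -Pin $pin | Out-Null
}

# 4. Verify: expect TpmPin and RecoveryPassword, and no bare Tpm protector.
(Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId |
    Format-Table -AutoSize
```

On a machine with no TPM at all, the same policy block (specifically EnableBDEWithNoTPM) is what makes the answer's options 3 and 4 available; the volume is then encrypted with `manage-bde -on C: -RecoveryPassword -Password` (password prompt at boot) or `manage-bde -on C: -RecoveryPassword -StartupKey E:\` (startup key on a removable drive), rather than by the protector swap above.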
0

Use BitLocker with more than one startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB).

From the official documentation, BitLocker Security FAQ (emphasis is mine):

What is the best practice for using BitLocker on an operating system drive?

The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher, and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, along with a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer.

You could also use a BIOS power-on password, but it is easier to bypass.

The most likely attack scenario is not cracking your Windows password, as you suggest. Instead, it is possible to steal the cryptographic key provided by the TPM and decrypt the disk, giving access to the data on the disk. With write access, they can also change the password, which is much faster than cracking the password hash.

Esa Jokinen
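A read-only check for the configuration this answer warns about, added here as an example and not part of Esa Jokinen's answer: an OS volume whose only startup protector is the TPM unlocks with no pre-boot secret and boots straight to the logon screen, which is exactly the situation the question describes. The function below lists the OS volume's protectors and reports that case, a missing recovery password, and whether a PIN is required by policy. Function and variable names are mine; it assumes a standalone Windows 10 Pro machine with the built-in BitLocker module and changes nothing.

```powershell
# Added example (not from the original answer). Run from an elevated prompt.
#Requires -RunAsAdministrator

# Pure evaluation of a list of protector type names, so the rules can be read
# (and tested) without touching a real volume.
function Test-StartupProtectors {
    param([string[]]$ProtectorTypes, [int]$UseTPMPIN)
    $findings = @()
    if ($ProtectorTypes -contains 'Tpm') {
        $findings += 'TPM-only protector: the volume unlocks with no pre-boot secret; an attacker with the laptop boots to the logon screen.'
    }
    $multiFactor = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password', 'ExternalKey')
    if (-not ($ProtectorTypes | Where-Object { $_ -in $multiFactor })) {
        $findings += 'No PIN, password or startup-key protector is present.'
    }
    if ($ProtectorTypes -notcontains 'RecoveryPassword') {
        $findings += 'No recovery password protector: a TPM lockout or firmware change leaves no way back in.'
    }
    if ($UseTPMPIN -ne 1) {
        $findings += 'Policy does not require a PIN at startup (UseTPMPIN is not 1), so a TPM-only protector can be re-added later.'
    }
    return $findings
}

function Get-BitLockerStartupFindings {
    # Policy value 0 = Do not allow, 1 = Require, 2 = Allow; absent means not configured.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $useTpmPin = 0
    if (Test-Path $fve) {
        $v = (Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue).UseTPMPIN
        if ($null -ne $v) { $useTpmPin = [int]$v }
    }
    $results = @()
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeType -ne 'OperatingSystem') { continue }
        $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $findings = @()
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += "Protection status is $($vol.ProtectionStatus): BitLocker is suspended or the volume is not encrypted."
        }
        $findings += Test-StartupProtectors -ProtectorTypes $types -UseTPMPIN $useTpmPin
        $results += [pscustomobject]@{
            MountPoint = $vol.MountPoint
            Protectors = ($types -join ', ')
            Findings   = $findings
        }
    }
    return $results
}

Get-BitLockerStartupFindings | Format-List
```

A clean result for the configuration both answers recommend is a Protectors line reading `TpmPin, RecoveryPassword` with an empty Findings list; anything under Findings is the gap to close before relying on the disk encryption against someone who has the laptop in hand.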