
BitLocker...what about it?

Posted: Fri Sep 28, 2012 10:36 pm
by BIF
Win 8 will have it. Some versions of 7 have had it for years already.

Until now, I have avoided it because of a fear of complexity... unreasonable maybe, but I'm increasingly concerned about the security of my data drives in my personal laptop and workstation systems. Especially the workstation, with its drives all being easily removed... but also laptops sometimes grow their own legs. Or wings.

Does anybody have experience with BitLocker either in 7 or 8?

Re: BitLocker...what about it?

Posted: Fri Sep 28, 2012 10:43 pm
by chuckula
Give it a miss and try Truecrypt instead. One big issue with Bitlocker is that MS doesn't even offer it on most versions of Windows. For example, using Windows 7 Professional? No Bitlocker. You need either Enterprise or Ultimate, which may greatly limit your use of Bitlocker.

EDIT: See the feature grid here: http://windows.microsoft.com/en-US/wind ... e?T1=tab15

Re: BitLocker...what about it?

Posted: Fri Sep 28, 2012 10:46 pm
by Ryu Connor
It debuted with Vista (Enterprise & Ultimate), actually.

7 had Bitlocker and a new version just for removable media called Bitlocker to Go (7 Enterprise & Ultimate).

It's a straightforward implementation of whole disk encryption.

The boot drive must have the 100MB system partition to use it. Other drives will just work with it.

Most documentation details you must have a TPM for the boot drive. That's good advice as a TPM also provides boot loader integrity checks (albeit UEFI's secure boot will also do that).

It's possible to use Bitlocker on the boot drive without a TPM via a group policy. Instead you must provide a USB key to unlock the boot drive at boot.
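The no-TPM setup described in the post above, written out as an added example (this is editor-supplied code, not something from the thread or from Microsoft's documentation). It assumes C: is the OS volume, E: is the removable USB drive that will hold the startup key, a local (non-domain) Windows 7/8 machine, and that the two FVE registry values below are what the "Require additional authentication at startup" policy in gpedit.msc writes; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread. Enable BitLocker on an OS volume with no TPM,
# unlocking it with a USB startup key plus a recovery password.
# Assumptions: C: = OS volume, E: = removable drive for the .BEK startup key,
# machine is not domain-joined (a domain GPO would overwrite the local values).

$osVolume  = 'C:'
$keyDrive  = 'E:'
$fve       = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Sanity check: the startup key must live on a removable drive. Writing it to an
# internal disk leaves the key next to the data it protects. DriveType 2 = removable.
$disk = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$keyDrive'"
if (-not $disk -or $disk.DriveType -ne 2) {
    throw "$keyDrive is not a removable drive; refusing to put the startup key there."
}

# Equivalent of gpedit.msc -> Computer Configuration -> Administrative Templates ->
# Windows Components -> BitLocker Drive Encryption -> Operating System Drives ->
# "Require additional authentication at startup" = Enabled, with
# "Allow BitLocker without a compatible TPM" ticked. (Assumed to be the values that
# policy writes; confirm against gpedit on your own build.)
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup'  -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord

# Turn BitLocker on. -StartupKey writes the external key file to the USB drive,
# which then has to be plugged in at every boot. -RecoveryPassword generates the
# 48-digit recovery password and prints it; record it somewhere other than the
# laptop bag, because it unlocks the drive with no USB key at all.
manage-bde -on $osVolume -StartupKey "$keyDrive\" -RecoveryPassword
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed with exit code $LASTEXITCODE" }

# Verify what actually protects the volume. For this configuration you should see
# exactly two protectors, "External Key" and "Numerical Password". Anything else
# means the drive is not protected the way you think it is.
manage-bde -protectors -get $osVolume
manage-bde -status $osVolume
```

The removable-drive check is the part worth keeping even if you do the rest through the GUI: BitLocker will happily write a startup key to any path you give it, and a key sitting on the encrypted machine's own second disk is exactly the "drives are easily removed" problem the thread started with.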

Re: BitLocker...what about it?

Posted: Tue Oct 09, 2012 7:38 pm
by BIF
Thanks for the info. Some followup questions:

Can Bitlocker be used with UEFI?

Is it effective on SSDs?

All of my hard drives are SATA, but some are a few years old. How can I check my hard drives to confirm whether or not they have TPM?

Is it fair to say that Bitlocker (and the others) are good for preventing the casual hacker from accessing my data but not the experienced or persistent one?

Re: BitLocker...what about it?

Posted: Tue Oct 09, 2012 8:10 pm
by just brew it!
BIF wrote:
Thanks for the info. Some followup questions:

Can Bitlocker be used with UEFI?

Yes.

BIF wrote:
Is it effective on SSDs?

Shouldn't be any less effective from a security standpoint than on a mechanical drive. There might be some other implications though (e.g. I am not sure if it reduces the effectiveness of TRIM).

BIF wrote:
All of my hard drives are SATA, but some are a few years old. How can I check my hard drives to confirm whether or not they have TPM?

TPM is a feature of the motherboard, not the drives. Some motherboards have a socket for an optional TPM module.

BIF wrote:
Is it fair to say that Bitlocker (and the others) are good for preventing the casual hacker from accessing my data but not the experienced or persistent one?

Properly used, it should even be resistant to experienced/persistent hackers.
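Since the TPM lives on the board rather than on the drives, the practical question is how to ask Windows whether it sees one, and what is currently protecting each volume. The script below is an added example (editor-supplied, not from the thread) that does both through the WMI classes available on Windows 7 as well as 8 (`Get-Tpm` and `Get-BitLockerVolume` only exist from Windows 8 on). It assumes an elevated PowerShell prompt; both WMI namespaces refuse non-administrators.

```powershell
# Added example, not from the thread. Report TPM presence/state and the BitLocker
# protectors on every BitLocker-capable volume, using WMI (works on Windows 7/8).
# Run elevated; the MicrosoftTpm and MicrosoftVolumeEncryption namespaces need admin.

function Get-TpmSummary {
    # Win32_Tpm exists only when the firmware exposes a TPM to Windows. An empty
    # TPM header on the board, or a TPM switched off in BIOS/UEFI setup, both look
    # like "no TPM" here, so check setup before concluding the board lacks one.
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [pscustomobject]@{ Present = $false; Enabled = $false
                                  Activated = $false; Owned = $false; SpecVersion = $null }
    }
    [pscustomobject]@{
        Present     = $true
        Enabled     = $tpm.IsEnabled().IsEnabled       # enabled in firmware
        Activated   = $tpm.IsActivated().IsActivated   # usable by the OS
        Owned       = $tpm.IsOwned().IsOwned           # ownership taken (BitLocker needs this)
        SpecVersion = $tpm.SpecVersion                 # e.g. "1.2, 2, 3" on 2012-era boards
    }
}

# Key protector type codes returned by Win32_EncryptableVolume.GetKeyProtectorType
$protectorNames = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key (USB)';
                     3 = 'Numerical password'; 4 = 'TPM + PIN'; 5 = 'TPM + startup key';
                     6 = 'TPM + PIN + startup key'; 7 = 'Public key'; 8 = 'Passphrase' }

function Get-BitLockerSummary {
    # One Win32_EncryptableVolume per volume BitLocker could manage, encrypted or not.
    Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                  -Class Win32_EncryptableVolume | ForEach-Object {
        $vol = $_
        # GetProtectionStatus: 0 = protection off, 1 = on, 2 = unknown (e.g. volume locked)
        $status = $vol.GetProtectionStatus().ProtectionStatus
        # GetKeyProtectors(0) = all protector IDs; resolve each to a readable type
        $types = @()
        foreach ($id in $vol.GetKeyProtectors(0).VolumeKeyProtectorID) {
            $t    = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
            $name = $protectorNames[$t]
            if ($null -eq $name) { $name = "Type $t" }
            $types += $name
        }
        [pscustomobject]@{
            Drive      = $vol.DriveLetter
            Protection = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Unknown' }[[int]$status]
            Protectors = ($types -join ', ')
        }
    }
}

Get-TpmSummary
Get-BitLockerSummary | Format-Table -AutoSize
```

Two readings of the output matter. A volume showing `Protection = Off` but with protectors listed is one where BitLocker was suspended (the key is stored in the clear on disk), which is easy to forget after a firmware update. And a volume whose only protector is `Numerical password` is unlocked by nothing but the 48-digit recovery password, so wherever that password is written down is now the security boundary.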

Re: BitLocker...what about it?

Posted: Tue Oct 09, 2012 8:36 pm
by BIF
Thanks!

I didn't know TPM was a motherboard option. My Asus P5KC surely won't have it, although I'm sure my one year old Asus laptop probably does.

At this time, I think I'll wait for hardware upgrade to be complete and for Windows 8; I think that would be better timing.

Re: BitLocker...what about it?

Posted: Tue Oct 09, 2012 8:44 pm
by just brew it!
BIF wrote:
My Asus P5KC surely won't have it, although I'm sure my one year old Asus laptop probably does.

I wouldn't count on it. AFAIK it tends to be a feature that is offered mainly on "business class" hardware, so it probably depends on the model.

Re: BitLocker...what about it?

Posted: Tue Oct 09, 2012 8:47 pm
by Captain Ned
Ah, BitLocker. Great idea that can be sabotaged by poor implementation.

I've opined several times here on the infosec policies of Federal Agency X, who supplies me with a laptop with which to perform the activities they can't get to due to resource constraints. Said laptops have a BitLocker keycode that must be entered before the machine will boot.

Every single laptop issued by Agency X has the same BitLocker keycode. The keycode is a telephone number well-known to any employee of Federal Agency X.

Re: BitLocker...what about it?

Posted: Tue Oct 09, 2012 8:49 pm
by BIF
Captain Ned wrote:
..Every single laptop issued by Agency X has the same BitLocker keycode. The keycode is a telephone number well-known to any employee of Federal Agency X...


NICE! :D

:o

Re: BitLocker...what about it?

Posted: Tue Oct 09, 2012 9:01 pm
by just brew it!
BIF wrote:
Captain Ned wrote:
..Every single laptop issued by Agency X has the same BitLocker keycode. The keycode is a telephone number well-known to any employee of Federal Agency X...


NICE! :D

:o

Without going into detail... you'd be amazed (and appalled) at how often stuff like this is done.

Re: BitLocker...what about it?

Posted: Tue Oct 09, 2012 9:33 pm
by Captain Ned
just brew it! wrote:
Without going into detail... you'd be amazed (and appalled) at how often stuff like this is done.

Agreed. The previous generation of laptops from Agency X all had the same BitLocker keycode (not the same one as today), and one that employees of Agency X recognized as an internal phone number.

EDIT: JBI & I have both flown too close to the Sun of Federal contracting. Icarus got off easy.

Re: BitLocker...what about it?

Posted: Wed Oct 10, 2012 7:48 am
by Flatland_Spider
Isn't there an option to have a startup key on a USB drive in Bitlocker? I know Truecrypt doesn't have the option to use a key on a flash drive, but I wish it did.

This brings up another interesting question. If the drive has built-in hardware encryption, does anyone actually need encrypted partitions?

Re: BitLocker...what about it?

Posted: Wed Oct 10, 2012 11:06 am
by Ryu Connor
Flatland_Spider wrote:
Isn't there an option to have a startup key on a USB drive in Bitlocker?


Yes, in group policy.