 
BIF
Minister of Gerbil Affairs
Topic Author
Posts: 2458
Joined: Tue May 25, 2004 7:41 pm

BitLocker...what about it?

Fri Sep 28, 2012 10:36 pm

Win 8 will have it. Some versions of 7 have had it for years already.

Until now, I have avoided it because of a fear of complexity... unreasonable maybe, but I'm increasingly concerned about the security of my data drives in my personal laptop and workstation systems. Especially the workstation, with its drives all being easily removed... but also laptops sometimes grow their own legs. Or wings.

Does anybody have experience with BitLocker either in 7 or 8?
 
chuckula
Minister of Gerbil Affairs
Posts: 2109
Joined: Wed Jan 23, 2008 9:18 pm
Location: Probably where I don't belong.

Re: BitLocker...what about it?

Fri Sep 28, 2012 10:43 pm

Give it a miss and try Truecrypt instead. One big issue with Bitlocker is that MS doesn't even offer it on most versions of Windows. For example, using Windows 7 Professional? No Bitlocker. You need either Enterprise or Ultimate, which may greatly limit your use of Bitlocker.

EDIT: See the feature grid here: http://windows.microsoft.com/en-US/wind ... e?T1=tab15
4770K @ 4.7 GHz; 32GB DDR3-2133; Officially RX-560... that's right AMD you shills!; 512GB 840 Pro (2x); Fractal Define XL-R2; NZXT Kraken-X60
--Many thanks to the TR Forum for advice in getting it built.
 
Ryu Connor
Global Moderator
Posts: 4369
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA
Contact:

Re: BitLocker...what about it?

Fri Sep 28, 2012 10:46 pm

It debuted with Vista (Enterprise & Ultimate), actually.

7 had Bitlocker and a new version just for removable media called Bitlocker to Go (7 Enterprise & Ultimate).

It's a straightforward implementation of whole disk encryption.

The boot drive must have the 100MB system partition to use it. Other drives will just work with it.

Most documentation details you must have a TPM for the boot drive. That's good advice as a TPM also provides boot loader integrity checks (albeit UEFI's secure boot will also do that).

It's possible to use Bitlocker on the boot drive without a TPM via a group policy. Instead you must provide a USB key to unlock the boot drive at boot.
All of my written content here on TR does not represent or reflect the views of my employer or any reasonable human being. All content and actions are my own.
 
BIF
Minister of Gerbil Affairs
Topic Author
Posts: 2458
Joined: Tue May 25, 2004 7:41 pm

Re: BitLocker...what about it?

Tue Oct 09, 2012 7:38 pm

Thanks for the info. Some followup questions:

Can Bitlocker be used with UEFI?

Is it effective on SSDs?

All of my hard drives are SATA, but some are a few years old. How can I check my hard drives to confirm whether or not they have TPM?

Is it fair to say that Bitlocker (and the others) are good for preventing the casual hacker from accessing my data but not the experienced or persistent one?
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: BitLocker...what about it?

Tue Oct 09, 2012 8:10 pm

BIF wrote:
Thanks for the info. Some followup questions:

Can Bitlocker be used with UEFI?

Yes.

BIF wrote:
Is it effective on SSDs?

Shouldn't be any less effective from a security standpoint than on a mechanical drive. There might be some other implications though (e.g. I am not sure if it reduces the effectiveness of TRIM).

BIF wrote:
All of my hard drives are SATA, but some are a few years old. How can I check my hard drives to confirm whether or not they have TPM?

TPM is a feature of the motherboard, not the drives. Some motherboards have a socket for an optional TPM module.

BIF wrote:
Is it fair to say that Bitlocker (and the others) are good for preventing the casual hacker from accessing my data but not the experienced or persistent one?

Properly used, it should even be resistant to experienced/persistent hackers.
Nostalgia isn't what it used to be.
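
The TPM and startup-key questions above can be checked on the machine itself. The script below is an added example, not part of any post in this thread; it assumes an elevated Windows PowerShell session and uses Windows' own WMI classes and the BitLocker (FVE) policy registry key, none of which are named in the thread.

```powershell
# Added example. Run in an elevated Windows PowerShell session.
# WMI classes are used so the same check works on Windows 7 and Windows 8.

# 1. TPM: a motherboard/firmware component, so query the platform, not the disks.
$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm) {
    'TPM present (spec {0}); enabled={1}, activated={2}, owned={3}' -f $tpm.SpecVersion,
        $tpm.IsEnabled_InitialValue, $tpm.IsActivated_InitialValue, $tpm.IsOwned_InitialValue
} else {
    'No TPM visible to Windows (not fitted, or switched off in firmware setup).'
}

# 2. Group policy that lets the boot drive use BitLocker without a TPM.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if ($fve -and $fve.EnableBDEWithNoTPM -eq 1) {
    'Policy set: BitLocker allowed without a compatible TPM (USB startup key at boot).'
} else {
    'Policy not set: the boot drive needs a TPM to use BitLocker.'
}

# 3. Each volume: is protection on, and which key protectors can unlock it?
$typeName = @{ 1 = 'TPM'; 2 = 'External key (USB)'; 3 = 'Recovery password'
               4 = 'TPM+PIN'; 5 = 'TPM+startup key'; 6 = 'TPM+PIN+startup key'; 8 = 'Passphrase' }
$vols = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue
if (-not $vols) { 'BitLocker WMI provider unavailable (edition without BitLocker, or not elevated).' }
foreach ($v in $vols) {
    $on  = $v.GetProtectionStatus().ProtectionStatus -eq 1
    $ids = @($v.GetKeyProtectors(0).VolumeKeyProtectorID)   # 0 = all protector types
    $protectors = foreach ($id in $ids) {
        if ($id) {
            $t = [int]$v.GetKeyProtectorType($id).KeyProtectorType
            if ($typeName.ContainsKey($t)) { $typeName[$t] } else { "type $t" }
        }
    }
    '{0} protection={1} protectors=[{2}]' -f $v.DriveLetter, $on, ($protectors -join ', ')
}
```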
 
BIF
Minister of Gerbil Affairs
Topic Author
Posts: 2458
Joined: Tue May 25, 2004 7:41 pm

Re: BitLocker...what about it?

Tue Oct 09, 2012 8:36 pm

Thanks!

I didn't know TPM was a motherboard option. My Asus P5KC surely won't have it, although I'm sure my one-year-old Asus laptop probably does.

At this time, I think I'll wait for hardware upgrade to be complete and for Windows 8; I think that would be better timing.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: BitLocker...what about it?

Tue Oct 09, 2012 8:44 pm

BIF wrote:
My Asus P5KC surely won't have it, although I'm sure my one year old Asus laptop probably does.

I wouldn't count on it. AFAIK it tends to be a feature that is offered mainly on "business class" hardware, so it probably depends on the model.
 
Captain Ned
Global Moderator
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: BitLocker...what about it?

Tue Oct 09, 2012 8:47 pm

Ah, BitLocker. Great idea that can be sabotaged by poor implementation.

I've opined several times here on the infosec policies of Federal Agency X, who supplies me with a laptop with which to perform the activities they can't get to due to resource constraints. Said laptops have a BitLocker keycode that must be entered before the machine will boot.

Every single laptop issued by Agency X has the same BitLocker keycode. The keycode is a telephone number well-known to any employee of Federal Agency X.
What we have today is way too much pluribus and not enough unum.
 
BIF
Minister of Gerbil Affairs
Topic Author
Posts: 2458
Joined: Tue May 25, 2004 7:41 pm

Re: BitLocker...what about it?

Tue Oct 09, 2012 8:49 pm

Captain Ned wrote:
..Every single laptop issued by Agency X has the same BitLocker keycode. The keycode is a telephone number well-known to any employee of Federal Agency X...


NICE! :D

:o
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: BitLocker...what about it?

Tue Oct 09, 2012 9:01 pm

BIF wrote:
Captain Ned wrote:
..Every single laptop issued by Agency X has the same BitLocker keycode. The keycode is a telephone number well-known to any employee of Federal Agency X...


NICE! :D

:o

Without going into detail... you'd be amazed (and appalled) at how often stuff like this is done.
 
Captain Ned
Global Moderator
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: BitLocker...what about it?

Tue Oct 09, 2012 9:33 pm

just brew it! wrote:
Without going into detail... you'd be amazed (and appalled) at how often stuff like this is done.

Agreed. The previous generation of laptops from Agency X all had the same BitLocker keycode (not the same one as today), and one that employees of Agency X recognized as an internal phone number.

EDIT: JBI & I have both flown too close to the Sun of Federal contracting. Icarus got off easy.
 
Flatland_Spider
Graphmaster Gerbil
Posts: 1324
Joined: Mon Sep 13, 2004 8:33 pm

Re: BitLocker...what about it?

Wed Oct 10, 2012 7:48 am

Isn't there an option to have a startup key on a USB drive in Bitlocker? I know Truecrypt doesn't have the option to use a key on a flash drive, but I wish it did.

This brings up another interesting question. If the drive has built-in hardware encryption, does anyone actually need encrypted partitions?
 
Ryu Connor
Global Moderator
Posts: 4369
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA
Contact:

Re: BitLocker...what about it?

Wed Oct 10, 2012 11:06 am

Flatland_Spider wrote:
Isn't there an option to have a startup key on a USB drive in Bitlocker?


Yes, in group policy.
