BitLocker...what about it?


BitLocker...what about it?

Posted on Fri Sep 28, 2012 10:36 pm

Win 8 will have it. Some versions of 7 have had it for years already.

Until now, I have avoided it because of a fear of complexity... unreasonable maybe, but I'm increasingly concerned about the security of my data drives in my personal laptop and workstation systems. Especially the workstation, with its drives all being easily removed... but also laptops sometimes grow their own legs. Or wings.

Does anybody have experience with BitLocker either in 7 or 8?
BIF

Re: BitLocker...what about it?

Posted on Fri Sep 28, 2012 10:43 pm

Give it a miss and try Truecrypt instead. One big issue with Bitlocker is that MS doesn't even offer it on most versions of Windows. For example, using Windows 7 Professional? No Bitlocker. You need either Enterprise or Ultimate, which may greatly limit your use of Bitlocker.

EDIT: See the feature grid here: http://windows.microsoft.com/en-US/wind ... e?T1=tab15
4770K @ 4.7 GHz; 32GB DDR3-2133; GTX-770; 512GB 840 Pro (2x); Fractal Define XL-R2; NZXT Kraken-X60
--Many thanks to the TR Forum for advice in getting it built.
chuckula

Re: BitLocker...what about it?

Posted on Fri Sep 28, 2012 10:46 pm

It debuted with Vista (Enterprise & Ultimate), actually.

7 had Bitlocker and a new version just for removable media called Bitlocker to Go (7 Enterprise & Ultimate).

It's a straightforward implementation of whole disk encryption.

The boot drive must have the 100MB system partition to use it. Other drives will just work with it.

Most documentation details you must have a TPM for the boot drive. That's good advice as a TPM also provides boot loader integrity checks (albeit UEFI's secure boot will also do that).

It's possible to use Bitlocker on the boot drive without a TPM via a group policy. Instead you must provide a USB key to unlock the boot drive at boot.
"Welcome back my friends to the show that never ends. We're so glad you could attend. Come inside! Come inside!"
Ryu Connor

Re: BitLocker...what about it?

Posted on Tue Oct 09, 2012 7:38 pm

Thanks for the info. Some follow-up questions:

Can Bitlocker be used with UEFI?

Is it effective on SSDs?

All of my hard drives are SATA, but some are a few years old. How can I check my hard drives to confirm whether or not they have TPM?

Is it fair to say that Bitlocker (and the others) are good for preventing the casual hacker from accessing my data but not the experienced or persistent one?
BIF

Re: BitLocker...what about it?

Posted on Tue Oct 09, 2012 8:10 pm

BIF wrote: Thanks for the info. Some follow-up questions:

Can Bitlocker be used with UEFI?

Yes.

BIF wrote: Is it effective on SSDs?

Shouldn't be any less effective from a security standpoint than on a mechanical drive. There might be some other implications though (e.g. I am not sure if it reduces the effectiveness of TRIM).

BIF wrote: All of my hard drives are SATA, but some are a few years old. How can I check my hard drives to confirm whether or not they have TPM?

TPM is a feature of the motherboard, not the drives. Some motherboards have a socket for an optional TPM module.

BIF wrote: Is it fair to say that Bitlocker (and the others) are good for preventing the casual hacker from accessing my data but not the experienced or persistent one?

Properly used, it should even be resistant to experienced/persistent hackers.
(this space intentionally left blank)
just brew it!
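
Added example, not part of the original posts: a PowerShell check for the points raised above, namely whether the machine (not the drives) has a TPM, whether the group policy that allows BitLocker without a TPM is set, and which key protectors each volume uses. It assumes Windows 8 / Server 2012 or later, where `Get-Tpm` and `Get-BitLockerVolume` exist, and an elevated prompt; the function name `Get-BitLockerAudit` is made up for this example.

```powershell
# Added example (run from an elevated prompt). Assumes Windows 8 / Server 2012
# or later, where the Get-Tpm and Get-BitLockerVolume cmdlets are available.
function Get-BitLockerAudit {
    # The TPM belongs to the platform (motherboard/firmware), not to any drive.
    $tpm = Get-Tpm
    [pscustomobject]@{
        Item   = 'TPM'
        Detail = "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"
        Notes  = if ($tpm.TpmPresent) { '' } else { 'no TPM: OS drive needs the no-TPM policy and a startup key' }
    }

    # Group policy "Require additional authentication at startup" is stored here;
    # EnableBDEWithNoTPM = 1 allows an OS drive to be protected without a TPM.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $noTpm = if ($null -eq $fve -or $null -eq $fve.EnableBDEWithNoTPM) { 'not configured' } else { $fve.EnableBDEWithNoTPM }
    [pscustomobject]@{ Item = 'Policy'; Detail = "EnableBDEWithNoTPM=$noTpm"; Notes = '' }

    foreach ($vol in Get-BitLockerVolume) {
        # Protector types as strings, e.g. Tpm, TpmPin, ExternalKey, RecoveryPassword.
        $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $notes = @()
        if ("$($vol.ProtectionStatus)" -ne 'On') { $notes += 'protection is off' }
        if ($types -notcontains 'RecoveryPassword') { $notes += 'no recovery password' }
        if ("$($vol.VolumeType)" -eq 'OperatingSystem' -and $types -contains 'Tpm') {
            $notes += 'TPM-only: unlocks at boot with no PIN or startup key'
        }
        [pscustomobject]@{
            Item   = "Volume $($vol.MountPoint)"
            Detail = "$($vol.VolumeStatus), protectors: $($types -join ', ')"
            Notes  = $notes -join '; '
        }
    }
}

Get-BitLockerAudit | Format-Table -AutoSize -Wrap
```

On Windows 7, `manage-bde -status` reports the per-volume state instead.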

Re: BitLocker...what about it?

Posted on Tue Oct 09, 2012 8:36 pm

Thanks!

I didn't know TPM was a motherboard option. My Asus P5KC surely won't have it, although I'm sure my one-year-old Asus laptop probably does.

At this time, I think I'll wait for hardware upgrade to be complete and for Windows 8; I think that would be better timing.
BIF

Re: BitLocker...what about it?

Posted on Tue Oct 09, 2012 8:44 pm

BIF wrote: My Asus P5KC surely won't have it, although I'm sure my one-year-old Asus laptop probably does.

I wouldn't count on it. AFAIK it tends to be a feature that is offered mainly on "business class" hardware, so it probably depends on the model.
(this space intentionally left blank)
just brew it!

Re: BitLocker...what about it?

Posted on Tue Oct 09, 2012 8:47 pm

Ah, BitLocker. Great idea that can be sabotaged by poor implementation.

I've opined several times here on the infosec policies of Federal Agency X, who supplies me with a laptop with which to perform the activities they can't get to due to resource constraints. Said laptops have a BitLocker keycode that must be entered before the machine will boot.

Every single laptop issued by Agency X has the same BitLocker keycode. The keycode is a telephone number well-known to any employee of Federal Agency X.
Life is hard; but it's harder if you're stupid. Big Al.
Captain Ned

Re: BitLocker...what about it?

Posted on Tue Oct 09, 2012 8:49 pm

Captain Ned wrote: ...Every single laptop issued by Agency X has the same BitLocker keycode. The keycode is a telephone number well-known to any employee of Federal Agency X...


NICE! :D

:o
BIF

Re: BitLocker...what about it?

Posted on Tue Oct 09, 2012 9:01 pm

BIF wrote:
Captain Ned wrote: ...Every single laptop issued by Agency X has the same BitLocker keycode. The keycode is a telephone number well-known to any employee of Federal Agency X...


NICE! :D

:o

Without going into detail... you'd be amazed (and appalled) at how often stuff like this is done.
(this space intentionally left blank)
just brew it!

Re: BitLocker...what about it?

Posted on Tue Oct 09, 2012 9:33 pm

just brew it! wrote: Without going into detail... you'd be amazed (and appalled) at how often stuff like this is done.

Agreed. The previous generation of laptops from Agency X all had the same BitLocker keycode (not the same one as today), and one that employees of Agency X recognized as an internal phone number.

EDIT: JBI & I have both flown too close to the Sun of Federal contracting. Icarus got off easy.
Life is hard; but it's harder if you're stupid. Big Al.
Captain Ned

Re: BitLocker...what about it?

Posted on Wed Oct 10, 2012 7:48 am

Isn't there an option to have a startup key on a USB drive in Bitlocker? I know Truecrypt doesn't have the option to use a key on a flash drive, but I wish it did.

This brings up another interesting question. If the drive has built-in hardware encryption, does anyone actually need encrypted partitions?
Flatland_Spider

Re: BitLocker...what about it?

Posted on Wed Oct 10, 2012 11:06 am

Flatland_Spider wrote: Isn't there an option to have a startup key on a USB drive in Bitlocker?


Yes, in group policy.
"Welcome back my friends to the show that never ends. We're so glad you could attend. Come inside! Come inside!"
Ryu Connor

