BitLocker questions

TraderGary said:

Of course no product can be proven to be totally secure.

Click to expand...

So as a result of this fact, we should all just continue to be satisfied with this particular type of merry-go-round? What do you think would happen to my career as an Enterprise Java developer if I told that to the IT managers at every major corporation I work for?

TraderGary said:

BitLocker uses AES 128bit and 256bit encryption.

Click to expand...

As long as they don't fix massive problems related to leaving the key under the proverbial doormat while at the same time also they persistently repetitively keep holding back the truth about this, as a matter of fact I don't think I would even consider to care if they use 1-bit encryption or 1024-bit.

TraderGary said:

I feel secure using BitLocker on my two laptops and on my portable SSD drives. You're free to believe that BitLocker is "snake oil".

Click to expand...

What "feels" safe doesn't necessarily make you any safer. The bottom line is that I don't just "feel" that this is so. I can prove it.

@hdmi You've not convinced me. I will continue using BitLocker.

TraderGary said:

@hdmi You've not convinced me. I will continue using BitLocker.

Click to expand...

I wasn't trying to convince you, and, even if I was, then I still fail to see how that could be in any way relevant to the OP.

hdmi said:

Yes, it really is easy. So easy in fact, it took him only 43 seconds to get in... Beating Bitlocker In 43 Seconds

Click to expand...

Attack not possible if pre-boot authentication PIN is set; as mentioned in that video, transcript and links:

Change how BitLocker Unlocks OS Drive at Startup in Windows 11

You can lead a horse to water………

hdmi said:

Here's another video about the fact that, the farther you dig back in time, the more hard evidence piles up to show that it never was safe.

Click to expand...

No TPM in play there. Isn't that a bit last millennium?

Author says in comments: "Forgive me, but I recorded this video quite some time ago and I no longer use the software. Don’t be paranoid with cryptography. ... Also use a TPM 2.1 module on your laptop. This is a good protection mechanism. Since this video was recorded crypto has come on along way."

TraderGary said:

He's talking about TPM 1.2. I wonder what's changed in TPM 2.0? Windows 11 requires TPM 2.0.

Click to expand...

BruceR said:

Attack not possible if pre-boot authentication PIN is set; as mentioned in that video, transcript and links:

Change how BitLocker Unlocks OS Drive at Startup in Windows 11

Click to expand...

Remember that the PIN authentication cannot be protected by the TPM, as that would require the key to be released by the TPM, when the goal of adding the PIN is to... err... well, prevent the key from being released by the TPM till after the correct PIN has already been entered. Granted, adding the PIN authentication would slow the hacker down, probably enough to be able to justify that particular part of what Microsoft has claimed, i.e., that physical access to the hardware for a lengthy period of time is on the list of what's needed for the attack to be able to succeed. But then, you are still forgetting that Microsoft hadn't said anything at all much about the fact that the PIN authentication is on this same list also, just like you are still forgetting that this PIN authentication is disabled on Windows 11 by default. Finally, if the whole computer gets stolen, it will be only a matter of time before an experienced hacker can get in. All it factually does in that regard is, it just adds an additional pile of proverbial doormats to check.

In a corporate environment, BitLocker can be used in concert with TPM 2.0, Secure Boot, Trusted Boot, Measured boot and Device Health Attestation (DHA) to detect any tampering that would alter the normal boot process in some way. That's because Measured Boot allows the PCR registers of the TPM to be used to record these detections, and also to protect these recorded detections against being manipulated after they are stored in the PCR registers. It doesn't actually prevent the boot process from being able to be tampered with, though. Rather, it merely adds the ability to verify that no tampering has occurred, to report back to the AM (Anti-Malware) service, to analyze what went on, and to take the appropriate actions if needed (also with optional ability to automate such actions). Appropriate actions here meaning, after the tampering has been detected.

hdmi said:

Remember that the PIN authentication cannot be protected by the TPM,

Click to expand...

But it is:

• TPM with PIN: ... TPMs also have anti-hammering protection that is designed to prevent brute force attacks that attempt to determine the PIN.

BitLocker countermeasures

Click to expand...

TraderGary said:

@hdmi You've not convinced me. I will continue using BitLocker.

Click to expand...

Amen. I am of the same mind. Also. that one video was clearly ancient as he stated that the latest version of TPM is 1.2. 2.0 has been around for years.

BruceR said:

No TPM in play there. Isn't that a bit last millennium?

Click to expand...

That's my point. "Windows Security":

BruceR said:

Author says in comments: "Forgive me, but I recorded this video quite some time ago and I no longer use the software. Don’t be paranoid with cryptography. ... Also use a TPM 2.1 module on your laptop. This is a good protection mechanism. Since this video was recorded crypto has come on along way."

Click to expand...

Yeah, it's come a long way, and, as long as Microsoft (and many other companies like them) can keep getting away with holding back the truth about their own flawed implementations of it, the cash will also keep coming a long way into their deep pockets. Legal theft is legal, and, we can't use morality to pay our bills, now can we? So, just keep buying all our latest products. Among various other things, they are so much more secure I mean... don't be paranoid about the fact that security doesn't work how you always thought it would work, and especially don't be paranoid about our blatant fake advertising. Instead, just move on to the next topic. Let widespread pixi mentality cover up the entire problem. Or don't...

BruceR said:

But it is:

Click to expand...

It isn't truly protected, as the PIN can still be spoofed with relative ease when the attacker has physical access to the hardware. Attempts can also be made to steal the TPM owner password. For these reasons, Microsoft wants everyone to move to passwordless authentication, and that's good. But after you've seen all the fake advertising that went on, you can't un-see it. Zero Trust starts with secure access. However, trust starts with not having a proven record of continuously trying to cover things up........

Dear Ancient,
I have used TrueCrypt, Veracrypt, and Bitlocker, for about 15 years.
I had upgraded to windows "X" pro to get the bitlocker features.
I have it set up to REQUIRE the bitlocker code (your 8-or-so character code) to unlock at BOOT time (if you forget that, you need to enter the 36+ char recovery code)
I have encrypted other enclosed hard drives, and external hard drives.
I want my data to be a BRICK if it is stolen.
I use it in local administrator accounts.
I have backups of the recovery keys, STORED in my KeePass password manater program, and on other uploaded encrypted data. I DO NOT RELY on the microsoft backup of the key (even though microsoft does this anyway)
I back up mh computer data regularly also so in event of a complete system blow-up (not just with bitlocker) I have backups of my data, encrypted in the cloud.

STORING the recovery keys/files fr teh drive is not any different than you making sure to have adequate username/password storage of your logon sites. if you do not have a good mechanism for storing them, then you don't have adequate mechanism to store your bitlocker keys or to encrypt the drive.
with the right procedures, and bitlocker, your computers will be safer than some of the government notebooks out there.
i can provide more details if needed.
NOTE, i am inquiring in other threads about WINDOWS 11 HOME now providing bitlocker, in the 24h2 upcoming release because i just bought a new computer, and if i am able to enable it in windows 11 home, on new computer, i will hold off on buying windows 11 pro.
i am staying tuned...

hdmi said:

It isn't truly protected, as the PIN can still be spoofed with relative ease when the attacker has physical access to the hardware.

Click to expand...

How?

BruceR said:

How?

Click to expand...

For one, an attacker who has physical access to the hardware can steal the motherboard, the CPU, and the SSD while at the same time also replacing these specific internal hardware components with different ones the only purpose of which would be to introduce a fake PIN authentication screen that is indistinguishable from the real PIN screen, i.e., to spoof the correct PIN and to transmit (e.g. through a wireless connection) that PIN. Such an attack would seem like it should need to be rather sophisticated for it to be able to succeed, which immediately helps to explain the "relative" part in "with relative ease", but then, this argument swings both ways, as the fact that the attacker had physical access to these hardware components already confirms that it shouldn't necessarily always have to be that sophisticated anyway after all.

It's one of those reasons why other security measures like MFA, passwordless (or PIN-less) authentication methods, additional protections against theft of the relevant hardware components, early detection of such theft (e.g. surveillance, chassis intrusion detection mechanisms, monitoring of peripheral connection or cable connection drops, etc.) are a lot more critically important than many think. A lot of these additional security measures are not directly related to BitLocker, which also is part of the reason why most users tend to overlook this critical importance.

Microsoft is enabling BitLocker device encryption by default on Windows 11​

Wolfzz said:

Microsoft is enabling BitLocker device encryption by default on Windows 11​

Microsoft is enabling BitLocker device encryption by default on Windows 11

You can avoid device encryption by using a local account.

www.theverge.com

Click to expand...

Looks like the first thing to check and disable when doing a clean install with a local account. I have no need for it and I'm not going to create a MS account in order to log in.