Bitlocker Security Questions

hdmi · Feb 27, 2025

TraderGary said:
I plan to continue using my password manager, making daily drive images, using encrypted cloud storage, and using BitLocker. As you advocate @hdmi, BitLocker is only one part of my total computer security strategy.

I was talking more about other things like, e.g., Windows Measured Boot, Device Health Attestation (DHA), intrusion detection, and surveillance. Here's more recent evidence to show that BitLocker on Windows 11 still can't always properly protect the keys: Intro

Again, when it comes to the subject of protecting your data after your laptop gets stolen or an attacker gains physical access to the hardware, the marketing that surrounds BitLocker Drive Encryption is an emperor. Unfortunately however, the emperor is wearing no clothes.

TraderGary · Feb 27, 2025

hdmi said:
I was talking more about other things like, e.g., Windows Measured Boot, Device Health Attestation (DHA), intrusion detection, and surveillance. Here's more recent evidence to show that BitLocker on Windows 11 still can't always properly protect the keys: Intro

Again, when it comes to the subject of protecting your data after your laptop gets stolen or an attacker gains physical access to the hardware, the marketing that surrounds BitLocker Drive Encryption is an emperor. Unfortunately however, the emperor is wearing no clothes.

Yes, I know that there is nothing that's 100% secure. I'm more concerned with a total security strategy that keeps me as safe as possible. BitLocker is only a small, minor part of my total security strategy. It's built-in to Windows and costs nothing to implement. Let me ask this then, do you think it is better to not use BitLocker at all?

andrew129260 · Feb 27, 2025

hdmi said:
I was talking more about other things like, e.g., Windows Measured Boot, Device Health Attestation (DHA), intrusion detection, and surveillance. Here's more recent evidence to show that BitLocker on Windows 11 still can't always properly protect the keys: Intro

Again, when it comes to the subject of protecting your data after your laptop gets stolen or an attacker gains physical access to the hardware, the marketing that surrounds BitLocker Drive Encryption is an emperor. Unfortunately however, the emperor is wearing no clothes.

The bypass you linked requires windows to boot first so that its in ram. And it's tricky as admitted by the own author.

Pin / startup key at boot prevents this bypass.

Again, I think if your using bitlocker and you care about security, I think the pin at boot is a minimum requirement.

While other attacks are still possible, it seems to me we are trying to make the goal of preventing a super experienced hacker, super spy or government agency from getting into your computer, which at that point is pointless anyway. There will always be a way. Once your targeted its over. Regardless of the security you have, it will only slow them down.

hdmi · Feb 27, 2025

TraderGary said:
Yes, I know that there is nothing that's 100% secure. I'm more concerned with a total security strategy that keeps me as safe as possible. BitLocker is only a small, minor part of my total security strategy. It's built-in to Windows and costs nothing to implement. Let me ask this then, do you think it is better to not use BitLocker at all?

The point was that an attacker with physical access to the hardware can still copy all your secrets when you're not looking so as a result you wouldn't even know what happened before it's already too late. In a best case scenario, the attacker would steal your laptop so at least you'd be given the chance to find out on time that it's been stolen (although the "on time" here would still depend on a number of things anyway). Everything else meets the criteria of what I like to call wishful thinking. So yes, if the goal is to protect the kind of sensitive data that is high-valued, BitLocker is out of the question for me.

As a matter of fact, I am not even allowed to let any of my work related data come in contact with systems that run Windows or Windows Server. We have other (non-Microsoft) solutions we use for this purpose.

hdmi · Feb 27, 2025

andrew129260 said:
if your using bitlocker and you care about security

That is an oxymoron.

TraderGary · Feb 27, 2025

Brute forcing an AES 256-bit encryption key is theoretically possible, but it's still never been done.

andrew129260 · Feb 27, 2025

hdmi said:
That is an oxymoron.

It does add security. You act like everything is as trivial as a one click bypass when that is not the case. Does security to you only mean that its 100% bulletproof?

Just because a security solution has flaws does not make it pointless.

The whole point of security is to slow someone down and make it annoying enough to not be bothered. If you are hunted / targeted, none of that matters regardless of the security solution you have. The whole thing goes out the window. Anyone determined will get in, it doesn't matter what you use.

I think you are confusing your job / confusing security as a whole of being specifically targeted, which seems to be more likely in your line of work, vs someone wanting a bit more than average security on their systems to protect their data from a casual thief.

TraderGary · Feb 27, 2025

While it's theoretically possible to brute force an AES 256-bit encryption key, it would take an impractical amount of time and computational power to do so. The sheer number of possible combinations (2^256) makes it infeasible with current technology.

To give you some perspective, if you had a supercomputer that could check a trillion keys per second, it would still take longer than the age of the universe to exhaustively search through all possible keys. This is why AES 256-bit encryption is considered highly secure for protecting sensitive information.

kelper · Feb 27, 2025

hdmi said:
That is an oxymoron.

No, an oxymoron is a quasi-contradictory juxtaposition of opposites.
But it has to make sense like bitter-sweet or sweet-sorrow. Terms like military intelligence are NOT real oxymorons.

hdmi · Mar 1, 2025

Windows BitLocker bug leaks AES-XTS encryption - IAES

A bug was discovered in the Windows BitLocker encryption tool identified as CVE-2025-21210. This vulnerability has exposed the BitLocker encryption system to

www.iaesjournal.com

kelper · Mar 1, 2025

CVE-2025-21210 was patched on January 14th (Patch Tuesday).

hdmi · Mar 1, 2025

kelper said:
CVE-2025-21210 was patched on January 14th (Patch Tuesday).

The OP's questions about how safe is BitLocker goes back to December 26, 2022. I mean, if I have to wait for more than 3 whole years before it probably will be "safe", then my own personal conclusion will be that it probably won't be very trustworthy at all. I won't go as far as to claim that it is pure snake oil, but once you see the similarities, you can't unsee them. Or maybe you can, but personally, I, definitely can not. To me, personally, this isn't so much about how safe is "safe enough". It's more about how blatant is the discrepancy between what Microsoft has kept claiming about BitLocker in the past versus all the hard evidence that has kept piling up. Especially when it comes to things like security IMO, reputation comes on foot and leaves on horseback.

Also IMO, having a false sense of security can sometimes tend to be more detrimental than the significant drawbacks that are commonly associated with deciding to keep critical data always separate. In a lot of cases, it pays off to at least try to investigate and evaluate how critical is crictical enough to justify that decision, and to re-evaluate, from time to time, this and the logical relationship that exists between it and other security related factors.

kelper · Mar 1, 2025

If I sent you my laptop, encrypted with Bitlocker and with a BIOS and Boot password set, could YOU access my data. I'm not gainsaying you, I'm just curious.

BruceR · Mar 1, 2025

hdmi said:
It's more about how blatant is the discrepancy between what Microsoft has kept claiming about BitLocker in the past versus all the hard evidence that has kept piling up.

What exactly has Microsoft kept claiming about Bitlocker in the past? (Please provide references.)

The following sections cover mitigations for different types of attackers.

BitLocker countermeasures -- Attacker countermeasures

TraderGary · Mar 1, 2025

All known BitLocker vulnerabilities have been patched. Despite the clever word salads, I'm confident using BitLocker.

hdmi · Mar 1, 2025

kelper said:
If I sent you my laptop, encrypted with Bitlocker and with a BIOS and Boot password set, could YOU access my data. I'm not gainsaying you, I'm just curious.

If it had a sticky label with your PIN on the bottom cover, maybe I could.

BruceR said:
What exactly has Microsoft kept claiming about Bitlocker in the past? (Please provide references.)

One example is explained after 20 seconds in the video below.

That and the fact that this hack turned out to be still possible on a variety of modern Windows 11 laptops:

BitLocker key sniffing is still possible on modern Windows 11 laptops with discrete TPM modules

10-year-old laptops aren't the only devices in danger of this security flaw.

www.tomshardware.com

The Lenovo X1 Carbon Gen 11 is from 2023, it was released several months after this discussion thread was created, and, it isn't the only modern Windows 11 laptop that has this vulnerability. What makes this still relevant IMO is that this particular part of security shouldn't have to depend on what modern Windows 11 laptop you bought. Not when Microsoft claimed that "BitLocker provides maximum protection when used with a TPM". In the same Tom's Hardware article I linked above, you'll also find a link that points to a page on GitHub where you can read more about the subject of TPM sniffing. TPM sniffing isn't the only problem, though.

TraderGary said:
All known BitLocker vulnerabilities have been patched. Despite the clever word salads, I'm confident using BitLocker.

At the time when the OP created this thread, all known BitLocker vulnerabilities had also been patched. Yet, despite that, it took only 43 seconds to get in, and took only 43 seconds regardless of who does or who doesn't like clever word salads.

kelper · Mar 1, 2025

Is Macrium's own encryption any better?

TraderGary · Mar 1, 2025

I know how much you love jumping up and down about your "43 seconds", but that one has also been patched.

TraderGary · Mar 1, 2025

kelper said:
Is Macrium's own encryption any better?

Macrium uses AES, the same as BitLocker.

TraderGary · Mar 1, 2025

AES supports key lengths of 128, 192, or 256 bits. These key sizes determine the level of security, with longer keys being more secure. Even the lowest 128 key length has never been broken and is considered secure.

Bitlocker Security Questions

Jack of all trades – master of none

My Computers

Stock Market Wizard

My Computers

Well-known member

My Computers

Jack of all trades – master of none

My Computers

Jack of all trades – master of none

My Computers

Stock Market Wizard

My Computers

Well-known member

My Computers

Stock Market Wizard

My Computers

Well-known member

My Computers

Jack of all trades – master of none

My Computers

Well-known member

My Computers

Jack of all trades – master of none

My Computers

Well-known member

My Computers

Well-known member

My Computer

Stock Market Wizard

My Computers

Jack of all trades – master of none

My Computers

Well-known member

My Computers

Stock Market Wizard

My Computers

Stock Market Wizard

My Computers

Stock Market Wizard

My Computers

Similar threads