Bitlocker Security Questions

TraderGary · Wednesday at 11:45 PM

@hdmi, you do bring up the point that Microsoft is indeed fallible. No one can ever argue that they are infallible.

For me, BitLocker meets my security requirements, and I am confident using it.

As always, YMMV.

hdmi · Thursday at 12:25 AM

TraderGary said:
@hdmi, you do bring up the point that Microsoft is indeed fallible. No one can ever argue that they are infallible.

For me, BitLocker meets my security requirements, and I am confident using it.

As always, YMMV.

Personally, I, am confident that a lot of people who own one of those computers that aren't 10 year-old computers but that, in spite of the fact that they aren't 10 year-old computers, still have this TPM vulnerability I was talking about, also are confident using BitLocker with TPM on that computer. Again, my only point was that being confident about it does not make the evidence any less valid. Nor does the fact that your TPM is integrated into your CPU. The fact that you aren't affected by this specific vulnerability does not in any way prove that the vulnerability doesn't exist. It does, and, again, my point was that it isn't limited to a 10 year-old computer. It still isn't, and, this is still regardless of anything you wrote. So, no. This isn't about people hating Microsoft. Rather, this is about you not knowing when you've lost an argument. Here's the link again:

BitLocker key sniffing is still possible on modern Windows 11 laptops with discrete TPM modules

10-year-old laptops aren't the only devices in danger of this security flaw.

www.tomshardware.com

TraderGary · Thursday at 12:47 AM

hdmi said:
Personally, I, am confident that a lot of people who own one of those computers that aren't 10 year-old computers but that, in spite of the fact that they aren't 10 year-old computers, still have this TPM vulnerability I was talking about, also are confident using BitLocker with TPM on that computer. Again, my only point was that being confident about it does not make the evidence any less valid. Nor does the fact that your TPM is integrated into your CPU. The fact that you aren't affected by this specific vulnerability does not in any way prove that the vulnerability doesn't exist. It does, and, again, my point was that it isn't limited to a 10 year-old computer. It still isn't, and, this is still regardless of anything you wrote. So, no. This isn't about people hating Microsoft. Rather, this is about you not knowing when you've lost an argument. Here's the link again:

BitLocker key sniffing is still possible on modern Windows 11 laptops with discrete TPM modules

10-year-old laptops aren't the only devices in danger of this security flaw.

www.tomshardware.com

I'm not aware of a BitLocker vulnerability for my current computer, thus my confidence in BitLocker. Yes, you've pointed out a BitLocker vulnerability for computers with a non-integrated TPM. You win! If you're ever in Atlanta, PM me and I'll buy you a beer.

kelper · Thursday at 4:03 AM

TraderGary said:
I'm not aware of a BitLocker vulnerability for my current computer, thus my confidence in BitLocker. Yes, you've pointed out a BitLocker vulnerability for computers with a non-integrated TPM. You win! If you're ever in Atlanta, PM me and I'll buy you a beer.

But will you spit in it?

hdmi · Friday at 1:28 PM

lol...

Patched But Still Vulnerable: Windows BitLocker Encryption Bypassed Again

Discover the flaw in Windows BitLocker that allows attackers to bypass encryption and access sensitive data. No screwdrivers or hardware hacking required.

securityonline.info

kelper · Friday at 2:11 PM

But how is someone going to install an outdated bootloader on my PC? I have secure boot enabled and Windows won't boot from an external device. A bad actor would need my supervisor password to turn off secure boot.

TraderGary · Friday at 2:14 PM

hdmi said:
lol...

Patched But Still Vulnerable: Windows BitLocker Encryption Bypassed Again

Discover the flaw in Windows BitLocker that allows attackers to bypass encryption and access sensitive data. No screwdrivers or hardware hacking required.

securityonline.info

The vulnerability, dubbed “bitpixie” (CVE-2023-21563), was initially addressed by Microsoft in November 2022. However, Lambertz demonstrated how attackers can exploit an outdated Windows bootloader via Secure Boot to extract encryption keys.

Obviously, keep your system updated so that you aren't running an outdated bootloader.

andrew129260 · Friday at 2:53 PM

TraderGary said:
The vulnerability, dubbed “bitpixie” (CVE-2023-21563), was initially addressed by Microsoft in November 2022. However, Lambertz demonstrated how attackers can exploit an outdated Windows bootloader via Secure Boot to extract encryption keys.

Obviously, keep your system updated so that you aren't running an outdated bootloader.

According to the article though, the new certs for uefi will not be available before 2026. There is also the black lotus vulnerability.

This talk explains it more in depth:

Windows BitLocker: Screwed without a Screwdriver

Ever wondered how Cellebrite and law enforcement gain access to encrypted devices without knowing the password? In this talk, we’ll demon...

media.ccc.de

This article summarizes it a bit:

Old BitLocker vulnerability exploited to bypass encryption on updated Windows 11

According to a presentation shown during the recently held Chaos Communication Congress at the Chaos Computer Club (CCC), Windows BitLocker can be screwed without a screwdriver. A...

www.techspot.com

It looks like the best thing to do (which I think has been the case for awhile) is if your using bitlocker I think you should have the bitlocker pin/password prompt at boot. It makes no sense to have the tpm unlock it automatically if you care about security.

Looks like microsoft agrees with me:

BitLocker countermeasures

Learn about technologies and features to protect against attacks on the BitLocker encryption key.

learn.microsoft.com

kelper · Friday at 2:57 PM

If you make security too onerous, people won't use it. If you are going to enter the Bitlocker key at every boot or when you wake the computer from sleep will you enter it from memory? I don't think so. You will have it on a slip of paper or on a USB stick. This is biting off your nose to spite your face!

andrew129260 · Friday at 3:12 PM

kelper said:
If you make security too onerous, people won't use it. If you are going to enter the Bitlocker key at every boot or when you wake the computer from sleep will you enter it from memory? I don't think so. You will have it on a slip of paper or on a USB stick. This is biting off your nose to spite your face!

That is the only way to prevent these mitigations of bitlocker though, so if security is important to you, and you are using bitlocker, you should do the following:

1.) Use a password/pin or usb drive to unlock the machine each time you turn it on. This is currently the only way to prevent these bitlocker bypasses.

2.) Have a bios password and the startup set to only boot to the main hard disk with other startup options disabled.

3.) Using a microsoft account to prevent password reset bypasses.

I think if you use bitlocker, you are someone who has important data that someone would want to try to break into, and if that is the case, you should use all the tools necessary to block/prevent threats.

Nothing is bullet proof, and it is better to have some security vs none at all. But the point still stands. There is no such thing as total security, convenience and security always go back and forth. The tpm unlock is convenient, but it's not the most secure option.

hsehestedt · Friday at 3:19 PM

kelper said:
If you make security too onerous, people won't use it. If you are going to enter the Bitlocker key at every boot or when you wake the computer from sleep will you enter it from memory? I don't think so. You will have it on a slip of paper or on a USB stick. This is biting off your nose to spite your face!

In general I agree you, kelper. There is no way I would make it necessary to enter a key every time the system is booted. The only time I would do that is if I had no TPM. That's the whole point of the TPM - it's a secure way to seal the keys without the user having to supply it.

However - you can create a key that can be memorized because BitLocker allows you to supply your own key. There are some limitations, you cannot simply use anything:

1) The key is a 48-digit key made up of 8 groups of 6 numeric digits each.
2) Each 6-digit group must be evenly divisible by 11.
3) Each group of 6 digits must be no greater than 720885.

But there are easy ways to generate a key that can be memorized or computed in your head within those limitations.

kelper · Friday at 3:19 PM

"Have a bios password and the startup set to only boot to the main hard disk with other startup options disabled."

That is what secure boot does, isn't it? I certainly can't boot from a USB device without disabling SB.

kelper · Friday at 3:21 PM

hsehestedt said:
In general I agree you, kelper. There is no way I would make it necessary to enter a key every time the system is booted. The only time I would do that is if I had no TPM. That's the whole point of the TPM - it's a secure way to seal the keys without the user having to supply it.

However - you can create a key that can be memorized because BitLocker allows you to supply your own key. There are some limitations, you cannot simply use anything:

1) The key is a 48-digit key made up of 8 groups of 6 numeric digits each.
2) Each 6-digit group must be evenly divisible by 11.
3) Each group of 6 digits must be no greater than 720885.

But there are easy ways to generate a key that can be memorized or computed in your head within those limitations.

can you give an example of such a long key that was easy to remember?

I am reading your excellent post on this very topic!

Manage BitLocker From Command Line, Manually Set Key to Same on All Systems

I use BitLocker on the OS drive of every one of my systems. I have always found it to be a pain to manage all the BitLocker keys. Yes, I can store them online, and I even wrote a program to manage keys. But there is a much easier way that I thought I would share: You can manually change the...

www.elevenforum.com

andrew129260 · Friday at 3:22 PM

kelper said:
"Have a bios password and the startup set to only boot to the main hard disk with other startup options disabled."

That is what secure boot does, isn't it? I certainly can't boot from a USB device without disabling SB.

Not exactly. Secure boot verifies that windows install boot sequence is legitimate. Meaning that malware has not slipped its way into the boot process when starting windows. More info here.

You can certainly start your system from a usb or cd or other media with secure boot turned on. Some manufactures motherboards might be different apparently I found out, but some allow this.

hsehestedt · Friday at 3:23 PM

andrew129260 said:
That is the only way to prevent these mitigations of bitlocker though

Completely disagree! Yes, there are vulnerabilities that crop up from time to time but they are such ridiculous exploits that they would require heroic levels of expertise and expenditures to exploit. If I were someone with top secret info, or a bank, or some other party with something really valuable to keep secret, then I might explore this. But no one is going to go through that kind of effort to hack my system at home.

andrew129260 · Friday at 3:26 PM

hsehestedt said:
Completely disagree! Yes, there are vulnerabilities that crop up from time to time but they are such ridiculous exploits that they would require heroic levels of expertise and expenditures to exploit. If I were someone with top secret info, or a bank, or some other party with something really valuable to keep secret, then I might explore this. But no one is going to go through that kind of effort to hack my system at home.

I never said someone would go through that effort on a home user. The point is they can.

What I did say was a fact though. The only way to prevent these current issues in bitlocker is to do what I said. So far anyway. More vulnerabilities are found all the time.

I think if your a home user, reguler device encryption or bitlocker with tpm is adequate enough. It matters how important the data is to you.

I said this quote for a reason:

andrew129260 said:
I think if you use bitlocker, you are someone who has important data that someone would want to try to break into, and if that is the case, you should use all the tools necessary to block/prevent threats.

hsehestedt said:
ridiculous exploits that they would require heroic levels of expertise and expenditures to exploit

that can be easily turned into simple scripts later. Happens all the time.

kelper · Friday at 3:30 PM

andrew129260 said:
Not exactly. Secure boot verifies that windows install boot sequence is legitimate. Meaning that malware has not slipped its way into the boot process when starting windows. More info here.

You can certainly start your system from a usb or cd or other media with secure boot turned on. Some manufactures motherboards might be different, but some allow this.

I did say that MY COMPUTER won't boot from USB when secure boot is enabled. You do not need to gainsay what it true.

andrew129260 · Friday at 3:32 PM

kelper said:
I did say that MY COMPUTER won't boot from USB when secure boot is enabled. You do not need to gainsay what it true.

Interesting. What about network? You cannot choose any other boot source with secure boot enabled? Even tapping F12? Looks like that's the key to boot into other devices

ah looks like the boot menu can be turned off and you have to turn it on in the bios. nice

Found this: If you keep pressing F12 but nothing happens, turn the laptop off and on again, and keep pressing F2. This takes you to the BIOS setup where you can enable the boot menu.

kelper · Friday at 3:48 PM

F2 will open the bios settings but it needs a PIN. This is on my Acer Swift (system 1)

hsehestedt · Friday at 3:51 PM

kelper said:
can you give an example of such a long key that was easy to remember?

I am reading your excellent post on this very topic!

Manage BitLocker From Command Line, Manually Set Key to Same on All Systems

I use BitLocker on the OS drive of every one of my systems. I have always found it to be a pain to manage all the BitLocker keys. Yes, I can store them online, and I even wrote a program to manage keys. But there is a much easier way that I thought I would share: You can manually change the...

www.elevenforum.com

I'm not going to tell you how I do it, but here is one possible idea. I would use something better than this, this is just an idea:

Say you have 2 dates like this:

010220 (For Jan 2, 2020 - the US version where month comes first)
051570 (For May 15, 1970)

Break those down into 6 groups of 2 digits each like this:

01
02
20
05
15
70

Duplicate each 2 digit group:

NOTE: Duplicating numbers or a series of numbers is not the most secure, but this is only meant as a simple example.

0101
0202
2020
0505
1515
7070

Add a 4 digit number at the front and another at the end. Use something that has meaning to you but not obvious so you can remember. You r bank card pin might be a good one:

2397
0101
0202
2020
0505
1515
7070
1371

Now add two more digits to each group to make it divisible by 11. There is an easy trick to do this in your head, just google it.

239701
010109
020207
202004
050501
151503
707003
137104

There you have it - 8 groups of 6 digits that meet the criteria. All you need in this example is two 4 digit numbers (like a pin) and two 6 digit numbers.

Again, there are better ways that I'm sure anyone can figure out for themselves, but you get the point.

As a result of this, I no longer keep my BL keys anywhere, only in my head.

Bitlocker Security Questions

Stock Market Wizard

My Computer

Jack of all trades – master of none

My Computers

Stock Market Wizard

My Computer

Well-known member

My Computers

Jack of all trades – master of none

My Computers

Well-known member

My Computers

Stock Market Wizard

My Computer

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Similar threads