Bitlocker Question

Discussion in 'Windows OS and Software' started by Drew1, Oct 18, 2020.

  1. Drew1

    Drew1 Notebook Deity

    Reputations:
    23
    Messages:
    1,832
    Likes Received:
    48
    Trophy Points:
    66
    I just looked at a very old thread I created a while back and saw I cannot post anything to it anymore, so I created a new thread.


    So last year or so, I asked about BitLocker and was able to get it enabled on my Windows 10 Pro Dell laptop. I recall I put a PIN on it... so every time I turn on the laptop, it asks me for my PIN. There was a lot of confusion when I did this because I recall there were like 3 ways of doing it... which involved something like


    PIN with TPM
    PIN without TPM
    Password?



    Is that correct? What I did was I put in a PIN. So every time I turn on the laptop, I type in the PIN, then I also put in a Windows password as well... then after that, it goes to my desktop, etc.



    Recently, I removed both the Windows 10 password and turned BitLocker off because I wanted to clone my old SSD onto the new SSD, which I did successfully. I read you should always turn off BitLocker when cloning. So now, I've been using my laptop without any BitLocker PIN or Windows 10 password at startup.



    Now I want to make sure I do this correctly like the first time I did it. Now, because I turned off the BitLocker PIN... does that mean when I turn it on again, I will have to do it exactly like how I did it the first time? Or could I turn it on and it would be the same PIN? Or would it be brand new and thus I have to type in an entirely new PIN? Now when I do this, if I choose PIN... do I pick it without TPM or with TPM? Also... when you select PIN... does it have to be numbers only? Or could I pick numbers or letters or a combination of both?


    Also, I asked this last time, but the 3rd option of password is not the same as PIN with TPM or without TPM? Like, password isn't secure?
     
  2. Drew1

    Also, I recalled last time I saved a BitLocker recovery key file as well. I still have that. But is that useless now?


    The thing is, I do want to type in a new BitLocker PIN this time compared to the one I typed last time.
     
  3. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    Reputations:
    687
    Messages:
    3,126
    Likes Received:
    1,509
    Trophy Points:
    231
    Yes.
    No. But you can make it the same as before.
    Yes.
    PIN with TPM.
    No. Numbers only is very stupid on many levels.
    Yes.
    PIN is machine-specific, password is machine-agnostic. In other words, the PIN is tied to the particular machine you use the drive in, while the password is not.
    Yes.
     
  4. Drew1


    Thanks. But I think I put a PIN last time without TPM because my laptop didn't have a TPM. That is possible, right?


    Starlight, can you help me again later on, step by step, on this like you helped me over a year ago?


    I would be doing it on my Dell XPS 15 9550 Windows 10 Pro laptop... but will respond back to your posts on my Chromebook.


    So that means the BitLocker recovery code file I have right now is completely useless then?


    I'm confused why, because wouldn't that revert my laptop to exactly how it was at the time I created the BitLocker recovery code?
     
  5. Starlight5

    Your laptop has at least one TPM: a firmware TPM embedded in the CPU. It may also have a discrete TPM, sitting on a separate chip.
    I can try.
    Yes.
    BitLocker encrypts a storage device with a different encryption key every time. The state will be the same, but the key will be different.
     
  6. Drew1



    Thanks, Starlight. Will you be online tomorrow for like 20 minutes or so straight? I just want to make sure you are available online so I can do it while you are here, so if there is something I'm not sure what to press, then I will ask you... like last year when you helped me with this.


    I will make sure I write down the steps on paper this time so if I ever do this again, I can do it myself.


    Also, when I first try to do this, I need to click Turn on BitLocker, then I'm going to wait about 1.5 to 2 hours for it to encrypt, right? Or do I have to do the entire TPM thing first? The TPM or without TPM or password was the thing I was confused about last time because it gave me different options.
     
  7. Starlight5

    As far as I know, you can do either.
    Let's do a quick roundup of your options:
    1. TPM with PIN - you enter the PIN when you boot the machine; the drive can only be accessed with the PIN on your computer, and other computers will need a recovery key to access the drive.
    2. TPM without PIN - no pre-boot authentication whatsoever; as we determined before, this is not enough for you.
    3. Password (without TPM) - you enter the password when you boot; the drive can be accessed with the password on any computer.

    The difference between TPM with PIN and password is that a password definitely needs to be long and strong, because otherwise it will be easy to brute-force, while due to the use of the TPM, a PIN can be shorter (although still strong, obviously) without affecting security much, because using your own machine to try to brute-force the password is far less convenient for attackers, and the TPM will lock them out for some time after a bunch of failed attempts.

    Note that you will have to use hibernation instead of sleep. If you use sleep, it defeats the whole PIN/password thing, so don't.

    Now, the instructions:
    1. Launch Group Policy Editor gpedit.msc
    2. Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
    3. Enable the following settings:
    * Require Additional Authentication at Startup
    * Allow enhanced PINs for startup
    4. Encrypt the drive with your desired setting
    5. Disable sleep via power settings. You need to adjust the following settings in your power profile(s):
    * Sleep after -> 0
    * Allow hybrid sleep -> Off
    * Hibernate after -> adjust to the setting you believe most appropriate; you'll be using this instead of sleep
    * Allow wake times -> Disable
    * Lid close action -> Hibernate
    * Power button action -> Hibernate or Shut Down, depending on your preference
    * Sleep button action -> Hibernate
     
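The steps above can be done from an elevated PowerShell prompt as well, which also answers the earlier questions about which TPM version the machine has and whether the old recovery key file is still any use. This is an added example, not code from the thread or from either poster. It assumes the operating-system drive is C:, that the two Group Policy settings from step 3 have already been enabled in gpedit.msc (so an enhanced, alphanumeric PIN is accepted), and it uses a 30-minute hibernate timeout purely as a placeholder you should replace with your own preference; the powercfg alias names are the ones shown by `powercfg /query`, so confirm them on your own machine before running.

```powershell
#Requires -RunAsAdministrator
# Added example: audit the TPM and BitLocker state, enable BitLocker with a
# TPM+PIN protector, then swap sleep for hibernation. Assumes OS drive is C:.

# --- 1. Which TPM is present? (the "1.2 vs 2.0" question) ---
$tpm     = Get-Tpm
$tpmInfo = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
'TPM present: {0}, ready: {1}, spec version: {2}' -f $tpm.TpmPresent, $tpm.TpmReady, $tpmInfo.SpecVersion

# --- 2. Current BitLocker state and the key protectors attached to C: ---
$vol = Get-BitLockerVolume -MountPoint 'C:'
'Protection: {0}, status: {1}, {2}% encrypted' -f $vol.ProtectionStatus, $vol.VolumeStatus, $vol.EncryptionPercentage
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId

# --- 3. Option 1 from the thread: TPM + PIN pre-boot authentication ---
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # A recovery password is the fallback other machines need to read the drive.
    # The key file saved before the drive was decrypted no longer matches: a fresh
    # encryption means a fresh volume key, so a new recovery password is generated
    # here and must be saved somewhere other than this laptop.
    Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null

    # With "Allow enhanced PINs for startup" enabled, the PIN may contain letters,
    # digits and symbols rather than digits only.
    $pin = Read-Host -Prompt 'Enter new startup PIN' -AsSecureString
    Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -TpmAndPinProtector -Pin $pin

    # Print the new 48-digit recovery password so it can be written down / saved.
    (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -ExpandProperty RecoveryPassword
}

# --- 4. Step 5 from the thread: no sleep, hibernate instead ---
# Button/lid action values: 0 = do nothing, 1 = sleep, 2 = hibernate, 3 = shut down.
powercfg /hibernate on
foreach ($src in 'ac', 'dc') {
    powercfg /change "standby-timeout-$src" 0      # Sleep after -> never
    powercfg /change "hibernate-timeout-$src" 30   # Hibernate after -> placeholder, 30 min
}
foreach ($cmd in 'setacvalueindex', 'setdcvalueindex') {
    powercfg "/$cmd" SCHEME_CURRENT SUB_SLEEP   HYBRIDSLEEP    0   # Allow hybrid sleep -> Off
    powercfg "/$cmd" SCHEME_CURRENT SUB_SLEEP   RTCWAKE        0   # Allow wake timers -> Disable
    powercfg "/$cmd" SCHEME_CURRENT SUB_BUTTONS LIDACTION      2   # Lid close -> Hibernate
    powercfg "/$cmd" SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION  3   # Power button -> Shut down
    powercfg "/$cmd" SCHEME_CURRENT SUB_BUTTONS SBUTTONACTION  2   # Sleep button -> Hibernate
}
powercfg /setactive SCHEME_CURRENT

# --- 5. Verify: hibernate should be listed as available, and C: should show a TpmPin protector ---
powercfg /a
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector.KeyProtectorType
```

Encryption of the drive itself runs in the background after `Enable-BitLocker` returns and will take the "1.5 to 2 hours" mentioned earlier; `Get-BitLockerVolume` shows the percentage as it progresses. The recovery-password protector is added before the TPM+PIN protector deliberately, so that a recovery key exists from the first moment the drive is protected.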
  8. Drew1


    Thanks for that information, Starlight. Well, what I did last time was TPM with PIN, right? For some weird reason, I thought it was some other method because I recalled my laptop for some reason didn't have TPM 2.0 or something like that, when my laptop only had TPM 1.4? For some reason, this came to my mind. Or am I completely mistaking this all wrong? Yeah, I remember there were 3 options... and obviously option 2 makes no sense, TPM without PIN. How many TPM versions are there?


    Why would anyone even choose option 2 then? I mean, that is basically no security at all, since when you turn on the laptop, it goes to your desktop anyway? But it has a TPM, so I'm confused why anyone would choose this? How is it even any security then? I mean, might as well do nothing then as opposed to TPM without PIN, or what am I missing here?


    Oh, so the password option isn't as secure as the TPM with PIN, which makes sense. But the TPM with PIN option means there is only a certain number of attempts you can do before the laptop locks up? Do you know how many attempts that is? A few times I have entered my PIN incorrectly... I think once I entered it wrong 2 times in a row... then entered it correctly and it was fine. But with a passphrase, someone can brute-force it with as many attempts as possible... okay, makes sense then for security to not choose this.


    I never sleep my laptop. I either turn it off or lock it. But of course you and some others mentioned that the Windows 10 password isn't secure at all and someone with enough time can bypass that easily, right? Thus you said if you're going to be away from your laptop for a while, just turn it off.


    But if I decide to hibernate my laptop... say I want to go outside for an hour or so and want my laptop to be secure... I hibernate it so I could restart it quicker than turning on my laptop, right? But when I hibernate, are all the programs that I currently have open on my laptop still there? Because back then, if I was going to leave my computer turned on in my apartment for an hour or more, I typically just powered it off as opposed to just locking it.
     
  9. Starlight5

    If I recall correctly, yes.
    The only relevant ones are 1.2 and 2.0. Everything before 1.2 is obsolete.
    For starters, it is the default option. Next, it allows not only PIN or password unlock options, but also biometric options (fingerprint, face unlock), which are less secure in most situations, but faster and more convenient than typing a long and complex password or PIN.
    Only if you don't set up any Windows authentication. Otherwise, it goes to the Windows login screen. The drive unlocks only after you authenticate in Windows.
    It is less secure in theory. In practice, however, the TPM may be flawed and vulnerable to a skilled hacker attack, so a password may end up being stronger. But the password definitely needs to be long and complex for that.
    Yes.
    No, I didn't research that. Here is a good starting point for your research.
    When locked, it is at best as secure as when it sleeps. If you don't use a Windows authentication setup, only pre-boot authentication, then it is not secure at all when locked or asleep, thus you should not use either.
    I honestly don't remember saying that the Windows 10 password isn't secure at all. But without pre-boot authentication, a machine without memory encryption can definitely be hacked by a skilled attacker. Newer machines with memory encryption (Ryzen Pro) are much more secure. Also, a lot depends on your threat model.
    In your scenario (TPM+PIN), it's shutdown or hibernate.
    Not sure about the quicker part, but just like when you lock or put the computer to sleep, all your programs with the work you were doing when you entered hibernation are restored.
    Hibernation basically dumps memory to disk, then shuts down the machine. When you wake the machine from hibernation, it needs to access your disk, but with pre-boot authentication it can't read its contents unless you enter the correct PIN or password. Thus, hibernation with pre-boot authentication is pretty secure.
    As I already mentioned, locking a machine without Windows password is pointless. And even if you have both pre-boot authentication and Windows authentication, locking or putting the machine to sleep degrades your security very noticeably, making it less secure than locking it or putting it to sleep while using Windows authentication and TPM without PIN for Bitlocker.

    There is no point using Windows and pre-boot authentication simultaneously, in my opinion. You should use one of them, not both.
     
    Last edited: Oct 20, 2020
  10. Drew1



    Hey, thanks for the response. Okay, option 2 where you have a TPM but no PIN... yeah, that was the thing I was curious about, since it's like, how is that secure... and now you mentioned... well, you have that Windows 10 password that protects you. I remember that now. But many people have said a long time ago... that the Windows 10 password is completely useless and anyone can bypass that easily. So that is true, right? HOWEVER, it's not true if you have TPM without PIN but do have a Windows 10 password. Is that CORRECT?


    Okay, TPM 1.2 and 2.0... that rings a bell. I'm pretty sure I have TPM 1.2 then, because I remember when I did it last time, I mentioned my TPM was only so-and-so version and not 2.0.


    Okay, but for me, you still recommend TPM with PIN as opposed to password, right? Again, my threat would basically be my laptop being in someone's possession and them seeing what's in there... but the bigger threat would be if they were to do something funny to it like malware/keylogger, then I use it as if nobody touched it. Yes, I know that situation is rare, but I just want the computer to be unusable for someone without a PIN/password. So that TPM without PIN thing... you would not suggest that to anybody, right? Like for almost everyone, either PIN with TPM or password? The password, you mentioned there are unlimited retries... that is scary, since someone could literally brute-force it as many times as possible, right?


    Yeah, I know if you use BitLocker only but don't have a Windows password, well, that isn't secure, because if you lock it... that doesn't do anything at all.


    I had no idea laptops with Ryzen Pro are more secure. But that makes sense that those other processors would be, in a way.


    I'm confused with your last line. What do you mean by that? Pre-boot authentication is BitLocker... and Windows is the Windows 10 password, right? And you say you should use either both or none, or am I mistaken here? Because as you know, my BitLocker setup previously was a BitLocker PIN... then you need to type in the Windows 10 password in order to get to the desktop. So you are saying I shouldn't have both? Well, the BitLocker PIN should always be there... so no Windows 10 password? Or am I mistaking what you say here when you say Windows in the last line?


    I want to do the BitLocker thing later today or tomorrow. Do you know typically when you are free, Starlight? I'm not sure where you are located, but can you tell me exactly how many hours from now you are typically free, so I could also be online during the time that you are on? Thanks.
     