BitLocker TPM only recovery

  • Question

  • My manager wants me to put BitLocker on all the machines (about 150 laptops and desktops) on my network. I'm pretty sure my manager wants me to have TPM be the only authentication required, meaning no PIN or startup key. I will also be securing BIOS so that no one can change boot order or even access BIOS.

    I've been looking up BitLocker for a few days now and just want a bit of clarification on 2 things:

    1. If I wanted to put a user's hard drive into a new machine, for instance, I would naturally be prompted for a recovery password, right? Or would the 48-bit recovery password/256-bit recovery key only be created if I used a PIN/USB startup key?

    2. I realize that it's a best practice to have a TPM+PIN unlock method, but if I simply restrict access to BIOS and have only TPM authentication, wouldn't that be just as secure? An attacker wouldn't be able to change boot order, or remove the hard drive and place it elsewhere either way, right?




    Thursday, September 29, 2016 7:27 PM

Answers


  • 1. If I wanted to put a user's hard drive into a new machine, for instance, I would naturally be prompted for a recovery password, right? Or would the 48-bit recovery password/256-bit recovery key only be created if I used a PIN/USB startup key?

    There will be a recovery key; it can be a txt file or it can be saved into AD. Depends on the setup of BitLocker. The recovery key is 48 bit. The key will always be created; depends where you wanna save it.

    2. I realize that its a best practice to have a TPM+PIN unlock method, but if I simply restrict access to BIOS and have only TPM authentication, wouldn't that be just as secure? An attacker wouldn't be able to change boot order, or remove the hard drive and place it elsewhere either way, right?

    Even if the attacker changes the boot order, the drive is still encrypted, so it will be "safe" with




    • Proposed as answer by Jochen Becker Thursday, September 29, 2016 7:35 PM
    • Marked as answer by TechSupport357 Thursday, September 29, 2016 9:37 PM
    Thursday, September 29, 2016 7:35 PM

All replies


  • Hi.

    1. Yes.

    2. Trusted Platform Module (TPM) and BitLocker Drive Encryption

    Enable BitLocker, Automatically save Keys to Active Directory

    Different companies create their own plans for protecting computers and data; it's a complex plan (encryption, different levels of access to data and the internet, access to servers and buildings).

     


    MCITP, MCSE. Regards, Oleg

    Thursday, September 29, 2016 7:38 PM
  • The previous answers are not complete.

    1 TPM only means that in order to mount it elsewhere, you need the 48-digit (not 48 bit) recovery key. The startup key is a different protector altogether. If you choose to create it as well, don't give it to the user since he could use it to offline-mount the drive anywhere without having the recovery key and get full control over the Windows installation. Save it to a safe place.

    2 No, it would not be as secure for a very simple reason: when the system boots, the TPM releases the key and it gets loaded to RAM. An attacker that has stolen the notebook could simply start it to the logon prompt, turn it off and freeze the RAM, take it to another device and read it out. That's called a cold boot attack and there exist simple tutorials on how to do it. That's why a PIN is needed. Another possible protection against this attack type is unremovable (soldered) RAM. Some devices offer that. That together with secure boot will prevent cold boot attacks even without a PIN.


    Friday, September 30, 2016 9:03 AM
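As an added example that is not part of the thread above, the following PowerShell script shows how an administrator could check the points raised in the reply on each machine: which protectors a volume actually has (a bare TPM protector with no pre-boot factor, whether a startup-key file protector exists, whether a 48-digit recovery password protector exists) and how to make sure the recovery password is backed up to Active Directory. It uses only the BitLocker module cmdlets that ship with Windows (Get-BitLockerVolume, Add-BitLockerKeyProtector, Backup-BitLockerKeyProtector, Enable-BitLocker). Assumptions: it is run elevated on the client, the domain schema and the "Store BitLocker recovery information in AD DS" policy are already in place for the AD backup, and the startup-policy allowing a TPM PIN is configured before Enable-TpmAndPin is called; the function names and the list of "pre-boot" protector types are my own, not Microsoft's.

```powershell
# Added example (not from the thread). Audits BitLocker protectors on the local
# machine and backs the recovery password up to AD. Requires an elevated session
# and the BitLocker PowerShell module that ships with Windows 8 / Server 2012+.

function Get-BitLockerProtectorReport {
    [CmdletBinding()]
    param(
        # Protector types that add a pre-boot factor on top of the TPM. Assumed
        # classification for this report; 'Tpm' alone is the TPM-only case the reply warns about.
        [string[]] $PreBootTypes = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password')
    )

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasPreBoot = [bool]($types | Where-Object { $PreBootTypes -contains $_ })

        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeType          = $vol.VolumeType
            ProtectionStatus    = $vol.ProtectionStatus
            Protectors          = ($types -join ',')
            # TPM-only: the VMK is released at boot with no PIN, which is the cold-boot exposure
            TpmOnly             = (($types -contains 'Tpm') -and -not $hasPreBoot)
            # The 48-digit recovery password needed to mount the drive in another machine
            HasRecoveryPassword = ($types -contains 'RecoveryPassword')
            # ExternalKey is the startup-key (.BEK) protector the reply says not to hand to users
            HasStartupKeyFile   = ($types -contains 'ExternalKey')
        }
    }
}

function Backup-RecoveryPasswordToAD {
    param([string] $MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    if ($rp.Count -eq 0) {
        # No recovery password protector yet: create one (BitLocker generates the 48 digits)
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rp  = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }

    foreach ($p in $rp) {
        # Escrow this protector in the computer object's msFVE-RecoveryInformation (needs schema + policy)
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    # Return the protector IDs that were backed up; the password itself is deliberately not echoed
    $rp | ForEach-Object { $_.KeyProtectorId }
}

function Enable-TpmAndPin {
    param([string] $MountPoint = 'C:')

    # Prompt for the PIN as a SecureString; policy "Require additional authentication at
    # startup" must allow a TPM startup PIN or Enable-BitLocker will reject the protector.
    $pin = Read-Host -AsSecureString -Prompt 'Enter the BitLocker startup PIN'
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 -TpmAndPinProtector -Pin $pin
}

# Typical run: report first, then make sure recovery passwords are escrowed.
Get-BitLockerProtectorReport | Format-Table -AutoSize
Backup-RecoveryPasswordToAD -MountPoint 'C:'
```

Run the report before rolling out: any row with TpmOnly set to True and HasRecoveryPassword set to False is a machine that has neither the pre-boot factor the reply recommends nor a way to recover the drive if it is moved to another chassis. Enable-TpmAndPin is the step that converts a TPM-only volume to TPM+PIN; it is left as a separate call because the PIN policy has to be in place first.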
  • Always Upgrade Equipment so that it will reflect the change

     
    Wednesday, October 5, 2016 3:13 AM