Bitlock external USB backup drive?

  • Question

  •    I'm currently running Windows 10 Pro on a Dell Optiplex 755 and running a weekly (Windows7) file backup and system image to an external USB HD.  I'm considering running Bitlocker on the Windows 10 C: drive and wonder about whether or not the external backup drive should also be Bitlocked.  If it is, and I experience a C: drive failure, I would expect to replace the C: drive, boot up on a Windows 10 Repair Disk and restore the most recent system image to the new drive.  If the external drive is Bitlocked, will the Repair Disk be able to access it?  If yes, will it prompt for the Bitlocker key?  If the Repair Disk won't be able to access the system image on the external drive this would seem to indicate I should NOT use Bitlocker on the backup drive, correct?

       Another question about Bitlocker... if the system is TPM enabled what good is Bitlocker?  If the computer is stolen and the Administrator pw is cracked, won't that give access to the entire HD?  Is it impossible to crack the Administrator account on a Bitlocked drive?

    Wednesday, December 30, 2015 5:33 PM


All replies

  • Hi,

    Yes, you are able to manage BitLocker even under the Windows recovery environment, so it is not a problem. You could use the command prompt “manage-bde F: -unlock” to unlock the encrypted drive.

    BitLocker Command-line Tools

    https://technet.microsoft.com/en-us/library/ee706522(WS.10).aspx

    Regarding the TPM: a TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a desktop or portable computer, and communicates with the rest of the system by using a hardware bus.

    Computers that incorporate a TPM have the ability to create cryptographic keys and encrypt them so that they can be decrypted only by the TPM. This process, often called "wrapping" or "binding" a key, can help protect the key from disclosure. Each TPM has a master wrapping key, called the Storage Root Key (SRK), which is stored within the TPM itself. The private portion of a key created in a TPM is never exposed to any other component, software, process, or person.

    Computers that incorporate a TPM can also create a key that has not only been wrapped, but is also tied to specific hardware or software conditions. This is called "sealing" a key. When a sealed key is first created, the TPM records a snapshot of configuration values and file hashes. A sealed key is only "unsealed" or released when those current system values match the ones in the snapshot. BitLocker uses sealed keys to detect attacks against the integrity of the Windows operating system.

    With a TPM, private portions of key pairs are kept separated from the memory controlled by the operating system. Because the TPM uses its own internal firmware and logic circuits for processing instructions, it does not rely upon the operating system and is not exposed to external software vulnerabilities.

    So if someone wants to access your hard drive, he must have your whole device (board and hard drive) and the password for decryption, and it is impossible to crack any data from an encrypted hard drive.

    Regards,

    D. Wu


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Thursday, December 31, 2015 5:05 AM
    Moderator
  • "if the system is TPM enabled what good is Bitlocker?" - this misunderstanding is very popular. The default is to use a TPM for bitlocker and nothing else, no PIN as preboot authentication. That means, anyone who finds the machine can start it.

    -But can he get in? No, at least not if you set up a non-trivial password.

    -Can he crack or blank/reset the password? No, because that would need access to the drive in a form that is not allowed. Now what am I talking about, what "form"? The TPM "says": "this drive may be started by anyone, but not decrypted, nor mounted from any other OS, boot CD or crack device". And that's the whole trick: the TPM is aware of what is being booted.

    -but can't he run a network "hack" against the booted machine to gain control? No, at least not if the defaults are applied which are: firewall is on, no incoming traffic allowed.

    -So is there no way in the world hackers could get in? Oh, there are ways, namely cold boot attacks and DMA attacks, but that is not something you'd expect some thief to do. But since it is nevertheless possible and both attack types can be fought by setting a PIN, do set a PIN! It is just a few numbers you have to enter on each boot, but it makes BitLocker strong against those attack types. Still you might ask "can't that PIN be found through trial and error?" Sure, it can, but that would require a huge amount of luck because there are so-called "anti-hammering" techniques active that guard against trial-and-error activity.

    --

    As for your other question: "If the external drive is Bitlocked, will the Repair Disk be able to access it?  If yes, will it prompt for the Bitlocker key?" - It will be accessible, yes. manage-bde is your friend as mentioned. You'll need the recovery key, not the password, not the PIN or else, but the recovery key, the 48-digit-number.

    Thursday, December 31, 2015 2:42 PM
  • Thanks for the clarification.  One more question, if the boot drive is Bitlocked, are you presented with a request for a PIN to access the drive before Logon appears?
    Monday, January 11, 2016 5:26 PM
  • Hi,

    Yes, a password or PIN, and you can set what you need.

    Regards,

    D. Wu


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Marked as answer by DFDixon Sunday, September 18, 2016 4:52 PM
    Tuesday, January 12, 2016 1:26 AM
    Moderator
  • DFDixon, it's not clear what your question would ask for.

    If you choose to encrypt the system drive, by default, no PIN is set but only the TPM is taken as protector.

    You'll have to actively set a numerical PIN (4 digits and up) as an additional protector. You can (via GPedit.msc) configure it to use an enhanced PIN, which allows more than only numerical characters.

    The PIN is then asked for pre-boot. If you take an enhanced PIN and you don't have a US keyboard, be warned: Microsoft's implementation is US oriented. That would mean the preboot authentication assumes you use a US keyboard (QWERTY) and will, for example on a German keyboard, receive a "y" while "z" is pressed, which could lead to great confusion on bad password attempts. If you have a non-US keyboard, the official workaround is to switch the keyboard layout to en-US while entering the enhanced PIN.

    • Marked as answer by DFDixon Sunday, September 18, 2016 4:53 PM
    Tuesday, January 12, 2016 8:44 AM
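The two practical points in this thread, that the default OS-drive configuration is TPM-only so a PIN should be added, and that the backup drive is unlocked from a repair disk with the 48-digit recovery password rather than the PIN, can be checked and applied with the built-in BitLocker PowerShell module. The following is an added example, not code from any of the posters; the drive letters C: (OS volume) and E: (the external backup drive) and the recovery-password value are assumptions/placeholders.

```powershell
# Added example (not from the thread): audit and fix BitLocker protectors with
# the built-in BitLocker module. Drive letters C: (OS) and E: (external backup
# drive) are assumptions; run from an elevated PowerShell prompt on Windows 10.

function Get-ProtectorSummary {
    param([string]$MountPoint)
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        VolumeType          = $vol.VolumeType
        Protection          = $vol.ProtectionStatus
        Protectors          = ($types -join ', ')
        # TPM-only: anyone holding the machine can boot it to the logon screen
        # (the thread's point); TPM+PIN adds pre-boot authentication.
        TpmOnly             = ($types -contains 'Tpm') -and -not ($types -contains 'TpmPin')
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
    }
}

# 1. Audit: flag an OS volume that relies on the TPM alone.
$os = Get-ProtectorSummary -MountPoint 'C:'
$os | Format-List
if ($os.TpmOnly) {
    Write-Warning 'C: is protected by the TPM only; add a startup PIN (step 2).'
}

# 2. Add a TPM+PIN protector. This needs the Group Policy "Require additional
#    authentication at startup" to allow a TPM startup PIN (GPedit.msc, as the
#    thread mentions); non-numeric PINs also need "Allow enhanced PINs for startup".
$pin = Read-Host -Prompt 'Startup PIN (digits only unless enhanced PINs are enabled)' -AsSecureString
Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin

# 3. Backup drive: make sure a 48-digit recovery password exists and record it
#    somewhere OTHER than the backup drive itself, because that password (not
#    the PIN) is what unlocks the drive from a repair disk.
$bk = Get-BitLockerVolume -MountPoint 'E:'
if (-not (@($bk.KeyProtector.KeyProtectorType) -contains 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint 'E:' -RecoveryPasswordProtector | Out-Null
    $bk = Get-BitLockerVolume -MountPoint 'E:'
}
$rp = @($bk.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')[0]
"Backup-drive recovery password (store offline): $($rp.RecoveryPassword)"

# 4. From the Windows 10 repair disk (WinRE) the BitLocker PowerShell module is
#    not available; unlock the backup drive with manage-bde before restoring
#    the system image (placeholder recovery password shown):
#       manage-bde -unlock E: -RecoveryPassword 111111-222222-333333-444444-555555-666666-777777-888888
```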