Is BitLocker secure?

  • Question

  • Hi,

    I have a new laptop and want to encrypt it as I need to keep sensitive data on it. It has a TPM, so I do not need to modify any group policies to allow me to use BitLocker like I did previously on older laptops without a TPM. Because of that it does not ask for a password before booting to the login screen, where it requests the "local user account" password (not a Microsoft account or part of a domain).

    There are also no other admin accounts on the laptop, so I was wondering how secure this actually is? What I mean is...

    I know that if the drive is physically removed it is locked and needs the recovery key/password to unlock it, and it is probably "virtually" uncrackable. But if it's still in the machine and actually booting into the login screen, is it not already unlocked and liable to the login being cracked in some way? Such as a brute force attack or resetting the user password in some way?

    If it is liable to being hacked/cracked I will probably just edit the group policy to allow BitLocker to be used without a TPM (even though it has one) so it at least asks for a password to unlock the drive. In either case, is this not more secure anyway?

    Thanks for your time reading this and your help.


    Saturday, June 15, 2019 6:19 PM

All replies

  • My thoughts: what it does still stop is booting from a USB stick and resetting passwords and/or creating a local admin account to hack with. That is pretty straightforward to do on a non-encrypted Windows machine.

    I do not know of any way to hack the login (even thinking of things like USB Rubber Ducky and Bash Bunny, i.e. hardware hack tools, as they need a logged-in user), and if any vulnerability was found and known to hack a login prompt it would be fixed with an update very quickly.

    I use TPM without worries; it does stop at the first boot if the hardware is modified in any way (i.e. BIOS updates etc.). But I guess it depends if you think nation states or leet hackers may be targeting you because you have beyond top secret information on the device. So risk management, I would say.

    Saturday, June 15, 2019 8:57 PM
  • So secure that if you don't take precautions and write down or print the encryption key it will lock you out, and the only thing you can do to fix it is formatting the disk.
    Saturday, June 15, 2019 9:17 PM
  • Hi Guys,

    So as long as I don't need to worry that if it was stolen, turned on and they are at the login prompt to my Windows account, it's no less secure because at that point the drive is unlocked, is it not?

    Thanks.


    Regards David

    Monday, June 17, 2019 7:16 PM
  • Hi,

    If we want to open the BitLocker encrypted drive, we always need the recovery key to decrypt it.

    If you store your recovery key in your Microsoft account and the account is decoded, BitLocker could be insecure. It is recommended to change the password of your Microsoft account immediately after you lose your PC.

    Best regards,

    Yilia 





    Tuesday, June 18, 2019 7:37 AM
    Moderator
  • You should set a PIN if you are worried that you will be facing more than the common thief. Else, just leave it as is.

    To set up a PIN: https://www.howtogeek.com/262720/how-to-enable-a-pre-boot-bitlocker-pin-on-windows/

    • Marked as answer by David--- Thursday, June 20, 2019 4:10 PM
    Thursday, June 20, 2019 7:32 AM
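For readers who prefer to do the PIN change from a console rather than the GUI walkthrough linked above, here is an added PowerShell example (not from this thread or from Microsoft's documentation). It assumes an elevated PowerShell session on Windows 10/11 with the BitLocker module available, that the "Require additional authentication at startup" policy already allows a startup PIN (as the linked guide describes), and it prints the recovery password so you can write it down before the TPM-only protector is replaced.

```powershell
# Added example: check whether the OS volume is protected by TPM only and,
# if so, switch it to TPM+PIN so a PIN is required before Windows boots.
# Assumption: elevated session, BitLocker module present, startup PIN allowed by policy.

$osVolume = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
if (-not $osVolume) { throw 'No BitLocker-managed operating system volume found.' }

$types = $osVolume.KeyProtector | ForEach-Object { $_.KeyProtectorType }
Write-Host "Volume $($osVolume.MountPoint): protection=$($osVolume.ProtectionStatus), protectors=$($types -join ', ')"

# TPM-only means the volume key is released automatically at boot, so the disk
# is already readable by the time the sign-in screen appears.
$tpmOnly = ($types -contains 'Tpm') -and -not ($types -contains 'TpmPin')
if (-not $tpmOnly) {
    Write-Host 'Volume is not TPM-only; nothing to change.'
    return
}

# Make sure a recovery password exists and show it so it can be recorded
# before any protector is removed (losing it means reformatting the disk).
if (-not ($types -contains 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $osVolume.MountPoint -RecoveryPasswordProtector | Out-Null
    $osVolume = Get-BitLockerVolume -MountPoint $osVolume.MountPoint
}
$osVolume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    ForEach-Object { Write-Host "Recovery password (write this down): $($_.RecoveryPassword)" }

# Replace the bare TPM protector with a TPM+PIN protector.
$pin = Read-Host -AsSecureString 'Enter a new pre-boot PIN (digits, at least 6)'
$osVolume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'Tpm' } |
    ForEach-Object { Remove-BitLockerKeyProtector -MountPoint $osVolume.MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null }
Add-BitLockerKeyProtector -MountPoint $osVolume.MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

# Verify the result: TpmPin should now be listed and Tpm should be gone.
$after = (Get-BitLockerVolume -MountPoint $osVolume.MountPoint).KeyProtector | ForEach-Object { $_.KeyProtectorType }
Write-Host "Protectors now: $($after -join ', '). Reboot to confirm the PIN prompt appears before Windows loads."
```

If the policy does not yet allow a startup PIN, Add-BitLockerKeyProtector fails before anything is changed, so run the policy step from the linked guide first.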
  • Thanks Ronald, that's the answer I was looking for. It is more secure setting a pin so I will be doing this.

    Regards David

    Thursday, June 20, 2019 4:10 PM