Bitlocker, TPM and Windows password.

  • Question

  • I have a laptop that has a TPM (ver 2.0).  It also has an SSD (OS drive) and a platter hard drive (data drive).  I have encrypted both with Bitlocker.  I know if someone removes the drive from the laptop they will not be able to decrypt them.

    My question is:  With previous versions of Windows you could get around a forgotten local login password by using a Windows install disc (I assume--perhaps falsely--this is still true with Windows 10).  If someone stole my laptop and changed the Windows password (without knowing mine and I'm not using a startup PIN) would the TPM and/or Bitlocker prevent them from unlocking/decrypting the drives?

    Friday, November 20, 2015 8:39 PM

Answers

  • To start with, a thief could not change your Windows password at all. With a Bitlocker-encrypted hard drive utilizing a TPM, they would not be able to access the data on your hard drive without your Bitlocker recovery key. If they could, Bitlocker would be pointless. This process you refer to of resetting local admin passwords would still work on Windows 10 if not for you encrypting it.

    When the machine boots into some media other than your standard hard drive, the TPM will recognize that some other media is being used. As a result, it won't unlock your hard drive. If an attacker booted from a Windows install disc (or a Linux distro), all of your Windows 10 data would still be secured by Bitlocker, fully encrypted. It would require the attacker having your Bitlocker recovery key to be able to interact with your encrypted hard drive from his bootable media.

    I am not entirely sure how Bitlocker works for external drives, but I think it would work the same way.

    Friday, November 20, 2015 9:03 PM

All replies

  • The above comment is true and yes, also for non-OS drives.

    But, since you say you run BL with only the tpm as protector (no startup PIN), there's still the chance to break in using DMA attacks which are well documented and can be carried out by script kiddies. The attacker would connect to your firewire port (if any) and circumvent the login - it's an old trick.

    So to be secure, set a startup PIN! Instead, you could also disable firewire (and other DMA devices/interfaces) in the BIOS. Re-enabling it (if the attacker went for it) would cause BL to make him enter a recovery key, which he hasn't got ;)

    Also, in Win10's latest update 1511, MS introduced a DMA-attack-blocker, but made it unusable for the end user, at least we cannot set it manually, see my thread 

    Monday, December 21, 2015 1:09 PM
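Added example (not part of the thread or of any poster's reply): a PowerShell audit of the key protectors on each BitLocker volume, flagging an OS volume that relies on the TPM alone (the no-PIN configuration discussed above), plus the TPM+PIN change the reply recommends. It assumes an elevated session with the built-in BitLocker module; the function names are my own.

```powershell
# Added example, not from the thread. Lists each volume's BitLocker key protectors and
# flags an OS volume protected by the TPM alone (no pre-boot PIN or startup key).
function Get-BitLockerProtectorAudit {
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        # Pre-boot authentication exists if the TPM protector also needs a PIN or startup key.
        $hasPreBootAuth = ($types -contains 'TpmPin') -or
                          ($types -contains 'TpmPinStartupKey') -or
                          ($types -contains 'TpmStartupKey')
        $tpmOnly = ($types -contains 'Tpm') -and -not $hasPreBootAuth

        if ($vol.ProtectionStatus -ne 'On') {
            $finding = 'Protection not on'
        } elseif ($vol.VolumeType -eq 'OperatingSystem' -and $tpmOnly) {
            $finding = 'TPM-only: no pre-boot PIN, consider TPM+PIN'
        } else {
            $finding = 'OK'
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType        # OperatingSystem or Data
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            HasRecoveryKey   = ($types -contains 'RecoveryPassword')
            Finding          = $finding
        }
    }
}

# Remediation the reply suggests: add a TPM+PIN protector to the OS volume and drop the
# bare TPM protector so the PIN is actually required at boot. The Group Policy setting
# "Require additional authentication at startup" must allow TPM+PIN first; by default
# Add-BitLockerKeyProtector refuses a PIN. Keep the recovery password protector in place.
function Add-StartupPinToOsVolume {
    param([Parameter(Mandatory)][securestring]$Pin)

    $os = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    Add-BitLockerKeyProtector -MountPoint $os.MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null

    $os = Get-BitLockerVolume -MountPoint $os.MountPoint
    $os.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' } | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $os.MountPoint -KeyProtectorId $_.KeyProtectorId
    }
}

Get-BitLockerProtectorAudit | Format-Table -AutoSize
```

Run the audit first; only call `Add-StartupPinToOsVolume (Read-Host -AsSecureString 'PIN')` once the recovery password has been backed up, since a forgotten PIN then falls back to that key.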
  • Thanks for the heads up Ronald.

    Luckily, I have no firewire ports or expresscard slots so I think I'm good.

    Monday, December 21, 2015 2:04 PM
  • You make a valid point about the DMA ports, but most newer computers have moved away from these as they do more harm (security) than good.

    But while we're discussing theoretical attack vectors, don't forget that a no-PIN setup is also vulnerable to a cold-boot attack... but would the average thief bother with it? Nope.

    If you're protecting secrets related to national security, use pre-boot authentication (PIN, etc.), but if you're an average user, a TPM should suffice.

    What is a cold boot attack? : https://www.cs.princeton.edu/~jcalandr/papers/coldboot-usenix08.pdf

    How feasible is a cold boot attack? : http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA545078 (not very)... sorry for the sketchy link, but it's legit and Microsoft links to it as well (https://technet.microsoft.com/en-us/library/dn632182.aspx)
    • Edited by ClearWindows7 Monday, December 21, 2015 2:23 PM Clarification
    Monday, December 21, 2015 2:22 PM