Bitlocker with USB key or TPM

  • Question

  • I'm considering deploying BitLocker on my servers that have a TPM or USB key; however, I wonder if this even makes sense.
    If someone has physical access to the server they can also access the TPM or USB key and access the data, correct?

    Then what is the point in using bitlocker? It makes sense if someone removes the SSD or HDD from the server, but not when they have access to the entire system.

    Monday, July 6, 2015 8:06 PM

Answers

  • It's like this: with the TPM in effect, you can boot the server hands-free, so if it crashes, it will restart automatically unattended, which is a very important thing. Also, it will not require attendance for maintenance reboots like for updates.

    If an attacker steals the machine, he can boot it but he cannot log on. If it is outside the domain environment, the network firewall will by default block all network access. In other words, there's no way to get in.

    The only attack scenario would be the cold boot attack as shown here https://www.youtube.com/watch?v=JDaicPIgn9U which is a realistic scenario if the memory is removable and you think the attacker is really prepared to do it.

    Tuesday, July 7, 2015 9:32 AM
  • Surely, USB thumb drives are supported as a protector, but for a server, it would make no sense, because it should be able to restart unattended. Therefore, we would have to leave the USB key plugged in, which is nonsense.

    About theft being a "low risk situation" - watch my linked YouTube clip, it all depends on who we have to fear.

    Thursday, July 9, 2015 6:58 AM

All replies

  • Hi Gijs007,

    BitLocker encrypts the hard drives on your computer to provide enhanced protection against data theft or exposure on computers and removable drives that are lost or stolen, and more secure data deletion when BitLocker-protected computers are decommissioned, as it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive. Therefore, if you enable BitLocker, computer theft is a very low-risk situation.

    The TPM is an important component in BitLocker, but as far as I know a USB dongle is not supported when you use BitLocker.

    More information.

    BitLocker Frequently Asked Questions (FAQ)

    https://technet.microsoft.com/en-us/library/hh831507.aspx#BKMK_WhatIsBitLocker

    Using Smart Cards with BitLocker

    https://technet.microsoft.com/en-us/library/dd875530(v=ws.10).aspx

    I'm glad to be of help to you!

    Thursday, July 9, 2015 2:39 AM
    Moderator
  • But if someone in the datacenter can just boot up the server, don't they have access to the data as well?
    I've noticed that even if the server is just booted (but no user has logged in), applications that run as a service can already access the data on the encrypted hard drive (at least when auto-unlock is enabled, which is desired because we want the server to be up and running after a power outage without admin intervention).


    I don't see how it's safe to use a TPM or USB key; isn't it like leaving a key inside your door, so that anyone can unlock it?
    Thursday, July 16, 2015 12:48 AM
  • You read my description, I hope. What is unclear about it?

    If you use a firewall, which is the default, you cannot drive network attacks. And you cannot log on without having a password. And you cannot take out the drive and read it elsewhere. What scenario are you thinking of?

    Thursday, July 16, 2015 7:17 AM
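The thread turns on which key protectors a volume actually carries: a TPM-only protector gives the unattended reboot the first answer wants, while auto-unlock on data volumes gives the "services can read the data right after boot" behaviour Gijs007 observed. The audit script below is an added example, not code from the thread or from Microsoft; it assumes the BitLocker PowerShell module (Windows Server 2012 / Windows 8 and later) and an elevated session, and it only reads configuration. The cmdlets and property names (Get-BitLockerVolume, KeyProtectorType, AutoUnlockEnabled, VolumeType) are part of that module; the function name and the finding texts are my own.

```powershell
# Added example (not from the original thread): report which BitLocker
# protectors each volume carries so the trade-offs discussed above
# (unattended TPM boot, auto-unlock, missing recovery key) are visible.
# Assumes the BitLocker module and an elevated PowerShell session.

function Get-BitLockerProtectorAudit {
    [CmdletBinding()]
    param()

    # Protector types that require something besides the TPM at boot time.
    $interactiveTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password')

    foreach ($vol in Get-BitLockerVolume) {
        $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $findings = New-Object System.Collections.Generic.List[string]

        if ($vol.ProtectionStatus -ne 'On') {
            $findings.Add('Protection is not on; the volume is readable without any key')
        }

        # TPM-only on the OS volume: the firmware releases the key to any
        # unmodified boot of this machine, so confidentiality rests on the
        # OS logon, the host firewall and physical custody (the point made
        # in the accepted answer).
        $hasInteractive = ($types | Where-Object { $_ -in $interactiveTypes }).Count -gt 0
        if ($types -contains 'Tpm' -and -not $hasInteractive) {
            $findings.Add('TPM-only protector: boots and unlocks unattended; no pre-boot secret required')
        }

        # Auto-unlock on a data volume: the OS volume holds the key, so every
        # service running after boot can read the data (Gijs007''s observation).
        if ($vol.VolumeType -eq 'Data' -and $vol.AutoUnlockEnabled -eq $true) {
            $findings.Add('Auto-unlock enabled: readable by any process once the OS volume is up')
        }

        # A USB startup key that must stay plugged in is functionally the
        # same as no pre-boot secret when the attacker takes the whole chassis.
        if ($types -contains 'ExternalKey' -and $vol.VolumeType -eq 'OperatingSystem') {
            $findings.Add('USB startup key protector: only useful if the key is removed after boot')
        }

        # Without a recovery password, a TPM change or firmware update locks
        # the operator out along with the attacker.
        if (-not ($types -contains 'RecoveryPassword')) {
            $findings.Add('No RecoveryPassword protector escrowed')
        }

        [PSCustomObject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            Findings         = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'none' }
        }
    }
}

# Usage: run elevated, then review the Findings column.
Get-BitLockerProtectorAudit | Format-Table -AutoSize -Wrap
```

Run it on a server configured as the thread recommends and the OS volume will show the "TPM-only" finding and any data volumes the "auto-unlock" finding. Neither is a misconfiguration; they are the cost of unattended restarts, and the script exists so that cost is written down rather than discovered the way Gijs007 discovered it. Where unattended boot is not required, adding a PIN (for example with `Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector -Pin $securePin`) closes the "anyone who can boot it" gap at the price of a person at the console on every restart.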