Those who were around for the release of Microsoft's BitLocker, originally announced as Secure Startup, will remember that it was supposed to eliminate the need for third-party security software altogether. BitLocker was going to protect our devices against every kind of attack and make sure we never lost data again.
BitLocker is genuinely good. It is nicely integrated into Windows, it does its job well, and it is easy to operate. Because it was pitched as a way to "protect the integrity of the operating system," most people who use it deploy it in TPM-only mode, which needs no user interaction at all to boot the system.
That is where the real problem starts.
How many users have a TPM chip in their laptop? Everybody, we bet; it is a near-universal piece of hardware these days. But do you remember going through the personalization (ownership) step for the chip, enabling it in the BIOS, and so on? Remember, TPMs of that generation shipped disabled and deactivated, and had to be enabled, activated and owned by hand. (Later Windows versions auto-provision the TPM, but the same "is it actually ready?" check still applies.)
You didn't do that before you rolled out your laptops? In that case, BitLocker is going to be a bit of a struggle for you.
Point 1) To use BitLocker without additional authentication, you need a hardware TPM chip that is present, enabled, activated and owned.
Point 2) BitLocker in TPM-only mode is vulnerable to cold boot, FireWire (DMA) and BIOS keyboard buffer attacks.
There are a few simple attacks on TPM-only machines. Search for "BitLocker cold boot," "BitLocker forensic tool" or "BitLocker FireWire" and you will find multiple research papers, and even a few tools, that will unlock your "protected" device and recover the data. There was even a trivial method that allowed an attacker to gain access to a BitLocker-protected system; it was only recently patched.
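The two points above are easy to check on a machine you already have. The following PowerShell is an added example, not code from the original article: it reports whether the TPM is actually usable (Point 1) and whether the OS volume unlocks with a bare TPM protector and nothing in front of it, which is the configuration the cold boot and DMA attacks target (Point 2). It assumes Windows 8.1 or later with the TrustedPlatformModule and BitLocker PowerShell modules, run from an elevated prompt; the function name is ours.

```powershell
# Added example (not from the original article). Audits the TPM state and the
# OS volume's key protectors to flag the weak TPM-only setup. Assumes Windows 8.1+
# with the TrustedPlatformModule and BitLocker modules, elevated prompt.

function Test-BitLockerPreBootAuth {
    # Point 1: a TPM protector is only usable when the chip is present, enabled,
    # activated and owned. Get-Tpm requires administrator rights.
    $tpm = Get-Tpm
    $tpmReady = $tpm.TpmPresent -and $tpm.TpmReady -and $tpm.TpmEnabled -and
                $tpm.TpmActivated -and $tpm.TpmOwned
    if (-not $tpm.TpmPresent) {
        Write-Warning 'No TPM detected: BitLocker would need a USB startup key or password instead.'
    } elseif (-not $tpmReady) {
        $msg = 'TPM present but not ready (Enabled={0} Activated={1} Owned={2}); enable it in firmware or run Initialize-Tpm.' -f
               $tpm.TpmEnabled, $tpm.TpmActivated, $tpm.TpmOwned
        Write-Warning $msg
    }

    # Point 2: classify the OS volume's protectors. A bare 'Tpm' protector with no
    # TpmPin / TpmStartupKey / TpmPinStartupKey (or ExternalKey / Password) protector
    # means the disk unlocks with no user interaction at all.
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($osVol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $preBoot = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'ExternalKey', 'Password')
    $hasPreBootAuth = @($types | Where-Object { $preBoot -contains $_ }).Count -gt 0

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        Volume           = $osVol.MountPoint
        TpmReady         = [bool]$tpmReady
        ProtectionStatus = $osVol.ProtectionStatus   # Off = decrypted or suspended (clear key on disk)
        VolumeStatus     = $osVol.VolumeStatus       # FullyEncrypted, EncryptionInProgress, FullyDecrypted ...
        Protectors       = ($types -join ',')
        TpmOnly          = (($types -contains 'Tpm') -and -not $hasPreBootAuth)
        PreBootAuth      = $hasPreBootAuth
    }
}

Test-BitLockerPreBootAuth | Format-List
```

A result with `ProtectionStatus = On`, `Protectors = Tpm,RecoveryPassword` and `TpmOnly = True` is exactly the "protected" laptop the search terms above will turn up tools for; `TpmOnly = False` with a `TpmPin` protector is the mode the rest of this piece argues for.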
To make a device secure, and by that we mean to save you from having to disclose a loss of personal data to all of your users when the machine goes missing, you have to use some form of pre-Windows (pre-boot) authentication. Even Microsoft recommends this mode of operation.
Turning on authentication in BitLocker gives you two choices. You can set a PIN for the device and, if you want, you can also use a USB storage device as a startup key. We wrote "PIN"; we certainly did not write "your Windows user ID and password." In fact, we did not mention users at all. BitLocker supports exactly one set of pre-boot credentials, so if more than one person uses a device, you are going to have to share them with everybody.
Point 3) BitLocker is only safe if you use a PIN or a USB startup key for pre-boot authentication.
Point 4) There is no relationship between your Windows credentials and your BitLocker credentials.
Point 5) BitLocker has no concept of more than one user.
Even Microsoft's own experts advise a PIN of at least six characters together with the TPM, and advise against running in TPM-only mode.
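What that recommendation looks like in practice, as an added example (not code from the original article): move the OS volume to TPM + PIN and escrow a recovery password, so that nobody needs a spreadsheet of PINs to get a locked machine back. It assumes an elevated prompt on Windows 8.1 or later with the BitLocker module, a TPM that is already ready (see Get-Tpm), group policy "Require additional authentication at startup" (Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives) allowing a startup PIN, and "Store BitLocker recovery information in Active Directory Domain Services" enabled if the AD backup step is to succeed. The XtsAes256 method requires Windows 10 version 1511 or later; use Aes256 on older builds.

```powershell
# Added example (not from the original article). Converts the OS volume from
# TPM-only to TPM + PIN and escrows a recovery password in AD. Assumes elevated
# prompt, Windows 8.1+, TPM ready, and policy that permits a startup PIN.

$vol = $env:SystemDrive

# The PIN is typed by the person who will boot the machine, never read from a list.
# Enable-BitLocker / Add-BitLockerKeyProtector expect a SecureString.
$pin = Read-Host -Prompt 'Enter the startup PIN (6 or more characters)' -AsSecureString

$state = Get-BitLockerVolume -MountPoint $vol
if ($state.VolumeStatus -eq 'FullyDecrypted') {
    # Not encrypted yet: encrypt with TPM + PIN as the only unlock protector.
    Enable-BitLocker -MountPoint $vol -TpmAndPinProtector -Pin $pin `
        -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest | Out-Null
} else {
    # Already encrypted, typically in TPM-only mode. Adding a TPM + PIN protector
    # takes the place of the TPM-based protector, so the next boot asks for the PIN.
    Add-BitLockerKeyProtector -MountPoint $vol -TpmAndPinProtector -Pin $pin | Out-Null
}

# Belt and braces: if a bare TPM protector is still present, remove it so that no
# unlock path exists that skips the PIN.
Get-BitLockerVolume -MountPoint $vol |
    Select-Object -ExpandProperty KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'Tpm' } |
    ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $vol -KeyProtectorId $_.KeyProtectorId | Out-Null
    }

# Recovery path for a forgotten PIN: a 48-digit recovery password, escrowed to AD.
# This is what lets the helpdesk recover the machine without sharing the PIN.
$after = Add-BitLockerKeyProtector -MountPoint $vol -RecoveryPasswordProtector
$rpId  = ($after.KeyProtector |
          Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
          Select-Object -Last 1).KeyProtectorId
Backup-BitLockerKeyProtector -MountPoint $vol -KeyProtectorId $rpId | Out-Null

# Show the end state: expect TpmPin + RecoveryPassword, no bare Tpm protector.
Get-BitLockerVolume -MountPoint $vol |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus,
        @{ Name = 'Protectors'; Expression = { ($_.KeyProtector.KeyProtectorType -join ',') } }
```

The same operations are available from `manage-bde` (`-protectors -add C: -tpmandpin`, `-protectors -adbackup`), which is the "command-line script" way of working that the end of this piece pokes fun at.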
So now you lucky BitLocker users have PCs that are secure, maybe with a TPM, but in particular with some form of authentication that is shared between the owner of the device and the administrator. You probably have an Excel spreadsheet with everybody's PIN in it.
Point 6) BitLocker PINs are function-key based (F1 to F10 standing in for the digits) and BitLocker does not support non-US keyboard layouts in the pre-boot environment. (Windows 7 and later can allow "enhanced PINs" with letters and symbols through group policy, but only where the computer's firmware supports them; elsewhere you are back to the function keys.)
For all of you who have deployed PKI smart cards, bought laptops with fingerprint readers, or use tokens such as SafeNet cards, Datakey cards, ActivIdentity cards, PIV cards, Common Access Cards, eToken keys and so on: you would like to be able to use them to authenticate to your PCs, wouldn't you?
Point 7) BitLocker supports only USB storage devices and PINs for pre-boot authentication, with no integration with any other kind of token.
Point 8) Active Directory and other server infrastructure are needed to administer BitLocker in a corporate environment.
You want to use BitLocker to encrypt your devices so that when they get lost or stolen, you won't have to pay fines or tell everybody that you lost their data. You lost the device, sure, but because the data was encrypted, nobody can get at it.
To use this "get out of jail" card you need to be able to prove a couple of things:
- The protection method was appropriate given the type of data.
- The data was actually protected at the time of the loss.
So, applying those tests, another rule appears:
Point 9) You need additional software to prove that BitLocker was enabled and protecting the hard drive at the time of the theft if you want to claim the safe harbour that personal-data breach laws give to encrypted devices.
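The evidence Point 9 asks for has to exist somewhere other than the stolen laptop. The following PowerShell is an added example, not code from the original article: run from a scheduled task (for instance hourly and at logon), it records each volume's encryption and protection state, with a UTC timestamp, to a local file and to a central share, so the last record before a device vanished shows whether it was protected at the time. It assumes Windows 8.1 or later with the BitLocker module, an elevated context, and a placeholder share `\\fileserver\bitlocker-evidence$` that the machine account can append to; the function name is ours.

```powershell
# Added example (not from the original article). Records BitLocker protection
# evidence per volume to a local CSV and a central share. Assumes Windows 8.1+,
# elevated context, and a placeholder share the machine account can write to.

$EvidenceShare = '\\fileserver\bitlocker-evidence$'   # placeholder, replace with yours

function Get-BitLockerEvidence {
    # One record per volume. ProtectionStatus is the field that matters for breach
    # notification: 'On' means the keys are sealed behind the protectors; 'Off' means
    # the volume is decrypted or suspended with a clear key sitting on disk.
    $now = (Get-Date).ToUniversalTime().ToString('o')
    $preBoot = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'ExternalKey', 'Password')
    foreach ($v in Get-BitLockerVolume) {
        $types = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            TimestampUtc     = $now
            Computer         = $env:COMPUTERNAME
            MountPoint       = $v.MountPoint
            VolumeType       = $v.VolumeType          # OperatingSystem or Data
            VolumeStatus     = $v.VolumeStatus
            ProtectionStatus = $v.ProtectionStatus
            EncryptionMethod = $v.EncryptionMethod
            PercentEncrypted = $v.EncryptionPercentage
            Protectors       = ($types -join ';')
            PreBootAuth      = (@($types | Where-Object { $preBoot -contains $_ }).Count -gt 0)
            # "Protected at the time of loss" means fully encrypted AND protection on.
            Protected        = (($v.ProtectionStatus -eq 'On') -and ($v.VolumeStatus -eq 'FullyEncrypted'))
        }
    }
}

$records = Get-BitLockerEvidence

# Local copy first (survives a share outage), then the central copy that survives
# the laptop. Export-Csv -Append needs PowerShell 3 or later.
$records | Export-Csv -Path (Join-Path $env:ProgramData 'BitLockerEvidence.csv') -Append -NoTypeInformation
try {
    $records | Export-Csv -Path (Join-Path $EvidenceShare "$env:COMPUTERNAME.csv") -Append -NoTypeInformation
} catch {
    Write-Warning "Central evidence share unreachable; local record kept: $($_.Exception.Message)"
}

# The local BitLocker operational log also records suspend/resume/decrypt events, but
# it leaves with the laptop, which is why the records above are pushed off the device.
Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Whether a timestamped CSV counts as proof is a question for your regulator, but "the last record before the theft shows `Protected = True` on the OS volume, with a `TpmPin` protector" is the statement you will be asked to back up.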
Point 10) BitLocker supports only Windows, with no support for other operating systems such as the Mac or Linux.
You may think we are not huge fans of BitLocker, but that is far from the truth. We would use it, and we would recommend it to friends. We see it as really good for technical, self-reliant users. But that is not the market it is being promoted to. Nothing fills us with dread more than a productivity product that needs yet another password, requires specific hardware that is not enabled by default, presents users with a black screen with white text, does not obey our existing password/PIN lifetime policies, does not work on non-US keyboards, and has no audit-friendly output for the main purpose it serves, namely to tell us whether this stolen machine is a problem.
One of us really likes it, for the following reasons:
- He just likes things done the hard way.
- BitLocker is mostly controlled from the command line.
- It never forces him to change his PIN.
- He gets to use the TPM chip, even though it took him a whole day to work out how to enable it.
- He can turn it on and off whenever he likes without the corporate IT people knowing.
- He can write fancy scripts to turn it on and off.
- He gets a nice DOS-like screen when he turns on his machine, just like 20 years ago.
- His local IT team can't come and use his machine, or see what's stored on it, without him knowing.