BitLocker Questions

[primexx]

Hello,

 

My Surface obviously has BitLocker enabled out of the box, and I'm considering enabling it on my laptop too. I've never gone thorugh the process of enabling BitLocker (since Surface was OOBE), so I want to clarify some questions to decide whether BitLocker is suitable for my purpose. Searching online has only yielded very unspecific guides.

 

I don't consider BitLocker to be Secure?, but I'm considering enabling it to thwart common thieves rather than government agents. Because of this I also don't want to set up a pre-boot password.

 

1. Is it possible, with a TPM, to set it up like it works on the Surface where it's completely transparent to me?

 

2. Does enabling BitLocker with TPM-only protect against rudimentary attacks like, for e.g. the old NTLM trick where you can just delete the Windows login password? Basically, I just want to force somebody to not be able to by-pass the Windows authentication (and its flood controls) trivially.

 

2b. More general form of the above: if somebody uses a boot disk/live CD/etc, what can they do if BitLocker is enabled with TPM-only?

 

3. What affects does enabling BitLocker have on taking and restoring full disk images with CloneZilla?

 

Thanks a bunch!

[BritBronco]

I had to alter the GPO to get it to prompt for a password on my Surface Pro 2. I think by default it encrypts but you don't need a password/key unless you move the drive to another PC.

 

I take backups using AOMEI Backupper Standard, and they end up much larger than a pc without bitlocker. I can browse the images but i have not attempted a full restore.

[Argi]

1. Yes, if you have a TPM.  You won't need a USB Key or password prompt to boot.

 

2. Bitlocker is independent from any auth.  If you can break past the login screen somehow, you can do it encrypted or not.  I'm not sure what attacks specifically you're thinking of.

 

2b. If you allow it to boot from CD or USB in the BIOS, it will behave exactly the same.  The content of the drive they won't be able to see but they can format it and do a fresh install.

 

3. I can imagine it won't play nicely with any sort of drive-level image backups.  Maybe if you restore it, and you have the 32-bit key (different to the unlock password), then another WIndows PC could access it.

 

And just in general, I think you can treat Bitlocker as extremely secure.  Even if you don't have a pre-boot password, they would have to somehow read off the drive while it's on the login screen.  If they tried to pull the key out of the TPM it will trip and signal a self destruct of the data.

[primexx]

 

2. Bitlocker is independent from any auth.  If you can break past the login screen somehow, you can do it encrypted or not.  I'm not sure what attacks specifically you're thinking of.

I'm thinking of the classic trick where you boot to a live CD then just edit the password store to blank out the password field. It appears that I got the wrong name for it (it's been a while). I would assume that BitLocker will prevent that if it's stored in the encrypted portion rather than the bootloader portion. But wanted to double check with somebody who might know more. Basically, I wonder if it'll enforce "you have to use this hardware with this device's rate limiting restrictions if you want to break into an existing account, rather than being able to take what you want out and breaking it on your own hardware".

 

 

3. I can imagine it won't play nicely with any sort of drive-level image backups.  Maybe if you restore it, and you have the 32-bit key (different to the unlock password), then another WIndows PC could access it.

Yea, trying to restore the image onto another devices will be a problem, but I don't see why restoring the image onto the same device in the future should pose a problem, unless the TPM saves state information. Not a huge concern for me I guess.