Bitlocker with key on USB, how secure?


Recommended Posts

Hi,

 

I've come across a friend's setup where he has secured his boot/system hard drive using Windows 7 Bitlocker using a key stored on a USB drive that he always leaves in the computer (with no startup PIN). If his PC was stolen how secure would it actually be?

 

We've discussed it at length as I'm pretty sure that it is the equivalent of locking your house but leaving the keys in the door. Do any of you know for a fact how secure this actually is? I'd also appreciate any articles or references that state the facts about this?

 

Any help greatly appreciated!

Link to comment
Share on other sites

just to clarify this is security from a "relatively determined  techie willing to spend some time on it" point of view and not from a "hide stuff from the FBI" point of view!

Link to comment
Share on other sites

Well if you always leave the usb key in, what exactly is the point?

I am going to have to agree with you, but if someone didn't know and they inadvertently took it out and wiped the usb then the information on the hard drive would be useless, but common theft really aren't after what is on the hard drive,.... They want the hardware.

  • Like 1
Link to comment
Share on other sites

Well if you always leave the usb key in, what exactly is the point?

I am going to have to agree with you, but if someone didn't know and they inadvertently took it out and wiped the usb then the information on the hard drive would be useless, but common theft really aren't after what is on the hard drive,.... They want the hardware.

 

Well the Windows install does have password protected users so if a thief powered it on they would see a logon prompt. I'm not 100% sure of how the PC would operate if the thief tried a basic recovery disk or even just reinstalled Windows over the top. Would it just find the key on the USB drive and allow access to all the PC's files as though it was not even encrypted for example or is it better than that?

Link to comment
Share on other sites

The windows password can be easily cracked it is about as secure as a twisty tie keeping thieves away. There are plenty of password reset utilities available by a Google search.

Link to comment
Share on other sites

The windows password can be easily cracked it is about as secure as a twisty tie keeping thieves away. There are plenty of password reset utilities available by a Google search.

 

But would Bitlocker block them being able to do the pw reset though (at least the typical/mainstream ones)? Or would the PC boot into password reset utility and access the Bitlocker'd drive using the USB drive's encryption key?

Link to comment
Share on other sites

If he leaves it in all the time it's completely useless. If nothing else, the thief could just boot into Windows To Go, and then decrypt the C:\ drive and take all the data that way.

I know you're not talking about the FBI and stuff, but it's legally safer to have a password instead of a USB key, since the government can force you to hand over a physical key, while they can't force you to incriminate yourself by telling them the encryption password.

Link to comment
Share on other sites

But would Bitlocker block them being able to do the pw reset though (at least the typical/mainstream ones)? Or would the PC boot into password reset utility and access the Bitlocker'd drive using the USB drive's encryption key?

Yes and no. If you can uninstall bit locker with the usb installed that is moot, uninstalling bit locker will negate the security bit locker provides

Link to comment
Share on other sites

The way he has it setup is like putting your car in a vault, but leaving the vault door open. The only real defense left is the car's door locks (Windows Password), the vault itself (Bitlocker) is totally useless unless you lock the door.

  • Like 1
Link to comment
Share on other sites

All of the above pretty much mirrors my thoughts on it. I was hoping for some clear cut reference though that demonstrates it's a futile step without having to resort to testing it in practice. Does anyone know of any or is it so bad that nobody has given it any serious consideration?

Link to comment
Share on other sites

I would say don't bother unless its on a HDD that in a system supports TPM. What I see happening a lot is for BL is doing it for a USB key the data does get corrupted easy. I have had 5 of these to get corrupted in this past year alone. I am not sure what it is about usb keys but not HDDs.

Link to comment
Share on other sites

 

?When BitLocker is suspended, BitLocker keeps the data encrypted but encrypts the BitLocker volume master key with a clear key.? ? Is that so? 

More digging around the documentation did finally reveal that yes, Microsoft knows that the system must be logged out "gracefully" for encryption to work.

Source

 

Unlock BitLocker under Windows PE

 

 

To unlock a BitLocker encrypted drive from the command prompt, you need the Windows command manage-bde. However, if you only have a common bootable Windows PE USB stick, your heroic deed will miserably fail with this error message:

ERROR: An error occurred (code 0?80040154):

Class not registered

Link to comment
Share on other sites

Actually, if he has this set up properly it is secure, as you'd need to log in to make use of the bit locker locked files, and while windows passwords can be "easily" broken, that doesn't apply when the profile is protected by bit locker.

So basically without knowing his windows password you're getting nowhere, and with a bit locker protected profile you can't get it.

Also windows passwords aren't that easy to break in windows 7 and 8 either even without encryption. And if the password is long enough you can't break it anyway. You can only remove it, which again isn't possible in this situation.

Link to comment
Share on other sites

If you look up Kon-Boot the basic windows password requirement is removed as is the by-pass using a command window on boot up to gain admin rights.

Link to comment
Share on other sites

It isn't just the profile that would have to be locked, it would have to be the Sam too. If the Sam is left unlocked the password can be reset and the encrypted profile would be useless to password hacks. I don't think windows did away with the Sam database.

Link to comment
Share on other sites

I believe it was said that if you used bitlocker it would be encrypted as well.

 

even if you managed to wipe that password though, you still wouldn't get access to any of the data or the actual profile since it would still be encrypted and you wouldn't have the password. 

Link to comment
Share on other sites

If you do not have a Trusted Platform Module, usage of a PIN in conjunction with a USB drive is advised.

The USB drive will not prevent thieves from accessing data if both the laptop and its USB drive were stolen. Bitlocker would be useless.

Link to comment
Share on other sites

Despite the helpful replies I didn't quite get the definite confirmation I was looking for so I decided to take the time and test it myself.

 

I setup a PC with bit locker and the startup key on the USB drive (not the recovery key). I took out the hard drive, connected via a USB SATA connector. I then used the USB's key filename.bek file and unlocked the drive using the manage-bde command. Took less than 2 minutes and I could see all the files on the drive so it was absolutely owned!

 

I'm not going to bother trying an ERD disc but I'm sure the principle the same.

 

End result: encrypting with a USB drive that you leave in the computer is just like locking your car but leaving the keys in the lock. It's technically locked but might as well not be!

Link to comment
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.