Security of BitLocker with no PIN from WinPE

bitlocker, disk-encryption, encryption, windows-pe

Say you have a computer with the system drive encrypted by BitLocker and you're not using a PIN so the computer will boot up unattended. What happens if an attacker boots the system up into the Windows Preinstallation Environment? Will they have access to the encrypted drive?

Does it change if you have a TPM vs. using only a USB startup key?

What I'm trying to determine is whether the TPM / USB startup key is usable without booting from the original operating system. In other words, if you're using a USB startup key and the machine is rebooted normally then the data would still be protected unless an attacker was able to log in. But what if the hacker just boots the server into a Windows Preinstallation Environment with the USB startup key plugged in? Would they then have access to the data? Or would that require the recovery key?

Ideally the recovery key would be required when booted like this, but I haven't seen this documented anywhere.

Best Answer

TPM is secure because it "watches" the boot process; when your normal Windows installation boots, it follows the "normal" boot path, and the TPM recognizes this and will only store/retrieve keys when this process has been followed. If you boot any other way, even just safe mode, you'll "change" that process and the TPM will not "unlock".

Technically the key is stored in the TPM chip, and it's theoretically possible to slice open this chip and get to the data. TPM is a vault like any other; it's always theoretically possible to break into a vault given enough time and resources. To publicly available knowledge, this has never happened. But this is half the reason the PIN and USB Key options exist. Trying to brute-force the actual AES-256 encryption key would take a ridiculous amount of time.

If your drive only requires the USB Key, then it would be possible to use only that even from WinPE to unlock the drive.

We use BitLocker where I work. Each drive has two protectors, the TPM key and a Recovery Key that is automatically published to Active Directory. The computer starts like normal and users don't know it's encrypted unless they look. When I take the computer in to be serviced/wiped/etc., I use the manage-bde command line tool in WinPE to unlock and access the drive, using the Recovery Key to unlock the drive.

Also keep in mind that the GUI doesn't present all of the available BitLocker options. The command line tool manage-bde does. For most people the GUI is good enough to get started, but the CLI tool will be necessary for advanced setups and may present you with a better understanding of the technology.
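The WinPE procedure the answer describes, as an added example that is not part of the original question or answer: list the protectors on the system volume, confirm it is locked, and unlock it with either the 48-digit recovery password (the protector that the answer says is escrowed to Active Directory) or a .BEK file from a USB startup/recovery key (the case the answer says works without the TPM). It assumes manage-bde.exe is available in the WinPE image (normally via the WinPE-SecureStartup optional component); the drive letter, recovery password and key path are placeholders, not real values.

```powershell
# Added example, not from the original post. Unlock a BitLocker system volume
# from WinPE with manage-bde, using the recovery password (escrowed to AD in the
# answer's setup) or a .BEK startup/recovery key file from a USB stick.
param(
    [string]$Drive = 'C:',
    # 48-digit recovery password as stored in AD. Placeholder value, not a real key.
    [string]$RecoveryPassword = '111111-222222-333333-444444-555555-666666-777777-888888',
    # Optional: path to a .BEK file from a USB startup key or recovery key. Placeholder path.
    [string]$BekPath = ''
)

function Get-BdeLockStatus([string]$Volume) {
    # "manage-bde -status" prints a "Lock Status: Locked|Unlocked" line for the volume.
    $out = & manage-bde.exe -status $Volume 2>&1
    $m = $out | Select-String 'Lock Status:\s+(\w+)' | Select-Object -First 1
    if (-not $m) { throw "Could not read BitLocker status for $Volume (is manage-bde available in this WinPE image?)" }
    return $m.Matches[0].Groups[1].Value
}

# 1. Show which key protectors exist. On the answer's setup this lists a TPM
#    protector and a Numerical Password (recovery) protector. Booted into WinPE
#    the TPM protector is useless: the boot measurements do not match, so the TPM
#    will not release the key. Only the recovery password or an external key works.
& manage-bde.exe -protectors -get $Drive

# 2. Confirm the volume is actually locked before trying to unlock it.
$status = Get-BdeLockStatus $Drive
if ($status -eq 'Unlocked') {
    Write-Warning "$Drive is already unlocked; nothing to do."
    return
}

# 3. Unlock. A .BEK file (USB startup key or saved recovery key) takes priority
#    if one was supplied; otherwise fall back to the 48-digit recovery password.
if ($BekPath -and (Test-Path $BekPath)) {
    & manage-bde.exe -unlock $Drive -RecoveryKey $BekPath
} else {
    & manage-bde.exe -unlock $Drive -RecoveryPassword $RecoveryPassword
}
if ($LASTEXITCODE -ne 0) {
    throw "manage-bde -unlock failed for $Drive (exit code $LASTEXITCODE); wrong recovery password or key?"
}

# 4. Verify the result rather than trusting the exit code alone.
if ((Get-BdeLockStatus $Drive) -ne 'Unlocked') {
    throw "$Drive still reports as locked after unlock attempt."
}
Write-Host "$Drive unlocked; its contents are now readable from WinPE."

# 5. When the service work is done, lock the volume again before leaving the
#    machine. -ForceDismount closes any open handles on the volume first.
# & manage-bde.exe -lock $Drive -ForceDismount
```

Run it from the WinPE command prompt with `powershell -File .\Unlock-Bde.ps1 -Drive C: -RecoveryPassword <password from AD>` (or `-BekPath E:\<id>.BEK` for a USB key). The point the script makes concrete is the one in the answer: the `-protectors -get` output will show the TPM protector, but from WinPE it contributes nothing, and the unlock only succeeds with a recovery password or external key that the attacker would have to possess.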