Windows – Bitlocker Auto-Unlock

Tags: amazon-ec2, bitlocker, windows, windows-server-2012

Can anyone comment on how the auto-unlock feature of BitLocker works? Specifically, what I would like to know is how the unlock key is encrypted and stored, and when the unlock process takes place.

If somehow the machine itself is compromised and they have access to the root drive (which is not encrypted), how easy would it be for them to obtain the keys? Would this be nearly impossible to do without the user password?

Edit: Machine is on EC2

Best Answer

BitLocker is solid technology. It's FIPS 140-2 compliant and there have not been any sort of backdoors discovered in it (to the consternation of certain law-enforcement agencies, who want backdoors into your data). I highly recommend it.

But is it hack-proof? Nah, of course not. Nothing is hack-proof.

In the "transparent operation mode" like you're talking about, the computer will be using a TPM (trusted platform module) chip. This chip is soldered to the motherboard and cannot be removed. This chip stores the key used for encryption using AES with a 128-bit or 256-bit key. (If you do not have physical possession of the machine, you will not be using transparent operation or "auto-unlock" mode. Anything stored on an unencrypted drive such as encryption keys will be recoverable by an attacker, and they can then use that key to unlock anything you previously protected with those keys.)

After the user initializes the TPM chip through the operating system, the TPM chip analyzes certain pre-boot environment conditions. For instance, it will analyze the BIOS, the MBR, etc., and make a record of that state. When the operating system (say Windows 7 or 8) begins to load, it asks the TPM to release the key so that it may decrypt the contents of the drive. (This is one of the functions of that unencrypted 100MB partition on your OS drive that started showing up around the Windows Vista era.) If the TPM detects that any of the pre-boot conditions have been altered or modified, it will not release the key.

What this means is that someone cannot take a BitLocker-protected drive out of a laptop or PC, transplant it into another computer, and read it, because it's encrypted, and it can only be decrypted if it is connected to the original TPM which is soldered to the original motherboard, and the TPM detects that none of the pre-boot state has been altered since the last snapshot.

If you are using BitLocker on your laptop, I will not be able to take your laptop, enter the BIOS, change the boot-up order, boot up off of a USB key or Ubuntu DVD or some such, and use that to read your disk, because the TPM chip will not release the encryption key in that scenario.

Possible attacks on Bitlocker are pretty exotic, such as the so-called "cold boot attack," involving spraying the memory chips with compressed air to cool them so that the volatile contents of RAM are readable for a longer period of time, then performing a "cold reboot" on the operating system into an environment that allows a malicious user to read the contents of RAM that were left over from when the OS was running. The persistence of such data would be milliseconds, to seconds, to maybe even a few minutes.

Edit: You can still use Bitlocker-To-Go for removable drives, even though you have no physical access to the machine. Your Microsoft Live account or an Active Directory can escrow the key for you.
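The answer's point is that auto-unlock is only as strong as whatever protects the volume holding the auto-unlock keys: with a TPM-sealed OS volume that is reasonable, while on a host without a TPM (such as an EC2 instance) the data-volume keys sit on an OS volume that anyone with disk access can read. The following audit script is an added example, not code from the original thread; it assumes the standard BitLocker and TrustedPlatformModule PowerShell modules shipped with Windows Server 2012 and later, run from an elevated session.

```powershell
# Added example (not from the original thread): audit BitLocker key
# protectors and flag auto-unlock keys that are not TPM-protected.
# Assumes the BitLocker module (Get-BitLockerVolume) and, where a TPM
# exists, the TrustedPlatformModule module (Get-Tpm) are available.
Import-Module BitLocker

# Is a TPM present? Without one (typical for an EC2 instance) the OS
# volume cannot carry a TPM protector, so transparent unlock is not
# available for it, and any auto-unlock keys for data volumes are
# stored on that OS volume instead.
$tpmPresent = $false
if (Get-Command Get-Tpm -ErrorAction SilentlyContinue) {
    $tpm = Get-Tpm
    $tpmPresent = [bool]$tpm.TpmPresent
}
Write-Host ("TPM present: {0}" -f $tpmPresent)

foreach ($vol in Get-BitLockerVolume) {
    $types = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    Write-Host ("{0} [{1}] status={2} protection={3} protectors=[{4}]" -f `
        $vol.MountPoint, $vol.VolumeType, $vol.VolumeStatus, $vol.ProtectionStatus, $types)

    # A data volume set to auto-unlock has its unlock key held on the OS
    # volume, so it is only as safe as the OS volume's own protector.
    if ($vol.VolumeType -eq 'Data' -and $vol.AutoUnlockEnabled) {
        Write-Warning ("{0}: auto-unlock enabled; its key is stored on the OS volume" -f $vol.MountPoint)
    }

    # An OS volume that stores auto-unlock keys but has no active TPM
    # protector: whoever can read that volume can recover the keys.
    if ($vol.VolumeType -eq 'OperatingSystem' -and $vol.AutoUnlockKeyStored) {
        $tpmProtector = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
        if (-not $tpmProtector -or $vol.ProtectionStatus -ne 'On') {
            Write-Warning ("{0}: holds auto-unlock keys without an active TPM protector" -f $vol.MountPoint)
        }
    }
}
```

If the script warns on the OS volume, the data volumes are effectively protected only by whatever access control guards the OS disk; `manage-bde -autounlock -clearallkeys C:` removes the stored keys and `Disable-BitLockerAutoUnlock` turns the feature off per volume, after which a recovery password or a key escrowed in Active Directory is needed to unlock.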
