If I enable Bitlocker on a regular Windows 10 machine, how does the unlocking process work? I presume I put in my Windows password and at that point it starts the unlock process. Why is there an additional pre boot option and how does this add to security?
2 Answers
No, thats not how BitLocker works. BitLocker has an additional partition thats stores information about the encryption/decryption process together with some metadata. It holds the cipher used, block mode, keysize, number of used slots and authentication method (amongst other things).
With enough information from this partition the decryption process can begin. The user is asked for his passphrase or private key file (in case of USB) and can decrypt the modules, driver and bootstrap executables in order to load the kernel.
The disk is not decrypted at boot, but instead Windows makes use of an additional IO layer. This layer hooks between the file system driver and the disk driver and decrypts the information on retrieval (and encrypts on write). As long as the operating systems runs, the secret is stored in protected (kernel) memory. Therefore it is important you shutdown the computer gracefully and give Windows the time to nullify the memory. The same is true for other systems.
- 3,346
- 14
- 22
-
Excellent explanation. So if I was evaluating risk, would it be safe to say the machine is only 'secure' when it is switched off or the password hasn't been entered yet. If I was explaining risk to a user. – user1102550 Aug 28 '16 at 17:29
-
Where does the preboot pin come into play. Is that for more extreme hack protection, that maybe might apply more to a bank than say say the average small business. – user1102550 Aug 28 '16 at 17:31
-
@user1102550 Whenever the computer is on, it is at risk, yes. PINs are just another authentication method. They are certainly used by users themselves, not only large corporations – Yorick de Wid Aug 28 '16 at 18:54
-
What does the pre boot pin protect against? – user1102550 Aug 29 '16 at 06:13
I don't like @Yorick's answer. This assertion:
The disk is not decrypted at boot, but instead Windows makes use of an additional IO layer
Is misleading*. Once the encrypted volume is mounted the contents are transparently accessible to software running on the device as if it weren't encrypted at all.
FDE protects against offline data theft. Once the volume is mounted it's effectively decrypted and beyond FDE protection.
Regarding OP's follow up question about pre-boot pin:
Bitlocker has 5 different ways of operation:
The least secure is TPM only, where the TPM is used to unlock the drive on boot without additional intervention. This protects the data in case the drive is removed from the device, since it can't be unlocked without the device's TPM. It doesn't protect the drive if the whole device is stole or otherwise accessed by an attacker.
The TPM+PIN mode, which is what the question referred to, adds a pin to the process, so in order for the TPM to be used to unlock the drive the user must input a pin. This protects against device theft as well, adding more security to the previous mode. The trade off is that it requires physical presence at boot. Not a problem for laptops usually, big problem for servers.
Then there's password, smartcard and usb thumb drive containing unlock key (this last one useful when there's no tpm on the device). Some combinations of the different methods are allowed as well.
* I'm not saying the answer is wrong, but that assertion is misleading and unnecessarily confuses begginers
- 2,299
- 1
- 15
- 25
-
Just to double check if the OS has a regular Windows password but has a TPM. The disk isn't mounted until the password is sucessfully entered. – user1102550 Aug 29 '16 at 20:48
-
@user1102550 Yes it is. The lockscreen does not lock the encrypted volume. – GnP Aug 29 '16 at 21:11
-
But when the computer first boots, the disk isn't mounted until the password is entered? – user1102550 Aug 30 '16 at 07:06
-
@user1102550 with pre-boot pin/password/key it's not. The login screen/lockscreen is separate and if you see that screen the volume is unlocked (assuming FDE) – GnP Aug 30 '16 at 11:09
-
So what's the point of encrypting the harddrive if it's mounted at when the machine boots. Is it just in case the hard drive is removed? – user1102550 Aug 30 '16 at 13:56
-
@user1102550 yes, FDE protects against offline data theft. Once it's mounted it's not offline anymore and is beyond the scope of FDE. That's why you should always start with a threat model and then evaluate technologies. The other way around is painful, inefficient and often surprising. – GnP Aug 30 '16 at 14:01
-
In the scenario of data which is not super sensitive - I am protecting against the laptop getting stolen by a regular thief as opposed to the NSA or professional hacker is it reasonable to assume that the only way of accessing the hard-drive is via a cold boot attack or something fairly sophisticated? I.e to get the data you'd have to remove the hard drive and it wouldn't mount without the TPM? – user1102550 Aug 30 '16 at 14:04
-
@user1102550 yes, FDE with any pre-boot auth (pin, passphrase, USB key) will protect your data in case the laptop is stolen, provided it's shutdown/hibernated when it's stolen. FDE with no pre-boot auth won't, but makes remote wiping easier and safer and enterprises appreciate that. – GnP Aug 30 '16 at 14:40