
I've been reading a bit about using BitLocker without a TPM chip and I've seen here and there that some people advise to use a USB stick for ease, and plug it into an internal USB header converter and configure BitLocker to require it present every startup.

Which leaves me wondering, is that really secure? If someone gets physical access to your computer (which, as far as I know, is the only reason you'd want to have disk encryption anyway) would a USB key that is permanently attached be just as secure as a TPM chip? (in both cases assuming you don't have to enter any passwords to boot windows but do need a password to log into your account)

I haven't been able to find anyone saying anything on this and I'm really curious.

Gelunox

1 Answer


A USB stick is even less secure than a TPM. The latter at least tries to check whether the system is in a trusted state before giving away the key, but the former doesn't even care and has no way to do so.

TPM attacks exist but still require some effort to pull off, and possibly some hardware (soldering wires to the LPC bus to talk to the TPM chip directly). USB "attacks" would simply involve unplugging the stick and copy/pasting the keyfile that's inside, or just booting the machine off a Linux disc and reading the keyfile from there without even touching the actual USB.

André Borie
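To check which of the two configurations a machine actually has, here is an added example (not code from the question or the answer) that lists each BitLocker volume's key protectors and flags the "USB startup key with no TPM" setup. It assumes a Windows host with the BitLocker PowerShell module, run from an elevated prompt; the function name is mine.

```powershell
# Added example, not from the original post. Audits BitLocker volumes for the
# configuration discussed above: a startup key (USB) protector with no TPM.
# Assumes Windows with the BitLocker module, run from an elevated prompt.
Import-Module BitLocker -ErrorAction Stop

function Get-BitLockerProtectorAudit {
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

        # Protector types bound to the TPM (Tpm, TpmPin, TpmStartupKey, ...).
        # Only these check platform measurements before the volume key is released.
        $tpmBound = @($types | Where-Object { $_ -like 'Tpm*' })

        # ExternalKey is a .BEK file on removable media. BitLocker uses the same
        # type for a startup key and for a saved recovery key file, so the type
        # alone cannot tell them apart; treat ExternalKey-only volumes as suspect.
        $externalOnly = ($types.Count -gt 0) -and ($tpmBound.Count -eq 0) -and
            ($types -contains 'ExternalKey') -and
            (@($types | Where-Object { $_ -notin 'ExternalKey', 'RecoveryPassword' }).Count -eq 0)

        $verdict = if ($vol.ProtectionStatus -ne 'On') { 'protection off' }
                   elseif ($tpmBound.Count -gt 0)      { 'TPM-bound protector present' }
                   elseif ($externalOnly)              { 'WEAK: USB startup key only, key released unconditionally' }
                   else                                { 'review manually' }

        [pscustomobject]@{
            Volume     = $vol.MountPoint
            Protection = $vol.ProtectionStatus
            Protectors = ($types -join ', ')
            Verdict    = $verdict
        }
    }
}

Get-BitLockerProtectorAudit | Format-Table -AutoSize
```

A volume reported as WEAK unlocks for anyone who boots with the stick attached, which is the scenario the answer describes; the fix is to add a TPM-based protector (with a PIN where possible) rather than relying on the USB key alone.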
  • So, you're saying you might as well not use drive encryption at all if you do it like that because it's child's play to decrypt it? – Gelunox Oct 08 '16 at 18:36
  • @Gelunox I would certainly think so. Perhaps a clueless cracker would grab the hdd and not notice the very unusual internal USB drive, but we all know how well security through obscurity goes... – aidanh010 Oct 08 '16 at 20:29