1

Will enabling additional authentication on startup provide any extra security with Bitlocker? At the moment, my laptop boots straight into a Windows login where I use a pin. If I chose to not use pin, and a complex password, would that provide the same level of security as authentication at startup?

Thanks,

stats101

1 Answer

2

Operating system authentication never provides the same level of security as a power-on password. If the TPM gives the encryption key at startup without extra authentication, it's vulnerable to

  • cold boot attacks

    Problem is that that means that the machine can always be booted up to a state where it has encryption keys in memory where they can be stolen using a cold boot attack. - -

    None of these mitigations help if you have removable RAM. Then you can do the original cold boot attack from 2008.

  • Direct Memory Access (DMA) attacks (Firewire, Thunderbolt, PCI, PCCARD...)

    An attacker may be able to search for BitLocker encryption keys in system memory by spoofing the SBP-2 hardware ID by using an attacking device that is plugged into a 1394 port. Alternatively, an active Thunderbolt port also provides access to system memory - -

  • and sniffing the Low Pin Count (LPC) bus.

    As the decryption happens automatically, if we can sniff the VMK as it's being returned by the TPM then we can enter that information into any number of BitLocker libraries and decrypt the drive. - -

    TPM2.0 devices support command and response parameter encryption, which would prevent the sniffing attacks. Windows doesn't configure this though, so the same attack as on a TPM1.2 device works against TPM2.0 devices.

Therefore, Microsoft recommends using TPM+PIN and disabling standby mode, i.e. always shut down or hibernate.

Esa Jokinen
  • If a power-on password provides the best protection, then why would TPM+PIN be better? – stats101 Apr 26 '19 at 22:34
  • 1
    In both, the unencryption won't start without providing a password. Windows has control over the BitLocker PIN, but it can't generally force BIOS settings as they are not the same with every manufacturer. However, the basic idea of authentication before the unencryption is the same. – Esa Jokinen Apr 27 '19 at 01:08
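The answer's recommendation (TPM+PIN instead of TPM-only, and hibernate or shut down instead of sleep) can be audited and applied from an elevated PowerShell session. The script below is an added example, not code from the original answer or from Microsoft; it uses the BitLocker module cmdlets (`Get-BitLockerVolume`, `Add-BitLockerKeyProtector`, `Remove-BitLockerKeyProtector`), `powercfg`, and the `HKLM:\SOFTWARE\Policies\Microsoft\FVE` values behind the "Require additional authentication at startup" policy. The function names, the assumption that the OS volume is `$env:SystemDrive`, and the lid-action index are this example's own; a domain Group Policy can override the local registry values.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original answer): audit and enforce TPM+PIN pre-boot
# authentication on the OS volume and keep the machine from sleeping with the VMK in RAM.
# Assumes the BitLocker PowerShell module and the FVE policy registry values documented
# for "Require additional authentication at startup" (0 = do not allow, 1 = require, 2 = allow).

function Test-BitLockerPreBootAuth {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # TpmPin / TpmPinKey protectors require something the user knows before the TPM releases the VMK;
    # a bare Tpm protector is the configuration the answer describes as exposed to cold boot/DMA/LPC sniffing.
    $strong = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -in 'TpmPin', 'TpmPinKey' }
    [pscustomobject]@{
        MountPoint       = $MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        Protectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')
        PreBootAuth      = [bool]$strong
    }
}

function Enable-BitLockerTpmPin {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][securestring]$Pin
    )
    # Local policy must allow a TPM+PIN protector (a domain GPO may overwrite these values).
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMPIN -Value 1 -Type DWord   # require TPM+PIN
    Set-ItemProperty -Path $fve -Name UseTPM    -Value 0 -Type DWord   # TPM-only no longer allowed

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Keep a recovery path before touching the TPM protector; back the numerical password up out of band.
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    # Drop the TPM-only protector: leaving it in place would still let the VMK be released without a PIN.
    $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm' | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
}

function Disable-SleepKeepHibernate {
    # Sleep (S3) keeps RAM powered with the VMK in it; hibernate and shutdown do not.
    powercfg /hibernate on
    powercfg /change standby-timeout-ac 0
    powercfg /change standby-timeout-dc 0
    # Lid close -> hibernate. Index 2 is assumed here; confirm the mapping on your build with: powercfg /query
    powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2
    powercfg /setactive SCHEME_CURRENT
}

# Usage:
# Test-BitLockerPreBootAuth                                   # PreBootAuth = False on a TPM-only laptop
# Enable-BitLockerTpmPin -Pin (Read-Host -AsSecureString 'New BitLocker PIN')
# Disable-SleepKeepHibernate
# Test-BitLockerPreBootAuth                                   # PreBootAuth should now be True
```

`Test-BitLockerPreBootAuth` is the check to run first and after the change: the `Protectors` column makes the difference between `Tpm` and `TpmPin` visible, which is exactly the difference between the questioner's current setup (keys released at power-on, Windows PIN only at login) and the TPM+PIN setup the answer recommends. The recovery-password step exists so that a failed protector swap does not leave the volume without any usable protector.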