
When I enabled BitLocker on my system drive, I wasn't asked to select an unlock method. I didn't have to enter any new passwords/keys. I only selected a few options for the encryption, and the process completed.

I'm not very familiar with how BitLocker works.

My questions are thus. With what key has my system drive been encrypted? Is the key in any way related to the password for my Administrator user account? How is it that I did not have to enter any new keys when setting up BitLocker or when booting the system?

Daniel

2 Answers


BitLocker generates the encryption master key, and then encrypts it with additional keys derived from "key protectors". Everything that BitLocker does (when used on the system volume) happens before Windows is fully booted. Your Windows passwords are not used at all.

The available key protectors are:

  • TPM (Trusted Platform Module): On supported hardware, the TPM can be used to "measure" the operations the system does when booting, up to the point in the Windows boot process where the kernel starts (the kernel cannot live on the encrypted volume, since it must be decrypted so it can load the BitLocker driver). If the system boots normally, the TPM releases its key protector and Windows proceeds to the lock screen. If the boot process is modified - such as by the system being lifted into a VM or a Linux Live CD being used to boot - then the TPM cannot be used to unlock the key. Using the TPM alone is relatively weak protection; there are ways to extract the master key from memory after the OS boots, even when the attacker doesn't know any login password. However, a relatively unsophisticated attacker will be stymied if they don't know your Windows login password.
  • PIN: A numeric password. For reasons of compatibility with some hardware, a BitLocker "password" is by default numeric only. If you change a configuration setting, it becomes possible to use all characters (including letters, symbols, etc.) as well.
  • Key file: A file, typically stored on a flash drive or other USB device, which contains a random blob of data. The idea is that you would only insert the device when booting, and thus it would not get stolen along with the PC.
  • Recovery key: A very long random sequence of numbers, used as a last resort if the user can't unlock the system any other way. Ideally stored somewhere secure, such as a safe. Can be retrieved by the domain controller on domain-joined machines, so that IT can unlock your PC if needed.

Some protectors can be used together, as a form of stronger and possibly multi-factor authentication. For example, requiring a PIN + a key file is "something you know" and "something you have". Using a PIN + TPM makes offline attacks against the PIN impossible, which makes brute-forcing it totally impractical, and also means that you aren't vulnerable to the weaknesses of using just the TPM as a protector; attackers would need the PIN too.

By default, if the TPM is available, BitLocker will set up two key protectors: TPM (only), and a recovery key (you should have gotten a prompt insisting that you save or print the recovery key). This is "user-friendly" in that TPM-only is so invisible you might forget it's on, but it's also the weakest option in some ways. If the TPM is not available, Windows won't let you turn on BitLocker until you configure it to use some other protector(s).

If you want to require a boot-time PIN/passphrase, turn off BitLocker (you don't have to wait for it to fully decrypt), set it up to require a PIN (optionally without restricting to numbers only) and probably also TPM (no good reason not to use both), and turn it on again; you'll be prompted for a PIN or passphrase. Note, again, that this is not your Windows password - any of them - and is totally unrelated to the Windows login process.

When using BitLocker, you should also use Secure Boot (if available). Secure Boot tells the PC's firmware (the lowest-level software, which lives in a chip on the motherboard and runs before anything else; the old PC firmware was called BIOS) to only load a bootloader (the program which loads the OS kernel; if you have ever had more than one OS on a machine or remember the old screen with options like "Safe Mode", that was a bootloader menu) that comes from Microsoft and hasn't been messed with. The bootloader in turn will only load the kernel if it hasn't been messed with.

This is important because, without Secure Boot, the attacker could modify the Windows bootloader and/or kernel, and do things like steal the user's PIN as they enter it, or take the master key out of RAM after the system boots. The TPM does provide some protection against these attacks even without Secure Boot, but they work better together.

CBHacking
  • Some vendors, e.g. HP, automatically synchronize the boot-time passwords with Windows passwords. That's not related to BitLocker in any way but might be a source of confusion like this. – Esa Jokinen Aug 18 '20 at 10:04
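As an added example (not code from the answer above, nor Microsoft's own), the following PowerShell audits the OS volume's key protectors, reports TPM and Secure Boot state, and moves a TPM-only volume to TPM+PIN while refusing to proceed without a recovery password on file. It assumes an elevated session and that `$env:SystemDrive` is the BitLocker OS volume.

```powershell
# Added example, not from the answer above. Audit the OS volume's BitLocker key
# protectors and, if it is protected by the TPM alone, replace that protector
# with TPM+PIN. Run from an elevated PowerShell. The policy "Require additional
# authentication at startup" must allow a PIN with the TPM, and "Allow enhanced
# PINs for startup" if the PIN is to contain letters or symbols.

$MountPoint = $env:SystemDrive           # assumed to be the OS volume ("C:")
$vol   = Get-BitLockerVolume -MountPoint $MountPoint
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

Write-Host ("{0}: {1}, protection {2}" -f $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus)
Write-Host ("Key protectors: {0}" -f ($types -join ', '))

# Hardware context: a ready TPM and Secure Boot enabled. Confirm-SecureBootUEFI
# throws on legacy-BIOS firmware, so an exception is treated as "not available".
$tpm = Get-Tpm
try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }
Write-Host ("TPM ready: {0}; Secure Boot: {1}" -f $tpm.TpmReady, $secureBoot)

$tpmOnly = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' }
$hasPin  = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
if (-not $tpmOnly -or $hasPin) {
    Write-Host 'Volume is not TPM-only; nothing to change.'
    return
}

# Never remove the only automatic unlock path without a recovery key on file.
if ($types -notcontains 'RecoveryPassword') {
    Write-Warning 'No recovery password protector; add one, save it, then rerun:'
    Write-Warning "  Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector"
    return
}

$pin = Read-Host -AsSecureString 'Enter the new startup PIN'
try {
    # TPM-based protectors are mutually exclusive, so the TPM-only one goes first.
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $tpmOnly.KeyProtectorId
    Add-BitLockerKeyProtector    -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin
    Write-Host 'TPM+PIN protector added; the PIN is required from the next boot.'
} catch {
    # Policy may forbid PINs; restore TPM-only so the machine still boots unattended.
    Write-Warning "Could not add TPM+PIN ($($_.Exception.Message)); restoring TPM-only protector."
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector -ErrorAction SilentlyContinue | Out-Null
}
```

Rerunning the script afterwards should list `TpmPin` and `RecoveryPassword` as the protectors; if Secure Boot reports `False`, enable it in the firmware setup as the answer recommends.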

By default, BitLocker encryption uses a security device, the TPM chip, for key storage. So Windows stores the key inside the TPM and makes sure that the TPM does not "hand out" the key unless the original Windows system on which the key was created is booted.

So how does this protect your data? You're protected because there's still the Windows logon password. This logon password is between someone hostile and your data. The password cannot be brute-forced at the logon screen in a reasonable time. If you don't believe that, please try to enter 100 guessed passwords and see if you can do it in less than 15 minutes. Now imagine someone planning to brute-force your machine. Even with a programmable keyboard, this would take years even for a password of length 6.

Al Francis
Hans Hase
  • It may be worth expanding the answer slightly to talk about Secure Boot, which is another important part of the overall security of BitLocker. – David Nov 21 '19 at 23:13