My laptop doesn't have TPM. If I enable BL PIN and someone steals my laptop and remove the drive, will they be able to read it's content on another computer? How am I vulnerable without TPM?
Asked
Active
Viewed 2,597 times
2
-
Bitlocker is not that good with or without TPM. It's been proved as a disaster in certain cases. – Overmind May 25 '20 at 12:08
1 Answers
1
With just a PIN and no TPM (or removable key storage such as a USB drive or a smartcard that you need to insert to boot), it's impossible to have any meaningful security against an adversary who can access the encrypted drive. It's only a protection against someone casually walking to your desk, inserting a USB stick and rebooting your computer from the stick.
The adversary can just try all possible PIN, since all the information needed to decrypt the drive has to be present on the drive apart from the PIN. There are too few possible values for a PIN for it to be more than a moderate barrier to attack. For example, if unlocking takes 1 second of CPU time (which is an overapproximation), then a 6-digit PIN will resist for less than 12 days. A 4-digit PIN would fall in less than 1 hour and even an 8-digit PIN is manageable in 3 years of cumulated CPU time.
A strong password is a different deal because there are far more candidates for the attacker to try. A “correct horse battery staple”-type password (4 randomly generated words) would resist for around 300,000 years of cumulated CPU time.
A TPM changes the deal because when it's available, the encryption key is not derived from the PIN, but stored in the TPM. The TPM adds an additional protection: if there are too many failed attempts at guessing the PIN, it locks itself against further attempts. For the adversary to have a meaningful chance of decrypting your data, they would need to attack the TPM itself and extract the key from it, which is a lot harder than plugging the hard disk into a PC and making its CPU churn.
Gilles 'SO- stop being evil'
- 50,912
- 13
- 120
- 179