
I'd like a solution that auto-unlocks BitLocker, VeraCrypt or similar FDE on Windows 10 while I have a device plugged in. When it's not plugged in (or I lose/destroy the device) it should just ask for a password of considerable length (not just a PIN).

  • It can be boot time or not, I'm interested in either way.
  • If I remove the device once the PC started, nothing should happen until next restart.
  • I'm home mostly all day, but I'd take the key with me in the rare case that I leave.
  • It's a desktop PC that doesn't have TPM chip.
  • I know it's not best practice, but compared to not having any encryption now, it's better than nothing.
  • Encryption is not mission critical, just want to protect against random theft from burglary.
  • And I don't necessarily wish to tap a YubiKey or enter a password daily. If it reads fingerprints before sending the password, then I'd consider it.
  • Possibly the plugged in state could help facilitate login to password managers.

What I tried: Set up BitLocker on the Windows system drive, created a USB key and a password. Then when booting, it only ever recognized the drive if I restarted from within the BIOS. I played with USB settings in the BIOS, full initialization, xHCI handoff, and tried various ports. By the way, should plugging in the key automatically progress the blue screen, or do you always need to restart after trying a different port? Anyway, it didn't work when starting normally, not even the recovery (it prompted to continue into Windows, but then it just restarted to the blue screen again). What's weird to me is why not offer a choice between key and password at boot time? If I'm too lazy to get the key but I have the keyboard nearby, I could type the password. If I'm too lazy to type, but the USB drive is plugged in already, just let me through. Even if the auto-unlock worked without restarting from the BIOS, I never saw the alternate option to boot with a password when I also had the key "protector" enabled. Yes, I added and removed these with manage-bde from the command prompt and played with the Group Policy Editor settings too.

Also, I'm not sure what benefit a TPM configured with auto-unlock would provide. If someone steals the whole computer including the motherboard, it's not going to provide any security. If it's not auto-unlock then yeah, a PIN may be useful, but I'm too lazy to type in even that. The USB acting as a real "key" with an optional password seems to be a utopian idea for the casual home user. Decrypted them all for now as this is useless; will try again on my next PC in the future. Also, write speeds on the SSD were cut in half, which is pretty bad (i7 CPU).

  • Please clarify: when you take the USB out, should the device remain unlocked and usable, i.e. *I store key material on my USB, but once I unlock the device, the key will be stored in RAM for as long as it's mounted*, or should it auto-lock? – brynk Dec 09 '20 at 21:40
  • See https://www.yubico.com/works-with-yubikey/catalog/egosecure/ for a solution that is similar to what you describe. – mti2935 Dec 09 '20 at 22:58
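
The following is an added example, not code from the original question or its comments. It reproduces the set-up the poster describes (a TPM-less Windows 10 desktop, BitLocker on the OS drive, a USB startup key plus a password protector) with the built-in BitLocker cmdlets, and ends with the check that shows which protectors are actually attached to the volume. The drive letters (`C:` for the OS volume, `E:` for the USB stick) are assumptions for illustration; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): set up BitLocker on a TPM-less
# Windows 10 machine with a USB startup key and a fallback password protector.
# Assumed (hypothetical) values: OS volume is C:, the USB stick is mounted as E:.
$OsVolume = "C:"
$UsbPath  = "E:\"

# 1. Policy. Without a TPM, BitLocker refuses to protect the OS drive unless
#    "Require additional authentication at startup" is enabled together with
#    "Allow BitLocker without a compatible TPM". These registry values are the
#    ones that Group Policy setting writes under Computer Configuration >
#    Windows Components > BitLocker Drive Encryption > Operating System Drives;
#    writing them directly is equivalent on a standalone machine.
$Fve = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
New-Item -Path $Fve -Force | Out-Null
Set-ItemProperty -Path $Fve -Name UseAdvancedStartup -Type DWord -Value 1
Set-ItemProperty -Path $Fve -Name EnableBDEWithNoTPM -Type DWord -Value 1
# 2 = "Allow" for each TPM-based option, matching the policy's defaults.
foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
    Set-ItemProperty -Path $Fve -Name $name -Type DWord -Value 2
}

# 2. Turn on BitLocker with a startup-key protector. This writes a .BEK file to
#    the USB stick. The boot manager reads the key before Windows starts, so
#    pulling the stick after boot changes nothing until the next restart.
Enable-BitLocker -MountPoint $OsVolume `
    -EncryptionMethod XtsAes256 `
    -UsedSpaceOnly `
    -StartupKeyProtector -StartupKeyPath $UsbPath

# 3. Add a password protector as the fallback for when the stick is absent.
#    Use a long passphrase rather than a PIN, as the question asks for.
$Password = Read-Host -AsSecureString "Fallback pre-boot password"
Add-BitLockerKeyProtector -MountPoint $OsVolume -PasswordProtector -Password $Password

# 4. Keep a recovery password as well, and store it off the machine.
$vol = Add-BitLockerKeyProtector -MountPoint $OsVolume -RecoveryPasswordProtector
$vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -ExpandProperty RecoveryPassword

# 5. Verify what is attached to the volume. This is the check to run when the
#    pre-boot screen does not behave as expected: it shows whether the
#    StartupKey and Password protectors both exist, and which .BEK file the
#    startup-key protector points at.
(Get-BitLockerVolume -MountPoint $OsVolume).KeyProtector |
    Format-Table KeyProtectorType, KeyProtectorId, KeyFileName -AutoSize

# The same checks with manage-bde, which the poster used:
#   manage-bde -status C:
#   manage-bde -protectors -get C:
# To drop a protector (for example after losing the stick), remove it by ID:
#   Remove-BitLockerKeyProtector -MountPoint C: -KeyProtectorId "{GUID}"
```

The protector listing in step 5 is the one thing worth checking before fighting with BIOS USB settings: if the `Password` protector is missing from that output, the pre-boot screen has nothing to offer when the stick is absent, and only the recovery-key path remains. Note that `Enable-BitLocker` takes a single protector type per call; additional protectors are attached afterwards with `Add-BitLockerKeyProtector`.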

0 Answers