How secure is BitLocker without a TPM, using SED?

1

1

I'm trying to find a source for some basic information about BitLocker. Say I have a self-encrypting drive (SED) like a Samsung EVO, but no TPM. I enable BitLocker. There are two options:

  1. Password only
  2. Password and key on USB drive

My seemingly quite basic questions are:

  1. With the "password only" option, is the key a hash of the password or is it stored somewhere in the pre-boot authentication environment? If it is stored, is it encrypted with the password?

  2. With the password and key on USB drive, how is the key protected? Is it encrypted with the password?

  3. How is the key protected while the machine is running? With SED only the drive needs the key to operate, but when you sleep the machine it forgets it and the PC has to supply it again. Does Windows prompt you for the password/USB drive again, or does it store the key in RAM somewhere?

It's really not clear how the key is protected if you don't have a TPM. Is the password really secure? What if the USB key is stolen along with the PC?

user237698

Posted 2016-01-31T13:59:43.097

Reputation:

Some info here: https://technet.microsoft.com/en-us/magazine/2007.06.bitlocker.aspx

– None – 2016-01-31T14:07:22.890

That confirms that the startup key on USB drive is at least protected with the password. – None – 2016-01-31T14:07:47.330

I thought BitLocker was software encryption; does it work with the drive's built-in SED, and how? – Xen2050 – 2016-02-02T02:22:30.873

Related: https://superuser.com/q/810270 .

– sampablokuper – 2018-03-13T17:29:16.127

Answers

0

  1. (Skipping this Question for now.)
  2. The external key file (*.bek) on the USB drive is not protected. It does not require a password. The *.bek file unlocks the key which was actually used for encryption. So you can delete this external key file from the protector list of the drive and generate a new external key file if it is ever lost. (Re-encryption not required.) A password is an additional protector (key) used to unlock a drive. You can either use the password to unlock the drive or the USB drive. You do not need both.
  3. The operating system will not ask for the key again after it has woken up from standby mode. Waking up from hibernation does require the USB drive or password. (Sorry, omitting any claims on where the key is actually saved; cannot find the right source to validate.)

Side note: Encrypting the USB drive (holding the startup external key *.bek) will not work for system-encrypted drives, as the USB drive needs to be accessible during boot. It will work for non-system encrypted drives. Then you first unlock the USB drive with a password, then click to unlock the encrypted drive and click [Load key from USB-station]. In this manner you have actually created a two-step unlock requiring a password and a key file (read: USB drive). The RecoveryPassword (numbers) bypasses all of this, by the way.

A71

Posted 2016-01-31T13:59:43.097

Reputation: 392
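As an added example (not part of the original answer, and not Microsoft's own documentation), the following PowerShell script walks through the protector handling described in the answer above: listing the protectors on a BitLocker volume, adding a recovery password as the fallback, revoking a lost *.bek (ExternalKey) protector without re-encrypting, issuing a replacement startup key to a new USB stick, and adding a password protector as an alternative to the USB key. It uses only the cmdlets of the built-in BitLocker PowerShell module. Assumptions: it runs elevated on Windows 8.1/Server 2012 R2 or later, the OS volume is `C:`, a freshly formatted USB stick is mounted as `E:`, and the Group Policy setting "Allow BitLocker without a compatible TPM" is enabled (required for a password protector on an OS drive with no TPM). The mount points and policy state are assumptions for the example, not facts from the page.

```powershell
# Added example, not code from the original post. Assumes: elevated session,
# BitLocker module present, OS volume C:, new USB stick at E:\, and the
# "Allow BitLocker without a compatible TPM" policy enabled (assumption).
$OsVolume = "C:"
$UsbRoot  = "E:\"

function Show-Protectors {
    param([string]$MountPoint)
    # Each protector can unwrap the volume master key on its own.
    # "ExternalKey" is the *.bek startup key; "Password" and
    # "RecoveryPassword" are the other protector types discussed above.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Select-Object KeyProtectorType, KeyProtectorId |
        Format-Table -AutoSize
}

Write-Host "Protectors before rotation:"
Show-Protectors -MountPoint $OsVolume

# 1. Make sure a recovery password exists BEFORE removing anything, so the
#    volume is never left with no protector. The recovery password bypasses
#    both the startup key and the password, so store it off-device.
$vol = Get-BitLockerVolume -MountPoint $OsVolume
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword")) {
    $vol = Add-BitLockerKeyProtector -MountPoint $OsVolume -RecoveryPasswordProtector
}
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
Write-Host "Recovery password (store this offline): $($recovery.RecoveryPassword)"

# 2. The USB stick holding the old *.bek was lost (or stolen with the PC).
#    Revoke every ExternalKey protector. This drops one way of unwrapping the
#    volume master key; the data itself is not re-encrypted.
$lost = $vol.KeyProtector | Where-Object KeyProtectorType -eq "ExternalKey"
foreach ($p in $lost) {
    Remove-BitLockerKeyProtector -MountPoint $OsVolume -KeyProtectorId $p.KeyProtectorId
    Write-Host "Revoked ExternalKey protector $($p.KeyProtectorId)"
}

# 3. Issue a replacement startup key onto the new USB stick. The *.bek written
#    to $UsbRoot is not itself encrypted or password-protected: whoever holds
#    the stick can unlock the volume, as the answer above points out.
Add-BitLockerKeyProtector -MountPoint $OsVolume -StartupKeyProtector -StartupKeyPath $UsbRoot | Out-Null

# 4. Optionally add a password protector as an alternative to the USB key.
#    Either protector alone unlocks the volume; BitLocker does not require both.
$pw = Read-Host -Prompt "New BitLocker password" -AsSecureString
Add-BitLockerKeyProtector -MountPoint $OsVolume -PasswordProtector -Password $pw | Out-Null

Write-Host "Protectors after rotation:"
Show-Protectors -MountPoint $OsVolume
```

The order matters: the recovery password is added first so that revoking the lost startup key never leaves the volume without a usable protector. Note that removing a protector changes nothing about the encrypted data; it only removes one wrapped copy of the volume master key, which is why no re-encryption is needed.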