The PIN is for added security.   Without a PIN, someone who knows the password 
to the user account can logon to the box.  Any code will have "access" to the 
TPM, but it won't have access to the other key information required to decrypt the 
drive.  

I use a PIN, but the PIN makes it more complex for recovery agent decryption.  
It all depends on what problem you are trying to solve, and what the value of 
the data you are trying to protect is.   Password-only access could be just 
fine if you want to provide general protection for medium risk data.   If it is 
critical data, you should have a strong passphrase that one can't brute force.  
A PIN may not be necessary.  If the password can be compromised in a different 
manner, then a PIN provides additional security.

Does that help?

t
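As an added illustration of the TPM-only versus TPM+PIN distinction discussed in the reply above (this is not code from the thread), the following PowerShell function audits which key protectors a BitLocker OS volume actually has. It assumes the built-in BitLocker module (Get-BitLockerVolume), an elevated prompt, and that "C:" is the OS volume.

```powershell
# Added example: report a BitLocker volume's startup authentication posture.
# Assumes the Windows BitLocker PowerShell module and an elevated session;
# the mount point "C:" is assumed to be the OS volume.
function Test-BitLockerStartupAuth {
    param([string]$MountPoint = "C:")

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }

    # Protector types that require something beyond the TPM at boot.
    $multiFactor = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
    $hasTpmOnly  = $types -contains 'Tpm'
    $hasMfa      = @($types | Where-Object { $multiFactor -contains $_ }).Count -gt 0
    $hasRecovery = $types -contains 'RecoveryPassword'

    [pscustomobject]@{
        MountPoint       = $MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        Protectors       = ($types -join ', ')
        # TPM-only: the TPM releases the volume key on an unmodified boot path,
        # so the Windows logon password is the remaining barrier (the reply's point).
        TpmOnlyUnlock    = $hasTpmOnly -and -not $hasMfa
        # Confirm a recovery password exists before adding a PIN, so a
        # forgotten PIN does not lock the volume out (the recovery concern above).
        RecoveryPassword = $hasRecovery
    }
}

Test-BitLockerStartupAuth -MountPoint "C:"

# Moving from TPM-only to TPM+PIN once RecoveryPassword is True:
#   $pin = Read-Host -AsSecureString "New BitLocker PIN"
#   Add-BitLockerKeyProtector -MountPoint "C:" -TpmAndPinProtector -Pin $pin
#   Remove-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId <Id of the Tpm protector>
```

Run it on one laptop first; a result of TpmOnlyUnlock = True with RecoveryPassword = False is the configuration to correct before rolling out a PIN requirement.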

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Shang Tsung
Sent: Thursday, February 17, 2011 3:07 AM
To: [email protected]
Subject: Bitlocker without PIN

Hello all,

We are in the process of setting up Bitlocker on our laptops for OS encryption 
and we are wondering if we should set up a PIN or not. If we do not, the 
attacker can get to Windows login screen, but this is where he will stop.

What happens if he boots with a linux live CD/USB? Can he decrypt the drive? 
The key is stored in the TPM. Does linux have access to the TPM?

We are just not sure if the extra security is worth having the users type 2 
passwords to boot a laptop.

ST
