Shang,

Your question has triggered a healthy discussion.  I want to start by saying 
that I work for Microsoft.  I am by no means an experienced security analyst; I 
am a Technical Professional who has had numerous conversations with customers 
and partners around disk encryption.  Let me start by directly answering your 
questions:

First, let us assume we are protecting our data from a thief who is going to 
steal our laptop.  In my mind, it's very important that we focus on the type of 
threat we are trying to mitigate.  More on this below...

1.> We are in the process of setting up Bitlocker on our laptops for OS 
encryption and we are wondering if we should set up a PIN or not. If we do not, 
the attacker can get to the Windows login screen, but this is where he will stop.

You are correct, BitLocker is designed to protect your OS and data from offline 
attacks when it is implemented properly.  Once Windows is up and running, 
BitLocker does not do anything to protect the computer from network or 
user-based attacks.  Once Windows has booted, Windows trusts the password complexity 
to prevent the thief from logging into Windows.  Any user that has a valid 
username and password will have access to the BitLocker encrypted OS and data.  
Again, BitLocker is to prevent offline attacks.  
 
2.> What happens if he boots with a linux live CD/USB? Can he decrypt the 
drive? The key is stored in the TPM. Does linux have access to the TPM?

This is the offline attack scenario, and right up BitLocker's alley!  The drives 
protected with BitLocker are encrypted on the disk.  Any other OS instance 
(including other Windows installations) can see the BitLocker partitions, but 
they are unreadable.  These other OS instances "see" these partitions as either 
1) encrypted partitions, 2) unusable partitions, or 3) unused space.  Another 
OS could delete or reformat BitLocker volumes.
The value TPM brings is that the TPM chip "uniquely pairs" to your unique 
installation of Windows.  If the user boots from any other OS, even another 
copy of Windows, that "other instance" is foreign to the TPM; hence the TPM 
will not share the information that is needed to read the BitLockered drive(s). 
TPM is built to do a very good job of resisting TPM-based attacks, but without 
implementing a PIN in combination with BitLocker, all of the information needed 
to access the encrypted partitions is within the confines of our laptop.  Given 
enough time and enough resources, the thief *may* be able to eventually access 
the data on the computer.  Adding the PIN increases the time and resources 
required to compromise the BitLocker volumes.  
I agree with Thor; I do not deal in absolutes.  If someone has access to a 
physical resource and enough resources and desire, most likely they will 
eventually be able to access your encrypted data.  From everything I've seen, 
BitLocker with a PIN usually requires years of energy to compromise the 
encrypted data.  The PIN requirement prevents Windows from booting until the 
proper PIN is entered.  This PIN is also needed to access the encrypted 
volumes.  The PIN requirement provides a very high level of confidence that 
your data will not be compromised, but again, this is not an absolute!

I view the PIN as a tool that will prevent an attacker from repeatedly booting 
the OS in an effort to try and extract the BitLocker key using a tool like the 
Passware Forensic Toolkit, or chip cooling.  Without the correct PIN, the OS 
will not boot, hence the OS will not "contain" the BitLocker key to be 
harvested.


3.> We are just not sure if the extra security is worth having the users type 
2 passwords to boot a laptop.

This is a business decision.  As Thor said, BitLocker without a PIN does a very 
good job of protecting your data in the event of a loss from the majority of 
the people trying to steal a computer for the value of the computer.  For the 
typical thief, BitLocker without a PIN *may* be good enough.  For those people 
that are determined to steal your computer for the value of the data, and have 
the time and resources to do so, they will most likely eventually be able to 
access your data.  Encryption is a time vs. value of data discussion.  In my 
opinion, the goal with encryption is to drive the "time" required to access 
your data high enough that your data is "not that valuable". 


What type of "thief" are you protecting your data from?  
1. Accidental computer loss?  --  The PIN *may* not be necessary.
2. Intentional theft by a professional thief who is trying to harvest your data 
for the value of the data?  --  I think you should do everything you can to 
protect your data.  In my mind, a PIN is a requirement!  

What about standby and hibernate?  -- If you deploy BitLocker properly, encrypt 
your OS volume and your data volumes, hibernate is still able to be used since 
the hibernate file will be written (by default) to your OS (encrypted) drive.  
When you resume from hibernate, you will have to enter your PIN.  Standby, on 
the other hand, does not require PIN entry.  Someone that acquires a machine in 
standby has the benefit of having a computer that has already passed the 
pre-boot PIN requirement.  There is a very good best practices document here:
http://technet.microsoft.com/en-us/library/dd875532(WS.10).aspx
This document talks about disabling standby on BitLocker enabled machines.  
Disabling standby means that the user can either hibernate Windows, or shut it 
down.  Either way, a PIN will be required upon reboot or resume from hibernate. 
 
This URL also talks about setting group policies so that the BitLocker recovery 
key is always uploaded to AD.  This way if the user forgets their PIN or 
corrupts their OS installation, the Domain Administrator can leverage this 
recovery key to access and recover the user data from the BitLockered drive(s). 
 

There is also a good document that discusses BitLocker vs. EFS.
http://technet.microsoft.com/en-us/library/cc162807.aspx

While these documents make mention of Windows Vista in places, please know that 
BitLocker for Windows 7 is a superset of BitLocker in Windows Vista.  Windows 7 
also gives you the ability to use "BitLocker to go" for removable drives.  You 
can set a policy that your computer is not allowed to write to a removable 
drive unless it is encrypted.  By forcing BitLocker to go, you can ensure your 
users don't put critical data on unencrypted removable media.

I've blogged about the encryption offered in Windows.  Please feel free to 
check out these blog entries, they may help explain some of the details.
http://blogs.technet.com/b/uspartner_ts2team/archive/2010/03/17/what-is-bitlocker-what-does-it-do-what-does-it-not-do.aspx
I've also blogged about other forms of encryption Windows can natively take 
advantage of here:
http://blogs.technet.com/b/uspartner_ts2team/archive/2010/03/18/other-forms-of-encryption-you-need-to-consider.aspx


I'm required to say that while I feel the information I've provided is accurate, 
my responses are my opinion and not necessarily the views of Microsoft.  

I hope this helps...
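The points above (TPM-only versus TPM+PIN protectors, a recovery password escrowed to AD, and standby left enabled) can be checked on a machine with the script below. It is an added audit example, not code from the original thread or from Microsoft; it assumes the BitLocker PowerShell module (Get-BitLockerVolume, Backup-BitLockerKeyProtector) that ships with Windows 8 / Server 2012 and later, and it assumes the "powercfg /a" output lists available sleep states before the line containing "not available". In 2011 the same facts came from "manage-bde -status" and "manage-bde -protectors -get <drive>".

```powershell
# Added example (not from the original thread). Read-only audit of the
# BitLocker configuration points discussed above, plus a helper that escrows
# the OS volume's recovery password to AD. Assumes the BitLocker PowerShell
# module (Windows 8 / Server 2012 or later). Run in an elevated session.

function Get-BitLockerPinAudit {
    <#
      For every BitLocker volume, report whether it is protected by a bare
      TPM protector ("transparent" BitLocker) or by a pre-boot TPM+PIN
      protector, and whether a numerical recovery password exists that can
      be backed up to Active Directory.
    #>
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType is an enum; stringify it for simple comparisons.
        $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

        $hasPin  = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        $tpmOnly = ($types -contains 'Tpm') -and -not $hasPin

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType        # OperatingSystem / Data
            ProtectionStatus = $vol.ProtectionStatus  # On / Off
            Protectors       = ($types -join ', ')
            PreBootPin       = $hasPin
            TransparentTpm   = $tpmOnly
            RecoveryPassword = ($types -contains 'RecoveryPassword')
        }
    }
}

function Test-StandbyAvailable {
    <#
      Parse "powercfg /a" to see whether S3 standby is still offered.
      The thread recommends disabling standby so that a lost machine is
      either hibernated or shut down, and the PIN is required on resume.
      Assumption: available states are listed before the "not available"
      section of the powercfg output.
    #>
    $available = @()
    foreach ($line in (powercfg /a)) {
        if ($line -match 'not available') { break }
        $available += $line
    }
    # -match on an array returns the matching lines; empty array casts to $false.
    return [bool]($available -match 'Standby \(S3\)')
}

function Backup-OsRecoveryPasswordToAD {
    <#
      Escrow the OS volume's numerical recovery password to AD DS, the
      manual equivalent of the "back up recovery information to AD" policy
      the thread refers to. Requires the BitLocker schema extensions and
      write permission on the computer object.
    #>
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = @($vol.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' })
    if ($rp.Count -eq 0) {
        throw "No recovery password protector on $MountPoint; add one before escrowing."
    }
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp[0].KeyProtectorId
}

# Usage: show protector state per volume and flag standby if it is still enabled.
Get-BitLockerPinAudit | Format-Table -AutoSize
if (Test-StandbyAvailable) {
    Write-Warning 'Standby (S3) is available: a machine taken while asleep has already passed the pre-boot PIN.'
}
```

A volume that reports TransparentTpm = True with RecoveryPassword = False is the combination the thread warns about twice over: no pre-boot PIN, and nothing for the domain administrator to recover with if the user later locks themselves out.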

________________________________________
From: [email protected] [[email protected]] on behalf of 
Thor (Hammer of God) [[email protected]]
Sent: Thursday, February 24, 2011 11:07 AM
To: Per Thorsheim; focus-ms
Subject: RE: Bitlocker without PIN

I don't agree with blanket statements like "is not a good idea in terms of 
security."

I'm willing to wager that insofar as "real world" application of security is 
concerned, that most people on this list are not designing solutions around 
what keys can be extracted from live memory via firewire.  Sure, it's cool, and 
l337, and provides for jazz-hand presentation content, but it is not the 
use-case that we are solving for.  If it is, then additional mechanisms should 
be employed.

Security is about risk mitigation - as such, transparent TPM-based Bitlocker 
can be an absolutely fantastic security control.  It can be seamlessly rolled 
out, controlled by group policy, and data can be protected by way of recovery 
agents.  It provides disk encryption without requiring the user to remember 
PINs, etc.  Sure, PINs are better as I stated in my last email, but they 
require more administration.  This solves for the 90th percentile (if not more) 
of the cases I've seen where the asset is lost or stolen.

I have to reply like this because it would be a real shame if people saw the 
"not good for security" post and figured "ah, screw it then" and moved on.   We 
should solve for reasonable use cases appropriately in cost effective ways that 
reduce administration where possible.  Sure, they can extract keys from live 
memory via firewire - - and I can extract PINs from live people with a box 
cutter.  I think you see where I'm going with this...

From a security standpoint, transparent bitlocker is a fantastic feature.  
PINs are better.  Everything should be put in proper perspective.

t

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Per Thorsheim
Sent: Thursday, February 24, 2011 1:35 AM
To: focus-ms
Subject: RE: Bitlocker without PIN

"Transparent" Bitlocker with TPM and direct boot to Windows Logon is not a good 
idea in terms of security.

At the Passwords^10 conference in Dec 2010, Passware revealed their newest 
version of their forensic toolkit. You probably want to see that:
ftp://ftp.ii.uib.no/pub/passwords10/

Using Passware Forensic Toolkit you can extract the bitlocker key using live 
memory dumping through Firewire (either by using an existing Firewire port, or 
by inserting a PCMCIA/ExpressCard Firewire card). No need to logon to Windows 
there...

Depending on your configuration, the hibernation file may be unencrypted. This 
can then be extracted from the disk and analyzed to get the bitlocker 
decryption key as well.

Lessons learned:
1. Superglue for your Firewire and PCMCIA/ExpressCard ports
2. Do not allow hibernation mode OR encrypt the hibernation file as well
3. Always use Pre-Boot Authentication (PBA) in some form (pin, password, 
smartcard..)

--
Best regards,
Per Thorsheim
securitynirvana.blogspot.com




On Wed, 2011-02-23 at 21:45 +0000, Alexander Kurt Keller wrote:
> Speaking as an individual and not representing my institution. If you can 
> handle the support overhead I would require the PIN or physical key in 
> addition to the transparent TPM key for added protection.
>
> Re: What happens if he boots with a linux live CD/USB? Can he decrypt the 
> drive? The key is stored in the TPM. Does linux have access to the TPM?
>
> No. This is not a viable attack, these links explain in a nutshell how TPM 
> works:
> http://windows.microsoft.com/en-US/windows-vista/BitLocker-Drive-Encryption-Overview
> http://geekswithblogs.net/sdorman/archive/2006/07/04/84045.aspx
>
> There are a number of viable attacks (and plenty more theoretical attacks) 
> against all types of full drive encryption, including BitLocker, but it is 
> not as trivial as using a Linux bootdisk.
>
> Re: We are just not sure if the extra security worths having the users to 
> type 2 passwords to boot a laptop.
>
> If the attacker can gain physical access to the computer, and it uses TPM and 
> boots straight to Windows, then they could attack the computer at the network 
> layer and at the console, or via one of the more advanced hardware attacks 
> (chip cooling, hibernation file excavation, etc.). Requiring a PIN at boot 
> adds an extra layer of protection before the OS starts.
>
> It comes down to a risk analysis of your environment and what you are trying 
> to protect. For my laptop I use TrueCrypt (which by design requires a PIN) 
> because it is a transient computer at risk for theft and contains information 
> that could be leveraged in an attack against our infrastructure. Furthermore, 
> I use KeePass to encrypt all passwords, and AxCrypt for all sensitive 
> documents, which offers a second layer of protection should the computer be 
> compromised while it is booted.
>
> It should be pointed out that BitLocker/TrueCrypt/EFS/etc. will do little or 
> nothing to stop an attack inbound from the network or malicious code that has 
> been allowed to execute on the running OS.
>
> Best,
> alex
>
>
> Alex Keller
> Systems Administrator
> Academic Technology, San Francisco State University
> Office: Burk Hall 153 Phone: (415)338-6117 Email: [email protected]
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Shang Tsung
> Sent: Thursday, February 17, 2011 3:07 AM
> To: [email protected]
> Subject: Bitlocker without PIN
>
> Hello all,
>
> We are in the process of setting up Bitlocker on our laptops for OS 
> encryption and we are wondering if we should set up a PIN or not. If we do 
> not, the attacker can get to the Windows login screen, but this is where he will 
> stop.
>
> What happens if he boots with a linux live CD/USB? Can he decrypt the drive? 
> The key is stored in the TPM. Does linux have access to the TPM?
>
> We are just not sure if the extra security is worth having the users type 2 
> passwords to boot a laptop.
>
> ST
