Excellent reply, thank you for this!

PGP Whole Disk Encryption works much the same way, as do most other disk 
encryption schemes, right? We had the same usability/protection decisions to 
make when we deployed PGP WDE, and we see the same sleep/hibernate questions as 
well.

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 503.548.5229 // (Cell) 503.267.9764


-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of [email protected]
Sent: Thursday, February 24, 2011 1:44 PM
To: Thor (Hammer of God); Per Thorsheim; focus-ms
Subject: RE: Bitlocker without PIN

Shang,

Your question has triggered a healthy discussion.  I want to start by saying 
that I work for Microsoft.  I am by no means an experienced security analyst, I 
am a Technical Professional that has had numerous conversations with customers 
and partners around disk encryption.  Let me start by directly answering your 
questions:

First, let us assume we are protecting our data from a thief who is going to 
steal our laptop.  In my mind, it's very important that we focus on the type of 
threat we are trying to mitigate.  More on this below...

1.> We are in the process of setting up BitLocker on our laptops for OS 
encryption and we are wondering if we should set up a PIN or not. If we do not, 
the attacker can get to the Windows login screen, but this is where he will stop.

You are correct, BitLocker is designed to protect your OS and data from offline 
attacks when it is implemented properly.  Once Windows is up and running, 
BitLocker does not do anything to protect the computer from network or user 
based attacks.  Once Windows has booted, Windows trusts the password complexity 
to prevent the thief from logging into Windows.  Any user that has a valid 
username and password will have access to the BitLocker encrypted OS and data.  
Again, BitLocker is to prevent offline attacks.  
 
2.> What happens if he boots with a Linux live CD/USB? Can he decrypt the 
drive? The key is stored in the TPM. Does Linux have access to the TPM?

This is the offline attack scenario, and right up BitLocker's alley!  The drives 
protected with BitLocker are encrypted on the disk.  Any other OS instance 
(including other Windows installations) can see the BitLocker partitions, but 
they are unreadable.  These other OS instances "see" these partitions as either 
1) encrypted partitions, 2) unusable partitions, or 3) unused space.  Another 
OS could delete or reformat BitLocker volumes.

The value the TPM brings is that the TPM chip "uniquely pairs" to your unique 
installation of Windows.  If the user boots from any other OS, even another 
copy of Windows, that "other instance" is foreign to the TPM; hence the TPM 
will not share the information that is needed to read the BitLockered drive(s). 
TPM is built to do a very good job of 
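The "unique pairing" described in the quoted reply is the TPM sealing the volume key to a particular set of boot measurements (PCR values), and the PIN question from the top of the thread is whether that policy should also require a secret the user types. The following toy model is an added illustration, not code from this thread, from Microsoft, or from any real TPM stack: the boot component names, the 32-byte "volume master key", the PIN value and the XOR-with-keystream "encryption" inside ToyTPM are all constructed stand-ins chosen so the behaviour is visible offline. It shows that a key sealed TPM-only is released whenever the same, unmodified Windows boot chain runs (which is why the thief reaches the logon screen), that a live-CD boot chain produces different measurements and gets nothing, and that adding a PIN to the policy stops release even on the unmodified boot chain.

```python
"""Toy model of a TPM protector: a key is released only when the boot
measurements (and, optionally, a PIN) match the policy it was sealed under.
Added illustration; all names and values below are constructed."""
import hashlib
import hmac
import os
from typing import List, Optional


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend as a TPM does it: new = SHA-256(old || SHA-256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components: List[bytes]) -> bytes:
    """Chain the measurements of each boot component into one PCR value.
    Changing any component, or its order, changes the final value."""
    pcr = bytes(32)
    for component in components:
        pcr = extend(pcr, component)
    return pcr


class ToyTPM:
    """Minimal stand-in for a TPM: a device-bound secret plus seal/unseal.
    Real TPMs use proper authenticated encryption; the XOR keystream here
    is only to keep the example self-contained."""

    def __init__(self) -> None:
        self._root = os.urandom(32)  # stand-in for a key that never leaves the chip

    def _policy_key(self, pcr: bytes, pin: Optional[str]) -> bytes:
        # The unwrap key depends on the chip secret, the PCR value and the PIN
        # (empty PIN for TPM-only), so any mismatch yields a different key.
        pin_digest = hashlib.sha256((pin or "").encode()).digest()
        return hmac.new(self._root, pcr + pin_digest, hashlib.sha256).digest()

    def seal(self, secret: bytes, pcr: bytes, pin: Optional[str] = None) -> bytes:
        key = self._policy_key(pcr, pin)
        stream = hmac.new(key, b"stream", hashlib.sha256).digest()
        ciphertext = bytes(a ^ b for a, b in zip(secret, stream))
        tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
        return ciphertext + tag

    def unseal(self, blob: bytes, pcr: bytes, pin: Optional[str] = None) -> Optional[bytes]:
        key = self._policy_key(pcr, pin)
        ciphertext, tag = blob[:32], blob[32:]
        expected = hmac.new(key, ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None  # policy mismatch: the TPM refuses to release the key
        stream = hmac.new(key, b"stream", hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(ciphertext, stream))


# Constructed boot chains (names are illustrative, not real measurements).
WINDOWS_BOOT = [b"uefi-firmware", b"bootmgfw", b"winload"]
LINUX_LIVE_BOOT = [b"uefi-firmware", b"grub", b"vmlinuz-live"]


def tpm_only_scenario() -> dict:
    """Key sealed to the Windows boot chain only (no PIN)."""
    tpm = ToyTPM()
    vmk = os.urandom(32)  # constructed volume master key
    blob = tpm.seal(vmk, measure_boot(WINDOWS_BOOT))
    return {
        "same_windows_boot_unseals": tpm.unseal(blob, measure_boot(WINDOWS_BOOT)) == vmk,
        "live_cd_boot_unseals": tpm.unseal(blob, measure_boot(LINUX_LIVE_BOOT)) == vmk,
    }


def tpm_plus_pin_scenario(pin: str = "4821") -> dict:
    """Key sealed to the Windows boot chain plus a PIN (constructed value)."""
    tpm = ToyTPM()
    vmk = os.urandom(32)
    blob = tpm.seal(vmk, measure_boot(WINDOWS_BOOT), pin)
    return {
        "windows_boot_no_pin_unseals": tpm.unseal(blob, measure_boot(WINDOWS_BOOT)) == vmk,
        "windows_boot_with_pin_unseals": tpm.unseal(blob, measure_boot(WINDOWS_BOOT), pin) == vmk,
        "live_cd_with_pin_unseals": tpm.unseal(blob, measure_boot(LINUX_LIVE_BOOT), pin) == vmk,
    }


if __name__ == "__main__":
    print("TPM only:", tpm_only_scenario())
    print("TPM + PIN:", tpm_plus_pin_scenario())
```

The design point to take from the model: in the TPM-only case the policy is satisfied by the hardware and the boot path alone, so the unseal succeeds on every normal boot, which gives the convenience the thread discusses but also means the thief who powers on the stolen laptop gets as far as the Windows logon prompt. Adding the PIN puts something into the policy that is not stored on the device, so the same boot path without the PIN yields nothing.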