BitLocker Basic Questions (Version 1909)

I was wondering if BitLocker has been activated on the C drive and on the D drive (which is my data drive) is there any security reason for having an additional Windows operating system password? i.e.

(1) For BitLocker boot entry (C drive)
(2) For Windows operating system (non-BitLocker password)
(3) For D Drive (data)

Also has BitLocker ever created unrecoverable errors due to disk faults or moving a storage drive to another computer or an external caddy?

I guess the whole point in BitLocker is to have additional security so that if your storage drive is stolen or accessed, no data can be read, written or copied from it.

You can require a password to be entered before the system will even boot into Windows or a physical security device such as a USB flash drive, or best of all, a TPM module, but even then, much of Windows security relies upon account authentication. Most notably, you still would want your network connections secured so an account password is still important.

As for bitlocker actually being at fault for disk faults - I've never encountered this. Just make sure to store your bitlocker recovery key in a safe place if you plan to move your drive to another system.

Your assessment is correct - typically an account password would prevent someone from accessing your computer data via the network or by preventing them from simply logging into your system. But, if someone were to steal the HD and attach it to another machine, data can be read from the drive. So bitlocker addresses the physical access problem.

Here is a good article that has more information:

https://docs.microsoft.com/en-us/win...iew-windows-10

... and a tutorial to get you started:

Lock BitLocker Encrypted Drive in Windows

NOTE: There are several good tutorials related to various aspects of bitlocker. Just search on "bitlocker" in tutorials and you will find them.

Many thanks for your reply.

It makes sense in this day and age to encrypt storage drives if possible. I was actually wondering if an encrypted drive prevents hackers accessing operating system files and data, when the computer is connected to the internet?

I know I had to 'Allow BitLocker without a compatible TPM' in gpedit.msc on this computer (which is nine years old) otherwise BitLocker would not start encrypting. I guess if there is no TPM in the computer's hardware there is less security encryption wise?

From my understanding (if I am correct...) if BitLocker is installed with a TPM (in other words where there is a TPM chip on the motherboard) it would not be possible to remove and access the storage drive data externally through another computer even with BitLocker recovery keys?

It makes sense to keep the Windows password as you mentioned. I guess it would also make sense to have a different password for both Windows and BitLocker. If you wanted to be really pedantic then have three different passwords for BitLocker C drive, BitLocker D drive and Windows.

It's good to hear that BitLocker is a stable platform. I will definitely read up more about it in detail when I get the time...

@meridius,

Bitlocker does not really do anything to protect network connections. Once the bitlocker volume is unlocked, be that via password, TPM, etc., communications via network don't know that bitlocker is even there. Bitlocker transparently handles the encryption and decryption as the filesystem is accessed.

I wouldn't say that operating without a TPM is less secure in general. It just means that you need another trusted method of unlocking the the drive such as password, USB key, etc. The nice thing is that with a TPM it is completely transparent to you, you don't have to enter a special password, provide a key, etc.

However, even with a TPM you can still recover data if the drive is moved to another system, you will simply need your recovery key. Otherwise, what would you do if your TPM or motherboard died? You would be stuck with no means of recovery (other than backups). That would not be good.

BTW, I use bitlocker on all my systems and have been for years. I have never ever had a single issue other than one disk imaging program that didn't understand how to do an image of a bitlocker encrypted volume. Granted, my sample size is small, but take it for what it is worth.

Many thanks. That's a lot more essential information which helps me to begin to understand BitLocker.

However, even with a TPM you can still recover data if the drive is moved to another system, you will simply need your recovery key. Otherwise, what would you do if your TPM or motherboard died? You would be stuck with no means of recovery (other than backups). That would not be good.

This is good to know as an article I read online seemed to suggest otherwise: What is a TPM, and Why Does Windows Need One For Disk Encryption? unless I have misunderstood it or what was written was taken out of context...

This means an attacker can’t just remove the drive from the computer and attempt to access its files elsewhere.

I noticed that boot on my computer is slower and possibly some decrypt/encrypt operations may slow down processes but it's a price worth paying.

There is so much of our data floating around now and especially in the cloud I think encrypting our storage drives should be standard procedure.

Technically, that article is correct. Someone cannot take that drive and read it in any other system - unless of course they obtain the recovery key from you. I think that the article is assuming that you are not going to do something as foolish as slapping a sticker with the recovery key on the back of your computer

Well, there may be a small minority of people who have done that, but then it's probably the same people that keep their house door open, leave personal information on computers in internet cafes and put all their life savings in the name of someone else...

meridius said:

There is so much of our data floating around now and especially in the cloud I think encrypting our storage drives should be standard procedure.

Not necessarily. Use of BitLocker or other systems of disk encryption creates its own problems. For one thing, it complicates the management of backup images.

If sensitive user data is not kept in the OS partition but in other partitions, it´s not necessary to encrypt the OS partition. The sensitive data can be protected using encrypted containers, which are much more flexible and easier to manage.

If sensitive user data is not kept in the OS partition but in other partitions, it´s not necessary to encrypt the OS partition. The sensitive data can be protected using encrypted containers, which are much more flexible and easier to manage.

Can you specify alternatives i.e. for encrypted containers?...

I would have thought it is important to protect the C Drive through encryption because the operating system drive is important for the functionality of the computer. There may be some sensitive information stored in apps and in temp files (if these are not cleared out).

If my storage drive was stolen why would I surely not wish my operating system partition to be as encrypted as my data partition...

Not necessarily. Use of BitLocker or other systems of disk encryption creates its own problems. For one thing, it complicates the management of backup images.

I don't know about backup images and BitLocker but Acronis seems to support it: Acronis True Image and BitLocker FAQ | Knowledge Base

My 2 cents on the latest discussion:

1) The only backup software that I've encountered so far that doesn't handle bitlocker is Active@ Disk Image. There may be others, but programs that I have used personally that work perfectly include:

The entire line of Acronis products (consumer and business)
Veritas System Recovery
Macrium Reflect
O+O Software Disk Image

As for whether to use encryption or not on your OS drive, it all depends upon what you store on your OS drive. If you keep all your important data on another drive, then there may be no need to encrypt the drive. For something like a laptop where you may only have a single drive letter, it makes a lot of sense.

I know that some people use encrypted containers, and that's a preference. For me personally, I like bitlocker because I don't have to worry about storing important stuff in some container. No matter on my HD it is located, it is protected. But again, it's largely a preference thing.

It's also completely transparent to me. I don't even know that bitlocker is there unless I go looking for it and even with encryption I still get data transfer rates on my notebook in excess of 3,000 MB/s (yes, I have a fast NVMe SSD).