Some general questions about Bitlocker

pokeefe0001 · 04 May 2021

Today I was told I should look into Bitlocker so I'm trying to determine if it fits my needs and can be implemented without too much pain.

I currently have a 20GB VeraCrypt "container" on a NAS drive. A script commands VeraCrypt to mount this as a specific drive letter (which it does when given the password). Another script commands VeraCrypt to unmount it. The file / drive can be mounted to any of 4 computers, but only one at a time. When not mounted this Veracrypt container can be backed up and restored.

Today I read that a VHD / VHDX "disk" can be encrypted by Bitlocker. I guess that could serve my purposes if the underlying file can be on a NAS drive. Can it?

Is the password requested whenever the VHD is mounted?

Only one of my 4 computers has a TMP chip. I'm very unclear how Bitlocker works when TMP is not available. Most of what I've read seems to assume the computer's system disk is encrypted which is not the case for me. Do the encryption keys (or whatever is stored in the TMP) have to be available at boot time or only when the encrypted drive is mounted? And does this encryption data have to be on an external device like a USB memory stick? (Since one of my computers is accessed almost exclusively via Remote Desktop I would need to have this USB device permanently mounted.)

My gut feeling is that Bitlocker may be overkill here. I'm just trying to keep some data from casual prying eyes, not protecting national security information.

sygnus21 · 05 May 2021

I use BitLocker, but I can't answer your VHD question as I don't used VHD. Anyway...

BitLocker frequently asked questions (FAQ)

And I'm assuming you mean TPM (Trusted Platform Module). Not TMP. Anyway - BitLocker overview

Steve C · 05 May 2021

I use a VHD protected by bitlocker. See Create BitLocker Encrypted Container File with VHD or VHDX in Windows

sygnus21 · 05 May 2021

Thanks Steve, forgot about that tutorial

pokeefe0001 · 06 May 2021

sygnus21 said:

... And I'm assuming you mean TPM (Trusted Platform Module). Not TMP. Anyway - BitLocker overview

Dyslexia strikes again. Yes, I meant TPM.

Upon reading the overview again, and comparing it with the VHD / VHDX tutorial pointed to by Steve C, I'm pretty sure my worry about the USB key for systems without TPM applies only to encrypted system drives. I think I'll give VHDX a try.

- - - Updated - - -

One more necessary requirement I need addressed if I'm to switch from VeraCrypt to the combination of VHDX and Bitlocker: I need the VHD to be "ejected" (or have Bitlocker stop decrypting it) after a period of inactivity, when the computer enters a low-power state, when the user logs off or locks the computer, etc. These are configuration options of VeraCrypt that I use (although I'm not sure the inactivity option works).