What is the point of Bitlocker on a laptop with NVMe drive?  


  1. Posts : 1,712
    Windows 10 Pro
       #1

    What is the point of Bitlocker on a laptop with NVMe drive?


    I just noticed that the Lenovo 14s laptop I bought last October has my C, D, and D drive partitions all encrypted with Bitlocker. This system is running Win 10, 22H2. To be clear, I never installed Bitlocker, and I'm concerned that if the system dies, and I need to move the NVMe drive to another system, the drive will be unreadable.

    If someone steals my system, then it's easy to reset the Windows password. I had to do that once when I needed to log into the laptops of a relative who passed away. If someone can reset my Windows password, what protection does Bitlocker provide?

    Am I missing something here?


  2. Posts : 594
    Windows 7
       #2

    Someone can remove your non-BitLocker drive, mount it on another system and have full access to files. Or they can boot from USB into a recovery environment, and run tools. If you've used EFS, the security certificate can be recovered from the mounted system to speed up decryption.

    If a normal thief steals your system, your data is essentially unrecoverable. All they can do is erase the disk.

    Before you migrate to another PC, back up the BitLocker recovery key(s) to a USB drive or a printed file. When you boot from the new system, the boot menu will ask for the USB drive, or for you to type the recovery key.

    Backup BitLocker Recovery Key in Windows 10
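
The recovery-key backup advised in the post above, done from an elevated PowerShell prompt with the built-in BitLocker cmdlets. This is an added example, not part of the original post; `$BackupDir` and the output file naming are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: report BitLocker state per volume and export recovery passwords.
# $BackupDir is a hypothetical path; use removable media or a network share.
param(
    [string]$BackupDir = 'E:\BitLockerKeys'
)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$volumes = Get-BitLockerVolume

# A recovery key stored on a volume it unlocks is useless once that volume is locked.
$targetDrive = (Get-Item $BackupDir).PSDrive.Name + ':'
$target = $volumes | Where-Object MountPoint -eq $targetDrive
if ($target -and $target.VolumeStatus -ne 'FullyDecrypted') {
    Write-Warning "$targetDrive is itself BitLocker-encrypted; copy the key files elsewhere too."
}

foreach ($vol in $volumes) {
    '{0}  status={1}  protection={2}  encrypted={3}%' -f `
        $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionPercentage

    if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }

    # The 48-digit recovery password is the protector that works on another PC;
    # a TPM protector is bound to the original machine.
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($recovery.Count -eq 0) {
        Write-Warning "$($vol.MountPoint) has no recovery password protector; adding one."
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $recovery = @((Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }

    $name = '{0}-{1}.txt' -f $env:COMPUTERNAME, ($vol.MountPoint -replace '[:\\]', '')
    $file = Join-Path $BackupDir $name
    $recovery | ForEach-Object {
        'Volume: {0}  ProtectorId: {1}  RecoveryPassword: {2}' -f `
            $vol.MountPoint, $_.KeyProtectorId, $_.RecoveryPassword
    } | Set-Content -Path $file -Encoding ASCII
    "  recovery password(s) written to $file"
}
```

The protector ID in each file is what the recovery screen displays, so it identifies which saved password belongs to which volume.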


  3. Posts : 16,201
    Windows 10 Home x64 Version 22H2 Build 19045.3693
       #3

    x509 said:
    What is the point of Bitlocker on a laptop with NVMe drive?
    Why do you think the type of disk is significant?

    x509 said:
    I just noticed that the Lenovo 14s laptop I bought last October has my C, D, and D drive partitions all encrypted with Bitlocker.
    Why do you think they are encrypted with BitLocker?


    Denis


  4. Posts : 15,081
    Windows10
       #4

    x509 said:
    I just noticed that the Lenovo 14s laptop I bought last October has my C, D, and D drive partitions all encrypted with Bitlocker. This system is running Win 10, 22H2. To be clear, I never installed Bitlocker, and I'm concerned that if the system dies, and I need to move the NVMe drive to another system, the drive will be unreadable.

    If someone steals my system, then it's easy to reset the Windows password. I had to do that once when I needed to log into the laptops of a relative who passed away. If someone can reset my Windows password, what protection does Bitlocker provide?

    Am I missing something here?


    I think you are on Home (10S is only for Home)

    Assuming you are on Home, you are using Device Encryption, which is a cut-down version of BitLocker that only works if you have a TPM and Modern Standby (most new laptops do).

    Device Encryption encrypts all drives but stores passwords in the TPM. Pretty sure you do not get an option to back up elsewhere, or an option to select which drives to encrypt.

    It is a bit debatable how useful Device Encryption is, but it does give some protection, e.g. if the laptop is stolen, and you have a secure login password, the hacker can only get access to the drives once they have hacked the login. The crucial difference is the hacker cannot simply remove the drive to examine the contents on another PC.

    So yeah - your concern is valid - if laptop dies, the nvme drive would not be readable on new device - you would have to reformat it.

    So where does this leave you?

    1) You can turn off Device Encryption fully - if you use the laptop at home and never take it anywhere, the risk of theft is much lower (most thefts are by opportunists, e.g. you are at a train station or in a pub/cafe, and somebody sees it unattended for a few moments).

    2) You can turn Device Encryption off periodically, and make system image and data backups to an unencrypted external drive (but of course that could get stolen). I would advise backing up critical data to OneDrive, Dropbox, Google Drive or similar if you go down this route.

    Obviously, same as a laptop theft, there is less risk of theft if you do not carry an unencrypted external drive out and about.

    3) Use 3rd-party encryption tools instead, e.g. VeraCrypt

    In the end, only you can decide what level of encryption you need.

    I advise using an MS Account with secure password and login PIN as a minimum.


  5. Posts : 15,081
    Windows10
       #5

    Try3 said:
    Why do you think the type of disk is significant?


    Why do you think they are encrypted with BitLocker?


    Denis
    OP is on 10S, which is Home - it will be using Device Encryption, not full BitLocker.

    A lot of new Home laptops with TPM and Modern Standby (most these days) come with Windows pre-installed and Device Encryption enabled by default.

    Device Encryption is, as I am sure you know, a cut-down version of BitLocker and is essentially all or nothing, i.e. all drives are encrypted (Device Encryption enabled) or unencrypted (Device Encryption enabled).

    It is not like full BitLocker, where you can choose which ones to bitlock.


  6. Posts : 1,712
    Windows 10 Pro
    Thread Starter
       #6

    Actually my laptop runs Windows PRO.

    - - - Updated - - -

    garlin said:
    Someone can remove your non-BitLocker drive, mount it on another system and have full access to files. Or they can boot from USB into a recovery environment, and run tools. If you've used EFS, the security certificate can be recovered from the mounted system to speed up decryption.


    If a normal thief steals your system, your data is essentially unrecoverable. All they can do is erase the disk.
    I understand that, and until last year, I would have believed that physical access of a laptop alone does not allow file access, because the bad guy doesn't know my password.

    THEN I discovered just how easy it is with the proper utility to reset a Windows 10 password. Considering what I thought of the individual whose laptops I needed access to, my new password was "schmuck."

    This same individual also had Win XP and Vista laptops. For those systems, I was not able to recover passwords, so I just removed the hard drives and could access data files. However, I could not run programs on those systems.


    Before you migrate to another PC, back up the BitLocker recovery key(s) to a USB drive or a printed file. When you boot from the new system, the boot menu will ask for the USB drive, or for you to type the recovery key.

    Backup BitLocker Recovery Key in Windows 10


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
