Laptop Security Encryption

Page 5 of 6

  1. Posts : 1,077
    Windows 10
    Thread Starter
       #41

    @lx07


    Wait a minute. So basically if someone gets into your laptop, they have all your passwords? So basically if someone knew your windows 10 pin... you are screwed then? Make sure you use keepass. I don't know how I would do passwords without it.


    No you can't do that which is why I don't use a bitlocker PIN. If you have a bitlocker pin you must physically enter it at the actual machine to unlock your boot drive. You can't do it remotely. If you unlock with TPM by the time the boot process gets to the login screen then Remote Desktop is working and you can enter your Windows password from another PC (note not your Windows PIN - it doesn't work remotely).


    Can you explain the 2nd part of this? I'm confused what you mean by this. So you like to remotely access your laptop while somewhere else?



    That is right. If you want a bitlocker PIN just run manage-bde -protectors -add c: -tpmandpin - you don't need to undo anything with your existing set-up first.

    Similarly you can also change or remove the pin using manage-bde -changepin c: or manage-bde -protectors -delete c: -type tpmandpin without decrypting or pausing bitlocker.

    See here : manage-bde protectors | Microsoft Docs



    Okay but don't i need to make changes to group settings first?


    The person who helped me set up bitlocker with tpm in the first place tells me this when I said how do I set up bitlocker pin now without going through the whole process again. He says


    1. Enable strong PIN via group policy:
    Enable or Disable Enhanced PINs for BitLocker Startup in Windows 10

    2. Enable Bitlocker PIN by following this guide:
    https://www.howtogeek.com/262720/how...in-on-windows/


    I explained my security measures, my threat model, and arguments behind both. I explained pros and cons of other security measures, notably Bitlocker PIN that you are willing to implement, and what additional measures you need to take to make them work as intended and actually improve your security, particularly:
    * disable sleep and never use lock so that your Bitlocker with PIN setup is actually more secure than Bitlocker TPM auto-unlock I use;
    * protect BIOS from casual low-skilled attacker that can wreak havoc if you don't, and increase time and effort required from skilled hacker to perform the attack.

    I also noted that you shouldn't blindly follow someone's threat model - including mine. My security measures may be imperfect from someone's point of view but they work for me, allowing to achieve reasonable compromise between security and usability. I couldn't care less what the other guy on the forum has to say about them, I never asked his opinion or advice.

    In all honesty I believe the information and additional links in this thread are enough to decide what exactly you want to implement. Maybe re-read it from the beginning to refresh and systematize the information?


    So I don't need to do those 2 steps first and can I just do what you suggested? Because when I was initially setting bitlocker up, I know when you set up bitlocker with pin... you had to do that group policy setting change...


    * disable sleep and never use lock so that your Bitlocker with PIN setup is actually more secure than Bitlocker TPM auto-unlock I use;


    So this guy is telling me to never lock? Is he referring to something else? Because I mentioned to you I want to lock it so to speak when I'm out of the apartment for a short while and come back. You said what I said is correct... start and then lock. Then when I come back enter password and computer is unlocked. But he says don't unlock it?


    If your Windows PIN is locked you can sign on using your password instead (or fingerprint if you have a fingerprint reader). To allow PIN logon again you just need to reboot the PC.


    So whether its a windows pin or bitlocker pin, after x attempts it gets locked? Do you know how many there are? But if your bitlocker pin gets locked... how do you access it? I assume the bitlocker recovery code?


    That wouldn't work at all. If you have your recovery key stored on your PC (whether in KeePass or a text document) and you need it to unlock your PC you are out of luck. You can't unlock your PC because you don't know your recovery key and your recovery key is stored on the PC you need the recovery key to unlock. Definitely don't do that!

    You could keep it on another PC and put it in KeePass, or write it on a piece of paper and keep that in a safe. I keep mine on OneDrive and also on a USB key kept separate from PC.


    Hi there. I think I might have confused you with this. I meant the only way for someone to get into your computer is your windows 10 pin right? And let's say you added a bitlocker pin as well... they need both bitlocker pin and windows 10 pin right? I have keepass on my computer. I also have a backup copy of it on a usb flash drive. I also put a copy of it on google drive.


    Now i know ppl say that is bad... but in order for them to open my keepass...

    1. They need to first get into my gmail password

    2. They need to know the master password


    So isn't that hard enough? Now if your computer is compromised with malware/keylogger i know you are screwed.


    So you could access your keepass file in another computer or phone if anything happens to your computer as long as you have access to your google drive account. The thing is i have a backup of keepass on a usb drive but i always felt you need an online backup... in case something physically happens to your computer or hard drive. Do you agree/disagree on this? Lot of ppl disagree on it and i think if you don't have an online backup, you are screwed. Now if you put it say in a bank deposit box a usb drive, sure that would work.


  2. Posts : 1,077
    Windows 10
    Thread Starter
       #42

    Wanted to also add. Do you update your bios and is it always updated? Someone told me to check my bios and this is what i got for my dell xps 15 9550

    Bios Version/Date Dell Inc. 01.00.07, 11/2/2015
    SMBIOS Version 2.8
    Embedded Controller Version 255.255



    Someone mentioned my bios is from the Middle Ages...


    Do you by any chance know if this could affect not only my security... but my battery as well?


  3. Posts : 1,077
    Windows 10
    Thread Starter
       #43

    @lx07


    That is right. If you want a bitlocker PIN just run
    manage-bde -protectors -add c: -tpmandpin - you don't need to undo anything with your existing set-up first.


    Similarly you can also change or remove the pin using manage-bde -changepin c: or manage-bde -protectors -delete c: -type tpmandpin without decrypting or pausing bitlocker.

    See here : manage-bde protectors | Microsoft Docs



    I'm going to do this right now. So after i type it in


    manage-bde -protectors -add c: -TPMAndPIN

    I get message


    Error: An attempt to access a required resource was denied.


    Check that you have administrative rights on your computer. Does it have to do with how many spaces i leave after certain words? I did leave one space and even 2 space after the colon but i still get this error message. I did not leave any space between the user name and typing in manage. Thus when i entered command prompt... i started typing manage. Every word after that... i left one space.


    Am I typing it wrong?

  4. lx07
    Posts : 5,479
    2004
       #44

    use administrator command prompt


  5. Posts : 1,077
    Windows 10
    Thread Starter
       #45

    @lx07


    I did this.

    I just put in my bitlocker pin. Put it once and then again to confirm. What i noticed was it didn't seem to show any spaces such as say you type a few numbers or letters when you want to check it so to speak.


    After i did this,


    It shows


    Key protectors added

    tpm and pin

    ID: A very long mix of letters and numbers.
    PCR Validation Profile:
    number, number, number


    Key Protector with ID Very long mix of letters and numbers was deleted


    Do I need to write down the id and pcr validation profile or copy it or this is nothing?




  6. Posts : 1,077
    Windows 10
    Thread Starter
       #46

    When i type in manage-bde -status it shows this


    Volume E: New Volume
    Data Volume
    Size: 29.282gb
    Bitlocker version: None
    Conversion Status: Fully Decrypted
    Percentage Encrypted: 0%
    Encryption Method: None
    Protection Status: Protection Off
    Lock Status: Unlocked
    Identification Field: None
    Automatic Unlock: Disabled
    Key Protectors: None Found




    Volume C:OS Volume
    Size: 232GB
    Bitlocker version: 2.0
    Conversion Status: Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method: XTS-AES 128
    Protection Status: Protection On
    Lock Status: Unlocked
    Identification Field: Unknown
    Key Protectors:
    Numerical Password:
    TPM and PIN


    So that mean everything here looks good right? There seems to be nothing showing next to numerical password and the tpm and pin right?


    So right now close this command prompt.



    Click restart computer... then it will have that message enter your bitlocker pin.


    Then i enter it... then it goes straight to win10 screen, type win10 password... and thats all correct?


    I'm going to not close the Select Administrator: Command Prompt until I make sure of all this.


  7. Posts : 1,077
    Windows 10
    Thread Starter
       #47

    Can anyone here confirm what I did here is correct when setting up the bitlocker pin?

    Do i need to copy the

    Key protectors added

    tpm and pin

    ID: A very long mix of letters and numbers.
    PCR Validation Profile:
    number, number, number


    Key Protector with ID Very long mix of letters and numbers was deleted




    The power in my apartment and my area just went out so we don't have electricity at the moment. And i don't want to close the command prompt screen yet until im sure. Can someone here confirm this?


  8. Posts : 1,077
    Windows 10
    Thread Starter
       #48

    I shut down computer. Then waited a bit and turned it on. It then ask me for my bitlocker pin on the screen... i typed it in and then it goes to win10 screen and now log into with win10 password.


    I'm curious but if someone were to try to enter the bitlocker pin... they don't have a clue if it's just numbers or letters or mix of both right?


    Also its very easy to disable this bitlocker pin or change it to another one? I like this bitlocker message asking for the pin. Seems much more secure than it going straight to win10 password screen.

  9. lx07
    Posts : 5,479
    2004
       #49

    paulyjustin said:
    Also its very easy to disable this bitlocker pin or change it to another one? I like this bitlocker message asking for the pin.
    Good news

    Yes it is easy to change.

    You can see what protectors are defined :
    manage-bde -protectors -get c:
    change the pin :
    manage-bde -changepin c:
    or delete it :
    manage-bde -protectors -delete c: -type tpmandpin

    Don't bother writing down the details - you only need the recovery key.
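
The status checks asked about in posts #46 to #49, as an added PowerShell example that is not part of any poster's reply. It uses the built-in Get-BitLockerVolume cmdlet rather than manage-bde, and the function name Test-BitLockerPinSetup is made up for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: audit the OS volume after adding a TPM+PIN protector.
# Test-BitLockerPinSetup is a hypothetical helper name, not a built-in cmdlet.

function Test-BitLockerPinSetup {
    param([string]$MountPoint = 'C:')

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Each entry is one thing the thread says should be true after the change.
    $checks = [ordered]@{
        'Volume fully encrypted'        = ($vol.VolumeStatus.ToString() -eq 'FullyEncrypted')
        'Protection is on'              = ($vol.ProtectionStatus.ToString() -eq 'On')
        'TPM+PIN protector present'     = ($types -contains 'TpmPin')
        # The recovery password is the only way back in if the PIN is lost.
        'Recovery password present'     = ($types -contains 'RecoveryPassword')
        # A leftover TPM-only protector would still unlock without the PIN.
        'No TPM-only protector remains' = ($types -notcontains 'Tpm')
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Volume = $MountPoint; Check = $name; Passed = $checks[$name] }
    }
}

$results = Test-BitLockerPinSetup -MountPoint 'C:'
$results | Format-Table -AutoSize | Out-Host

if ($results.Passed -contains $false) {
    Write-Warning 'At least one check failed; review the protectors before rebooting.'
}

# Show only the recovery protector ID (not the 48-digit password) so it can be
# matched against the copy stored off the machine.
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Where-Object { $_.KeyProtectorType.ToString() -eq 'RecoveryPassword' } |
    Select-Object KeyProtectorId
```

Run it from an elevated PowerShell window before rebooting; the last command prints the ID to compare with the recovery key backup kept on another device.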


  10. Posts : 1,077
    Windows 10
    Thread Starter
       #50

    @lx07


    Thanks man. Now i feel secure with my laptop. Seems really nice turning it on and having to input a bitlocker pin first before the win10 password.



    One other thing I want to add to this. Is it pretty easy to encrypt my hard drive and usb sticks? I have a few of these. I assume you encrypt all these as well right? Thus if I do this, I would use bitlocker to encrypt it but that would require a pin similar to this? I'm wondering what happens when you connect the external hard drive to your laptop. It asks for the pin? Now what about if I try to connect the external hard drive or usb to say another computer I have...? Does it allow it or not?


    Thus the other worry is well if a hacker has access to my external hard drive and usb sticks, well they could stick it to a laptop... put a virus on it... then say i connect it to my laptop as is... well the malware/keylogger/virus would be there automatically? Or only if i were to open that program in the external hard drive or usb stick? Obviously this would be a much more advanced thing. The other thing though is well if a thief cannot turn on my laptop... well if they have the external hard drive and usb sticks... well they can't stick it in my encrypted laptop right? Thus they either have to have their own with them or put my usb and external hard drive in their computer to do anything to it?


    Could they view my files if they connect my external hard drive and usb stick to their own laptop? This is assuming those documents are encrypted with axcrypt? Now what if I have some programs there that are not encrypted. Let's say I put itunes and a few other programs in my external and usb stick. Could they put a virus in my usb stick or external hard drive... put it back to where it was in my apartment... then I plug it in... then I'm screwed? Or only if I open those programs?


 
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
