Laptop Security Encryption

Page 4 of 6 FirstFirst ... 23456 LastLast

  1. lx07
    Posts : 5,478
    2004
       New #31

    paulyjustin said:
    However, i found out that because i did not secure bios... my computer is not protected right? Thus i have to put a bios password otherwise its useless?
    Wrong - you do not need a BIOS password for your computer to be protected.

    I use TPM to unlock bitlocker and a PIN or fingerprint (in place of Password) to unlock Windows. This is not a BIOS PIN - see here: Add PIN to your Account in Windows 10 | Tutorials

    This is what MS recommend - see: BitLocker Security FAQ (Windows 10) | Microsoft Docs

    paulyjustin said:
    Now here is the other issue. If i do that, is my computer protected or not since there is no password or pin? Again what concerns me most is either theft but more the if someone access my laptop and i do not know, install some malware or keylogger and then i use it as if it was only me who uses it.
    No-one can access your disk without either your bitlocker recovery key or without using your Windows logon credentials. When system drive is encrypted with bitlocker you can't reset Windows password or PIN from boot media so your only risk is leaving it unlocked which applies to any encryption. As such locking your BIOS to stop people changing boot order and booting from USB is pointless as it doesn't help.

    If you want extra security then you can use any or all of of a BIOS password, a harddisk password (if your BIOS supports it), a bitlocker startup password or setting bitlocker to require a USB key or smartcard to be present when booting.

    paulyjustin said:
    Now what if i want to decrypt bitlocker? It took 2 hours or so to encrypt it. Does it take that long to decrypt it? I ask this because i read others say better to use veracrypt for encryption as oppose to bitlocker... thoughts on this?
    I never used veracrypt but as it is software based encryption it will have some effect on battery.

    Microsoft suggest software based bitlocker adds low single digit percentage CPU use but I can't say I ever noticed it. It depends on your setup I imagine but I'd be surprised if veracrypt was more efficient than bitlocker.

    If you want to try vercrypt decrypt (not just disable) bitlocker first. This takes the same time as encrypting more or less.
      My Computer
    Quote Quote

  3. paulyjustin
    Posts : 1,035
    Windows 10
    Thread Starter
       New #32

    @lx07


    Okay so this is very confusing then. I had 2 or 3 different people tell me different things about this. Such as one person said the other guy is wrong... but one person said well the other person is right to a certain extent.



    You say


    Wrong - you do not need a BIOS password for your computer to be protected.

    I use TPM to unlock bitlocker and a PIN or fingerprint (in place of Password) to unlock Windows. This is not a BIOS PIN - see here: Add PIN to your Account in Windows 10 | Tutorials

    This is what MS recommend - see: BitLocker Security FAQ (Windows 10) | Microsoft Docs



    Both of those guys did agree on if you don't have bios secured with a password and disable usb or something like that... then someone could open up your laptop and take out your hard drive and put that hard drive on their computer to view its contents. So that is incorrect? They said if you don't do that, it is not secure... bitlocker or veracrypt won't help. They said if you put a password on bios and secure it... then if they were to take hard drive out and put it on their computer, they can't view it unless they know the password for it. So they are incorrect here?


    Okay so your setup at the moment is this.


    1. No bios password or secured. Thus you didn't do anything with bios whether update or anything like this.


    2. Startup laptop, it ask for a windows pin. So your pin.. you put a combination of numbers and letters right? Why is it called a pin then if you could use both? Then you enter the pin... now you are using your computer right? So basically the setup you have is the same as mine except i am using a windows 10 password as oppose to pin?


    When you say you use tpm to unlock bitlocker, you mean when you turn on your computer, it goes straight to the windows 10 pin or password screen right and there is no bitlocker pin or password you need to enter in order to get to the win10 pin or password screen?



    No-one can access your disk without either your bitlocker recovery key or without using your Windows logon credentials. When system drive is encrypted with bitlocker you can't reset Windows password or PIN from boot media so your only risk is leaving it unlocked which applies to any encryption. As such locking your BIOS to stop people changing boot order and booting from USB is pointless as it doesn't help.

    If you want extra security then you can use any or all of of a BIOS password, a harddisk password (if your BIOS supports it), a bitlocker startup password or setting bitlocker to require a USB key or smartcard to be present when booting.

    So just to confirm. They need either bitlocker recovery key or my windows login pin or windows password right? But they also need my physical computer to do the second part right? Thus having my windows login pin or windows password without my computer is useless? So someone with my bitlocker recovery key could just log into my computer on their own computer with my recovery key?


    Well the IT guy told me your windows 10 password is useless and can be bypassed within 2 minutes. I said but bitlocker encrypt it though. He said well if your bios is not secure with a password, then its completely useless. This is an IT guy so he's wrong here? The other guy who helped me with the process and said do it tpm unlock, he said the win10 password protects you from that. But he also said if you dont have bios secured and disable usb boot, its not secure as a cold boot attack works. But what they both agreed on was if you encrypt bitlocker and secure bios...even if u put tpm unlock that is safe. But the other guy said with a bitlocker pin to boot would be better. When you say only risk is leaving it unlocked, what do you mean by this? You mean if im at a coffee shop and leave my laptop there for a minute and then come back and that would be a threat if someone put a usb malware into my computer within that time frame?
      My Computer
    Quote Quote

  4. paulyjustin
    Posts : 1,035
    Windows 10
    Thread Starter
       New #33

    What do you mean any or all of a bios password? You just mean setup a bios password right? But first make sure you disable bitlocker first before you do this? I was told you have to do this first otherwise you would run into huge issues with the computer right? Well the bitlocker password was what i wanted to do initially. But when i followed the tenforums guide to do this, it asked me for a pin instead. I thought... i dont want to put pin for bitlocker, because its numbers only right? I wanted password but it didnt give me this option. Then the other guy on the other forum said make it simple do tpm unlock and said most ppl do that.


    Do you know if that is true or not? TPM unlock? I thought... how is that safe and the IT guy said the same thing... But thats what you do and you say its safe.


    That guy did say using encryption might affect battery a little. But bitlocker has no affect at all right... only veracrypt? The IT guy told me no encryption affects battery life... he seem pretty confident on this. But now you say it does but only veracrypt... not bitlocker. So its like im getting 3 different type of answers here... I thought something like this when i ask... it would be a crystal simple answer. That is why i was so hesistant doing this in the first place. The IT guy told me go with veracrypt. But i went with bitlocker because someone on another forum was helping me with the process.


    So what do you suggest for me now based on all this based on all this info i gave you?


    As of now... i did not do anything with bios. Whether secure it with password or disable usb boot. Going to bios scares me because im afraid something goes wrong. But you say its good idea but not a must? Both those guys said i had to secure bios with password and disable usb boot.


    So you want me to add a windows 10 pin instead. So you want me to remove the windows10 password? Or could i keep both?


    Do you recommend me going from tpm unlock to either a bitlocker pin or password to boot windows 10? Absolutely not right? Brink the mod on the forum suggested a pin as more security. But its just an extra layer of security? But you have to remember one more password right which is the negative thing? The thing was do you know why when i set up bitlocker, it did not give me option to put password and only pin? And could we use letters? Because i didnt want pin because i thought it ask for 6-20 digits. I thought... someone with my laptop could just type in 80000000, 80000001 and keep going etc... and eventually hit the number right?


    Also there was discussion about your security threat. For example mine is pretty basic... if a thief has access of my laptop and then tries to access my files which is what i don't want... but the bigger threat would be if someone got access to my laptop, gets into it... then installs a trojan/malware/keylogger. Then shuts down my laptop and then leaves. Then i turn on my computer and type in my win10 password and then log into my computer. Then i log into program like lastpass or keepass and email accounts and every keystroke i type and view is recorded by them. Then they could log into my email and lastpass/keepass etc. Thus my computer would be compromised. So if these are my security threats, is what i have at the moment okay? But you suggest putting a pin instead. Im confused how im getting so many different answers from different ppl...
      My Computer
    Quote Quote

  6. lx07
    Posts : 5,478
    2004
       New #34

    paulyjustin said:
    Both of those guys did agree on if you don't have bios secured with a password and disable usb or something like that... then someone could open up your laptop and take out your hard drive and put that hard drive on their computer to view its contents. So that is incorrect?
    That is incorrect.
    paulyjustin said:
    They said if you put a password on bios and secure it... then if they were to take hard drive out and put it on their computer, they can't view it unless they know the password for it. So they are incorrect here?
    That may be correct but it is unclear what you are saying. There seems to be some confusion about which password is which. If you have encrypted a drive you can't take it out and read it without the bitlocker recovery key (for OS drive) or bitlocker password or recovery key (for external drives). It has nothing to do with BIOS password though.

    You do need a password or PIN or some authentication somewhere in the login process - having your boot disk encrypted, unlocked by TPM and then auto-logon to Windows would mean anyone could see your data as long as the drive was in your PC by just booting it up. Again, if the drive was removed it could not be read as the TPM wouldn't unlock it.

    To avoid this you could set a bitlocker PIN, or a firmware password for your hard disk or use Windows login credentials (either Password or PIN). As what I'm protecting against seems to be similar to you (losing my laptop again is my main concern) I use Windows authentication.
    paulyjustin said:
    Okay so your setup at the moment is this.

    1. No bios password or secured. Thus you didn't do anything with bios whether update or anything like this.

    2. Startup laptop, it ask for a windows pin. So your pin.. you put a combination of numbers and letters right? Why is it called a pin then if you could use both? Then you enter the pin... now you are using your computer right? So basically the setup you have is the same as mine except i am using a windows 10 password as oppose to pin?
    Correct. My pin is numeric but can be alphanumeric if you want. I find PIN easier than password and it is more secure in some ways but it is an alternative way of entering your Windows credentials - same as Fingerprint, Face recognition or other Windows Hello login methods. It is actually nothing to do with bitlocker in particular.

    paulyjustin said:
    When you say you use tpm to unlock bitlocker, you mean when you turn on your computer, it goes straight to the windows 10 pin or password screen right and there is no bitlocker pin or password you need to enter in order to get to the win10 pin or password screen?
    Correct.
    paulyjustin said:
    So just to confirm. They need either bitlocker recovery key or my windows login pin or windows password right? But they also need my physical computer to do the second part right? Thus having my windows login pin or windows password without my computer is useless?
    Correct - they need your computer. They can log on remotely using your Windows password (if they know it - I suggest you make it complex) if you have set-up your computer to allow this and it is turned on. You can not log on remotely using PIN or bitlocker recovery key.

    paulyjustin said:
    Well the IT guy told me your windows 10 password is useless and can be bypassed within 2 minutes. I said but bitlocker encrypt it though.
    You are correct, he is wrong. I don't know who said what in what context but while it is trivial to change a Windows password on a non-encrypted drive but if it is encrypted with bitlocker it isn't.

    paulyjustin said:
    When you say only risk is leaving it unlocked, what do you mean by this? You mean if im at a coffee shop and leave my laptop there for a minute and then come back and that would be a threat if someone put a usb malware into my computer within that time frame?
    If you didn't lock the screen then obviously yes - anyone can do what they want to an unlocked computer. Is that the sort of thing you are likely to do? You should take care of your stuff - if I did that where I live it would be stolen in seconds...

    paulyjustin said:
    That guy did say using encryption might affect battery a little. But bitlocker has no affect at all right... only veracrypt? The IT guy told me no encryption affects battery life... he seem pretty confident on this. But now you say it does but only veracrypt... not bitlocker.
    No, I said any software based encryption will affect battery but probably not much. I don't notice it in bitlocker and I've never used veracrypt so can't comment but it must use at least some energy - nothing is free

    paulyjustin said:
    So what do you suggest for me now based on all this based on all this info i gave you? So you want me to add a windows 10 pin instead. So you want me to remove the windows10 password? Or could i keep both?
    I suggest you keep it more or less as you have it set now.

    • Unlock bitlocker with TPM - this will protect you if disk is removed from computer.
    • Use Windows password to unlock. This will protect you while disk is in computer.
    • Optionally set up a Windows PIN as well (it is always in addition to password, not instead - see tutorial above). I find a PIN more convenient than entering a complex password but if you are happy entering password then don't bother.


    I also suggest you check your computer requires log-in after resuming from sleep (it does by default) and that you lock it ( + L) when you leave it unattended.
      My Computer
    Quote Quote

  7. paulyjustin
    Posts : 1,035
    Windows 10
    Thread Starter
       New #35

    That may be correct but it is unclear what you are saying. There seems to be some confusion about which password is which. If you have encrypted a drive you can't take it out and read it without the bitlocker recovery key (for OS drive) or bitlocker password or recovery key (for external drives). It has nothing to do with BIOS password though.

    You do need a password or PIN or some authentication somewhere in the login process - having your boot disk encrypted, unlocked by TPM and then auto-logon to Windows would mean anyone could see your data as long as the drive was in your PC by just booting it up. Again, if the drive was removed it could not be read as the TPM wouldn't unlock it.

    To avoid this you could set a bitlocker PIN, or a firmware password for your hard disk or use Windows login credentials (either Password or PIN). As what I'm protecting against seems to be similar to you (losing my laptop again is my main concern) I use Windows authentication.



    Well at the moment, i turn on my laptop, it goes straight to the windows 10 password screen. So because of that, anyone could see my screen? So my windows 10 password means nothing right? But then you say if the hard drive was removed, it could not be read as tpm can't unlock it. In other words putting hard drive on their computer won't work. But they could view it on my computer because i only have tpm unlocked and only win10 password? Thus if i added a bitlocker pin or password... then im good?


    One person said if you have a bitlocker pin or password to boot, that is good. But you need to secure bios. Both of them mentions bios is absolutely necessary.


    At the moment... i have a windows 10 password. Is that windows login credential? But isn't that useless?
    So the windows password is useless but windows pin is not?


    So the pin you put... couldn't someone type 88888, 88889 etc and eventually get it correct? Or after x attempts, it gets locked?


    Correct - they need your computer. They can log on remotely using your Windows password (if they know it - I suggest you make it complex) if you have set-up your computer to allow this and it is turned on. You can not log on remotely using PIN or bitlocker recovery key.


    When you say they cannot log in remotely using pin.. you mean bitlocker pin or windows10 pin?




    If you didn't lock the screen then obviously yes - anyone can do what they want to an unlocked computer. Is that the sort of thing you are likely to do? You should take care of your stuff - if I did that where I live it would be stolen in seconds...


    The thing is i almost never take out my laptop out in public almost ever. So that is not a concern. But yes i get what you mean if you say you go to a coffeeshop, get your coffee and come back to it. Well someone could steal your laptop during that time or put a usb malware into it. Im much more concerned of the 2nd situation than the 1st. But i would usually not leave my computer unattended. Yes there would a chance its gets stolen pretty quickly. But my threat is not this because well my laptop is in my apartment almost all the time. Again i almost never take it outside ever.


    I suggest you keep it more or less as you have it set now.


    • Unlock bitlocker with TPM - this will protect you if disk is removed from computer.
    • Use Windows password to unlock. This will protect you while disk is in computer.
    • Optionally set up a Windows PIN as well (it is always in addition to password, not instead - see tutorial above). I find a PIN more convenient than entering a complex password but if you are happy entering password then don't bother.



    I also suggest you check your computer requires log-in after resuming from sleep (it does by default) and that you lock it (    + L) when you leave it unattended.


    Okay well i have bitlocker with tpm now. I also have the windows password to unlock. So you have the same thing as me except instead of windows password, you have that windows pin which is all numeric numbers?


    When you say optionally set a windows pin... what do you mean by this? You mean the windows 10 pin? How do you make it only optionally? Im confused what you mean by this. So you are allowed to put a windows 10 password as i do? Or use a pin? Or use a windows 10 password and a windows 10 pin? But when would they ask you for your pin?


    You say check your computer requires log in after resuming from sleep. First off... i am guilty of not doing this. Even though i previously never put a windows 10 password, i didn't like it when i go outside for a bit, come back and computer is sleeping and then i have to press a few buttons to wake it up. Of course i dont have to type in a password since i have no windows 10 password. But now... always do this since if im outside my apartment for a bit and my laptop is on, well someone can access it easily right? How do you set it up with sleep? Do you have it sleep if you don't touch your computer or move the arrow for 5 or 10 minutes? Or do you go to start and click on sleep? Or is it hibernate? I always was worried about clicking sleep or hibernate because an old computer i had, whenever it went to sleep or hibernate... it took like over 2 minutes for it to wake up. This was with an old asus laptop windows 7 that no longer works anymore.


    What would be your suggestion for me make your computer require login from sleep? The thing is i dont want it to go to sleep say if i dont do anything on my computer for 5 minutes... such as okay im going to make some food in my apartment...im still in the same room as the computer though... then it sleeps after 5 or 10 minutes. I just looked at the start menu now and there are options of


    Switch user
    log off
    lock
    restart
    sleep
    hibernate


    So if i want to only have it locked when i want to such as me manually clicking it... do i click or lock, sleep or hibernate?


    The thing is say im watching youtube for a bit on my computer and don't touch the mouse or anything, i don't want it to suddenly hibernate or sleep etc.


    At the moment, when im on the computer, even if im not doing anything for 1 hour or few hours, they screen always stays on. Im okay with that when im in the apartment. But obviously i dont want that when i go outside. I also do not like turning off my computer when i go outside for a bit because when i turn it back on, i have to open many programs etc that takes a while. But what do i click on to make sure when i want it closed temporary, then whenever i go back to my computer, one click would make it go to the windows 10 screen and ask me for password?


    Lock, sleep or hibernate?



    Thanks a lot man for your help. Would you mind if i mention what you said about the bios thing to the other ppl? Again 2 of those ppl said bios is required to be secure. They said even with bitlocker encrypted and with tpm unlock or pin or password... is not secure...
      My Computer
    Quote Quote

  8. lx07
    Posts : 5,478
    2004
       New #36

    paulyjustin said:
    Well at the moment, i turn on my laptop, it goes straight to the windows 10 password screen. So because of that, anyone could see my screen? So my windows 10 password means nothing right?
    Wrong. They can only see the login screen.

    paulyjustin said:
    In other words putting hard drive on their computer won't work. But they could view it on my computer because i only have tpm unlocked and only win10 password?
    Again wrong - unless they know your password they can't see your data.

    paulyjustin said:
    Thus if i added a bitlocker pin or password... then im good?
    What are you hoping to stop by doing this? If you want to stop someone in possession of your PC seeing the Windows lock screen then yes. Otherwise I don't see the point. Microsoft do say it is more secure to use a startup PIN in their FAQ (BitLocker Security FAQ (Windows 10) | Microsoft Docs ) but I don't bother as I find it too annoying.

    A bitlocker pin would apparently help against DMA/memory attacks as suggested here BitLocker Countermeasures (Windows 10) | Microsoft Docs and here Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker - if you want to set one just enter manage-bde -protectors -add c: -tpmandpin in administrator command prompt.

    Security is always balancing risk against hassle. I am protecting myself against common thieves basically so TPM + Windows credentials is good enough for me - if someone wants to go to that much effort to get at my data they will but I just don't think it is even remotely likely.

    paulyjustin said:
    One person said if you have a bitlocker pin or password to boot, that is good. But you need to secure bios. Both of them mentions bios is absolutely necessary.
    Necessary for what purpose? If they said securing BIOS is necessary for bitlocker to work they are wrong. I can't really comment on other peoples opinions if I don't know the context but have a look at Microsoft recommendations I linked before. Surely if locking BIOS was absolutely required they would at least mention it.

    paulyjustin said:
    At the moment... i have a windows 10 password. Is that windows login credential?
    Yes.

    paulyjustin said:
    But isn't that useless?
    No. Windows passwords are only completely useless on unencrypted volumes.

    paulyjustin said:
    So the windows password is useless but windows pin is not?
    Neither are useless. Both PIN and Password can be used to logon. Either will stop people accessing a bitlocker encrypted drive.

    paulyjustin said:
    So the pin you put... couldn't someone type 88888, 88889 etc and eventually get it correct? Or after x attempts, it gets locked?
    It gets locked. See here Why a PIN is better than a password (Windows 10) | Microsoft Docs

    paulyjustin said:
    When you say they cannot log in remotely using pin.. you mean bitlocker pin or windows10 pin?
    You can't logon remotely with either.

    paulyjustin said:
    Okay well i have bitlocker with tpm now. I also have the windows password to unlock. So you have the same thing as me except instead of windows password, you have that windows pin which is all numeric numbers?
    Almost - if you set up a pin you still have your Windows password (see the tutorial I linked before). I can log in with either Windows PIN or Windows password. I usually use the PIN as it is shorter and has less annoying characters in it than my password.

    paulyjustin said:
    When you say optionally set a windows pin... what do you mean by this? You mean the windows 10 pin? How do you make it only optionally? Im confused what you mean by this. So you are allowed to put a windows 10 password as i do? Or use a pin? Or use a windows 10 password and a windows 10 pin? But when would they ask you for your pin?
    "Optional" means you don't have to do it. If you have a PIN at logon you can choose to enter a PIN or password. If you want to set up a PIN then do - if not continue as you are.

    paulyjustin said:
    How do you set it up with sleep? Do you have it sleep if you don't touch your computer or move the arrow for 5 or 10 minutes? Or do you go to start and click on sleep? Or is it hibernate?.
    I don't use sleep but the default is to sleep after 15 minutes of inactivity if I remember right. See here Sleep Computer in Windows 10 | Tutorials

    paulyjustin said:
    What would be your suggestion for me make your computer require login from sleep?
    It does this by default but you can check as described here : Turn On or Off Require Sign-in on Wakeup in Windows 10 | Tutorials

    paulyjustin said:
    if i want to only have it locked when i want to such as me manually clicking it... do i click or lock, sleep or hibernate?
    I use the and L keys to lock but the the require sign on wake-up applies to all. Hibernate is different to sleep in that it saves your state to disk so if you hibernate and then your battery runs out it still restarts at the same point. Sleep stores the current state in memory so needs some battery to maintain it. Hibernation is a bit slower than sleeping (both to enter and wakeup) but good if you want to restart at the same point the next day for example.

    paulyjustin said:
    The thing is say im watching youtube for a bit on my computer and don't touch the mouse or anything, i don't want it to suddenly hibernate or sleep etc.
    Don't worry - it doesn't do that.

    paulyjustin said:
    At the moment, when im on the computer, even if im not doing anything for 1 hour or few hours, they screen always stays on. Im okay with that when im in the apartment. But obviously i dont want that when i go outside. I also do not like turning off my computer when i go outside for a bit because when i turn it back on, i have to open many programs etc that takes a while. But what do i click on to make sure when i want it closed temporary, then whenever i go back to my computer, one click would make it go to the windows 10 screen and ask me for password?
    See the tutorials above but this is what it does by default - probably you don't need to change anything.

    paulyjustin said:
    Thanks a lot man for your help. Would you mind if i mention what you said about the bios thing to the other ppl? Again 2 of those ppl said bios is required to be secure. They said even with bitlocker encrypted and with tpm unlock or pin or password... is not secure...
    Sure. I expect they meant TPM and auto-logon wasn't secure but as you now have a password this isn't an issue.

    There is nothing wrong with setting BIOS password but from what you said I don't think you need one. I don't have one set and can change BIOS order to boot from USB but, and this is why it isn't a problem - bitlocker will prompt for recovery key if boot settings are changed and even if I boot from USB I can not access C drive without entering recovery key as it is encrypted.

    Perhaps there is a reason but I can't think of one and Microsoft don't recommend to do it (they don't recommend not to do it either come to that).

    If I was you I'd leave your setup as it is and add a Windows PIN for the sole reason that it is easier to enter a 4 or 6 digit PIN on resume from sleep/locked than a long password. If it is easy for you to unlock then you are more likely to lock your PC when you are away from it and therefore it is more secure.

    If you don't want to set a Windows PIN though then don't - it is still as secure as long as you remember to lock it when there is a chance someone else could access it. Conversely if you think a bitlocker PIN is worth it for the threats you envisage then it is easy to set up at any time with managebde as mentioned above.
      My Computer
    Quote Quote

  9. paulyjustin
    Posts : 1,035
    Windows 10
    Thread Starter
       New #37

    @lx07

    Wrong. They can only see the login screen.

    Again wrong - unless they know your password they can't see your data.


    Hey lx07, you are 100% sure of this correct?



    What are you hoping to stop by doing this? If you want to stop someone in possession of your PC seeing the Windows lock screen then yes. Otherwise I don't see the point. Microsoft do say it is more secure to use a startup PIN in their FAQ (BitLocker Security FAQ (Windows 10) | Microsoft Docs ) but I don't bother as I find it too annoying.

    A bitlocker pin would apparently help against DMA/memory attacks as suggested here BitLocker Countermeasures (Windows 10) | Microsoft Docs and here Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker - if you want to set one just enter manage-bde -protectors -add c: -tpmandpin in administrator command prompt.

    Security is always balancing risk against hassle. I am protecting myself against common thieves basically so TPM + Windows credentials is good enough for me - if someone wants to go to that much effort to get at my data they will but I just don't think it is even remotely likely.


    When you say common thieves, you mean those that would take your laptop.. then turn it on to make sure it works, then sell it? Thus you are not concerned about thieves that would take your laptop and then check your email or try to hack into anything? But you do have important information in your laptop right? You do encrypt documents using programs like axcrypt? Sorry if i asked you this earlier or not but i don't believe i did. I assume you use a password manager like keepass or lastpass? So do you have pretty important programs, documents, files on your laptop or not so much?


    Okay so you say bitlocker pin protects against those things mentioned, dma memory attacks. Well isn't that similar to someone taking out your hard drive or that is what its talking about? If so, you do not care about that because that does not concern you right?


    Well that IT guy told me if you don't even a bitlocker pin or password and its tpm unlock and goes straight to windows 10 password screen, that is not secure at all because the windows password can be bypassed even if the hard drive is encrypted. But then thats when i thought, then why would they even give you the option to choose tpm unlock then? That is the 1st option they give you.


    So you are saying if you have very important things on your laptop, you would add a bitlocker pin? And maybe even add the bios secure with password?


    Necessary for what purpose? If they said securing BIOS is necessary for bitlocker to work they are wrong. I can't really comment on other peoples opinions if I don't know the context but have a look at Microsoft recommendations I linked before. Surely if locking BIOS was absolutely required they would at least mention it.


    They said Bios and bitlocker works independently of each other. They didn't say securing bios is necessary for bitlocker to work. They said if you secure bitlocker but not bios, you are not secure. If you secure bios but not bitlocker, you are not secure. Both seem to imply that. The IT guy stressed that a lot more though. Well they said even if you set up bitlocker encrypted and with password pin, yes its secure against a common thief. But they said if the thief was a hacker, he could do something as simple as put a usb stick into your laptop for a few seconds and then unplug it and now you are compromised. I believe they said this even if your computer is not turned on. That is thus the big worry here. And they said if you don't secure bios, they could do the cold boot attack which is rare... or take hard drive out and put it on another computer because your bios is not secure. Then they said either windows 10 password can be reset easily... IT guy.... the other guy says even if you had that windows 10 password, having no bios would make it compromised.


    That is what i said to both of them. I said if bios was absoutely necessary, why was it not mentioned in the tenforums guide or articles then. I did not see any of it mention that. I think they said well they probably don't address it because its something else. But still... i said shouldn't they mention it? If not, whats the purpose of following this guide then if its not secure without bios.


    It gets locked. See here Why a PIN is better than a password (Windows 10) | Microsoft Docs


    I read this. So basically if you have a windows pin but not password... someone who has your bitlocker recovery key, cannot restore it on another computer right? Thus let say someone got your recovery key? But if it was a password... let say someone got your bitlocker recovery key and windows 10 password, then what do they have access to? So if you have a windows 10 password and also put in a windows pin, when you start up windows, which will it ask? What about when computer is locked... same thing... either option?


    Okay so you have both windows 10 password and a pin? So for the pin, let say i just want to put something 7 numbers or letters. Would it be safe using a 6 or 7 digit number code? Obviously not something like 123456 or 2222222 etc. But if it was like 3910209 that would be safe and secure? Or would you say use even a shorter pin since its easier to remember? I always thought shorter pins is less secure.


    I don't use sleep but the default is to sleep after 15 minutes of inactivity if I remember right. See here Sleep Computer in Windows 10 | Tutorials


    My laptop when i first got it, i did not do any change settings with it. But the issue was after like 10 minutes, it would go to sleep. I did not like this. Because of that, i made the settings to never sleep. Also i have my laptop charged almost always to power outlet. Reason is even though it gets to 100%, i let it stay charged... otherwise every 1 hour, i have to plug it back in again. The reason i do this is when im on the laptop during the day, im busy doing something where i cannot afford to have a power outage... then only have like 15 minutes battery left. Where im located now... there are power outages. Sometimes its few minutes or an hour. Rare times it could be hours or very rare even a day or so. The thing is when im on the computer, i need to be online at least 8 hours at the minimum. I also recently bought a powerbank for my laptop but i think even with it, it gives me maybe 1h-1.5 hour at the very max. So like if i have a power outage, i get maybe 2 hours or a bit more max on it and thats all.


    I just looked at the turn or and off sign in options. So based on this, you would first suggest because of what i do... just keep the never sleep option right? I have that for both the without battery or plugged in. Previously a long time ago, i recall it would sleep after x minutes and i did not like this. Okay so looking at that don't bother with hibernate or sleep right? Just do lock?


    This is what i want to make it simple. Say im in my apartment with my computer on. I want to go outside to buy something and be back in say 30 minutes. I previously just left my laptop on as is so if anyone was to get in, well my computer is right there. But i do make sure i close programs like keepass... otherwise they have access to it. Of course if a hacker wanted to put a keylogger on it... well thats easy since my computer would be there. Again, these are not concerns i have where im located... theft however is. Where im located... even in the nicer areas theft happens here.


    Anyways, so what i want is whenever i go outside for 30 minutes and come back, i want to lock my computer such okay lock it now. Then its locked. When i come back, it should have that windows password screen right? Or would my screen be turned off and i need to press a button on my keyboard first before it shows? Like when i leave my apartment, does it show this computer is locked screen or something else?


    So i could click start... then click lock right? Then its locked? Then i come back 30 minutes. Then there is the lock screen where i enter either my windows 10 password or pin if i choose to add this... then im good? So even if someone was to try and put malware or anything into it... they cannot because its locked... similar to like how my laptop is when its not turned on right?

    Sure. I expect they meant TPM and auto-logon wasn't secure but as you now have a password this isn't an issue.

    There is nothing wrong with setting BIOS password but from what you said I don't think you need one. I don't have one set and can change BIOS order to boot from USB but, and this is why it isn't a problem - bitlocker will prompt for recovery key if boot settings are changed and even if I boot from USB I can not access C drive without entering recovery key as it is encrypted.

    Perhaps there is a reason but I can't think of one and Microsoft don't recommend to do it (they don't recommend not to do it either come to that).

    If I was you I'd leave your setup as it is and add a Windows PIN for the sole reason that it is easier to enter a 4 or 6 digit PIN on resume from sleep/locked than a long password. If it is easy for you to unlock then you are more likely to lock your PC when you are away from it and therefore it is more secure.

    If you don't want to set a Windows PIN though then don't - it is still as secure as long as you remember to lock it when there is a chance someone else could access it. Conversely if you think a bitlocker PIN is worth it for the threats you envisage then it is easy to set up at any time with managebde as mentioned above.


    When i installed bitlocker with tpm unlock, the first guy said to make it tpm unlock even though I didn't understand why. He said to then put a windows 10 password as I did not have one. When i said am i secure now.... he said yes. But when i asked him a bios question... this had nothing to do with security. It had to do with me buying a powerbank and saying how it asked me to update bios and i never did and thats when he mentioned make sure your bios is secure with password and disable usb boot. That is when i said... what? What do you mean? That is when he said you need bios secure in order for it to work. You need bitlocker + bios secure to be secure... not just one. The IT guy told me straight up my computer was not secure because all i had was bitlocker encrypted with windows 10 password? He said not having the bitlocker pin or password automatically made it not secure. He said if it goes straight to windows 10 password screen at startup, that is immediately not secure. Then he said because i dont have bios secure, what i did is completely useless...


    Well isn't the cold boot attack or the someone sticking malware via usb stick or them taking out hard drive out and putting it in new one to read it... a reason? Or all of them have no effect because hard drive is encrypted?


    Well i like my windows 10 password and don't want to change it. So i can add a pin as well. So you recommend it being all numbers? Well I don't mind typing in my password... yes its a bit long but i dont think that is a big issue. But you said its more secure though with pin so that makes me want to use that.


    So you never put a bitlocker pin before ever? Do you know why when i first set up bitlocker following the tenforums guide... it ask for bitlocker pin as oppose to bitlocker password? I followed the steps exactly as on the guide and when it ask for pin... i thought hey that is not secure... its all numbers... me thinking someone could just trial and error it. Then the first guy told me tpm unlock no pin. Then windows 10 password. Then i followed his steps. And thats when i thought im secure. But then IT guy said im not... then he suddenly say im not because of bios.


    So if you have very important things on your machine, would you put a bitlocker pin on it? Would you do the bios thing? Im curious but if its very easy to do it, you don't because you don't have that threat level correct? Also because it requires you to remember another pin... the bitlocker pin? Or do you have very important things on your computer but still believe what you have is very safe already.


    I asked Brink the mod here and he said bios does make it more secure. He did say he agreed with everything you wrote.
    So im thinking... two guys say not secure... two guys say secure. This to me is so confusing because i thought this should be like a simple yes or no question on if its secure or not.


    Thanks man.
      My Computer
    Quote Quote

  10. lx07
    Posts : 5,478
    2004
       New #38

    I have the usual stuff - bank and tax details, work things etc which I definitely want to keep private. Certainly enough for a decent identity theft. TPM and Windows credentials is enough in my opinion to protect against that as I don't imagine any common thief being able to bypass it.

    You can't reset the Windows password from outside Windows if it is bitlocker encrypted without unlocking it first using your recovery key (whoever told you that you could is wrong) and you can't get access by simply booting from USB without recovery key. I'm 100% sure of this as (a) I've tried and have to enter key, and, (b) it is completely obvious - if you could then bitlocker would be basically useless.

    A thief in my opinion isn't going to try and use memory exploits etc to try to get the bitlocker recovery key as it is way too complicated. They'll just wipe the disk and resell the computer. Having a bitlocker PIN is annoying for me as I like to do remote reboots so balancing that against my imagined risk I don't have one set.

    Still you aren't me. If you want to set a bitlocker PIN (as recommended by Microsoft) then do so. It is easy to do and only one more thing to enter on starting up your PC.

    As booting from USB isn't an additional risk (you can't access the encrypted drive) then I don't see how locking BIOS would help. If someone is in a position to boot from USB then they could simply remove the drive to overcome BIOS locking. Perhaps I've missed something but I can't imagine any real benefit.

    As for Windows PIN complexity and sleeping/locking regime you can just do what you like/what you are comfortable with. As long as you don't leave the PC in an unlocked state it doesn't much matter. For what it is worth I use a 4 digit PIN and it is locked after 4 attempts so there is a 0.01% chance someone could guess it. If you want you can use more digits or less retries to reduce this risk. If I'm at home I (almost) never lock my PCs unless I have guests or something. At work I always do - whether I'm going for lunch or just a cigarette break.

    If you want a "Yes"/"No" answer as to whether TPM unlock and Windows authentication to log on is "secure" you'll not get one. It is good enough for me, and I'd venture for most people, but that is just my opinion.
      My Computer
    Quote Quote

  12. paulyjustin
    Posts : 1,035
    Windows 10
    Thread Starter
       New #39

    @lx07


    Thanks for that information. You do have a password program like keepass or lastpass on your computer right? Thus to store all your passwords? You use something like axcrypt to encrypt your documents as well i assume?


    Well that what i thought if you could reset the windows 10 password with bitlocker encrypted... how in the world is bitlocker any use then?


    Wait you do remote reboots. Can you tell me what you mean by this? You mean you like to access your laptop computer in different locations? So you are telling me this... if i leave my laptop in my apartment... then i use another computer... enter the bitlocker recovery key on that computer... you telling me i could view exactly the same thing on that computer as my main computer that i left in my apartment? But you have put in a bitlocker pin before on your computer right? But you did not like it so didn't bother with it right? So you did it exactly the way the instructions you gave me earlier if i want to just add the bitlocker pin? Thus you don't have to go through that entire process of removing tpm unlock and then switching to bitlocker pin right? So you mean if you enter a pin... its still tpm but now its tpm with bitlocker pin as oppose to tpm unlock?


    You get to choose how many attempts your windows pin you put before it gets locked? So if that does happen, how do you fix the issue? I assume you never intentionally put in the wrong pin a few times right? If you did, was it easy to fix this issue or it would be a huge hassle?


    Well the way i want my computer to be locked so to speak is whenever im going outside somewhere and want my computer on... i want to have it locked. Then when i come back... i have to enter the windows 10 password or pin. So the way i want to do this would be... click start menu... click lock right? Then it goes to the windows password screen? Or does it go there and say locked? Then later on i come back and then enter my windows 10 password or pin and im good right?



    If you want a "Yes"/"No" answer as to whether TPM unlock and Windows authentication to log on is "secure" you'll not get one. It is good enough for me, and I'd venture for most people, but that is just my opinion.


    Okay I will give an example here. Let say you were to put your bitlocker recovery key in keepass. I assume you obviously do not do that right? I know almost all ppl put their passwords for email and bank accounts there. So do you recommend someone put their bitlocker password phrase in keepass assuming they encrypt it with axcrypt? But let say you had bitlocker recovery key in keepass, would you say you 100% would put a bitlocker pin then? Because the way you have things set up now, which is tpm unlock and windows pin only... someone CAN or CANNOT get into your keepass program assuming your computer is turned off or locked?

      My Computer
    Quote Quote

  13. lx07
    Posts : 5,478
    2004
       New #40

    paulyjustin said:
    Thanks for that information. You do have a password program like keepass or lastpass on your computer right? Thus to store all your passwords? You use something like axcrypt to encrypt your documents as well i assume?
    No - I don't use either. I probably should use a password manager just for convenience but I don't. I keep my passwords in a document rather unoriginally called Passwords.docx and rely on bitlocker to keep it safe.

    paulyjustin said:
    Well that what i thought if you could reset the windows 10 password with bitlocker encrypted... how in the world is bitlocker any use then?
    If you could then it would be but you can't so it isn't

    paulyjustin said:
    Wait you do remote reboots. Can you tell me what you mean by this? You mean you like to access your laptop computer in different locations? So you are telling me this... if i leave my laptop in my apartment... then i use another computer... enter the bitlocker recovery key on that computer... you telling me i could view exactly the same thing on that computer as my main computer that i left in my apartment?
    No you can't do that which is why I don't use a bitlocker PIN. If you have a bitlocker pin you must physically enter it at the actual machine to unlock your boot drive. You can't do it remotely. If you unlock with TPM by the time the boot process gets to the login screen then Remote Desktop is working and you can enter your Windows password from another PC (note not your Windows PIN - it doesn't work remotely).

    paulyjustin said:
    But you have put in a bitlocker pin before on your computer right? But you did not like it so didn't bother with it right?
    Correct - I don't use a bitlocker PIN for the reason above.

    paulyjustin said:
    Thus you don't have to go through that entire process of removing tpm unlock and then switching to bitlocker pin right? So you mean if you enter a pin... its still tpm but now its tpm with bitlocker pin as oppose to tpm unlock?
    That is right. If you want a bitlocker PIN just run manage-bde -protectors -add c: -tpmandpin - you don't need to undo anything with your existing set-up first.

    Similarly you can also change or remove the pin using manage-bde -changepin c: or manage-bde -protectors -delete c: -tpmandpin without decrypting or pausing bitlocker.

    See here : manage-bde protectors | Microsoft Docs

    paulyjustin said:
    You get to choose how many attempts your windows pin you put before it gets locked? So if that does happen, how do you fix the issue? I assume you never intentionally put in the wrong pin a few times right? If you did, was it easy to fix this issue or it would be a huge hassle?
    If you Windows PIN is locked you can sign on using your password instead (or fingerprint if you have a fingerprint reader). To allow PIN logon again you just need to reboot the PC.

    paulyjustin said:
    Well the way i want my computer to be locked so to speak is whenever im going outside somewhere and want my computer on... i want to have it locked. Then when i come back... i have to enter the windows 10 password or pin. So the way i want to do this would be... click start menu... click lock right? Then it goes to the windows password screen? Or does it go there and say locked? Then later on i come back and then enter my windows 10 password or pin and im good right?
    That is right - that is how it works.

    You can lock it with start menu option or by pressing the and L keys together. There are some other ways detailed here - they all do the same so pick what you find easiest. Lock Computer in Windows 10 | Tutorials

    paulyjustin said:
    Okay I will give an example here. Let say you were to put your bitlocker recovery key in keepass. I assume you obviously do not do that right? I know almost all ppl put their passwords for email and bank accounts there. So do you recommend someone put their bitlocker password phrase in keepass assuming they encrypt it with axcrypt? But let say you had bitlocker recovery key in keepass, would you say you 100% would put a bitlocker pin then? Because the way you have things set up now, which is tpm unlock and windows pin only... someone CAN or CANNOT get into your keepass program assuming your computer is turned off or locked?
    That wouldn't work at all. If you have your recovery key stored on your PC (whether in keypass or a text document) and you need it to unlock your PC you are out of luck. You can't unlock your PC because you don't know your recovery key and your recovery key is stored on the PC you need the recovery key to unlock. Definitely don't do that!

    You could keep it on another PC and put it in keypass, or write it on a piece of paper and keep that in a safe. I keep mine on OneDrive and also on a USB key kept separate from PC.
      My Computer
    Quote Quote

 

  Related Discussions
Laptop Account Security When Going to Repair Shop
in User Accounts and Family Safety

I have an HP laptop that needs a new powerport (receptacle where power cord plugs into laptop). Bringing it to a local shop. Although there doesn't seem to be any need for it, they asked for the password. I created a new local user account with a...
A laptop with a 512GB SSD, partitioned into (about) C: 125GB (for Windows) and D: 375GB Windows 10 x64 Pro. Data files, such as those of Office 365, will be stored on the D-partition. I would like to have that partition encrypted/password...
Partial Encryption of Laptop
in AntiVirus, Firewalls and System Security

Hi all. I use to use TrueCrypt so that I could have only part of my laptop encrypted, and now TrueCrypt is no more :(. Can somebody suggest a replacement for TrueCrypt: I want to have an encrypted volume/part of my laptop on my laptop. I want...
BitLocker - Used Space Encryption on used Laptop?
in AntiVirus, Firewalls and System Security

I tried several times to encrypt the entire disk after reinstalling Windows 10 but it always took for ever (usually 10 hours) to fully encrypt my internal 320GB drive. I managed to run bitlocker successfully by encrypting only used space. My...
Windows Encryption/Security PROBLEM!!!
in AntiVirus, Firewalls and System Security

Long story short, I was trying to figure out a way to encrypt the contents of a folder with a password. Yesterday, I clicked the "Encrypt contents to secure data" under Advanced Attributes in the files properties of my folder, and ever since it has...
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

 © Designer Media Ltd
All times are GMT -5. The time now is 19:52.
Find Us




Windows 10 Forums