@lx07
Wait a minute. So basically if someone gets into your laptop, they have all your passwords? So basically if someone knew your Windows 10 PIN... you are screwed then? Make sure you use KeePass. I don't know how I would do passwords without it.
No, you can't do that, which is why I don't use a BitLocker PIN. If you have a BitLocker PIN you must physically enter it at the actual machine to unlock your boot drive. You can't do it remotely. If you unlock with TPM, by the time the boot process gets to the login screen Remote Desktop is working and you can enter your Windows password from another PC (note: not your Windows PIN - it doesn't work remotely).
Can you explain the 2nd part of this? I'm confused what you mean by this. So you like to remotely access your laptop while somewhere else?
That is right. If you want a BitLocker PIN just run manage-bde -protectors -add c: -tpmandpin - you don't need to undo anything with your existing set-up first.
Similarly you can also change or remove the PIN using manage-bde -changepin c: or manage-bde -protectors -delete c: -type tpmandpin without decrypting or pausing BitLocker.
See here: manage-bde protectors | Microsoft Docs
Okay, but don't I need to make changes to group settings first?
The person who helped me set up BitLocker with TPM in the first place told me this when I asked how to set up a BitLocker PIN now without going through the whole process again. He says:
1. Enable strong PIN via group policy:
Enable or Disable Enhanced PINs for BitLocker Startup in Windows 10
2. Enable Bitlocker PIN by following this guide:
https://www.howtogeek.com/262720/how...in-on-windows/
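A PowerShell check covering both the manage-bde post above and the group-policy question: it lists the protectors already on C:, reads the FVE policy values the two guides change, and adds a TPM+PIN protector only if one is missing. This is an added example, not posted by anyone in the thread; it assumes the boot volume is C: and the standard BitLocker policy location HKLM\SOFTWARE\Policies\Microsoft\FVE.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt on Windows 10.
$mount = 'C:'
$vol = Get-BitLockerVolume -MountPoint $mount

Write-Host "Volume $mount : $($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
$types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
Write-Host "Key protectors present: $($types -join ', ')"

# Group-policy values for BitLocker live under HKLM\SOFTWARE\Policies\Microsoft\FVE.
# The key does not exist at all until some BitLocker policy has been set, so read it defensively.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$enhancedPin = if ($fve -and $null -ne $fve.UseEnhancedPin)    { $fve.UseEnhancedPin }    else { 'not set' }
$advStartup  = if ($fve -and $null -ne $fve.UseAdvancedStartup) { $fve.UseAdvancedStartup } else { 'not set' }
Write-Host "Policy: UseAdvancedStartup=$advStartup  UseEnhancedPin=$enhancedPin"

# A recovery password must exist before you lock yourself out with a PIN, and it is only
# useful if a copy lives somewhere other than this disk (USB key, printout, OneDrive).
if ($types -notcontains 'RecoveryPassword') {
    Write-Warning 'No recovery password protector found. Add one (Add-BitLockerKeyProtector -RecoveryPasswordProtector) and back it up off this PC first.'
    return
}

if ($types -contains 'TpmPin') {
    Write-Host 'A TPM+PIN protector is already present; use manage-bde -changepin to change it.'
    return
}

# Prompt for the PIN instead of embedding it; the cmdlet expects a SecureString.
$pin = Read-Host -Prompt 'Enter the new startup PIN' -AsSecureString
Add-BitLockerKeyProtector -MountPoint $mount -TpmAndPinProtector -Pin $pin | Out-Null

$after = (Get-BitLockerVolume -MountPoint $mount).KeyProtector | ForEach-Object { $_.KeyProtectorType }
Write-Host "Key protectors now: $($after -join ', ')"
```

If Add-BitLockerKeyProtector is refused because of policy, the printed UseAdvancedStartup / UseEnhancedPin values tell you which of the two guide steps is still outstanding.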
I explained my security measures, my threat model, and the arguments behind both. I explained the pros and cons of other security measures, notably the BitLocker PIN that you are willing to implement, and what additional measures you need to take to make them work as intended and actually improve your security, particularly:
* disable sleep and never use lock, so that your BitLocker-with-PIN setup is actually more secure than the BitLocker TPM auto-unlock I use;
* protect the BIOS from a casual low-skilled attacker who can wreak havoc if you don't, and increase the time and effort required from a skilled hacker to perform the attack.
I also noted that you shouldn't blindly follow someone's threat model - including mine. My security measures may be imperfect from someone's point of view, but they work for me, allowing me to achieve a reasonable compromise between security and usability. I couldn't care less what the other guy on the forum has to say about them; I never asked his opinion or advice.
In all honesty, I believe the information and additional links in this thread are enough to decide what exactly you want to implement. Maybe re-read it from the beginning to refresh and systematize the information?
So I don't need to do those 2 steps first and can just do what you suggested? Because when I was initially setting BitLocker up, I know when you set up BitLocker with a PIN... you had to do that group policy setting change...
* disable sleep and never use lock, so that your BitLocker-with-PIN setup is actually more secure than the BitLocker TPM auto-unlock I use;
So this guy is telling me to never lock? Is he referring to something else? Because I mentioned to you I want to lock it, so to speak, when I'm out of the apartment for a short while and come back. You said what I said is correct... start and then lock. Then when I come back, enter the password and the computer is unlocked. But he says don't unlock it?
If your Windows PIN is locked you can sign on using your password instead (or a fingerprint if you have a fingerprint reader). To allow PIN logon again you just need to reboot the PC.
So whether it's a Windows PIN or a BitLocker PIN, after x attempts it gets locked? Do you know how many there are? But if your BitLocker PIN gets locked... how do you access it? I assume the BitLocker recovery code?
That wouldn't work at all. If you have your recovery key stored on your PC (whether in KeePass or a text document) and you need it to unlock your PC, you are out of luck. You can't unlock your PC because you don't know your recovery key, and your recovery key is stored on the PC you need the recovery key to unlock. Definitely don't do that!
You could keep it on another PC and put it in KeePass, or write it on a piece of paper and keep that in a safe. I keep mine on OneDrive and also on a USB key kept separate from the PC.
Hi there. I think I might have confused you with this. I meant the only way for someone to get into your computer is your Windows 10 PIN, right? And let's say you added a BitLocker PIN as well... they need both the BitLocker PIN and the Windows 10 PIN, right? I have KeePass on my computer. I also have a backup copy of it on a USB flash drive. I also put a copy of it on Google Drive.
Now I know people say that is bad... but in order for them to open my KeePass...
1. They need to first get my Gmail password
2. They need to know the master password
So isn't that hard enough? Now if your computer is compromised with malware/a keylogger, I know you are screwed.
So you could access your KeePass file on another computer or phone if anything happens to your computer, as long as you have access to your Google Drive account. The thing is, I have a backup of KeePass on a USB drive, but I always felt you need an online backup... in case something physically happens to your computer or hard drive. Do you agree/disagree on this? Lots of people disagree on it, and I think if you don't have an online backup, you are screwed. Now if you put a USB drive in, say, a bank deposit box, sure, that would work.