Posts Tagged BitLocker

How to enable BitLocker TPM+PIN after encrypting hard drive

BitLocker by itself is great drive encryption, but its default configuration has a real shortcoming: with the TPM-only key protector, nothing is required of you at boot time. The TPM releases the volume key on its own as long as the measured boot chain is unchanged, so a stolen or physically compromised machine boots straight to the logon screen with the drive already unlocked, and the encryption then only has to be bypassed from the running OS rather than broken.

Fortunately BitLocker supports a PIN that can be required at boot time, before the TPM will release the key; the TPM's own anti-hammering logic also limits how quickly a thief can guess it. To enable the BitLocker PIN, open an administrator-level command prompt and run the following:

manage-bde -protectors -add c: -TPMAndPIN

You should receive output similar to the following, during which you are prompted for your PIN (nothing is echoed to the screen while you type it):

BitLocker Drive Encryption: Configuration Tool version 6.1.7601
Copyright (C) Microsoft Corporation. All rights reserved.

Type the PIN to use to protect the volume:
Confirm the PIN by typing it again:
Key Protectors Added:

If you get the following error…

ERROR: An error occurred (code 0x80310060):
Group Policy settings do not permit the use of a PIN at startup. Please choose a
different BitLocker startup option.

… then local computer policy does not permit a startup PIN (when the policy below is not configured, only the basic TPM-only option is available), and you need to change it by performing the following steps:

  1. Click Start > Run and type mmc (or run gpedit.msc, which opens the Local Group Policy Editor directly and lets you skip step 2)
  2. If Local Computer Policy is not visible, add it via File > Add/Remove Snap-in > Group Policy Object Editor
  3. Browse to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
  4. Open the setting Require additional authentication at startup
  5. Set it to Enabled and set Configure TPM startup PIN to Require startup PIN with TPM (Allow startup PIN with TPM is also enough for manage-bde to accept the protector, but Require means a TPM-only protector cannot be put back later)

Now you can set the PIN by running the manage-bde command once more. Confirm the result with manage-bde -status c:, which should list TPM And PIN under Key Protectors. Before relying on the PIN, also make sure the volume has a Numerical Password (recovery password) protector and that the recovery password is stored somewhere other than the encrypted drive; a forgotten PIN is otherwise unrecoverable.
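The whole procedure as one script (recovery password check, policy check, protector added, result verified), for readers who would rather do this from PowerShell than click through the editor. This is an added example, not code from the original post. It assumes an elevated prompt, that the OS volume is C:, and that the policy Require additional authentication at startup is stored as the DWORD values UseAdvancedStartup and UseTPMPIN under HKLM\SOFTWARE\Policies\Microsoft\FVE, which is what the ADMX template writes (UseTPMPIN 1 = require, 2 = allow, 0 = do not allow). The script name used below is arbitrary.

```powershell
# Added example, not code from the original post.
# Enables BitLocker TPM+PIN on the OS volume the same way the post does, with
# the checks around it: recovery password present, policy permits a PIN,
# protector added, result verified. Run from an ELEVATED PowerShell prompt.
# Without -Apply it only reports; with -Apply it changes policy and protectors.
#
# Assumptions: the OS volume is C:, and the policy "Require additional
# authentication at startup" is stored as the DWORD values UseAdvancedStartup
# and UseTPMPIN under HKLM\SOFTWARE\Policies\Microsoft\FVE (what the ADMX
# template writes; UseTPMPIN 1 = require, 2 = allow, 0 = do not allow).
param(
    [string]$Volume = 'C:',
    [switch]$Apply
)
$ErrorActionPreference = 'Stop'
$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-BdeStatusText([string]$Vol) {
    # manage-bde prints its report to stdout; collapse it to one string for matching
    (& manage-bde.exe -status $Vol 2>&1) -join "`n"
}

# --- 1. A recovery password must exist before a PIN is added. ---------------
# manage-bde lists the recovery password protector as "Numerical Password".
$status = Get-BdeStatusText $Volume
if ($status -notmatch 'Numerical Password') {
    Write-Warning "No recovery password on $Volume. Add and SAVE one first:"
    Write-Warning "  manage-bde -protectors -add $Volume -RecoveryPassword"
    if ($Apply) { throw 'Refusing to add a PIN without a recovery password.' }
}

# --- 2. Does policy permit a startup PIN? (otherwise: error 0x80310060) -----
$policy = Get-ItemProperty -Path $fveKey -ErrorAction SilentlyContinue
$pinAllowed = ($null -ne $policy) -and
              ($policy.UseAdvancedStartup -eq 1) -and
              (@(1, 2) -contains $policy.UseTPMPIN)
if (-not $pinAllowed) {
    Write-Host "Local policy does not permit a startup PIN."
    if ($Apply) {
        # Equivalent of: Enabled + "Configure TPM startup PIN" =
        # "Require startup PIN with TPM". On a domain member do this through
        # GPO instead; domain policy overwrites these values on refresh.
        New-Item -Path $fveKey -Force | Out-Null
        New-ItemProperty -Path $fveKey -Name UseAdvancedStartup -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $fveKey -Name UseTPMPIN          -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Host "Policy set: Require startup PIN with TPM."
        $pinAllowed = $true
    }
}

# --- 3. Add the protector. manage-bde prompts for the PIN (no echo). --------
# On Windows 8 and later the cmdlet form also works:
#   Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector -Pin (Read-Host -AsSecureString)
if ($Apply -and $pinAllowed) {
    & manage-bde.exe -protectors -add $Volume -TPMAndPIN
    if ($LASTEXITCODE -ne 0) { throw "manage-bde failed (exit code $LASTEXITCODE)" }
}

# --- 4. Verify. "TPM And PIN" must be listed; a bare "TPM" line means a ------
# TPM-only protector survives and the volume still unlocks without a PIN.
$status = Get-BdeStatusText $Volume
$hasTpmPin  = $status -match 'TPM And PIN'
$hasTpmOnly = $status -match '(?m)^\s*TPM\s*$'
Write-Host ("TPM+PIN protector present on {0}: {1}" -f $Volume, $hasTpmPin)
if ($hasTpmOnly) {
    Write-Warning "A TPM-only protector is still present. Remove it with:"
    Write-Warning "  manage-bde -protectors -delete $Volume -type TPM"
}
```

Save it as, say, Enable-TpmPin.ps1 and run it once without -Apply to see where the machine stands, then with -Apply to make the change. The script deliberately refuses to add a PIN when no recovery password exists, because that is the one situation where a mistyped or forgotten PIN costs you the whole volume.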



Keep your data and identity safe. Learn how to protect the data you store on your drives.

Just bought a shiny new laptop? Don’t let a would-be data- or identity-thief cause you major heartburn if your laptop is lost or stolen. Read the following to learn about various ways to protect the data you store on your laptop, desktop, or other removable drive.

Data security should be one of the top concerns for laptop users. If your laptop is stolen, often the impact of confidential or proprietary data being lost or compromised can be much higher than the cost of replacing the physical machine. But it doesn’t have to be.

There are many easy-to-use ways of keeping your hard drive's data out of the hands of laptop thieves. I'll explain and compare some of the pros and cons of different methods, and I'll try to do it in as OS-agnostic a way as possible.

Login Password

A login password (or account password) is the most basic security credential. It does very little other than keep your kids, house guests, the guy one cube over, or anyone else from logging in as you, and it barely does that: on Windows XP, for example, someone could simply log in as the built-in Administrator account (which by default has no password) and reset your password. Access granted.

A login password doesn't protect the data on your hard drive at all. Someone can pull the drive out of your computer, connect it to another machine with a USB adapter, and read everything off it.

Pros: Easy to set up; available on any modern operating system

Cons: Has to be set up on each account; Easy to defeat; doesn’t protect the actual data on the hard drive

BIOS System Password

A BIOS system password prevents the system from booting from ANY device until the correct password is entered. It protects the physical system from being used, and goes a step beyond the login password by blocking boot from any attached drive, removable ones included. It is still easy to defeat on desktop systems, where a motherboard jumper clears the password along with the rest of the CMOS settings. And again, a BIOS password does nothing for the data on the drive itself; the drive can be moved to a different machine and read.

Pros: Protects the physical system from use; Easy to set up; Available on most (if not all) modern BIOSes

Cons: Easy to defeat on desktop systems; Does not protect the hard drive data; Forgotten laptop password can render the system unusable.

Hard Drive Password

A hard drive password or “hard drive lock” (the ATA security feature, set from the BIOS) makes the drive refuse to operate until the correct password is supplied. The lock travels with the drive even when it is removed from the system, and it stops a good number of would-be data thieves: until the password is entered, the drive can neither be used nor reformatted. Forget the password, though, and you will most likely have to replace the drive. And it is not encryption, only read/write protection enforced by the drive's firmware; tools exist to remove it.

Pros: Easy to set up; Supported by most (if not all) motherboard BIOSes; Protects the drive even when removed from the system; Provides a good level of security

Cons: Drive can’t be accessed using USB with a password set; Can be removed using specialized tools; can be cracked; doesn’t encrypt the actual data

Software Encryption

Encrypting the underlying data itself is one of the best ways to protect your data against compromise. With modern algorithms it really doesn't matter if a would-be data thief gets his hands on your drive: cracking the encryption isn't as easy as the movies make it out to be. AES encryption is practically unbreakable. (Emphasis on practically.) The weak points are the passphrase you choose and how the key is handled while the machine is running, not the cipher itself. The cost is a hit to system performance, significant on CPUs without hardware AES acceleration. TrueCrypt and Windows BitLocker are both solid implementations of full-disk software encryption.

Further Reading: Whole-disk Encryption.

Pros: Excellent protection of the underlying data; Works with any drive

Cons: Requires software and the knowledge to use it; Hit to system performance (significant without hardware AES acceleration); Takes time to encrypt/decrypt the hard drive

Self-Encrypting Hard Drives

These drives, relatively new to the market (Seagate Secure is one example), encrypt data before it is written to the platters, and you have to authenticate to the drive with a key. If the drive is moved to a different computer or accessed over USB, a would-be data thief faces exactly the same problem as with a software-encrypted drive: what is on the platters is ciphertext. They also have the added benefit that an administrator or anti-theft software can wipe the drive's encryption key, rendering the entire drive unrecoverable in an instant. The catch is that the encryption lives in the drive's firmware, which you cannot inspect, so you are trusting the vendor's implementation.

Pros: Easy to use; quick set-up; lower hit to system performance than software; OS agnostic; Data is stored in an encrypted form

Cons: Relatively few drives on the market to choose from; may be a poor choice for an external enclosed drive; Expensive

As you can see, there are quite a few ways to secure your system and data to varying degrees. Do you have any preference on these methods? Do you have any experience or stories to share about how one or more of these have helped you? Do you have any advice or recommendations, including anything I may not have mentioned above? Please feel free to share in the comments below!

