• Taming BitLocker and other encryption methods

    Home » Forums » Newsletter and Homepage topics » Taming BitLocker and other encryption methods

    Author
    Topic
    #2634411

    ON SECURITY By Susan Bradley Our audience consists of several different segments. As a result, there are many different risk levels. My risk tolerance
    [See the full post at: Taming BitLocker and other encryption methods]

    Susan Bradley Patch Lady/Prudent patcher

    7 users thanked author for this post.
    Viewing 12 reply threads
    Author
    Replies
    • #2634426

      “Breaking Bitlocker – Bypassing the Windows Disk Encryption”

      “In this video we will use a hardware attack to bypass TPM-based Bitlocker encryption as used on most Microsoft Windows devices.

      Errata:
      – PIN can also be enabled using manage-bde, not just using group policies

      Questions:
      – Does this work on TPM2.0? Yes!
      – Does this work on Windows 11? Yes!”

      • #2634475

        Mitigation:

        Preboot authentication set to TPM with a PIN protector (with a sophisticated alphanumeric PIN [enhanced pin] to help the TPM anti-hammering mitigation).

        For some systems, bypassing TPM-only might require opening the case and require soldering, but can be done for a reasonable cost. Bypassing a TPM with a PIN protector would cost more, and require brute forcing the PIN. With a sophisticated enhanced PIN, it could be nearly impossible. To learn more about the policy setting, see Allow enhanced PINs for startup.

        BitLocker countermeasures

    • #2634430

      I learned some time ago to never trust MS.  From Windows XP, I’ve always segregated sensitive user data to a separate partition on a separate hard drive.  This takes a little doing with Windows 8.1, 10 and 11 but manageable.

      Then, these partitions are all encrypted with VeraCrypt using strong passwords and a YubiKey  — no need to encrypt the C: partition at all.  This encryption solution keeps MS entirely out of the mix.  Master VeraCrypt password is a memorable passphrase and other ‘tricks’ are used for access to all encrypted partitions — each very difficult to ‘lose’ access to.

      This has worked well for me for years!  Any stolen hard drive shows the encrypted partitions as ‘unknown’.

      2 users thanked author for this post.
    • #2634519

      However, I understand that some of you are concerned about Microsoft making a change that enables encryption even if you have turned off BitLocker in Settings. I do have one somewhat obscure trick. Keep in mind that this is just for consumers in non-business environments, and it is just to prevent Microsoft from overriding your desired BitLocker settings without notice.

      There is a very old method of providing authentication to Windows using smart cards. This is controlled by local group policy, as shown in Figure 5.

      Group Policy Editor
      Figure 5. Enabling smart card authentication blocks changes to encryption.

      The policy can be found at Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption | Fixed Data Drives. The rule circled in red, Require use of smart cards on fixed data drives, will be set to Not Configured by default. Change it to Enabled.

      Enabled is the same as Not Configured:

      If you enable this policy setting smart cards can be used to authenticate user access to the drive. [You can require a smart card authentication by selecting the “Require use of smart cards on fixed data drives” check box.]

      If you do not configure this policy setting, smart cards can be used to authenticate user access to a BitLocker-protected drive.

      As the policy is for fixed data drives, can it have any effect on OS drives?

      1 user thanked author for this post.
    • #2634583

      Susan,

      Re your note on Bitlocker – specificaly requiring the use of a non existant smart card to block auto – encryption. Why do you apply the trick in GPE to “Fixed Data Drives” only – why not OS drives and removable drives?

    • #2634681

      Besides risk tolerance, threat assessment is also critically important to inform risk assessment.  Essentially you have to ask the question of “what are you trying to protect and from whom are you protecting it?” Or — “who is your opponent and what are the opponent’s capabilities and intentions?” This really applies to any security setup, and it’s important to account for a potential opponent’s cost/benefit analysis to be different than yours — what costs they’re willing to accept in exchange for perceived benefit.

      With BitLocker and other approaches to full-disk encryption, it’s important to recognize that somebody who can establish physical access to a machine can establish access to the contents of drives. That may not necessarily be done by simple bootup and login.  Often, the approach may be something like booting from external media, or by removing a drive and mounting in another machine.  For both of those cases, access is done by bypassing the installed operating system, and its access control methodologies.

      What Bitlocker does is to protect the contents of an encrypted drive, without relying on an installed operating system, in the event that the computer has been lost, stolen or confiscated. This is particularly important if you have sensitive data, and the computer travels (or has the ability to travel).

      If you’re working from a desktop computer from home in North America, and your data isn’t especially sensitive, something like BitLocker may be overkill.  But a lot depends on how sensitive your data is, and from whom you’re trying to protect it.  The equation changes with higher sensitivity of data, where you’re located, and where you may take the computer (or where it could go unexpectedly).

      Also, a reason to do full-disk encryption (especially with Windows) rather than encrypting a partition or a container is the possibility of fragments of data being located in unencrypted locations, where recovery is possible.  This includes system swap space, temporary files (including printer queues) and even the Windows registry.

      For the registry, Microsoft (and applications writers) tend to write things like saved passwords to the registry, where they may be encoded (and not easily deciphered by reading directly) but not encrypted.  And there are tools easily available (not just from the dark web) that can be used to extract that information.  One notable set of tools is Nirsoft’s collection, which is good for extracting a lot of saved passwords, including things like Windows shares, wi-fi access keys, and passwords saved in Edge or Google Chrome.

      2 users thanked author for this post.
    • #2634774

      I have a question about the “staged” status when “Device encryption” is On, but not “finished” until signing into a Microsoft account.  If the drive(s) haven’t been encrypted yet, why does it take a substantial amount of time to process the system’s drive(s) after toggling this setting to “Off”?  (I seem to recall the OS indicating that the drives were being decrypted, but am not sure about that.)

      It seems to me that the “staged” drives are encrypted but protection not enforced (maybe “Suspended” in BitLocker type terms – which allows a system to be serviced without requiring a key, but leaves the data encryption intact.)

      In addition to the “manage-bde -protectors C: -get” command, there’s also an elevated PowerShell command “manage-bde -status” that will tell you “Conversion Status”, “Encryption Method”, “Protection Status”, “Lock Status”, etc., although I didn’t know about this command before toggling “Device encryption” Off, so am not sure what it would have indicated on a “staged” device.

      I wonder what would have happened had I needed to use a backup drive-image stored on the system’s “staged” secondary drive to recover my operating system?  (Eg if while configuring my machine, a configuration mistake prevented it from booting.)  When I first came across the “Device encryption” setting (in the “On” state from the factory) it was an unwelcome surprise.  And if I had previously known this status as well as the time consuming “processing” that would occur when I toggled “Device encryption” Off, I would never have stored the huge image files on the system’s secondary drive before toggling the setting off.

       

    • #2634786

      If the drive(s) haven’t been encrypted yet, why does it take a substantial amount of time to process the system’s drive

      The drive was encrypted, but not “protected”. Protection occurs when the recovery keys are moved to an MS account.

      what would have happened had I needed to use a backup drive-image stored on the system’s “staged” secondary drive

      As long as the recovery boot environment contained BitLocker the disk would have been read as usual, because the decryption keys are stored on the disk in plain text.
      If you used a Linux boot you would not have been able to read the disk.

      cheers, Paul

      2 users thanked author for this post.
    • #2634818

      What about Symantec Drive Encryption, the good and ‘old’ PGP drive encryption
      Is nobody using this?

      * _ being 20 in the 70's was fun _ *
      • #2634823

        Nope, it’s not available for non-enterprise and given the simplicity of BitLocker in an enterprise, who would go there?

        For us mere mortals on older / non-Windows systems, Veracrypt is easy and free.

        cheers, Paul

        1 user thanked author for this post.
    • #2634938

      As long as the recovery boot environment contained BitLocker the disk would have been read as usual, because the decryption keys are stored on the disk in plain text. If you used a Linux boot you would not have been able to read the disk.

      So if the system drive failed, taking the recovery partition with it, my system backup images on the unknowingly “staged” secondary drive would have been useless.  Troubling…

       

    • #2635434

      Patching and encryption

      In the last few weeks, you may have seen reports from people experiencing a prompt for a recovery key after updates have been applied.

      Regular Windows updates or manufacturer firmware updates?

      Any example links please (as I haven’t noticed any recently)?

      • #2635503

        Regular windows updates.  Sources were various reddit posts, answers posts, twitter posts, and my own personal experience on a Surface device.  I have popped a bitlocker recovery key request on Surface devices more than any other computer I have.  Whenever Microsoft pushes out a patch that hits secure device code there is generally speaking someone somewhere that hits this.  I’m sure you’ve never seen it yourself, and that’s fine.  I’m just reporting what I see in keeping an eye on many venues and when it’s especially painful is when someone is helping someone else and they had no idea encryption was set in the first place.

        Bitlocker is not a bad thing. But when it’s on, manage it, or turn it off.  And know exactly when and where you have it enabled.

        Susan Bradley Patch Lady/Prudent patcher

        1 user thanked author for this post.
        • #2635582

          Regular windows updates. Sources were various reddit posts, answers posts, twitter posts, and my own personal experience on a Surface device.

          In the last few weeks?

          Whenever Microsoft pushes out a patch that hits secure device code there is generally speaking someone somewhere that hits this. I’m sure you’ve never seen it yourself, and that’s fine.

          Only for BIOS/firmware updates not via Windows Update:

          No user action is required for BitLocker in order to apply updates from Microsoft, including Windows quality updates and feature updates.

          Users need to suspend BitLocker for Non-Microsoft software updates, such as:

            Some TPM firmware updates …

            Non-Microsoft application updates that modify the UEFI\BIOS …

            Manual or third-party updates to secure boot databases …
            Updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows update mechanism …

          Do I have to suspend BitLocker protection to download and install system updates and upgrades? [BitLocker FAQ]

          • #2635599

            Only for BIOS/firmware updates not via Windows Update…

            Hi b:

            The KB5012170 update (Security Update for Secure Boot DBX) described in the 16-Aug-2022 BleepingComputer article Windows KB5012170 update causing BitLocker recovery screens, boot issues was not a BIOS/firmware update.  I know of dozens of Dell users with a Win 11 OS who were prompted to enter their BitLocker recovery key after installing this Aug 2022 Patch Tuesday update and had no idea their hard drive was encrypted and that a recovery key had been generated – see Eric Koch’s 28-Aug-2022 Windows PIN Unavailable / Bitlocker Asking for Recovery Key in the Dell Inspiron board for one example.
            ———–
            Dell Inspiron 5584 * 64-bit Win 10 Pro v22H2 build 19045.3930 * Firefox v122.0.1 * Microsoft Defender v4.18.23110.3-1.1.23110.2 * Malwarebytes Premium v4.6.8.311-1.0.2249 * Macrium Reflect Free v8.0.7783

            • #2636165

              Hi b:

              The KB5012170 update (Security Update for Secure Boot DBX) described in the 16-Aug-2022 BleepingComputer article Windows KB5012170 update causing BitLocker recovery screens, boot issues was not a BIOS/firmware update.

              “BIOS/firmware updates” was my summary heading for the quoted list at the link, but it includes “Manual [or third-party] updates to secure boot databases”.

              (Elsewhere, Microsoft uses BIOS or firmware updates as examples:
              “Upgrading critical early startup components, such as a BIOS or UEFI firmware upgrade”
              BitLocker recovery scenarios)

              I know of dozens of Dell users with a Win 11 OS who were prompted to enter their BitLocker recovery key after installing this Aug 2022 Patch Tuesday update and had no idea their hard drive was encrypted and that a recovery key had been generated – see Eric Koch’s 28-Aug-2022 Windows PIN Unavailable / Bitlocker Asking for Recovery Key in the Dell Inspiron board for one example.

              Eric thought he may have installed Bitlocker, and was able to sign in to Windows after a reboot (before you advised him to restart 2 or 3 times). But as you also noted there, the necessity for some people to restart several times to avoid the recovery key prompt was resolved years ago.

              Are you aware of any examples of BitLocker recovery prompts after Windows updates in the last few weeks?

            • #2636329

              Are you aware of any examples of BitLocker recovery prompts after Windows updates in the last few weeks?

              Hi b:

              If you are asking if I personally know of anyone who was prompted to enter their BitLocker recovery key after installing KB5034441 (Windows Recovery Environment update for Win 10 Versions 21H2 / 22H2, released January 9, 2024) then my answer is “No”.

              However, it would still be prudent for users to follow Susan’s advice and check to see if their BitLocker drive encryption (Windows Pro) or device encryption (Windows Home) has been turned on or partially “staged” without their knowledge.
              ————
              Dell Inspiron 15 5584 * 64-bit Win 10 Pro v22H2 build 19045.3930 * Firefox v122.0.1 * Microsoft Defender v4.18.23110.3-1.1.23110.2 * Malwarebytes Premium v4.6.8.311-1.0.2259 * Macrium Reflect Free v8.0.7783

              2 users thanked author for this post.
            • #2636483

              Hi b:

              If you are asking if I personally know of anyone who was prompted to enter their BitLocker recovery key after installing KB5034441 (Windows Recovery Environment update for Win 10 Versions 21H2 / 22H2, released January 9, 2024) then my answer is “No”.

              Not just that update and not just on Windows 10. On Monday, Susan said, “In the last few weeks, you may have seen reports from people experiencing a prompt for a recovery key after updates have been applied.” I haven’t, but as you knew of dozens a couple of years ago I wondered if you’d seen any recently.

            • #2636527

              Not just that update and not just on Windows 10. On Monday, Susan said, “In the last few weeks, you may have seen reports from people experiencing a prompt for a recovery key after updates have been applied.”…

              Hi b:

              I’m not aware of any current widespread issues with BitLocker recovery keys since the January 2024 Patch Tuesday updates were released, but I’m also not sure why you’re so focused on that one sentence in Susan’s article in the Plus edition of the 05-Feb-2024 AskWoody Newsletter (Issue 21.06).

              It’s not that hard to find recent posts about unexpected prompts at boot-up for a BitLocker recovery key. For example, I did a quick Google search for “bitlocker recovery key” Dell and filtered results for the past month and I found multiple topics started by Dell customers, including dangitzin’s Turned on my 2022 G14 to find this in the reddit forum about a possible corruption of their fTPM record.
              ______________________

              Just FYI, I originally enabled BitLocker drive encryption when I purchased my Dell Inspiron 5584 in 2019, and when my computer refused to boot-up just a few months after purchase (and my Dell SupportAssist OS Recovery software would not enter the recovery environment) I was forced to perform a reset to factory condition. However, the reset would not proceed until I entered my BitLocker recovery key, which I had fortunately printed out on a sheet of paper and stored in a safe location.

              I had also backed up my BitLocker recovery key in my Microsoft Account and saved it in a .txt file on a removable USB stick, but that isn’t much help if you have an unbootable computer and no immediate access to a working computer. After that experience I decided it was better to leave BitLocker encryption turned off and replaced Dell SupportAssist OS Recovery with Macrium Reflect Free system imaging software.
              ————–
              Dell Inspiron 5584 * 64-bit Win 10 Pro v22H2 build 19045.3930 * Firefox v122.0.1 * Microsoft Defender v4.18.23110.3-1.1.23110.2 * Malwarebytes Premium v4.6.8.311-1.0.2259 * Macrium Reflect Free v8.0.7783

              1 user thanked author for this post.
            • #2636564

              I’m not aware of any current widespread issues with BitLocker recovery keys since the January 2024 Patch Tuesday updates were released,

              OK, thanks.

              but I’m also not sure why you’re so focused on that one sentence in Susan’s article in the Plus edition of the 05-Feb-2024 AskWoody Newsletter (Issue 21.06).

              Because no one else has seen any.

              It’s not that hard to find recent posts about unexpected prompts at boot-up for a BitLocker recovery key. For example, I did a quick Google search for “bitlocker recovery key” Dell and filtered results for the past month and I found multiple topics started by Dell customers, including dangitzin’s Turned on my 2022 G14 to find this in the reddit forum about a possible corruption of their fTPM record.

              Not after Windows Updates and more than four weeks ago.

              Any others?

            • #2636638

              Not after Windows Updates and more than four weeks ago. Any others?

              Hi b:

              I don’t see how any of this is even relevant to the main premise of Susan’s article i.e., that you should check the encryption status of your system and ensure that encryption is either turned off or that you have backed up the BitLocker recovery key in a safe place in case you ever need it.

              If that’s your interpretation of “last few weeks” and “after updates have been applied” (the exact words that Susan used) then you’ve made your point.  I’m not going to quibble about Susan’s choice of words in that one sentence because it would just detract from the important message that she was trying to convey in her article.
              ————
              Dell Inspiron 15 5584 * 64-bit Win 10 Pro v22H2 build 19045.3930 * Firefox v122.0.1 * Microsoft Defender v4.18.23110.3-1.1.23110.2 * Malwarebytes Premium v4.6.8.311-1.0.2259 * Macrium Reflect Free v8.0.7783

              1 user thanked author for this post.
    • #2635471

      Microsoft is based on trust, they say

      https://youtu.be/wTl4vEednkQ

      Breaking Bitlocker in minutes

      * _ being 20 in the 70's was fun _ *
    • #2635635

      After days or weeks of research and preparation (including the design and manufacture of a custom printed circuit board), on a 10-year-old computer which did not have a recommended BitLocker pre-boot PIN.

      Wih and ‘old’ 9 years laptop that has all the specifications for Windows11 but not the right CPU age (‘just 6th’, not 8th generation or higher) the/my Bitlocker-project succeeded okay including All tested recovery options; such as BitlockerRecoveryPin and MacriumReflect options. Just than I was sure to hand it over to a ‘trusted’ hardware repair shop for a day. All went well anough, but still saving for the present quality of the 13th generation Cpu; One way or the other, stuck with Windows everyone will be forced to the latest hardware for security reasons, private persons too in a year or two. 😪

      * _ being 20 in the 70's was fun _ *
      • This reply was modified 2 weeks, 5 days ago by Fred.
      • This reply was modified 2 weeks, 5 days ago by Fred.
    • #2637133

      BitLocker Key retrieval on a Windows 11, Lenovo X1 Carbon Gen 11 via SPI Sniffing.

      “The TPM on the backside of the Motherboard, there are various test pads.”

    Viewing 12 reply threads
    Reply To: Taming BitLocker and other encryption methods

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information: