How useful is Bitlocker without a TPM?
When you install Bitlocker on a system without a TPM you need to put the startup key on a flash drive.
Since you can hardly expect the user to store his notebook and flash drive separately, would Bitlocker offer any advantage over an unencrypted system if both are lost/stolen?
security windows-7 bitlocker
asked Dec 29 '09 at 7:55
laktak
4 Answers
If both of them were stolen by the same thief, who happens to have some knowledge of how Bitlocker works, you can pretty much assume your file system has been broken into.
You may want to consider using TPM if your data is extremely important, or even TPM + PIN. It's better to have to rely on stuff that's in your head rather than a USB key which anyone can get their hands on if they really want to.
answered Dec 29 '09 at 8:39
gekkz
TPM is almost always used still with a password
– LapTop006
Dec 29 '09 at 13:18
I know this question is old but I tripped across it in related questions while looking for an answer of my own for this.
You can use manage-bde to require both the USB and a password in order to unlock a device. That effectively turns unlocking the machine into a 2FA ordeal. Unlike the Bitlocker UI, which doesn't give you the option to apply multiple protectors, the manage-bde tool allows you to specify multiple protectors if you have 'Require additional authentication on start-up', which you likely already have figured out. My guess is the commands would run as follows:
manage-bde -protectors -add C: -startupkey [USB DRIVE]
manage-bde -on C:
[After it's encrypted]
manage-bde -protectors -add C: -pw
You might be able to do this in one command. I just don't have a good means to test it on a fresh endpoint, but I am curious enough that I'm about to run it on my old laptop; I'll let you know if you can do this in one command and will edit accordingly based on what I see.
Reference:
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker
answered 12 hours ago
Nuvious
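An audit script added here as an example for this answer and the TPM + PIN answer above; it is not code from the thread. It assumes the BitLocker and TrustedPlatformModule PowerShell modules (Windows 8 / Server 2012 or later) and an elevated prompt. Every key protector wraps the volume master key independently, so the check looks for a compound protector type (TpmPin, TpmStartupKey, TpmPinStartupKey) rather than counting how many protectors exist.

```powershell
# Added example, not from the thread: report which pre-boot factors actually
# protect the OS volume. Assumes the BitLocker and TrustedPlatformModule
# modules and an elevated session.

# Compound protector types: one protector that binds two or three factors.
$MultiFactorTypes  = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
# Standalone pre-boot protectors: any one of these unlocks the volume by itself.
$SingleFactorTypes = @('Tpm', 'ExternalKey', 'Password')

function Get-BitLockerFactorReport {
    param([string]$MountPoint = $env:SystemDrive)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    # Get-Tpm needs elevation and is absent on very old builds; treat as unknown.
    $tpmPresent = 'unknown'
    try { $tpmPresent = (Get-Tpm).TpmPresent } catch { }

    $multi  = @($types | Where-Object { $MultiFactorTypes  -contains $_ })
    $single = @($types | Where-Object { $SingleFactorTypes -contains $_ })
    $findings = New-Object System.Collections.Generic.List[string]

    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("Protection is $($vol.ProtectionStatus): the volume key is not protected.")
    }
    if ($multi.Count -eq 0 -and $single.Count -gt 0) {
        $findings.Add("No compound (TPM+PIN / TPM+startup key) protector; each of " +
                      "[$($single -join ', ')] unlocks the volume on its own.")
    }
    if ($single -contains 'ExternalKey' -and $single -contains 'Password') {
        $findings.Add("Startup key and password are separate protectors, so either " +
                      "one alone is enough; this is 1-of-2, not two-factor.")
    }
    if ($tpmPresent -eq $true -and -not ($types -match '^Tpm')) {
        $findings.Add("A TPM is present but unused; a TpmPin protector would bind " +
                      "the key to this hardware plus something only the user knows.")
    }
    if (-not ($types -contains 'RecoveryPassword')) {
        $findings.Add("No recovery password protector; escrow one before a lost " +
                      "startup key turns into lost data.")
    }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        Protectors       = $types
        MultiFactor      = $multi
        TpmPresent       = $tpmPresent
        Findings         = $findings.ToArray()
    }
}

# Usage: run elevated; prints the report for the OS drive.
Get-BitLockerFactorReport | Format-List
```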
Bitlocker can be compromised even with a TPM. Sure, it's unlikely, but it all depends on how much your data is worth to you and who's interested in it.
For the average Joe it's not worth it.
For CEO level security I think I'd be looking at adding an extra layer of encryption at the very least.
See:
http://www.schneier.com/blog/archives/2009/12/defeating_micro.html
answered Dec 29 '09 at 17:18
Ausmith1
The two existing attacks against bitlocker are quite a stretch. Gaining access to the victim's computer TWO TIMES is a very unlikely event. What will happen in most cases? The Laptop/Workstation gets stolen altogether, or just the hard drive. BitLocker will keep your data "safe" (of course there is NEVER 100% security).
Only CEO data is important? Really? I think I can do a whole lot of damage with some random employee's files.
"Since you can hardly expect the user to store his notebook and flash drive separately [...]"
If you are unable to teach the employees basic security behaviour, most of your precautions will fail.
Don't get me wrong here, but security isn't done the simple way :)
answered Jan 6 '10 at 15:30
Christoph Schmidt