|
Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it. |
ON SECURITY By Susan Bradley Our audience consists of several different segments. As a result, there are many different risk levels. My risk tolerance
[See the full post at: Taming BitLocker and other encryption methods]
Susan Bradley Patch Lady/Prudent patcher
I learned some time ago to never trust MS. From Windows XP, I’ve always segregated sensitive user data to a separate partition on a separate hard drive. This takes a little doing with Windows 8.1, 10 and 11 but manageable.
Then, these partitions are all encrypted with VeraCrypt using strong passwords and a YubiKey — no need to encrypt the C: partition at all. This encryption solution keeps MS entirely out of the mix. Master VeraCrypt password is a memorable passphrase and other ‘tricks’ are used for access to all encrypted partitions — each very difficult to ‘lose’ access to.
This has worked well for me for years! Any stolen hard drive shows the encrypted partitions as ‘unknown’.
However, I understand that some of you are concerned about Microsoft making a change that enables encryption even if you have turned off BitLocker in Settings. I do have one somewhat obscure trick. Keep in mind that this is just for consumers in non-business environments, and it is just to prevent Microsoft from overriding your desired BitLocker settings without notice.
There is a very old method of providing authentication to Windows using smart cards. This is controlled by local group policy, as shown in Figure 5.
Group Policy Editor
Figure 5. Enabling smart card authentication blocks changes to encryption.The policy can be found at Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption | Fixed Data Drives. The rule circled in red, Require use of smart cards on fixed data drives, will be set to Not Configured by default. Change it to Enabled.
Enabled is the same as Not Configured:
If you enable this policy setting smart cards can be used to authenticate user access to the drive. [You can require a smart card authentication by selecting the “Require use of smart cards on fixed data drives” check box.]
…
If you do not configure this policy setting, smart cards can be used to authenticate user access to a BitLocker-protected drive.
As the policy is for fixed data drives, can it have any effect on OS drives?
As the policy is for fixed data drives, can it have any effect on OS drives?
The OS is also comprised of data, is it not? Disk Management seems to think so:
As the policy is for fixed data drives, can it have any effect on OS drives?
The OS is also comprised of data, is it not? Disk Management seems to think so:
Bitlocker policies treat them differently:
In a word: Yes
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.VolumeEncryption::FDVConfigureSmartCard#:~:text=If%20you%20enable%20this%20policy%20setting%20smart%20cards,smart%20cards%20on%20fixed%20data%20drives%22%20check%20box.
Personally I think the gui is good enough but for those people that REALLY want to ensure encryption never happens, this will force Bitlocker/Encryption to ask for a smart card before encrypting the drive. Given that you won’t have one handy, ergo it will fail.
Susan Bradley Patch Lady/Prudent patcher
Besides risk tolerance, threat assessment is also critically important to inform risk assessment. Essentially you have to ask the question of “what are you trying to protect and from whom are you protecting it?” Or — “who is your opponent and what are the opponent’s capabilities and intentions?” This really applies to any security setup, and it’s important to account for a potential opponent’s cost/benefit analysis to be different than yours — what costs they’re willing to accept in exchange for perceived benefit.
With BitLocker and other approaches to full-disk encryption, it’s important to recognize that somebody who can establish physical access to a machine can establish access to the contents of drives. That may not necessarily be done by simple bootup and login. Often, the approach may be something like booting from external media, or by removing a drive and mounting in another machine. For both of those cases, access is done by bypassing the installed operating system, and its access control methodologies.
What Bitlocker does is to protect the contents of an encrypted drive, without relying on an installed operating system, in the event that the computer has been lost, stolen or confiscated. This is particularly important if you have sensitive data, and the computer travels (or has the ability to travel).
If you’re working from a desktop computer from home in North America, and your data isn’t especially sensitive, something like BitLocker may be overkill. But a lot depends on how sensitive your data is, and from whom you’re trying to protect it. The equation changes with higher sensitivity of data, where you’re located, and where you may take the computer (or where it could go unexpectedly).
Also, a reason to do full-disk encryption (especially with Windows) rather than encrypting a partition or a container is the possibility of fragments of data being located in unencrypted locations, where recovery is possible. This includes system swap space, temporary files (including printer queues) and even the Windows registry.
For the registry, Microsoft (and applications writers) tend to write things like saved passwords to the registry, where they may be encoded (and not easily deciphered by reading directly) but not encrypted. And there are tools easily available (not just from the dark web) that can be used to extract that information. One notable set of tools is Nirsoft’s collection, which is good for extracting a lot of saved passwords, including things like Windows shares, wi-fi access keys, and passwords saved in Edge or Google Chrome.
If the drive(s) haven’t been encrypted yet, why does it take a substantial amount of time to process the system’s drive
The drive was encrypted, but not “protected”. Protection occurs when the recovery keys are moved to an MS account.
what would have happened had I needed to use a backup drive-image stored on the system’s “staged” secondary drive
As long as the recovery boot environment contained BitLocker the disk would have been read as usual, because the decryption keys are stored on the disk in plain text.
If you used a Linux boot you would not have been able to read the disk.
cheers, Paul
Nope, it’s not available for non-enterprise and given the simplicity of BitLocker in an enterprise, who would go there?
For us mere mortals on older / non-Windows systems, Veracrypt is easy and free.
cheers, Paul
Nope, the disk will be decrypted because the keys are local – assuming a Windows RE with BitLocker boot for your backup software.
This is the reason we have a “BitLocker Status” script.
cheers, Paul
Regular windows updates. Sources were various reddit posts, answers posts, twitter posts, and my own personal experience on a Surface device. I have popped a bitlocker recovery key request on Surface devices more than any other computer I have. Whenever Microsoft pushes out a patch that hits secure device code there is generally speaking someone somewhere that hits this. I’m sure you’ve never seen it yourself, and that’s fine. I’m just reporting what I see in keeping an eye on many venues and when it’s especially painful is when someone is helping someone else and they had no idea encryption was set in the first place.
Bitlocker is not a bad thing. But when it’s on, manage it, or turn it off. And know exactly when and where you have it enabled.
Susan Bradley Patch Lady/Prudent patcher
Are you aware of any examples of BitLocker recovery prompts after Windows updates in the last few weeks?
Hi b:
If you are asking if I personally know of anyone who was prompted to enter their BitLocker recovery key after installing KB5034441 (Windows Recovery Environment update for Win 10 Versions 21H2 / 22H2, released January 9, 2024) then my answer is “No”.
However, it would still be prudent for users to follow Susan’s advice and check to see if their BitLocker drive encryption (Windows Pro) or device encryption (Windows Home) has been turned on or partially “staged” without their knowledge.
————
Dell Inspiron 15 5584 * 64-bit Win 10 Pro v22H2 build 19045.3930 * Firefox v122.0.1 * Microsoft Defender v4.18.23110.3-1.1.23110.2 * Malwarebytes Premium v4.6.8.311-1.0.2259 * Macrium Reflect Free v8.0.7783
Not just that update and not just on Windows 10. On Monday, Susan said, “In the last few weeks, you may have seen reports from people experiencing a prompt for a recovery key after updates have been applied.”…
Hi b:
I’m not aware of any current widespread issues with BitLocker recovery keys since the January 2024 Patch Tuesday updates were released, but I’m also not sure why you’re so focused on that one sentence in Susan’s article in the Plus edition of the 05-Feb-2024 AskWoody Newsletter (Issue 21.06).
It’s not that hard to find recent posts about unexpected prompts at boot-up for a BitLocker recovery key. For example, I did a quick Google search for “bitlocker recovery key” Dell and filtered results for the past month and I found multiple topics started by Dell customers, including dangitzin’s Turned on my 2022 G14 to find this in the reddit forum about a possible corruption of their fTPM record.
______________________
Just FYI, I originally enabled BitLocker drive encryption when I purchased my Dell Inspiron 5584 in 2019, and when my computer refused to boot-up just a few months after purchase (and my Dell SupportAssist OS Recovery software would not enter the recovery environment) I was forced to perform a reset to factory condition. However, the reset would not proceed until I entered my BitLocker recovery key, which I had fortunately printed out on a sheet of paper and stored in a safe location.
I had also backed up my BitLocker recovery key in my Microsoft Account and saved it in a .txt file on a removable USB stick, but that isn’t much help if you have an unbootable computer and no immediate access to a working computer. After that experience I decided it was better to leave BitLocker encryption turned off and replaced Dell SupportAssist OS Recovery with Macrium Reflect Free system imaging software.
————–
Dell Inspiron 5584 * 64-bit Win 10 Pro v22H2 build 19045.3930 * Firefox v122.0.1 * Microsoft Defender v4.18.23110.3-1.1.23110.2 * Malwarebytes Premium v4.6.8.311-1.0.2259 * Macrium Reflect Free v8.0.7783
Not after Windows Updates and more than four weeks ago. Any others?
Hi b:
I don’t see how any of this is even relevant to the main premise of Susan’s article i.e., that you should check the encryption status of your system and ensure that encryption is either turned off or that you have backed up the BitLocker recovery key in a safe place in case you ever need it.
If that’s your interpretation of “last few weeks” and “after updates have been applied” (the exact words that Susan used) then you’ve made your point. I’m not going to quibble about Susan’s choice of words in that one sentence because it would just detract from the important message that she was trying to convey in her article.
————
Dell Inspiron 15 5584 * 64-bit Win 10 Pro v22H2 build 19045.3930 * Firefox v122.0.1 * Microsoft Defender v4.18.23110.3-1.1.23110.2 * Malwarebytes Premium v4.6.8.311-1.0.2259 * Macrium Reflect Free v8.0.7783
After days or weeks of research and preparation (including the design and manufacture of a custom printed circuit board), on a 10-year-old computer which did not have a recommended BitLocker pre-boot PIN.
After days or weeks of research and preparation (including the design and manufacture of a custom printed circuit board), on a 10-year-old computer which did not have a recommended BitLocker pre-boot PIN.
Wih and ‘old’ 9 years laptop that has all the specifications for Windows11 but not the right CPU age (‘just 6th’, not 8th generation or higher) the/my Bitlocker-project succeeded okay including All tested recovery options; such as BitlockerRecoveryPin and MacriumReflect options. Just than I was sure to hand it over to a ‘trusted’ hardware repair shop for a day. All went well anough, but still saving for the present quality of the 13th generation Cpu; One way or the other, stuck with Windows everyone will be forced to the latest hardware for security reasons, private persons too in a year or two. 
The only mitigation for this attack is to enable BitLocker with a PIN OR security key which adds “Preboot Authentication”. The sniffable key isn’t released until after the correct pin is entered.
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
Notifications
