
Can anyone comment on how the auto-unlock feature of BitLocker works? Specifically, what I would like to know is how the unlock key is encrypted and stored, and when the unlock process takes place.

If somehow the machine itself is compromised and they have access to the root drive (which is not encrypted), how easy would it be for them to obtain the keys? Would this be nearly impossible to do without the user password?

Edit: Machine is on EC2

alx9r
davewolfs

3 Answers

Bitlocker is solid technology. It's FIPS 140-2 compliant and there have not been any sort of backdoors discovered in it (to the consternation of certain law-enforcement agencies, who want backdoors into your data.) I highly recommend it.

But is it hack-proof? Nah, of course not. Nothing is hack-proof.

In the "transparent operation mode" like you're talking about, the computer will be using a TPM (trusted platform module) chip. This chip is soldered to the motherboard and cannot be removed. This chip stores the key used for encryption using AES with a 128-bit or 256-bit key. (If you do not have physical possession of the machine, you will not be using transparent operation or "auto-unlock" mode. Anything stored on an unencrypted drive such as encryption keys will be recoverable by an attacker, and they can then use that key to unlock anything you previously protected with those keys.)

After the user initializes the TPM chip through the operating system, the TPM chip analyzes certain pre-boot environment conditions. For instance, it will analyze the BIOS, the MBR, etc., and make a record of that state. When the operating system (say Windows 7 or 8) begins to load, it asks the TPM to release the key so that it may decrypt the contents of the drive. (This is one of the functions of that unencrypted 100MB partition on your OS drive that started showing up around the Windows Vista era.) If the TPM detects that any of the pre-boot conditions have been altered or modified, it will not release the key.

What this means is that someone cannot take a Bitlocker-protected drive out of a laptop or PC, transplant it into another computer, and read it. Because it's encrypted, and it can only be decrypted if it is connected to the original TPM which is soldered to the original motherboard, and the TPM detects that none of the pre-boot state has been altered since the last snapshot.

If you are using Bitlocker on your laptop, I will not be able to take your laptop, enter the BIOS, change the boot up order, boot up off of a USB key or Ubuntu DVD or somesuch, and use that to read your disk. Because the TPM chip will not release the encryption key in that scenario.

Possible attacks on Bitlocker are pretty exotic, such as the so-called "cold boot attack," involving spraying the memory chips with compressed air to cool them so that the volatile contents of RAM are readable for a longer period of time, then performing a "cold reboot" on the operating system into an environment that allows a malicious user to read the contents of RAM that were left over from when the OS was running. The persistence of such data would be milliseconds, to seconds, to maybe even a few minutes.

Edit: You can still use Bitlocker-To-Go for removable drives, even though you have no physical access to the machine. Your Microsoft Live account or an Active Directory can escrow the key for you.

Ryan Ries
  • Persistence of data in RAM is on the order of minutes, especially after cooling with canned air. Granted, that is an exotic attack, because in most every case, it's easier to get at the data (or keys, or password) with malware, so a cold boot attack is not needed. – HopelessN00b Apr 18 '14 at 01:27
  • This is why the BitLocker deployment guide from Microsoft recommends disabling S3 sleep and causing the lid close action to default to hibernate. Memory is not active in hibernate mode. – MDMarra Apr 18 '14 at 01:29
  • @Ryan There is NO TPM chip on this machine. It is an EC2 machine on Amazon Cloud. I want to encrypt my non-system drives. I just want to know if it is safe or not to leverage the auto-key feature in this type of environment. Just an FYI, it appears that any drive the system considers to be disconnectable, e.g. a hot-swap drive, can have this feature enabled. – davewolfs Apr 18 '14 at 01:46
  • @davewolfs How do you know there's no TPM chip in the server your VM is running on? Only you know whether or not it's "safe" to leverage the auto-key feature... but if your data's *that* sensitive, it shouldn't be in the cloud in the first place. It should be on a server you can physically secure and control. Again, physical access is total access. – HopelessN00b Apr 18 '14 at 01:50
  • @HopelessN00b There is no TPM on EC2 machines. If there was, I would be able to enable encryption on the system drive. Rather than tell me all hope is lost here, give me an idea of what my options are. If I disable the auto-unlock feature, they would need my key to access the drive. If I keep it enabled, wouldn't they have to determine my password (I believe the key is stored in the profile but am not sure)? – davewolfs Apr 18 '14 at 01:56
  • @davewolfs Who is "they?" There are some very basic security fundamentals you seem to have left out or not considered, in particular the value of *what* you're protecting and *who* you're protecting it from. But, again, if the data is *that* sensitive (that you're worried about it), you should keep it under your physical control, not pass it off to someone in the cloud, and then worry about fighting the losing battle to prevent someone with physical access to your machine from accessing your data. – HopelessN00b Apr 18 '14 at 02:04
  • @davewolfs There's little point to encrypting data on EC2 with BitLocker, as the only people who might be able to access it are Amazon, and they can pretty trivially recover the encryption key if they want to. What is the problem you are trying to solve? – Michael Hampton Apr 18 '14 at 02:23
  • Well, see, now I'm a little bit annoyed, OP, that you never mentioned anything about EC2, or the fact that you have no physical access to your machine, in your original question. There is no support for using BitLocker whatsoever in situations where you do not have physical possession and ownership of the machine. With a cloud service, you have possession of an operating system, nothing more, and that is not sufficient to support the operation of a technology such as BitLocker. – Ryan Ries Apr 18 '14 at 02:34
  • @RyanRies Would TrueCrypt offer any advantage? Is there any solution for this scenario? – davewolfs Apr 18 '14 at 03:28

Physical access is total access. Assume that if someone can get physical access to your machine, they can get access to everything and anything on it. Because, in reality, they can - at the very least they can drop a rootkit on your machine, record your password (or dump the key from memory) the next time you log in, and send it to themselves over 'net or come back later to collect it, if that fails.

If your machine has been compromised, the only safe approach is to nuke from orbit. Wipe all data, and hope you have proper backups from before it was compromised.

HopelessN00b

If your machine is started and the auto-unlock feature is enabled, then as long as you have a login to the machine you can access the data on the BitLocker drive. Furthermore, there are utilities which erase the password, allowing you to log in without a password and access the data on the BitLocker drive. Basically, auto-unlock defeats the purpose of BitLocker and replaces it with standard Windows security.
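The thread's two practical points (transparent mode needs a TPM, and auto-unlock on a data volume reduces its protection to the Windows logon) can be checked on a host rather than argued about. The following audit script is an added example, not code from the question or any answer; it assumes an elevated PowerShell on Windows 8 / Server 2012 or later with the built-in `BitLocker` module, and uses `Get-Tpm` only if the `TrustedPlatformModule` module is present. The `Get-AutoUnlockExposure` function and `-Remediate` switch are names chosen here.

```powershell
# Added audit script (not from this thread). Run elevated. -Remediate turns
# auto-unlock off on every data volume that has it enabled.
param([switch]$Remediate)

Import-Module BitLocker
$tpmPresent = $false
if (Get-Command Get-Tpm -ErrorAction SilentlyContinue) {
    $tpmPresent = [bool](Get-Tpm).TpmPresent
}

function Get-AutoUnlockExposure {
    # One record per BitLocker volume. A data volume with auto-unlock enabled
    # is readable by anyone who can log on once the OS is up, with no
    # BitLocker password or recovery key involved.
    foreach ($vol in Get-BitLockerVolume) {
        $types   = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $exposed = ($vol.VolumeType -eq 'Data') -and ($vol.AutoUnlockEnabled -eq $true)
        [PSCustomObject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Protection = $vol.ProtectionStatus
            AutoUnlock = $vol.AutoUnlockEnabled
            Protectors = ($types -join ', ')
            Exposed    = $exposed
            # Without a TPM the OS volume cannot be transparently protected, so
            # the key that auto-unlock keeps on it is only as safe as the OS
            # volume and the Windows logon.
            Note       = $(if ($exposed -and -not $tpmPresent) {
                              'auto-unlock on a TPM-less host: key guarded only by the OS volume'
                          } elseif ($exposed) { 'auto-unlock enabled' } else { '' })
        }
    }
}

$report = Get-AutoUnlockExposure
$report | Format-Table -AutoSize

foreach ($r in ($report | Where-Object Exposed)) {
    if ($Remediate) {
        # Removes the external key protector that auto-unlock relies on; after
        # the next reboot the volume needs its password or recovery key again.
        Disable-BitLockerAutoUnlock -MountPoint $r.MountPoint | Out-Null
        Write-Warning ("{0}: auto-unlock disabled" -f $r.MountPoint)
    } else {
        Write-Warning ("{0}: {1} (rerun with -Remediate to disable)" -f $r.MountPoint, $r.Note)
    }
}
```

Before running with `-Remediate`, confirm the recovery key for each affected volume is escrowed (AD, MBAM or a backup of `Get-BitLockerVolume`'s RecoveryPassword protector), since the volume will prompt for it after the next reboot.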