
I want to protect myself from data theft in the event that a malicious person steals my PC. I have a PC running Windows 11 with a TPM chip. BitLocker is activated and for the moment there is no password to access Windows.

Correct me if I'm wrong, but a standard password on a local administrator account is not enough to protect me in case of theft? Because if a thief takes the whole PC, he will be able to run a "live OS" to remove the password of the Windows session? I know that there are very simple tools for that. In this scenario, will BitLocker wake up at the next boot?

For the moment, I think the only solution is to add a PIN(*) in addition to the BitLocker encryption? Correct?

(*) BitLocker - no password option available

EDIT: The question is: is a session password enough? (the boot order will not be changed since for the moment the number 1 in the loading order is USB then OS)

  • What exactly is your question? A thief will be unable to change the boot order of your device, since once they do that, the BitLocker recovery key will be required. So of course a password is enough to secure your device if BitLocker protection is enabled. – Ramhound Dec 27 '21 at 22:48
  • The question is: is a session password enough? (the boot order will not be changed since for the moment the number 1 in the loading order is USB then OS) – gambit11550 Dec 28 '21 at 09:35
  • BitLocker won’t allow you to change the boot order, and in order to boot to a live environment to reset the password of one of your users, you would need to have the BitLocker recovery key. That is a fact. – Ramhound Dec 28 '21 at 15:52

1 Answer


Because if a thief takes the whole PC, he will be able to run "live OS" to remove the password of the windows session?

Your hard drive is encrypted with BitLocker, so its contents can't be accessed or modified from a live OS without unlocking the BitLocker volume first.

To unlock it you need a secret which is stored inside the TPM and can't be extracted from it. The TPM can provide it, but only if the boot sequence that was executed matches the normal boot path that the TPM expects. For a live OS it won't match, so the TPM won't provide the secret, so the attacker won't be able to predictably modify disk contents. (They can damage the filesystem though.)

gronostaj
  • On a BitLocker TPM-protected system without a TPM password there are some known attacks to extract the BitLocker master encryption key from RAM using DMA (e.g. inserting a FireWire extension card and then accessing RAM using a second PC). Intel, AMD and Microsoft have implemented some mitigations for such attacks, but I am not sure how to check whether a system is vulnerable to such attacks. – Robert Dec 28 '21 at 14:07
  • @Robert That could indeed work, but it's a relatively sophisticated attack for a very particular hardware configuration, while OP is concerned with basic security of any BitLocker+TPM setup. – gronostaj Dec 28 '21 at 15:32
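The answer explains why a TPM-only protector releases the key to any boot that matches the sealed boot path, which is exactly why the original poster is considering a pre-boot PIN. The following PowerShell script is an added example, not code from the thread or from Microsoft: it reports which protectors the OS volume has and swaps a TPM-only protector for TPM+PIN. It assumes the built-in BitLocker cmdlets on an elevated Windows 11 session and that Group Policy permits a startup PIN.

```powershell
# Added example, not code from the original thread. Assumes Windows 10/11 with the
# BitLocker PowerShell module and an elevated session; the volume letter is an assumption.
function Get-BitLockerPreBootPosture {
    param([string]$MountPoint = $env:SystemDrive)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus       # e.g. FullyEncrypted
        ProtectionStatus = $vol.ProtectionStatus   # On = protectors are enforced
        ProtectorTypes   = $types
        # TPM-only: the TPM releases the key to any boot whose measurements match
        # the sealed ones, so the Windows logon screen is the only gate afterwards.
        TpmOnly          = ($types -contains 'Tpm') -and -not ($types -contains 'TpmPin')
        HasPreBootPin    = ($types -contains 'TpmPin')
        HasRecoveryKey   = ($types -contains 'RecoveryPassword')
    }
}

# Swap the TPM-only protector for TPM+PIN: the key is then released only when the
# matching boot path AND the user-typed PIN are both present. Group Policy must allow
# it ("Require additional authentication at startup", i.e. FVE\UseTPMPIN = 1 or 2).
function Enable-BitLockerPreBootPin {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][securestring]$Pin
    )
    $posture = Get-BitLockerPreBootPosture -MountPoint $MountPoint
    if ($posture.HasPreBootPin) { return 'A TPM+PIN protector is already present.' }
    if (-not $posture.HasRecoveryKey) {
        # Keep a fallback so a failed swap or a later boot-path change cannot lock you out.
        throw 'Add and back up a recovery password protector first (-RecoveryPasswordProtector).'
    }

    # Remove the existing TPM-only protector; the recovery password stays as the fallback.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' } | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null

    Get-BitLockerPreBootPosture -MountPoint $MountPoint
}

# Usage (interactive):
#   Get-BitLockerPreBootPosture
#   Enable-BitLockerPreBootPin -Pin (Read-Host -Prompt 'New pre-boot PIN' -AsSecureString)
```

Run `Get-BitLockerPreBootPosture` first: `TpmOnly = True` is the configuration the thread describes, where only the Windows logon password stands between a booted machine and the data.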