BitLocker, Windows' built-in encryption technology, has taken some hits recently. One recent exploit removed a computer's TPM chip to extract its encryption keys, and many hard drives break BitLocker's encryption. Here's a guide to avoiding BitLocker's pitfalls.
Note that all these attacks require physical access to your computer. That is what encryption is for.
Standard BitLocker Is Not Available on Windows Home
While almost all modern consumer operating systems ship with encryption by default, Windows 10 still does not provide encryption on all PCs. Macs, Chromebooks, iPads, iPhones, and even Linux distributions offer encryption to all their users. Microsoft, however, still does not offer BitLocker on Windows 10 Home.
Some PCs may have a similar encryption technology that Microsoft originally called "Device Encryption" and now sometimes calls "BitLocker Device Encryption"; we cover it in the next section. However, this device encryption technology is more limited than full BitLocker.
How an attacker could exploit this: No exploit is needed. If your Windows Home PC is simply not encrypted, an attacker could remove the hard drive or boot another operating system on your PC to access your files.
The solution: Pay $99 to upgrade to Windows 10 Professional and enable BitLocker. You might also consider another encryption solution such as VeraCrypt, the successor to TrueCrypt, which is free.
RELATED: Why Does Microsoft Charge $100 for Encryption When Everyone Else Gives It Away?
BitLocker Sometimes Uploads Your Key to Microsoft
Many modern Windows 10 PCs come with encryption called Device Encryption. If your PC supports it, it is automatically encrypted after you sign in to the PC with your Microsoft account (or a domain account on a corporate network). The recovery key is then automatically uploaded to Microsoft's servers (or to your company's servers in a domain).
This protects you against losing your files: even if you forget your Microsoft account password and cannot sign in, you can recover the account and regain access to your encryption key.
How an attacker could exploit this: This is better than no encryption. However, it means Microsoft could be forced to hand over your encryption key under a government warrant. Worse, an attacker could theoretically abuse the Microsoft account recovery process to take over your account and obtain your encryption key. With physical access to your PC or its hard drive, they could then use that recovery key to decrypt your files without needing your password.
The solution: Pay $99 to upgrade to Windows 10 Professional, enable BitLocker through the Control Panel, and choose not to upload a recovery key to Microsoft's servers when prompted.
RELATED: Enabling Full Disk Encryption on Windows 10
Many Solid State Drives Break BitLocker Encryption
Some solid state drives advertise support for "hardware encryption." If you use such a drive in your system and enable BitLocker, Windows trusts the drive to do the job and does not use its usual software encryption techniques. In theory, if the drive can do the work in hardware, that should be faster.
There is just one problem: researchers have discovered that many SSDs do not implement this properly. For example, the Crucial MX300 protects your encryption key with a blank password by default. Windows may say that BitLocker is enabled, but it may not actually be doing much in the background. This is a scary design decision: BitLocker should not silently hand its work over to SSDs. This is a newer feature, so the problem only affects Windows 10, not Windows 7.
How an attacker could exploit this: Windows may say that BitLocker is enabled, but BitLocker may be sitting idle while your SSD fails to encrypt your data securely. An attacker could potentially bypass the poorly implemented encryption in your solid-state drive to access your files.
The solution: Change the "Configure use of hardware-based encryption for fixed data drives" option to "Disabled" in Windows Group Policy. You must then decrypt and re-encrypt the drive for this change to take effect. BitLocker will then stop trusting drives and do all the work in software instead of hardware.
RELATED: You Can't Trust BitLocker to Encrypt Your SSD on Windows 10
TPM Chips Can Be Removed
A security researcher recently demonstrated another attack. BitLocker stores your encryption key in your computer's Trusted Platform Module (TPM), a special piece of hardware designed to be tamper-resistant. Unfortunately, an attacker can use a $27 FPGA board and some open source code to extract the key from the TPM. This would destroy the hardware, but it would allow extracting the key and bypassing the encryption.
How an attacker could exploit this: If an attacker has your PC, they can theoretically bypass all the fancy TPM protections by tampering with the hardware and extracting the key, which should not be possible.
The solution: Configure BitLocker to require a pre-boot PIN in Group Policy. The "Require startup PIN with TPM" option forces Windows to unlock the TPM with a PIN at startup. You must type a PIN when your PC boots, before Windows starts. This gives the TPM an additional layer of protection: an attacker cannot extract the key from the TPM without knowing your PIN. The TPM also has brute-force protection, so an attacker cannot simply try every possible PIN in turn.
RELATED: How to Enable a Pre-Boot BitLocker PIN on Windows
Sleeping PCs Are More Vulnerable
Microsoft recommends disabling sleep mode when you use BitLocker for maximum security. Hibernation is fine: BitLocker can require a PIN when you wake your PC from hibernation, just as when you boot it normally. In sleep mode, however, the PC stays powered on with its encryption key stored in RAM.
How an attacker could exploit this: If an attacker has your PC, they can wake it up and sign in. On Windows 10, they may have to enter a numeric PIN. With physical access to your PC, an attacker may also be able to use direct memory access (DMA) to capture the contents of your system's memory and retrieve the BitLocker key. An attacker could also perform a cold boot attack: reboot the running PC and grab the keys from RAM before they disappear. This can even involve using a freezer to lower the temperature and slow that process down.
The solution: Hibernate or shut down the PC instead of letting it sleep. Use a pre-boot PIN to make the boot process more secure and block cold boot attacks. BitLocker will also require a PIN when resuming from hibernation if a PIN is required at boot. Windows also lets you "Disable new DMA devices when this computer is locked" via a Group Policy setting, which provides some protection even if an attacker gets hold of your PC while it is running.
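The three hardening steps recommended above (disable hardware-based drive encryption, require a startup PIN with the TPM, and block new DMA devices while locked) can be checked from an elevated PowerShell prompt. The script below is an added example, not from the article or from Microsoft; it assumes the registry value names under HKLM\SOFTWARE\Policies\Microsoft\FVE that Group Policy writes for these settings, so verify them against your environment before relying on the result.

```powershell
# Added example: audit a Windows 10 PC against the BitLocker hardening points
# discussed on this page. Run as Administrator. The registry value names below
# are assumed to be the ones Group Policy writes for these settings; they are
# absent until a policy has been configured, so $null means "Not Configured".
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-PolicyValue([string]$Name) {
    # Returns $null when the policy has never been set.
    (Get-ItemProperty -Path $fve -Name $Name -ErrorAction SilentlyContinue).$Name
}

$findings = @()

# 1. Hardware (SSD) encryption must be Disabled (0) so BitLocker does the work
#    in software. Not Configured defaults to allowing the drive to encrypt.
foreach ($v in 'OSHardwareEncryption', 'FDVHardwareEncryption', 'RDVHardwareEncryption') {
    if ((Get-PolicyValue $v) -ne 0) { $findings += "Policy $v is not set to Disabled" }
}

# 2. Startup PIN with TPM: UseAdvancedStartup = 1 enables the additional
#    authentication policy; UseTPMPIN = 1 means "Require startup PIN with TPM".
if ((Get-PolicyValue 'UseAdvancedStartup') -ne 1 -or (Get-PolicyValue 'UseTPMPIN') -ne 1) {
    $findings += 'A startup PIN with TPM is not required by policy'
}

# 3. New DMA devices should be blocked while the screen is locked.
if ((Get-PolicyValue 'DisableExternalDMAUnderLock') -ne 1) {
    $findings += 'New DMA devices are not disabled while the computer is locked'
}

# 4. Check what BitLocker is actually doing on each volume, not just what policy says.
foreach ($vol in Get-BitLockerVolume) {
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "$($vol.MountPoint) is not protected by BitLocker"
        continue
    }
    # 'Hardware' means Windows handed encryption to the drive's own controller.
    if ($vol.EncryptionMethod -eq 'Hardware') {
        $findings += "$($vol.MountPoint) relies on the drive's hardware encryption; decrypt and re-encrypt in software"
    }
    # The OS volume should unlock with TPM + PIN, not the TPM alone.
    if ($vol.VolumeType -eq 'OperatingSystem' -and
        -not ($vol.KeyProtector.KeyProtectorType -contains 'TpmPin')) {
        $findings += "$($vol.MountPoint) unlocks with TPM only; add a PIN with Add-BitLockerKeyProtector -TpmAndPinProtector"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'All BitLocker checks passed' }
```

Each warning maps to one of the sections above, so a clean run means the drive is encrypted in software, a pre-boot PIN is required, and DMA ports are blocked while locked.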
RELATED: Should You Shut Down, Sleep, or Hibernate Your Laptop?
If you would like to read more on this topic, Microsoft offers detailed documentation on securing BitLocker on its website.