
Say you have a computer with the system drive encrypted by BitLocker and you're not using a PIN so the computer will boot up unattended. What happens if an attacker boots the system up into the Windows Preinstallation Environment? Will they have access to the encrypted drive?

Does it change if you have a TPM vs. using only a USB startup key?

What I'm trying to determine is whether the TPM / USB startup key is usable without booting from the original operating system. In other words, if you're using a USB startup key and the machine is rebooted normally then the data would still be protected unless an attacker was able to log in. But what if the hacker just boots the server into a Windows Preinstallation Environment with the USB startup key plugged in? Would they then have access to the data? Or would that require the recovery key?

Ideally the recovery key would be required when booted like this, but I haven't seen this documented anywhere.

2 Answers


TPM is secure because it "watches" the boot process; when your normal Windows installation boots, it follows the "normal" boot path and the TPM recognizes this and will only store/retrieve keys when this process has been followed. If you boot any other way, even just safe mode, you'll "change" that process and the TPM will not "unlock".

Technically the key is stored in the TPM chip, and it's theoretically possible to slice open this chip and get to the data. TPM is a vault like any other; it's always theoretically possible to break into a vault given enough time and resources. To publicly available knowledge, this has never happened. But this is half the reason the PIN and USB Key options exist. Trying to brute-force the actual AES-256 encryption key would take a ridiculous amount of time.

If your drive only requires the USB Key, then it would be possible to use only that even from WinPE to unlock the drive.

We use BitLocker where I work. Each drive has two protectors, the TPM key and a Recovery Key that is automatically published to Active Directory. The computer starts like normal and users don't know it's encrypted unless they look. When I take the computer in to be serviced/wiped/etc. I use the manage-bde command line tool in WinPE to unlock and access the drive, using the Recovery Key to unlock the drive.

Also keep in mind that the GUI doesn't present all of the available BitLocker options. The command line tool manage-bde does. For most people the GUI is good enough to get started, but the CLI tool will be necessary for advanced setups and may present you with a better understanding of the technology.

Chris S
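The two situations the answer above describes, as an added example that is not part of the original post or of the manage-bde tool itself: from WinPE the TPM will not release the key because the measured boot path differs, so the operator unlocks with the 48-digit recovery password; on the installed OS the TPM-only protector is swapped for TPM+PIN so an unattended WinPE boot cannot unlock the drive. It assumes the OS volume is C: (and keeps that letter under WinPE), that a recovery password protector already exists and is escrowed, and that Group Policy permits a PIN; the recovery password value shown is a placeholder.

```powershell
# Added example (not from the original post or from Microsoft). Wraps manage-bde to
# show what a WinPE boot can and cannot do with a BitLocker OS volume, and how to
# close the TPM-only gap with a PIN.
# Assumptions (mine): OS volume is C:, the same letter is visible in WinPE, and the
# 48-digit recovery password comes from AD/your escrow. The default below is a
# placeholder, not a real key.
param(
    [ValidateSet("Inspect", "UnlockFromWinPE", "RequirePin")]
    [string]$Mode = "Inspect",
    [string]$Volume = "C:",
    [string]$RecoveryPassword = "000000-000000-000000-000000-000000-000000-000000-000000"
)

function Get-ProtectorSummary {
    param([string]$Vol)
    # Lists every key protector on the volume. A TPM-only volume shows a "TPM"
    # entry; a volume that auto-unlocks from a plain USB startup key shows
    # "External Key" with no TPM entry, and that key works from WinPE too.
    return (& manage-bde -protectors -get $Vol 2>&1 | Out-String)
}

function Unlock-FromWinPE {
    param([string]$Vol, [string]$Password)
    # WinPE is a different boot path from the one the TPM sealed the key to, so the
    # TPM protector will not unlock here. The recovery password (or a plain startup
    # key, if one was configured) is what opens the volume in this environment.
    & manage-bde -unlock $Vol -RecoveryPassword $Password
    if ($LASTEXITCODE -ne 0) { throw "Unlock of $Vol failed (exit $LASTEXITCODE)" }
    & manage-bde -status $Vol
}

function Set-TpmAndPinProtector {
    param([string]$Vol)
    # Run from the installed Windows, not WinPE. Replaces TPM-only with TPM+PIN so an
    # unattended boot into any other environment cannot unlock the drive.
    $summary = Get-ProtectorSummary $Vol
    if ($summary -notmatch "TPM") {
        throw "No TPM protector on $Vol; nothing to upgrade"
    }
    # Refuse to touch the TPM protector unless a recovery password exists, otherwise
    # a failed step below would leave the volume with no usable protector.
    if ($summary -notmatch "Numerical Password") {
        throw "Add and escrow a recovery password protector before requiring a PIN"
    }
    # Only one TPM-based protector is allowed, so remove the TPM-only one first.
    & manage-bde -protectors -delete $Vol -Type TPM
    if ($LASTEXITCODE -ne 0) { throw "Could not remove TPM-only protector" }
    # manage-bde prompts interactively for the PIN (policy must allow PINs at startup).
    & manage-bde -protectors -add $Vol -TPMAndPIN
    if ($LASTEXITCODE -ne 0) {
        throw "TPM+PIN protector not added; volume currently has no TPM protector, fix before reboot"
    }
    return Get-ProtectorSummary $Vol
}

switch ($Mode) {
    "Inspect"         { Get-ProtectorSummary $Volume }
    "UnlockFromWinPE" { Unlock-FromWinPE $Volume $RecoveryPassword }
    "RequirePin"      { Set-TpmAndPinProtector $Volume }
}
```

From a WinPE prompt, `.\bitlocker-check.ps1 -Mode UnlockFromWinPE -RecoveryPassword <48 digits>` is the path the answer describes for servicing a machine; `-Mode RequirePin` is run on the installed OS and answers the question's "ideally the recovery key would be required" wish, since with TPM+PIN neither WinPE nor a plugged-in startup key is enough on its own.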
  1. BitLocker encrypts the data with a key, so no matter if another user boots up the environment, he will not have access to the data directly. The downside is that he can try to crack the encryption because he has physical access to the hard disk (which can be partly prevented with a USB start-up key).
  2. As far as I know the TPM / USB key is unusable when booted from another OS without the PIN/password.
  3. Someone who would like access would go the following route: a) get laptop, b) get key, c) get PIN, d) get access.
  4. They would still need the recovery key or the PIN, unless they would try to brute force directly without the key.

I hope this helps.

Alex H