Focus on Microsoft
Bitlocker without PIN Feb 17 2011 11:07AM
Shang Tsung (shangtsung71 gmail com) (2 replies)
RE: Bitlocker without PIN Feb 23 2011 09:45PM
Alexander Kurt Keller (alkeller sfsu edu)
RE: Bitlocker without PIN Feb 23 2011 09:35PM
Thor (Hammer of God) (thor hammerofgod com)
The PIN is for added security. Without a PIN, someone who knows the password to the user account can logon to the box. Any code will have "access" to the TMP, but it won't have access the other key information required to decrypt the drive.

I use a PIN, but the PIN makes it more complex for recovery agent decryption. It all depends on what problem you are trying to solve, and what the value of the data you are trying to protect is. Password-only access could be just fine if you want to provide general protection for medium risk data. If it is critical data, you should have a strong passphrase that one can't brute force. A PIN may not be necessary. If the password can be compromised in a different manner, then a PIN provides additional security.

Does that help?

t

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Shang Tsung
Sent: Thursday, February 17, 2011 3:07 AM
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Bitlocker without PIN

Hello all,

We are on the process of setting up Bitlocker on our laptops for OS encryption and we are wandering if we should set up a PIN or not. If we do not, the attacker can get to Windows login screen, but this is where he will stop.

What happens if he boots with a linux live CD/USB? Can he decrypt the drive? The key is stored in the TPM. Does linux have access to the TPM?

We are just not sure if the extra security worths having the users to type 2 passwords to boot a laptop.

ST

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus