Security of BitLocker with no PIN from WinPE?

Posted by Scott Bussinger on Server Fault See other posts from Server Fault or by Scott Bussinger
Published on 2012-06-12T09:08:02Z Indexed on 2012/06/12 10:41 UTC
Read the original article Hit count: 248

Filed under:

encryption

|

disk-encryption

|

winpe

|

bitlocker

Say you have a computer with the system drive encrypted by BitLocker and you're not using a PIN so the computer will boot up unattended. What happens if an attacker boots the system up into the Windows Preinstallation Environment? Will they have access to the encrypted drive?

Does it change if you have a TPM vs. using only a USB startup key?

What I'm trying to determine is whether the TPM / USB startup key is usable without booting from the original operating system. In other words, if you're using a USB startup key and the machine is rebooted normally then the data would still be protected unless an attacker was able to log in. But what if the hacker just boots the server into a Windows Preinstallation Environment with the USB startup key plugged in? Would they then have access to the data? Or would that require the recovery key?

Ideally the recovery key would be required when booted like this, but I haven't seen this documented anywhere.

© Server Fault or respective owner

Related posts about encryption

SQL SERVER – History of SQL Server Database Encryption

as seen on SQL Authority - Search for 'SQL Authority'
I recently met Michael Coles and Rodeney Landrum the author of one of the kind book Expert SQL Server 2008 Encryption at SQLPASS in Seattle. During the conversation we ended up how Microsoft is evolving encryption technology. The same discussion lead to talking about history of encryption tools in… >>> More
Encryption is hard: AES encryption to Hex

as seen on Stack Overflow - Search for 'Stack Overflow'
So, I've got an app at work that encrypts a string using ColdFusion. ColdFusion's bulit-in encryption helpers make it pretty simple: encrypt('string_to_encrypt','key','AES','HEX') What I'm trying to do is use Ruby to create the same encrypted string as this ColdFusion script is creating. Unfortunately… >>> More
Confused about encryption with public and private keys (which to use for encryption)

as seen on Stack Overflow - Search for 'Stack Overflow'
I am making a licensing system when clients ask my server for a license and I send them a license if they are permitted to have one. On my current system I encrypt the license using a single private key and have the public key embedded into the client application that they use to decrypt the license… >>> More
Encryption Product Keys : Public and Private key encryption

as seen on Stack Overflow - Search for 'Stack Overflow'
I need to generate and validate product keys and have been thinking about using a public/private key system. I generate our product keys based on a client name (which could be a variable length string) a 6 digit serial number. It would be good if the product key would be of a manageable length… >>> More
Software tools to automatically decrypt a file, whose encryption algorithm (and/or encryption keys)

as seen on Stack Overflow - Search for 'Stack Overflow'
I have an idea for encryption that I could program fairly easily to encrypt some local text file. Given that my approach is novel, and does not use any of the industry standard encryption techniques, would I be able to test the strength of my encryption using 'cracker' apps or suchlike? Or do all… >>> More

Related posts about disk-encryption

Full Disk Encryption for Mac (Not PGP)

as seen on Super User - Search for 'Super User'
I purchased PGP Whole Disk Encryption for my Macbook Pro, and it's exactly what I need. After the Symantec acquisition, PGP no longer sells single licenses of the software so I can't purchase a second copy for my iMac. Since I can no longer buy PGP Whole Disk Encryption, can anyone suggest an alternative… >>> More
What options are available to perform whole disk encryption with Snow Leopard

as seen on Server Fault - Search for 'Server Fault'
We would like to encrypt the entire disk of a Snow Leopard workstation running some sensitive file, database and web services. PGP does not yet work for 10.6, and we cannot use FileVault as it is not compliant with FIPS and would require non-standard installation of services. What whole-disk options… >>> More
Free Mac whole disk encryption

as seen on Super User - Search for 'Super User'
Are there any free solutions for encrypting the entire boot disk on a Mac? I'm aware of PGP's Whole Disk Encryption, but it's a bit steep at $149. TrueCrypt's System Encryption seems to only work with Windows. >>> More
Speed of TrueCrypt whole disk encryption

as seen on Super User - Search for 'Super User'
I'm getting a new development laptop soon, and I'm thinking of using TrueCrypt to encrypt the whole disk. What kind of performance drop can I expect? 10%? 30%? more? Also, assuming the workload has an effect, would compiling/using Visual Studio be affected much? I cannot seem to find anything like… >>> More
Full disk encryption on dual boot system using TrueCrypt

as seen on Super User - Search for 'Super User'
I'm thinking about encrypting my whole harddrive for example using TrueCrypt, which I've used for encrypting file containers for a while. It is possible to encrypt the whole harddisk through the program and then add a password secured bootloader before the actual bootloader. Is it possible to do… >>> More