BitLocker questions

@Starlight5

If you set password for Bitlocker but don't set Windows account password, you will be typing the password when computer boots, but not when you log in. You have a laptop. Whenever the laptop sleeps, it will be unprotected. It is stupid and dangerous unless you never use sleep on your laptop.

Well isn't the password for bitlocker is for it to boot right? That is the correct term? Because you say password to boot and password to login. Buf you put password to boot and no windows 10 password, after typing the bitlocker password, it goes directly to the regular screen right?

Okay so if you put a windows 10 password as well, computer sleeps, then you use it, it ask you for your password. However, what if someone has access to your laptop when it hibernates? Sure they dont know the password to get in... but cant they still put a usb stick or malware into it while its sleeping or they cannot?

@Starlight5

You say

I couldn't find any pictures of that. As far as I remember if you have TPM, unless you changed group policy Bitlocker won't ask you how you want to unlock it, it will just use auto-unlock without asking. I may be mistaken, though; didn't setup Bitlocker on system drives in a while.

This is what had me concerned the most. Because the way i was doing it before i cancelled it.. i thought okay it wont ask me for a password to create. Then how will i get into my computer when i power it on then? Because wouldnt it need the usb flash drive that i save it into? Then if you say no...then i thought... then theres no password? So the entire time you thought i always had a windows 10 password on my computer?

So you say you may be mistaken... so if you remembered this incorrectly, could it affect how the process would have went then? Because i thought... if i dont put a password, then how can i even log into my computer then. I mean i thought so im going to have to use the usb flash drive or make sure i have printed out version of the recovery key? Does it make sense in why i got confused the entire time then asking these questions? Okay so you havent set up bitlocker on system drives in a while. So maybe something could have changed then?

Thus i should just follow the put password instead to be on the safe side as in the tutorial?

 

Yes.

Yes. It goes to desktop.

I thought you'd set it up either before encrypting the drive, or after it - to protect your laptop. And I thought you were using sleep, - most laptop users do, it is very convenient if you leave laptop for some time and want to continue your work when you return; modern laptops can last days when sleeping, so many people don't usually turn their laptops off.

Locking the computer without sleeping is also used quite often. If you lock the computer without having set up your password, anyone can use it, obviously.

There are security implications to sleep (or just keeping the computer on when you're not around, even when it's locked). Hackers with proper equipment can (physically) open your laptop to steal your encryption key from RAM if they open your computer when you're asleep. So if you're carrying your laptop from one place to another, sleep is a bad idea, better turn it off. But if your laptop is in your office and you decide to go for a smoke (or any other short activity), it's easier to put it asleep (or just lock it, without sleeping), instead of turning it off, and then on when you're back.

 

@Starlight5


Okay thanks for clarifying that up. Well i never had a windows 10 password set up ever so thats why i was so confused with what you were mentioning earlier. Thus it made no sense to me. And yea i never use the sleep or hibernate ever. I basically have it plugged all always. If i dont have it plugged it, its turned off almost always.


Okay so if you put 2 passwords, one for bitlocker and one for windows that is safe and good but just one more password. I will most likely do this. But its fine if it do this afterwards of doing only the bitlocker password first?


Okay so if i only use bitlocker password, no windows 10 password. Let say i leave it on a desk. It does not go to sleep and its plugged in. Obviously anyone that uses it can do something to it since its active right? But if it goes to sleep, isn't that the same thing? Its basically turning it back on and thus anyone can do something to it?


So if you put bitlocker and windows 10 password... let say you are using laptop now web browsing. You now do something else or it goes to sleep. When you click on it, it will ask for your windows 10 password in order to use it correct and thus they cant access it because they need the password? However, even if they cannot log into your account because of windows 10 password, they could still stick usb malware into it right because its past the bitlocker encryption? Or not?

 

Yes.

Exactly.

Yes.

The answer to that is not as simple as that. Some things (like keyboard emulation) can be executed, others (like executing a program on your machine) - not. So it would allow the malicious actor to run bruteforce attack to guess your password, and if your password is weak (or the hacker saw you typing it and knows part of it, greatly reducing the number of possible combinations, and prepared a script based on that), you're screwed. But it won't upload malware unless the malicious actor leaves the device plugged in and you don't notice it, and log in with the device present.

Another harmful thing that can be done when computer is locked - plugging in a malicious device posing as network card to modify system DNS settings. If something of value is transmitted unencrypted, things are bad.

These things can be countered, though.

These are my settings, blocking installation of unknown network adapters.

 

@Starlight5

Okay thanks for that clarification on the last part.

Im attempting step 5 at the moment but for some reason it ask me for a pin as oppose to password.

@Starlight5

"Well that picture there is way too advanced for me.

Im now stuck.

I went with step 5 on that guide and did everything as followed. For some reason it ask me to choose a pin that is 6-20 digits long as oppose to a password. Do you know why this happened? There is an instruction to do step 4 or 5... 4 would be with TPM and 5 without it and use password or usb so i went with 5. But following the 2-3 steps, it ask me to enter a pin number...

 

@Drew1 read and implement this. Then you can create a strong PIN using letters, numbers and symbols, and of adequate length, i.e. it turns pin into a password.

 

@Starlight5

If i put in the pin, i still will have to put in a password right?

Im looking at that tutorial and it does seem to show up a bit after i enter a pin?

Im in step 10
https://www.tenforums.com/tutorials...ting-system-drive-windows-10-a.html#option1s3

Okay i followed the steps exactly on step 5. Why does it ask to enter a pin? Or it ask for a pin but later it ask for a password?

 

@Drew1 no, it won't ask you to enter a password later. If you have TPM, you will be offered to type PIN. If you don't have TPM, you will be offered to type password. When you enable enhanced PINs, it makes PIN behave as a password instead of insecure junk. So enable enhanced PIN, and type the PIN as if you're typing a password. (For 99.9% users) it doesn't matter if it's called a PIN or a password, if it does the same thing.

That guide, while very thorough, is written in very confusing manner. It is not good for people who are using Bitlocker for the first time like you. If you followed common sense instead of that guide, you'd be done days ago.

 

@Starlight5


Well could i turn off tpm even if i have it? That is what i did in step 5.


Okay so if i do it your way now, first thing to do would be just set up a windows 10 password. Then restart it. Then setup bitlocker as how i did it earlier right? I notice step 3... which is the one i was doing is called 3. To Automatically Unlock Operating System Drive at Startup with TPM.


Thus that is the simplest way to do it right? But if i do this, i have to have a windows 10 password otherwise its completely pointless?


So basically whenever i turn on my computer, there is no boot thing where it ask me for my bitlocker password right? It goes straight to windows 10 and ask me for my password right? Then i log in using my windows 10 password and im good?


The one thing that has me concerned is what if your computer already has malware and you dont know about it. Im pretty certain my computer does not. But if it does, arent you compromised already? Example you type in your new windows 10 password and it gets compromised already? But if you have a pin or password for bitlocker, that cannot get compromised because that is done where even if its compromised, they cant know this? Or they would already.

 

Skip the restart, you don't need it. Otherwise - yes.

Yes and yes.

Yes.

If you have keylogger or some malware that includes keylogger among other functions, it will log everything you type, be it windows password, or bitlocker pin or password. You setup bitlocker encryption in OS, so if malware is already there, that Bitlocker pin or password is compromised.

 

@Starlight5


Okay thanks for clarifying all this.


So this is what i will do now



1. Setup a windows 10 password. I would shut it down and turn it on again just in case. Of course im writing down the password on a piece of paper. There is nothing wrong with this right? I just want to make sure it starts up with my passowrd? Because in case something goes wrong, well i could always fix this issue before i encrypt it with bitlocker right? Thus its like precaution?


2. Once i do that, i go back to the earlier step i was on? I dont have a printer connected to the laptop. I can save it to file right? And does it give me option to save to usb drive? Does it allow you to save it few times like i could do it twice to 2 different usb drive?

 

Yes, that makes sense. But instead of restarting, you can lock the computer by pressing WIN (key with windows logo on it) + L, then try if your password is working.

Yes.

Yes.

When you save it to file, it only allows you to save that file not on the disk you're encrypting, thus forcing you to use some other drive for storing that file, e.g. USB drive.

Yes.

 

@Starlight5


thank you. Will you be on this forum for the next hour or so or even few hours? I want to have it done my tonight.


I will be doing this very shortly, need to eat for about 30 minutes. Also if i do it your way which is the most simplest way, there is no option to add a pin or password later on right?


Also i just want to confirm this. But you have it set up this way? Thus turn on laptop, then enter your windows 10 password and you log in? If so, im surprised because since you seem to be very secure with your computer, is there a reason you just dont add a pin to it just a few numbers for extra security? Thus a thief or hacker will have to go through your windows 10 password and a pin?

 

@Drew1 I'll probably be around. You can add PIN later. I have it setup the way I described. Where I currently live, there are way too many cameras everywhere, so I'd rather use fingerprint instead of password and not type any passwords at all (if possible) in public places. My login passwords are very long, so it's easy to make some mistake while typing them fast - and even if I succeed at first attempt, typing passwords would take a lot of valuable time since my laptop goes to sleep and wakes up many times a day, and even if I don't put it to sleep I lock it before leaving it. Also, typing bloody long passwords may become a problem when you're drunk, which happens to me occasionally.

I still have to type password when fingerprint authentication fails 3 times in a row e.g. because of wet hands after washing them or the dishes, or not putting my finger against the reader in the correct way.

If malicious actor has physical access to device, more than likely he/she can remove the SSD and put it in another machine, so PIN is enough. Pin actually makes it easier, in my threat model with snooping cameras and people.

Adding a USB drive which you carry on you at all times (e.g. around your neck) as additional security measure to Windows password is, on the other hand, a viable tactic to improve security. If that drive is lost, however, it becomes a huge problem unless you have access to its copy.

 

@Starlight5

Im doing it right now, done eating.

Wait you just said if malicious actor has physical access to your device, they would put it in another computer but they can't do anything to it anyway if they don't have the windows 10 password right?

starlight5

so you want me to cancel the process that i was doing right? Im at that page earlier where it ask me to enter a pin. So cancel the entire bitlocker setup like i did previously and what i say to do?

Because i thought well adding a pin is just another security measure so isn't it fine?

But since you say i can always do it later, well i guess i wont do it now? Sorry for so many posts. Im just very careful in all this especially earlier when i froze and didnt knokw what to do for a few hours.

@Starlight5

Im going to do your simple method now. But i need to make sure i fix the edit group policy right and make it like the settings it was previously? Because it shows enabled when it was not configured earlier. So make sure undo any changes first right?

Im going to do the password now for windows 10.

 

If your device is stolen when it is turned on or asleep, not turned off, hackers with proper equipment can pull the bitlocker encryption key(s) from RAM regardless if you have bitlocker pin or not, and use it to decrypt the drive.

Some laptops, mine included, have tamper detection switch, which (when enabled) turns laptop off when the bottom cover is removed, and asks for supervisor password to boot next time, regardless if the bottom cover was removed when the laptop was on or off. Again some professionals know about it, and probably there are ways of circumventing it. But someone must be really knowledgeable, and very interested in your data, to go to lengths I describe here.

You should decide for yourself. I don't know about your threat model - you do. It's up to you, and you can change it later.

In that case you better undo them. You can always change them later.

Additionaly make sure to disable boot from any device except your main SSD in BIOS, lock boot order and disable boot menu. And put a supervisor password or BIOS (not too long, they are sadly limited in length so if you overdo it you'll have a hard time figuring where exactly did it cut off). Max BIOS password length depends on device, as far as I know it is 64 characters at best, could easily be less.

 

starlight5


I cancelled the process. I then put a windows 10 password now for login. I shut down and log back in with windows 10 password and im good now.


Well you say that method where it unlocks is the most popular one right? Im just surprised that is it and most ppl dont put like a pin or password in it.


So right now im going to do what you mention earlier then okay? Since you say i can always add a pin later on?


I undid those group policy things.



Thanks.

 

Yes.

 

@Starlight5

Ok im doing it right now

@Starlight5

Choose whch encryption mode to use

new encryption mode (best for devices on this device)

compatible modem (best for drives that can be moved from this device)

Im confused here. So it seems to be the first one but the tutorial says choose 2nd option?

 

@Drew1 choose New.

 

@Starlight5

In that other website tutorial description it says if you use it with windows 10 at least, choose 1st option. If you use windows 7 or 8, choose 2nd option. Yet the diagram shows me to select the 2nd one? They made a mistake here>?

On my laptop screen it say if this is a removable device that you're going to use an older windows, use compatible

If this is a fixed device or if this drive will only be used on devices running at least windows version 1511 or later, you choose the new encryption.

@Starlight5

I clicked new.

Now i check the box that says run bitlocker system check before clicking on start encrypting?

@Starlight5

Do i check or uncheck the box

Run bitlocker system check

 

@Drew1 run the check to be on the safe side. 99.99% your laptop will pass it successfully, but you'll probably feel better if you run it, using Bitlocker first time and all.

 

It says

Are you ready to encrypt this drive?

Encryption might take a while depending on size of drive

You can keep working while drive is being encrypted, although your pc might run more slowly

Box Run bitlocker system check

The system check ensures that bitlocker can read the recovery and encryption keys correctly before encrypting the drive

Bitlocker will start your computer before encrypting

Note: This check might take a while, but is recommended to ensure that your selected unlock method works without requiring the recovery key.

@Starlight5

Thanks. That article tells me to uncheck it. So its basically doing it incorrectly??

 

@Drew1 some things are opinion-based. I personally don't think this check is needed on your laptop, and I don't use it when encrypting system drives on my devices. But you're very cautious, so, as I wrote in my previous post, you'll probably feel better if you run it before encryption. Again, you can skip it. Worst case scenario you'll use the recovery key you saved to boot Windows, but 99.9% everything will be OK even if you uncheck that box.

You won't loose your data or access to it regardless. It only checks if auto-unlock works fine or not. There are no prerequisites for it not to work on your machine.

 

@Starlight5


Ok so this will restart my computer right? How long would this process take?

 

@Drew1 it will take as long as it takes. Some hours with your almost fully filled SSD probably. It would happen instantly if hardware encryption was used by the way.

 

@Starlight5


Do you suggest it or not? Yes im cautious of this but have you ever checked on it ever like your first time? But after that you never did it again?

 

@Drew1 I only checked it my very first time and never did it again, as far as I remember.

 

Okay so if it takes hours, i won't do this. Is that fine? Sorry for asking for reassurance each time. Im going to uncheck it and click start encrypting?

 

@Drew1 The check will take minutes. The encryption itself will probably take couple hours.

 

@Starlight5

but will checking it restart my computer or not?

So the check won't take hours right?

Yes i dont mind encryption taking few hours. But for the check, is it possible it takes like 1 hour or more?

@Starlight5, it does say it will restart it. But there is no harm checking it right? Thus its the more safer way? For some reason im thinking its more safe bypassing it since i dont have to do another step...

Is that foolish for me to think that?

 

Yes.

Yes.

No.

It's OK to be scared of new and unknown things, and to take extra caution when dealing with them.

 

starlight5

i checked the box. Then got message it will restart after its done.

starlight5

But it doesn't seem to be doing anything? There is nothing that seems to be running?

 

Give it some time. And check your tray icons, hidden tray icons in particular.

 

starlight5 nothing seems to be running after that? I don see anything that is doing anything at all....

Okay but dont click on anything right or do anything? I did click on this pc to see if anything was being done to the c drive but nothing.

 

@Drew1 there should be a tray icon with keys.

 

startlight5

i went to the icons on the bottom right it has this icon with yellow exclamation point

It says encryption of c drive by bitlocker will being after this computer has restarted.

So i have to manually restart it then right?

@Starlight5

I just restarted it

@Starlight5 , okay it shows the time screen. Then i click on it and then enter my windows 10 password. Then i had to wait a bit... now im in my computer.

Now screens dark and back to regular screen and repeats. So keep waiting until it stops?

How do i know its done testing? So do i wait or do i go to my computer and see if its encrypting the drive now?

 

@Drew1 press Windows key, start typing manage bitlocker and select it when it appears, check what's written there.

 

@Starlight5


So what do i do now? No more screen flicking between black and my desktop anymore. So its it encrypting now? Do i check the c drive?

 

@Drew1 attach a screeshot of your Bitlocker control panel. I wrote how to access it in previous post.

 

@Starlight5

I see it says

C: Bitlocker Encrypting

Doesn't seem like i can click on it... So its encrypting now? But shouldn't i see the percentages though like i see in pictures online?

 

@Drew1 open powershell, type manage-bde -status , post what's written there. Also check your tray.

 

@Starlight5


The tray on the bottom right says


Encryption of C: By Bitlocker Driver Encrypton in Progress



I typed in manage-bde and saw it there and clicked on it but it seems like that thing popped up very quickly and disappeared very quickly, like less than half a second...


Do i need to open that? I only typed in manage-bde and saw it and clicked on it and thats what happened. It popped up and then quickly disappeared. You want me to try it again?

 

@Drew1 press Win key + X, then A, agree to open it, type manage-bde -status

 

@Starlight5

Press windows key and A at the same time? I did that and nothing shows up.

Or you mean hold windows key and press A? If so, then it made my notifications turn on...

@Starlight5

win key... u mean the button between the Fn and Alt right? I did that holding it and pressing A... all it did was have all my notifications turned on... on the right side of my screen which is in all grey..

It shows notififcations like java update available, phones have finished importing x photos...

 

@Drew1 I meant Win + X, then A. Noticed only now. (=

Win + X opens Advanced menu. A opens Windows Powershell as Admin.

 

@Starlight5

when i do that it shows



apps and features
mobility center
power options
event viewerj
system
device manager
network connections
disk management
computer management
windows powershell
windows powershell (admin)
task manager
settings
file explorer
search
run
shut down or sigh out
desktop

 

@Drew1 press Windows key, start typing Powershell, press right mouse button on Windows Powershell, select Run as Administrator.

 

@Starlight5


So forget about the win + x and everything before that


And just do what you just posted above?

 

@Drew1 yes.