The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    BitLocker questions

    Discussion in 'Windows OS and Software' started by Drew1, Feb 16, 2018.

  1. Drew1

    Drew1 Notebook Virtuoso

    Reputations:
    25
    Messages:
    2,076
    Likes Received:
    56
    Trophy Points:
    66
    @Starlight5


    Also when i type in powershell, there are many powershells


    powershell
    powershell_ise
    windows powershell
    windows powershell (x86)
    windows powershell ISE
    windows powershell ISE (x86)



    So it's the one you posted right?
     
  2. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    Reputations:
    826
    Messages:
    3,230
    Likes Received:
    1,643
    Trophy Points:
    231
    Choose windows powershell.
     
  3. Drew1

    Drew1 Notebook Virtuoso

    @Starlight5


    Run as admin on windows powershell? Sorry just want to confirm.
     
  4. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    @Drew1 yes. Then type manage-bde -status there and press enter.
     
  5. Drew1

    Drew1 Notebook Virtuoso

    @Starlight5


    manage-bde -status


    so skip one space after the e?
     
  6. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

  7. Drew1

    Drew1 Notebook Virtuoso

  8. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    @Drew1 manage-bde -status
    Don't forget about - before status.
     
  9. Drew1

    Drew1 Notebook Virtuoso

    @Starlight5

    I typed it exactly like this

    I put in all the letters till the e

    then spaceboard

    -status

    manage-bde -status

    But why is there a space between the e and the -

    But not between the e and the b

    Are you sure there is a space between bde and status? If so why is there no space between manage and bde?

    @Starlight5

    So i close the picture that i posted and do this again with powershell and right click and run as admin and type those words again?

    Are you sure it's spelled the way she spelled it with the -? That is strange you leave one space for the last word but not for the 1st 2 words?
     
  10. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

  11. Drew1

    Drew1 Notebook Virtuoso

    @Starlight5 are you posting an image? If so i cannot see it?


    So right now its encrypting but its just i dont know what percentage it is at?
     
  12. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    @Drew1 it says click here. Click there and all will be revealed. Or you can type manage-bde -? in powershell like it offers for help and to learn syntax of it. Chances are it will be more productive than questioning what I wrote 3x times in a row after typing something different.
     
  13. Drew1

    Drew1 Notebook Virtuoso

    starlight5

    i see it says go to duckduckgo...

    so you want me to type in

    manage-bde

    or

    manage-bde -status

    Or you want me to go to www.duckduckgo.com?

    Im confused here...

    starlight5

    so you want me to type

    manage-bde [-status]

    With those { } ?
     
  14. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    @Drew1 type:
    manage-bde -status
    and post its output here.

    That illustrative duckduckgo link was supposed to show that you could have easily checked if the command I offer you to type is right or not by a single simple search query, instead of asking 3x times and wasting my and your time. You'll need to learn to use search engines sooner or later.
     
    Last edited: Apr 6, 2019
  15. Drew1

    Drew1 Notebook Virtuoso

  16. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    @Drew1 all is great, Bitlocker is doing its thing, thankfully you've got software encryption going on. Check on it from time to time. Don't turn off or restart the laptop until it's over.

    @Drew1 type the command right now, did the percentage increase? (you can press UP key on the keyboard and previous PowerShell command will appear, so you don't have to actually type it, just press ENTER to execute it again)
     
  17. Drew1

    Drew1 Notebook Virtuoso

    @Starlight5

    Okay so after a while when its done, the bottom tray will say encryption finished right? And when i enter the manage-bde -status
    again when its 100 percent done, it will show 100% done right?

    Thanks a lot man. I will post right back when its 100 percent finished.

    I just have to see if everything finishes smoothly.

    @Starlight5

    Its 47 percent now. So it looks good? I will reply back to this thread immediately when it hits 100 percent.

    But before i restart it, i have to make sure the command thing has the words

    go from

    Protection Status: Off
    Lock Status: Unlocked

    To

    Protection Status: On
    Lock Status : Locked?
     
  18. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    @Drew1 you're welcome. It looks good. Before you restart, make sure it has status Encrypted instead of Encrypting, in Bitlocker control panel you access by typing "manage bitlocker". Actually it should work even if you restart, and continue encrypting after - but for a system drive I would definitely recommend to let it complete encryption before restarting, to avoid any potential problems - which are unlikely, but still possible in that event.

    Hope this thread will be helpful not only for you, but for every person who finds the Bitlocker setup process confusing. It is very sad there is no thorough Bitlocker guide that covers the whole process in simple and straightforward manner, and a lot of guides (and most videos) are outdated and/or have a lot of missing stuff causing further confusion and frustration in first-time Bitlocker users.
     
  19. Drew1

    Drew1 Notebook Virtuoso

    I meant those two options to go from off to on and unlocked to locked?
     
  20. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    @Drew1 protection status: On, Locked status: Unlocked. You won't be able to access the drive if it's locked. When you log in, it unlocks; when you log out, it locks.
     
  21. Drew1

    Drew1 Notebook Virtuoso

    @Starlight5


    I will check the status encrypted before encrypting. I will wait till its fully done first. But those 2 things i mentioned, should it go from off to on and unlocked to locked? Or dont need to bother looking at that?


    Yes i appreciate the help. Yes this process is very confusing and it frustrates me there is no thorough bitlocker guide that covers the process in simple way. I mean the other forum that shows the steps, there is mention to check here on the 2nd option which is windows 7 or 8 as opposed to the 1st option which is windows 10. I thought... why is that checked? Also the step 5 that i was doing, i followed it exactly as it was... then it tells me to put a pin number when the guide said that should ask you the password. I thought... this is not even correct...
     
  22. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    @Drew1 when the process is over, they will go to:
     
  23. Drew1

    Drew1 Notebook Virtuoso

    @Starlight5

    Okay thanks with the protection status and lock status. I was thinking both should switch but yes that makes sense its only the protection status should be changed.

    @Starlight5

    This is good? bitlocker full.png

    Why does it say TPM and Numerical Password?

    Also my recovery key is still very important right and must be kept even though I do not have a pin or password on it?

    Thus make sure i make more than 1 copy of it? Also the recovery key which i have on a usb flash drive now, can't i just write that key on a piece of paper instead of printing it out? Im viewing it from the flash drive by highlighting it and not clicking on it and i can view the entire key? So this key is if important if what happens? Also if i were to forget my windows 10 password login, am i screwed or not? Thanks and i so appreciate all this help man!
     
  24. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    @Drew1 Numerical password = recovery key. Your recovery key is extremely important and should be kept especially because you don't have a pin/password on your bitlocker. If you do some stuff like updating BIOS without suspending Bitlocker first, or need to access the data on some other machine for any reason, you won't be able to do it without recovery key. Make sure you have a lot of copies, but don't keep it as plain text that some malware on your computer may access, put it in a 7z AES256 encrypted archive with a password, you can also write it on a piece of paper and put it in a very safe place. If you forget Windows password you're screwed for OS but not for data, you'll be able to get it with the recovery key; if you lost recovery key, immediately make a copy of it via Manage Bitlocker and put it somewhere not on your laptop, because if something happens with TPM or BIOS or OS and you don't have your recovery key - your data is effectively lost.

    You can make a Microsoft account and store it there as well but that also means you might be effectively giving the encryption keys to law enforcement agencies of more developed countries, which you may or may not be comfortable with.
     
    Last edited: Apr 6, 2019
  25. Drew1

    Drew1 Notebook Virtuoso

    @Starlight5

    Hi there. Okay i didnt know that. But can my computer ever update bios by itself? Access data on other machine, you mean take ssd out of my dell laptop and put it in other computer right?

    I use axcrypt for securing docs and files. That is good right?

    I took a look at the recovery key and i encrypted it with the program. But the title of it shows bitlocker recovery key and then the identifier. Is that dangerous or not? When i click on the file it shows

    the same identifier key and then the recovery key.

    So is having the identifier key exposed really bad?

    Wait so if someone has my recovery key, they could get on any computer and then access my laptop? Or they cant because they still need my windows password? Or would they need both the identifier and recovery key?

    Okay so would you suggest i do enter a pin number to my laptop if this is the case? For example if i install a program or do a windows update, there might be issue similar to like bios update thing?

    Also when i open the bitlocker recovery key it says verify that this is the correct recovery key... how do i do this?

    Okay i changed the name of the recovery key to like bitlocker key. That is fine right? Don't have it called bitlocker recovery key and then that identifier with the entire word and letter showing?
     
  26. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    It definitely shouldn't.
    Yes.
    I am not familiar with this software so can't tell for sure if it's good or not.
    It is not dangerous, it's actually helpful if you have many encrypted volumes.
    If you have a properly setup BIOS that doesn't allow booting from USB devices, they will need to physically remove the drive and insert it into another computer or USB enclosure, to access it with recovery key.
    As far as I know only BIOS update can screw up encryption keys stored in TPM. Or you manually resetting the TPM, of course. So you just suspend Bitlocker before updating BIOS. BIOS updates end with restart, and next time you boot, you will boot OK and Bitlocker will reactivate itself. If you update BIOS without suspending Bitlocker, first boot after update Bitlocker will ask for recovery key, but after you type it once, there won't be any problem.
    When Bitlocker asks for recovery key, it shows part of the recovery key filename (which is also included in recovery key text) so that you can identify it. E.g. now you have only one Bitlocker drive encrypted, but when you have more, it's easier to tell them apart if they have default filenames.

    You can just put all your Bitlocker recovery keys into password-protected 7z archive encrypted with AES-256 and check encrypt filenames flag if it bothers you. Just make sure you don't forget the password - Bitlocker recovery keys are definitely not something you usually need to access often, and it's quite easy to forget passwords you don't type often.
     
    Last edited: Apr 7, 2019
  27. Drew1

    Drew1 Notebook Virtuoso

    @Starlight5

    Well for example i recently got a power bank charger for my laptop. The instruction said before you do this, do a bios update so the charger would be compatible up to date with my laptop. I did not bother doing this as i tried it without it and because worried doing anything bios might cause an issue with my laptop. But that is the type of thing that is concern? So if i updated bios, it won't mess up the computer right? It will just ask for the recovery key before it updates bios or its lot more complicated?

    Axcrypt i use to encrypt documents. Example i might have some account that i call bank account statement but you can't view it unless you are signed into axcrypt. Thus you need to sign into axcrypt on computer before you can open any document that is encrypted by axcrypt.

    It is not dangerous, it's actually helpful if you have many encrypted volumes.

    I'm confused what you mean by many encrypted volumes? Because can't i just change it to bitlocker windows key instead?

    If you have a properly setup BIOS that doesn't allow booting from USB devices, they will need to physically remove the drive and insert it into another computer or USB enclosure, to access it with recovery key.

    I never done anything with bios myself. So is there a way to know if my bios is set up properly? I have had my laptop opened before when having a battery installed and once there was an issue where the laptop would not turn on. The repair guy then tried to make sure my hard drive, ram and everything was in place. It did not turn on. He then took my ssd and put it into like those hard drives where you put it in but its still visible and said it does recognize my ssd so it isn't a hard drive issue. Eventually after a bit he put my hard drive back in, eventually my laptop turned on again. So he might have done something with bios when checking something like this when figuring out why my laptop won't turn on after replacing the battery? This was a year ago i believe when i needed to replace dell battery and bought one online and went there for replacement. So if i have to ever have my laptop opened up for ram replacement or battery or anything like this, bios could be affected if they were to check my computer system?

    Okay so when i open the recovery key file, that should be 100 percent correct? Its a very very long code/word and even longer than the identifier? What is the purpose of the identifier? So someone having that is not a big deal? That identifier is similar to like who is the owner of the computer? But the recovery code is very important because anyone that has my recovery code, could access my data from any computer?

    @Starlight5

    2 Other things i want to ask in addition

    1. Do you suggest i add a pin to the laptop pretty soon so i wont have any bios issues or whatnot? I think a pin would be pretty simple compared to the password right? Or should it be fine just using it like it is now.

    2. I assume anything like your external hard drive or usb flash drives with files on it, you use bitlocker on it? Because even though i have files there and encrypted many files with axcrypt, well someone could take your usb flash drive or external hard drive and plug it into a computer, put a virus/malware/keylogger on it and then put it back to where it was... then when you connect it to your already encrypted laptop with bitlocker 7... well now you have a virus right assuming your computer is now on and you plug the usb flash drive or external hard drive? So to protect you from that, you use bitlocker for every single external hard drive or flash drive you have? And if you do this, you are using a pin number or password right? Since well you have to use one since you cant put a windows password on it similar to like your laptop right?

    Thanks and i will reply back tomorrow morning! I am so tired now and appreciate all your help throughout the day!

    I got one other thing I want to ask. I entered my password incorrectly on windows 10 but logged in now. But after the 1st incorrect log in, there was an option below that says set reset password. Im confused but why does it have that option? Because that seems like its pretty easy to reset it? It did show my hint after the 1st incorrect windows 10 password log in.
     
  28. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    You're supposed to suspend Bitlocker before running a BIOS update, then it won't ask for recovery key on next boot. If you don't suspend before updating bios, it will ask for recovery key first boot, after you enter recovery key all will work like before.

    BIOS updates are very important - they fix hardware problems and vulnerabilities. You should have latest BIOS applied to your machine if you want it to work well and remain secure. BIOS can only be affected if a repairman touches the CMOS battery, which will reset some settings including time and date (but not the BIOS supervisor password). If you didn't touch BIOS settings, your BIOS settings are definitely not set up in a secure way.

    Each Bitlocker recovery key is tied to a particular drive. Bitlocker drive identifiers exist so that you can distinguish between different Bitlocker-encrypted drives when you have many of them, and enter the correct recovery key. Recovery keys are indeed very important, and allow access to your encrypted volume.

    Bitlocker PIN won't help with the fact that your BIOS is not secured. Hacker with malicious software can insert a USB drive to your machine, boot from that drive instead of your SSD, make a memory dump of your RAM and analyze it and steal your Bitlocker encryption key from there. It is called Cold boot attack, you can read about it in detail if you want. Bottom line, you need to secure your BIOS. That is:
    1. Set BIOS supervisor password so only you can change BIOS settings
    2. In boot order settings, allow boot only from your internal SSD, disable boot from all other devices.
    3. Lock boot order in BIOS, disable Boot menu - if these settings are present in your BIOS
    Read about accessing BIOS and adjusting BIOS settings in your laptop's user manual

    I use Bitlocker on external USB HDDs. I don't really use USB flash drives for anything but installing OS or running a Live usb distribution. I am using a very long password, but also tick the box to auto-unlock the drive - so I only have to type password when I plug the drive first time after it's encrypted.

    Password reset won't work since you don't have Microsoft account. It is irrelevant.
     
    Last edited: Apr 7, 2019
  29. Drew1

    Drew1 Notebook Virtuoso

    @Starlight5


    Well is there a reason none of this is mentioned in that guide for installing bitlocker? I mean for most people who are not computer tech savy, most wouldn't even do anything with bios settings right?

    I do not believe i have ever gone to any bios settings ever on my computer. The person who installed my laptop battery and replaced it might have done so when my computer couldn't turn on but this was over a year ago at least. Are you supposed to manually check for bios update periodically and manually yourself? So did what he did over a year ago have any effect on this? I have no idea if he checked bios or not but he did check on his other computer when my hard drive won't start up that there was no issue with my ssd and it read it.


    Okay so even if i had a pin or password on bitlocker, i still need to suspend bitlocker before running a bios update?


    Those 3 directions you just gave me, is that the entire process? So this process is as simple as that? About a week ago i got that power bank charger for my laptop to get more battery out of it. First thing i noticed was it had a paper that said i should update my bios so everything would be updated. I did not do this because i did not want to go to bios and then have no clue what to do. A while back on another computer i went on bios and i didnt i might have messed up pressing something i believe so thats why im hesitant to do any changes like that.


    My laptop is about 2.5 years old. I don't think i ever checked my user manual for anything that is a computer.


    So you are telling me as of now, its 100% my laptop is not secure because i never updated bios? Or it might be safe? Again, most ppl not tech savy if they installed bitlocker would figure... okay i did this entire process. My computer is locked. But now you need to secure bios? Then why does no guide online mention this?
     
  30. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    @Drew1 computer security is a complex issue. It's not as easy as install software A, activate feature B, change setting C and you're good to go.
    Yes. Absolutely. Last year a lot of security vulnerabilities were uncovered that require firmware patches to address them - unless you're OK with them being potentially exploited. For a laptop, BIOS is the firmware. Note that exploiting these vulnerabilities is harder than accessing your files or putting malware on unattended unencrypted laptop without password, but it is still possible.
    Yes. Otherwise skilled hacker can perform Cold Boot attack with a USB flash drive, by booting from it and dumping your RAM, then getting your encryption key from RAM dump. Or some malicious idiot can format your drive while the laptop is unattended, just for lulz. Or set BIOS user password (which is requested every boot) and HDD password (which is stored in HDD firmware) to make it impossible to use your laptop and access your data. BIOS is a powerful thing, you know.

    Thus, you don't want anyone except you to be able to boot from USB devices, and you don't want anyone else to change your BIOS settings. To prevent that, you need to adjust BIOS settings I described earlier.
    I don't know. Seems like most online guides address one particular problem, and ignore anything beyond that. There are very few good complex guides on securing a machine - and those that exist are for advanced users who understand what they're doing and implications of that, or could thoroughly research and analyze things beyond their level of knowledge.
     
    Last edited: Apr 7, 2019
  31. Drew1

    Drew1 Notebook Virtuoso

    @Starlight5

    Thanks for all that information.


    I will do this tomorrow as i have to do a few things on this laptop first.

    Just to confirm those 3 steps you listed and what you want me to do, this will take about how long?

    Well any normal person who is not tech savy and did that bitlocker thing would still think their computer is safe huh?

    So basically had i not mention the bios things or updates, you assumed i updated it similar to like how you thought i had a windows 10 password already right?

    Also is there anything else besides BIOs that i might not have done but need to have done as well?

    And just to confirm. If i set a password for bios to boot and the rest of the things you mentioned, my startup after i press power on with my laptop is still the same? Or would i need to enter that password, then the windows 10 password?

    So basically doing what you described, if someone wants to do the take hard drive out or cold boot attack or set the bios password themselves, they can do that even without entering my windows 10 password to access my computer because to access bios, you have to press some F button the moment your computer loads right? I remember when you get to bios you had to press something repeatedly?

    Also, then wouldn't that mean lot of people who installed bitlocker probably didn't do this with bios? Or you think most already did it with bios already. Because if its someone not tech savy and did the bitlocker, i cant imagine even 25% of ppl securing their bios. Would you say thats a good guess?

    @Starlight5

    Had i done a pin or password to boot bitlocker, im still at risk to all of this with bios correct?

    If that is the case, i have to assume tons of people think their computer is secure... when it isn't...
     
  32. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    Couple minutes. Just read the manual for your laptop beforehand to make yourself familiar with BIOS menu structure, so you know in which tab these settings are located. The easiest way to enter BIOS on any Windows 10 machine, by the way, is to select Restart in power menu while holding the Shift key, select Troubleshoot, select UEFI firmware settings - and computer restarts into BIOS.

    It will be the same as now as long as you set Supervisor password without setting User password.
    Yes. You need to both change settings to secure the BIOS to protect your computer from physically present malicious actor, and update BIOS to latest version to protect your computer from vulnerabilities which may be exploited e.g. by malicious program or website.

    You need to use latest BIOS for your particular laptop model. You can get it on manufacturer website. Double check that the laptop is correct; flashing wrong BIOS (e.g. from different generation of XPS15) will make your laptop inoperable, and it will be unpleasant to fix.
    Yes.

    To elaborate, with unsecured BIOS in your current setup, data can be accessed only by a skilled hacker. However, even for an unskilled person it would be very easy to destroy your data, prevent you from accessing your data and/or from using your laptop by setting a password they know and you don't. Hell, a guy I know had a cat lying on the keyboard enter BIOS once. Thankfully, furry hacker didn't change any critical settings.
    I think that a lot of encrypted computers are used by businesses which have system administrators to take care of computer security.

    I believe it is logical for people who actually ever entered BIOS (for average user it is usually to change boot order and install/run OS from USB drive, backup OS image, similar things along the line) and seen what BIOS is capable of, set their own Supervisor password on it. But that's just my speculation.
    I am under impression most people don't use encryption on their computers. Some use OS passwords alone, and think they're secure thanks to that (of course they aren't); many still get away without using OS password at all.
     
    Last edited: Apr 7, 2019
  33. Drew1

    Drew1 Notebook Virtuoso

    @Starlight5

    I always thought getting into bios was something like computer starts up and you press some f button. So that is not it right?

    Yes. You need to both change settings to secure the BIOS to protect your computer from physically present malicious actor, and update BIOS to latest version to protect your computer from vulnerabilities which may be exploited e.g. by malicious program or website.

    You need to use latest BIOS for your particular laptop model. You can get it on manufacturer website. Double check that the laptop is correct; flashing wrong BIOS (e.g. from different generation of XPS15) will make your laptop inoperable, and it will be unpleasant to fix.

    When you are updating bios, it does it for you automatically right? Im confused what you mean update bios to your particular laptop model. So when it updates bios, it doesn't know what is your computer model and you need to specify it in the options?

    I agree most ppl dont even bother with encryption. I didnt either back then. But then i decided i should do it.

    Is it possible for you to give me instructions on this for my dell xps 15 9550 since its only a few steps? Or is it going to require you to look at the dell xps 15 9550 manual? By that i assume you mean look it online right? Because i definitely do not have the manual booklet if that is what you mean.

    You say flashing wrong bios can make your computer inoperable. Yes i think i read something like this a while back which is one of the reason i didn't want to even go to bios settings anymore...

    Thank you.
     
  34. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    Reputations:
    826
    Messages:
    3,230
    Likes Received:
    1,643
    Trophy Points:
    231
    @Drew1 you download BIOS update executable file for your particular laptop from laptop manufacturer website. Here's the link for your XPS 15 9550. Suspend Bitlocker. Run the file and follow instructions that are shown by it. Generally you need to make sure the laptop is well charged and that power supply is attached before starting flashing. It is critical that you do not interrupt the process in any way until the system is restarted into Windows. Most likely it will write BIOS image to RAM, then restart to DOS-style flashing utility, do its business, and finally restart as usual when done. Do not interrupt it, leave it alone during the process. It usually takes less than 5 minutes.

    I checked and didn't find any manual on using Dell BIOS. Here's a helpful video, however.
     
    Last edited: Apr 8, 2019
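
The sequence described in the post above (suspend BitLocker, run the updater, let the machine reboot on its own), as an added PowerShell example that is not part of the original thread. The `-Phase` and `-MountPoint` parameters and the extra pre-checks (recovery password present, not running on battery) are assumptions of this sketch.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Run with -Phase Before ahead of the vendor's
# firmware updater, then with -Phase After once Windows has booted again.
param(
    [ValidateSet('Before', 'After')]
    [string]$Phase = 'Before',
    [string]$MountPoint = $env:SystemDrive   # OS volume, normally C:
)

function Get-Summary {
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint       = $v.MountPoint
        VolumeStatus     = $v.VolumeStatus
        ProtectionStatus = $v.ProtectionStatus   # reads Off while suspended
        Protectors       = @($v.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    }
}

$state = Get-Summary

if ($Phase -eq 'Before') {
    if ($state.ProtectionStatus -ne 'On') {
        Write-Warning "Protection is already off on $MountPoint; nothing to suspend."
        return $state
    }
    # A firmware update changes what the TPM measures at boot. If suspension is
    # skipped or fails, the recovery password is the only way back into the volume.
    if ('RecoveryPassword' -notin $state.Protectors) {
        throw "No recovery password protector on $MountPoint. Add and back one up first."
    }
    # Win32_Battery.BatteryStatus 1, 4 and 5 mean discharging, low and critical.
    $battery = Get-CimInstance -ClassName Win32_Battery -ErrorAction SilentlyContinue
    if (@($battery | Where-Object { $_.BatteryStatus -in 1, 4, 5 }).Count -gt 0) {
        throw "Running on battery. Attach the power supply before flashing."
    }
    # Suspend for exactly one reboot: the key stays usable for the flashing
    # restart, and protection re-arms by itself on the following boot.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    Write-Host "Suspended for one reboot. Run the updater now and do not interrupt it."
    return Get-Summary
}

# Phase After: confirm protection came back, and resume it manually if it did not.
if ($state.VolumeStatus -eq 'FullyDecrypted') {
    Write-Warning "$MountPoint is not encrypted; there is nothing to resume."
} elseif ($state.ProtectionStatus -ne 'On') {
    Resume-BitLocker -MountPoint $MountPoint | Out-Null
    Write-Host "Protection was still suspended and has been resumed."
}
Get-Summary
```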
  35. Drew1

    Drew1 Notebook Virtuoso

    Reputations:
    25
    Messages:
    2,076
    Likes Received:
    56
    Trophy Points:
    66
    @Starlight5


    Okay so i download the link you posted. Suspend Bitlocker. Then follow instructions. Yes i know to make sure my laptop is fully charged and there is power charger attached to it. Those instructions that they ask should be very simple so i should not go... okay which one should i press? Like when i was going through the bitlocker process earlier, there were a few questions where i was not sure what to press b/c common sense said this, but that tenforums guide said the other which made no sense.


    I took a look at that video you posted. That is for dell xps 15 9560. Mine is xps 9550. Its similar computer but that is newer model. So that is how i get into bios right with that computer? I saw in video, person kept pressing f2 after booting it and that is what i remembered last time when i a few times went to bios with an older laptop.. not this one. I remember it was press some function button and keep pressing it.


    This process is much simpler than the bitlocker one or its same/tougher. Would you mind if i post this in the dell xps 15 9550 thread and ask others first this just to confirm? I already asked a bios question there and want to confirm with others this on asking them... hey how do you all secure password bios and do you press f2 repeated on boot?


    Because you say if process goes wrong, it will be a pain to fix but i could? That is why i didnt bother doing anything with bios after i got my laptop power bank not long ago because i didnt want to risk doing anything wrong to my computer so i used it as is.
     
  36. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    Reputations:
    826
    Messages:
    3,230
    Likes Received:
    1,643
    Trophy Points:
    231
    There should be choice between "OK" and "Cancel", that's it.

    You can do that, but because of how fast modern laptops boot to Windows, it's easier to


    That's a good idea. Write to them the list of BIOS settings I advised you to adjust, so they could tell under which section in BIOS are those settings, - then you'll change them fast and be done with it, instead of wasting time searching for them.

    It goes wrong very rarely - as long you let the computer do it on its own, without interrupting it (do not press power button or ctrl+alt+del until it's finished updating BIOS, that kind of stuff). Especially on laptops it usually goes well, because they have batteries in case of sudden power outage.

    Updating and using BIOS is a crucial part of maintaining your computer. Unless you have a system administrator / some friend or relative who will be doing it for you every time, you'll have to learn how to do it yourself. Otherwise one day you might face the consequences of avoiding setting it up correctly and/or updating, which can range from merely unpleasant to outright disastrous. As with everything else in life, the choice is yours.
     
    Last edited: Apr 8, 2019
  37. Drew1

    Drew1 Notebook Virtuoso

    Reputations:
    25
    Messages:
    2,076
    Likes Received:
    56
    Trophy Points:
    66
    well @Starlight5


    The thing was when you asked me to press windows and a and then i said something showed up in notification, and not what it should showed up, you said it should be windows plus another key etc.

    So when you say instead of doing it in that video, you say to hold shift so i got hesitant doing it right there because i dont recall ever having to do that to get to bios. I always remembered it was pressing some function key.

    Well you say as long as there is no power issue and there is no issue if you are using the laptop on battery full or if you have the charger connected, well that should be fine since you say this process takes about 5 minutes only.

    Okay I will confirm with others on that thread first ... those with the same dell xps 15 9550 laptop with me before i do this.

    So i have to remember this bios password and write it down or put it on usb stick right? But if i do put it on usb stick, make sure its encrypted with say a program like axcrypt which i use to encrypt files and documents?

    Well im actually more nervous now with this than the bitlocker process. Because i always heard of things like bios failing and computer doesn't turn on.. thats why i never intentionally went to bios settings unless i had to.
     
  38. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    Reputations:
    826
    Messages:
    3,230
    Likes Received:
    1,643
    Trophy Points:
    231
    Did a thought of using a search engine to confirm what I write instead of questioning the accuracy of it again and again ever cross your mind?
     
    Last edited: Apr 8, 2019
    Jarhead likes this.
  39. Jarhead

    Jarhead 恋の♡アカサタナ

    Reputations:
    5,036
    Messages:
    12,168
    Likes Received:
    3,132
    Trophy Points:
    681
    To be brutally frank, a search engine could have answered at least half the questions asked in this thread.
     
    Starlight5 likes this.
  40. Drew1

    Drew1 Notebook Virtuoso

    Reputations:
    25
    Messages:
    2,076
    Likes Received:
    56
    Trophy Points:
    66
    @Starlight5

    Well a search engine could generate wrong information or some misinformation. Such as the tenforums guide, one of the options was do you want to basically decrypt new drive or old drive... and circled to do new drive which made no sense if its an old hard drive.

    So before i do the bios things i just want to confirm a few things about the encryption you helped me with

    1. My hard drive is encrypted correct? If so, why does it not have a pin or password? I was checking this out on the forums and from what i read, if you do not have a password set when you first boot up windows... meaning the boot screen to enter a pin or password, it is not secure. So this statement is incorrect?

    You said that most people who install bitlocker have it installed the way you told me to... which is nothing on the boot screen and it goes straight to the windows 10 screen asking for password? I know you said that is the simplest method but why not pin or password? Yes you have to remember another password but thats not an issue. Because i read that if you go could go straight to the windows 10 screen, its still encrypted but the hacker wouldnt know at first? Example hacker turns on laptop... they see a boot screen asking for password or pin. They know its encrypted. But if it goes straight to win10 screen asking for pw, then aren't they going to assume this person did not encrypt their hard drive and this is going to be easy? Or they are going to find out when trying to get rid of this win10 password in 2 minutes... oh wait this guy did encrypt it? Its just he did it unlock screen for bitlocker?

    2. I have no bios secured now. So someone right now who has physical access of my laptop can plug in a malicious usb and install virus/malware/keylogger and i wont know right? Or they can only view everything but cannot do anything malicious to it. It takes about 1 minute? Then i turn on laptop, type in my win10 password, go to my password manager and type it and open it up, now this hacker has my win 10 password and thus access to my laptop from his computer screen? And also have my keepass or lastpass password and can access those files from his screen? Let say right now hes at his apartment or so. So he can access my keepass or lastpass on his screen or only if he comes to use my computer again? Would i know he is currently accessing it when my laptop is on such as hey... my mouse is moving? Or i cannot see any of this while im on the computer and im using it as is? What if my computer is turned off?

    3. Had i put a pin or password at boot as oppose to just the windows 10 password, is that more safe, about the same or less safe than my current setting now which is windows start up, no boot... go straight to win 10 screen. But adding a pin or password at startup does not increase my security at all? I dont know why but that doesnt sound right to me? Because thats another screen they need to bypass and i feel its more important than the win10 password screen?

    To those who use bitlocker here, do most of you did it this way or you set a password up at startup? Im not tech savy but i just thought... having it automatically goes to window 10 password doesnt seem that secure compared to needing to type the pin or password at startup...
     
  41. Drew1

    Drew1 Notebook Virtuoso

    Reputations:
    25
    Messages:
    2,076
    Likes Received:
    56
    Trophy Points:
    66
    Jar, yes i definitely agree on what you said.
     
  42. Jarhead

    Jarhead 恋の♡アカサタナ

    Reputations:
    5,036
    Messages:
    12,168
    Likes Received:
    3,132
    Trophy Points:
    681
    I think I already told you this ages ago, but Bitlocker (when configured the way you describe) prevents an attacker from being able to pull out the drive and reading the contents using their own computer. And at any rate, if an attacker has **physical access** to your machine, you’re screwed no matter what encryption or security measures you use. You’ve been compromised, period; it’s best just to throw the computer out completely (including the data, you can’t trust it anymore) if you think someone gained physical access to it.

    Also mentioned this to you ages ago, but you seem overly paranoid to be frank. If you have a legitimate threat model where you’re expecting people to break into your home, attack your computer by any means necessary, and steal your “valuable information” or otherwise compromise your computers like some super-sly fantasy, you’re better off talking to actual security experts than random blokes on some forum on the internet.
     
    Starlight5 likes this.
  43. Drew1

    Drew1 Notebook Virtuoso

    Reputations:
    25
    Messages:
    2,076
    Likes Received:
    56
    Trophy Points:
    66
    @Jarhead


    No i do not have a legitimate threat model. But where im located there are many cases of theft happening so i want to protect myself against anything like this. From what i hear, usually they just take the computer, laptop etc. That sucks but what i describe with the put virus is beyond the scope of what would happen here most likely


    The way i described its configured, okay i get what you mean what they cannot pull drive out and read it on own computer. But if a hacker has physical access to your computer, you are screwed no matter what if they want to do something to it? Well starlight5 says if you do bitlocker encryption and bios secure, you are safe from the malware usb very high percentage. So that is still correct? Thus nothing is 100 percent but you are saying if an attack has physical access to your machine, you are screwed no matter what... then what would be even the point of encryption then? Unless you mean a smart hacker could so something but a not so great one cannot? Example if a hacker went to your apartment or hotel and gained access to your laptop for even 15 minutes, if you have bitlocker encrypted, pin or password enabled at boot... and encrypt bios, you are still not secure?
     
  44. saturnotaku

    saturnotaku Notebook Nobel Laureate

    Reputations:
    4,879
    Messages:
    8,923
    Likes Received:
    4,701
    Trophy Points:
    431
    These scenarios you describe are so unlikely to happen as to be statistically insignificant.

    And I am going to keep pointing this out to you acknowledge that it has sunk into your skull: Staying away from shady websites and downloading illicit material (which I will remind everyone that you have admitted to) reduces your odds of having your computer compromised by orders of magnitude. Quite frankly, if you keep insisting on doing this kind of stuff, you deserve whatever happens.
     
    KING19 likes this.
  45. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    Reputations:
    826
    Messages:
    3,230
    Likes Received:
    1,643
    Trophy Points:
    231
    Basically it has a password, but Windows enters it every time somebody signs in. Read here for details.
    When you sign in to Windows, Bitlocker-encrypted system drive unlocks automatically. If you do not have any Windows authentication (password, pin, etc) set, whoever boots the laptop, signs in immediately thus unlocking the drive. If you do have some sort of Windows authentication enabled, attacker will need to bypass that to unlock the drive.
    It is the default option, and many people choose to go with default.

    I guess it's also time to explain to you the difference between password & PIN. Passwords are machine-agnostic, they will work on any machine. PINs are machine-specific, they only work on particular machine, and don't work on other machines.

    Windows authentication protects you at all times, you can lock Windows and it will lock Bitlocker when you see threat approaching preventing attackers from access. Bitlocker PIN/password works pre-boot, meaning the drive will remain unlocked when computer is on or asleep unless Windows forces it to lock. So you need Windows password anyway. But if you type your Bitlocker PIN every time pre-boot, somebody may see it. Then the attacker doesn't even need to unlock your Windows, that Bitlocker PIN is enough to access the data. If you have BIOS and Windows set up properly and secured, attacker will have quite hard time using Bitlocker PIN alone to steal the data, but it is still quite possible.

    They can run a cold boot attack. They can flash their own modified BIOS (a lot of work but doable). They can set their own supervisor password preventing you from changing BIOS settings. They can set their own user password preventing you from using the laptop. They can set their own HDD password locking you out of your data.
    If they install a malicious device (and with physical access they can physically open the laptop and install something inside), they'll be able to do what you described, and you won't likely notice it.

    If your laptop has a tamper detection switch you'll likely be able to tell that somebody physically opened it, and BIOS supervisor password will be requested to boot the machine. But to enable all that, you'll need to enter BIOS, set Supervisor password, and enable tamper detection.
    If you add BIOS user password, it increases your security. If you use BIOS user password and/or Bitlocker PIN without Windows authentication, you will have to forget about lock and sleep Windows functions or they'll compromise your security, and be very fast and vigilant about turning off your laptop. Windows locks itself almost immediately, you can activate it by pressing Win + L keys, there are also other methods. Shutting down Windows takes time - especially if you have Fast start up enabled. Even if you're using Hibernation, which will require pre-boot authentication, laptop doesn't hibernate immediately. If somebody grabs the laptop while you're trying to shut it down or send it to hibernation, the attacker may manage to cancel that and all your security measures go down the drain. I believe the right way in this situation is lock immediately, and try to shut it down.

    On the other hand, sleep or lock is much less secure than completely turned off machine. And hibernation is much more secure with pre-boot authentication. Maybe try checking how fast can you turn off your machine, if you believe it's reasonably fast - then adding some pre-boot authentication combined with never using sleep or lock functions may actually increase your security.

    This is definitely the best practice. In real world, however, it depends. If you know who the attacker was and their capabilities, it may go either way. But generally, yes, even if they didn't get your data, they may have rigged your machine, so throw it away.

    It depends on a hacker. Most people are not so great at what they do, are they? The same goes for hackers. Your generic laptop thief will most likely just format the drive seeing the measures I recommend applied, your generic screwy neighbour or co-worker will be way in over their heads, while deep state might still get through to your data. If deep state is legitimate threat in your model, you'd better be using Veracrypt encryption instead, and running something like QubesOS, with a lot more and harder security measures. Probably using different hardware, too. Then again, physical torture might force to rethink life decisions and give up all the passwords.
     
    Last edited: Apr 11, 2019
  46. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    Reputations:
    826
    Messages:
    3,230
    Likes Received:
    1,643
    Trophy Points:
    231
    [​IMG]
     
    Jarhead likes this.
  47. Drew1

    Drew1 Notebook Virtuoso

    Reputations:
    25
    Messages:
    2,076
    Likes Received:
    56
    Trophy Points:
    66
    I'm not visiting shady websites on my windows 10 laptop. Im visiting it on my chromebook... which i do not have any important information. I also use chromebook to visit sites where im not sure if its safe or not such as it could be a forum for example.

    @Starlight5, i will give a response to this soon.

    Thank you again for your long detailed responses.

    starlight5

    Im going to secure bios and do that soon once i get a reply back from someone who has done the bios thing with the same laptop as me. I have a few other questions i want to ask really quick.

    1. If i want to put a password or pin instead of it having to go unlock, will i have to do the entire process again? I spoke to a guy on a forum that is an IT guy and he tells me the method that you mention me to do which is unlock... does not offer much security at all. He said if you don't have a password or pin but mostly password, even if your bios is secure, it is not secure. Do you have any opinion on this?

    I mentioned to him that you said most ppl you know just bitlocker unlock itself as oppose to password or pin.

    2. Im still using bitlocker as is... no bios secure. It just has that windows 10 password. What i notice was my battery on my laptop is very bad now. I believe you or someone else said bitlocker drains your battery more is that correct? But veracrypt does not? Because i only get about 45 minutes of battery it seems on my xps 15 9550. Before i did the bitlocker enable, i would get 1 to 1 hour 15 minutes of battery.

    @Starlight5

    1. So first i have to disable bitlocker first before doing the bios thing. When i disable it, how long does that take? I assume its very quick?

    2. If i want to decrypt my bitlocker hard drive, that would take around the same time it took for me to encrypt it which is around 2 hours?
     
    Starlight5 likes this.
  48. Starlight5

    Starlight5 Yes, I'm a cat. What else is there to say, really?

    Reputations:
    826
    Messages:
    3,230
    Likes Received:
    1,643
    Trophy Points:
    231
    You can add PIN to unlock your Bitlocker any time you want. You won't have to do the entire process again.
    Everyone is entitled to their own opinion.
    Your final implementation depends on your threat model.

    In my threat model being seen or recorded on camera while typing Bitlocker PIN to authenticate the device pre-boot is orders of magnitude higher risk than someone successfully attacking RAM or hacking my laptop's TPM that stores Bitlocker auto-unlock key, so for me Bitlocker PIN actually makes the machine less secure. In someone else's threat model, malicious actor successfully attacking RAM or hacking the TPM to extract encryption key from it and gain access to data is much higher risk than Bitlocker PIN entry being caught on camera with good enough quality to determine what exactly was typed or overseen by malicious actors, so for them Bitlocker PIN is obligatory while Bitlocker auto-unlock is insecure nonsense.

    You shouldn't blindly follow someone else's threat model. You should understand what YOUR threat model is and act accordingly. I strongly suggest to watch this helpful video on the subject and try to understand it.
    That's somewhat hardcore difference. Any sort of software encryption will negatively affect battery life, be it Bitlocker or Veracrypt or something else. I'd suggest checking battery health.
     
    Last edited: Apr 16, 2019
    Jarhead likes this.
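
The point made in the post above, that a PIN can be added to an already encrypted drive without redoing the whole process, as an added PowerShell example that is not part of the original thread. The `-AddPin` switch is illustrative, and the policy check assumes the standard "Require additional authentication at startup" Group Policy location in the registry.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread: report how the OS volume unlocks at boot
# and, when -AddPin is given, add a TPM+PIN protector to the existing volume.
param(
    [string]$MountPoint = $env:SystemDrive,   # OS volume, normally C:
    [switch]$AddPin
)

function Get-StartupAuthMode {
    $v     = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($v.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    [pscustomobject]@{
        VolumeStatus   = $v.VolumeStatus
        Protectors     = $types -join ', '
        # A plain Tpm protector means the drive unlocks at boot with no user input.
        TpmAutoUnlock  = 'Tpm' -in $types
        # Any of these means a secret must be typed before Windows starts.
        PreBootSecret  = @($types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey', 'Password' }).Count -gt 0
        HasRecoveryKey = 'RecoveryPassword' -in $types
    }
}

$before = Get-StartupAuthMode
if (-not $AddPin) { return $before }

if ($before.VolumeStatus -eq 'FullyDecrypted') {
    throw "$MountPoint is not encrypted; enable BitLocker before adding a PIN."
}
if (-not $before.HasRecoveryKey) {
    throw "No recovery password protector found. Add and back one up before changing protectors."
}

# Windows refuses a TPM+PIN protector unless policy allows it.
# UseTPMPIN: 0 = not allowed, 1 = required, 2 = allowed.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$pinAllowed = $fve -and ($fve.UseAdvancedStartup -eq 1) -and ($fve.UseTPMPIN -in 1, 2)
if (-not $pinAllowed) {
    throw "Enable 'Require additional authentication at startup' and allow a startup PIN with TPM, then run again."
}

# Read the PIN without echoing it; it never appears in the command history.
$pin = Read-Host -AsSecureString -Prompt 'New BitLocker startup PIN'
Add-BitLockerKeyProtector -MountPoint $MountPoint -Pin $pin -TpmAndPinProtector | Out-Null

# Verify instead of assuming: the volume stays encrypted, only the protector list changes.
$after = Get-StartupAuthMode
if ($after.TpmAutoUnlock) {
    Write-Warning "A TPM-only protector is still present, so the drive can still auto-unlock."
}
$after
```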
  49. 6730b

    6730b Notebook Deity

    Reputations:
    1,290
    Messages:
    803
    Likes Received:
    1,744
    Trophy Points:
    156
    ...op has been at it for years and seemingly still stuck with zero security.
    ------

    My setup if anyone is interested, takes no time at all to set it up.

    Of course 1: bios security set, both bios\admin access and drive(s). That alone will make laptop (and hd contents) useless for 99,99999999999999% of any thieves or unauthorised users (basically, that alone is enough for anyone who does not store nuclear launch codes).

    Anything important is on bitlocked D (partition on os drive C) which is unlocked when needed (password) then immediately locked again. Practical locking > https://www.tenforums.com/tutorials...ntext-menu-bitlocker-drives-windows-10-a.html

    Never experienced any unusual battery drain.

    Also using axcrypt here and there on some individual files, incl. some on bitlocked D, which means that even if D is unlocked, many important files will still need the axcrypt pw to gain access (if one think\believes\imagine :O) some internet hacker may gain access to D while unlocked).

    Of course 2: regular backup\image of everything, kept in a secure place (am bitlocking that storage as well). This is the only real security against theft, ransomware, hardware failure, fire etc. Btw, bitlock recovery keys axcrypt'ed and stored separately.
     

    Attached Files:

    • 1.jpg (62.3 KB)
    • 2.PNG (14.7 KB)
  50. Drew1

    Drew1 Notebook Virtuoso

    Reputations:
    25
    Messages:
    2,076
    Likes Received:
    56
    Trophy Points:
    66
    @Starlight5

    The pin I can enter anytime I want, so this has to be a number right? Thus between 6-20 numbers? You cannot put in letters? My issue with pin as i mentioned is if its numbers... someone could type in 80000005, 80000006 etc... and keep repeating it. But they have to do it manually though correct? But someone could still do that by typing numbers the entire time right if they have access to your laptop? But if they do this, well you would know and then secure your other information by using another computer?

    Threat model. Okay i understand this as you mentioned this previously. But is there a reason you are concerned with security camera catching you typing your pin? That to me... seems really strange as i dont hear ppl talk about this. Now if you use atm machine, you should cover where you are typing which makes sense. But im curious why would you be concerned with that by the way? Are there people snooping you using your computer? The other issue is this. If you don't want to enter a pin for this reason, then what about when you enter your windows 10 password then? What is the difference there since a camera can record you typing in your password? Im confused how that is different?

    Wait, you say any encryption would affect battery life. But that person says it does not at all and should not. The person below you then say it has no effect on battery drain. Does anyone here who use bitlocker can comment on this? Did it affect your battery life at all?

    6730b, so you set bios and put a password correct? Or you do not have a password when you first turn on computer? So if someone wants to access your bios, they need the password right?

    Im a bit confused with your setup. So you have bios set which takes very short time. So you use bitlocker for win10 but which method do you use? TPM unlock? Thus the same one i did that starlight5 suggested?

    Well maybe my battery is getting worse now which is why the battery drains quickly. But i notice that my battery for this laptop even when bought new never lasted more than say over 2 hours at the max when im using it because im doing things where it uses lot of energy etc.

    Also one more thing i like to comment on the threat model thing. Do you say your threat model is where most ppl do not relate to? Example my threat would be if someone gets access to my laptop and check what is there and then install malware or trojan or keylogger. Then i use my laptop and anything i type in... its keylogged and any password or anything i type would be seen by the hacker. The other threat model is someone access my laptop and check the files and try to hack say my password program etc. But that is not as bad as the first one because if i use my laptop when its hacked, that is bad.

    Because don't most ppl who install bitlocker or veracrypt and their threat model relate to what i want so to speak? I dont know how many ppl would worry about typing their pin and camera recording them. I never heard of anything like this.
     