
BitLocker: A little confused, EFS in BitLocker volume?

InlineFive

Diamond Member
Sep 20, 2003
Hey all,

I've been reading up on BitLocker and I think it seems like a very useful tool. However, I am a bit confused when it comes to BitLocker and EFS complementing each other.

From my understanding there are two volumes on the drive, a small unencrypted boot volume and a system volume which is completely encrypted by BitLocker.

If the system volume which contains the OS, programs and files is encrypted then why is EFS necessary? Doubling up on encryptions seems unnecessary to me.

Thanks for your time.

I5

stash

Diamond Member
Jun 22, 2000
EFS is for protection against online attacks, and Bitlocker is for protection against offline attacks. Once a Bitlocker'ed volume is unlocked during boot, everything is decrypted on the volume, so EFS is still important to protect data at that point.

InlineFive

Diamond Member
Sep 20, 2003
Originally posted by: stash
EFS is for protection against online attacks, and Bitlocker is for protection against offline attacks. Once a Bitlocker'ed volume is unlocked during boot, everything is decrypted on the volume, so EFS is still important to protect data at that point.

That makes sense, thank you. Is using EFS on the user's directory sufficient (only place information will be stored) or should I look at encrypting the whole volume?

Mark R

Diamond Member
Oct 9, 1999
Originally posted by: InlineFive
That makes sense, thank you. Is using EFS on the user's directory sufficient (only place information will be stored) or should I look at encrypting the whole volume?

It depends what you are trying to achieve.

If you are concerned about performance, stability, etc. then encryption is undesirable. Although small, there is a performance hit associated with encryption - and there are theoretical stability issues (a minor data corruption can irrecoverably destroy an encrypted file, whereas sometimes slightly corrupted data files can be recovered).

EFS provides you with the option to encrypt some files and leave others unsecured - e.g. files that multiple users might want to share could be left unencrypted, whereas confidential files could be secured. The potential security risk is that temp files, e-mails, etc. may not be secured. If the hard drive is examined forensically, there may be circumstantial evidence about what is in the secured files, or who else might have the files - it's possible that if you've zipped them up at some point, a temporary zip file may be lurking somewhere.

Bitlocker provides 'whole drive encryption'. This is a brute-force and ignorance approach and ensures that if the PC falls into the wrong hands, nothing useful can be extracted from it. No forensics, no data recovery, no internet history/e-mails/temp files, nothing. However, in order to do anything useful with the PC, you need the key. So any and all users will need to share the same access key.

A corporation who needs to ensure that confidential management documents don't get leaked to the press by a disillusioned IT dept employee might use EFS to ensure that these files can only be read by the specified user and the CTO.

A government agency who needs to ensure that nothing at all, even when examined by expert forensic analysts, can be recovered from a stolen laptop would be better off with bitlocker.

Maximum security is achieved by encrypting the whole volume, as without the key, the drive may as well be brand new (indeed for corporations who wish to dispose of computers at the end of their life, bitlocker is brilliant. Just quick format and remove the drive from the PC, and it's instantly 'securely wiped' - no need for time consuming degaussing or software 'shredders' or dangerous and environmentally unfriendly physical destruction). While this blocks outsiders, it does nothing about insider attack.
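The EFS-on-a-folder approach Mark R describes, and the temp-file leakage he warns about, as an added PowerShell example that is not part of the original thread. It encrypts one folder with the built-in `cipher.exe`, verifies every file under it carries the Encrypted attribute, lists recently written unencrypted files in common spill locations, and shows which certificates can open the files. The folder path and the spill locations are assumptions for illustration; it needs an NTFS volume and a user with an EFS certificate.

```powershell
# Added example (not from the thread): EFS-encrypt a folder and audit what is
# and is not protected. Assumed path; adjust to taste.
param(
    [string]$Target = (Join-Path $env:USERPROFILE 'Documents\Confidential')  # assumed
)

# 1. Turn on EFS for the folder and everything already in it.
#    cipher.exe is the built-in EFS tool: /e encrypts, /s:<dir> recurses.
New-Item -ItemType Directory -Path $Target -Force | Out-Null
cipher.exe /e /s:$Target | Out-Null

# 2. Verify: every file under $Target should carry the Encrypted attribute.
$unencrypted = Get-ChildItem -Path $Target -Recurse -File |
    Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
if ($unencrypted) {
    Write-Warning "Files under $Target NOT encrypted:"
    $unencrypted | ForEach-Object { Write-Warning "  $($_.FullName)" }
} else {
    Write-Host "All files under $Target are EFS-encrypted."
}

# 3. The leakage Mark R describes: temp and cache locations outside the
#    encrypted folder. List recently written files there that are in the
#    clear, so you can decide whether to EFS those folders too or rely on
#    BitLocker for them. Locations are assumed examples.
$spill = @($env:TEMP, (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\INetCache'))
foreach ($dir in $spill) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) -and
                       -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) } |
        Select-Object -First 20 FullName, Length, LastWriteTime
}

# 4. Who can open the files: cipher /c lists the user certificate(s) and any
#    data recovery agent certificate on each file (the "this user and the
#    CTO" case in the post).
cipher.exe /c $Target
```

Run it in the session of the user who should own the files; EFS keys are per-user, so encrypting as an administrator and expecting another account to read the files will fail unless that account's certificate is added.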

InlineFive

Diamond Member
Sep 20, 2003
Thanks for the informative post Mark R. Very helpful. :)

One more question (for curiosity's sake): is it still good practice to change the syskey to a password or USB thumbdrive with BitLocker?

stash

Diamond Member
Jun 22, 2000
I don't think the Bitlocker keys are protected by Syskey. You can set key protectors for bitlocker, such as requiring a PIN with the TPM, or using a USB key for key info.

In Vista, you can also now store your EFS key on a smartcard, which will significantly reduce one of the biggest risks with EFS; that the key is stored on the drive.
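The key protectors stash mentions (TPM plus PIN, a USB startup key) as an added PowerShell example that is not part of the original thread and not something the posters ran. It uses the BitLocker module that ships with Windows 8 / Server 2012 and later (the thread itself is Vista-era, where the equivalent is `manage-bde`), assumes a TPM is present, that you run elevated, and that the OS volume is `C:`. The USB path is illustrative.

```powershell
# Added example (not from the thread): protect the OS volume with TPM+PIN,
# add and back up a recovery password, and verify the protector set.
$OsDrive = 'C:'   # assumed OS volume

# 1. TPM + PIN: the TPM releases the volume master key only after the PIN is
#    entered, so a stolen laptop cannot be booted straight to the logon screen.
#    Note: Group Policy "Require additional authentication at startup" may need
#    to allow PINs before this succeeds.
$pin = Read-Host -Prompt 'Enter BitLocker PIN' -AsSecureString
Enable-BitLocker -MountPoint $OsDrive `
    -EncryptionMethod XtsAes256 `
    -TpmAndPinProtector -Pin $pin `
    -UsedSpaceOnly -SkipHardwareTest

# 2. Recovery password: a forgotten PIN, or a TPM that sees a changed boot
#    configuration, otherwise means the data is gone. Back it up to AD DS on a
#    domain-joined machine and record the protector ID for later matching.
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
$vol = Get-BitLockerVolume -MountPoint $OsDrive
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $rp.KeyProtectorId
Write-Host "Recovery password protector ID: $($rp.KeyProtectorId)"

# 3. USB startup key instead of (or in addition to) a PIN, e.g. on machines
#    without a TPM. Assumed removable drive letter E:.
# Add-BitLockerKeyProtector -MountPoint $OsDrive -StartupKeyProtector -StartupKeyPath 'E:\'

# 4. Verify what protects the volume and whether protection is actually on.
Get-BitLockerVolume -MountPoint $OsDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

The last command is the check worth keeping: `ProtectionStatus` should read `On` and the protector list should show both `TpmPin` (or `Tpm` plus `ExternalKey`) and `RecoveryPassword`. A volume that is encrypted but has protection suspended, or that only has a TPM protector, gives much less than the offline-attack protection stash describes.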

InlineFive

Diamond Member
Sep 20, 2003
Originally posted by: stash
I don't think the Bitlocker keys are protected by Syskey. You can set key protectors for bitlocker, such as requiring a PIN with the TPM, or using a USB key for key info.

In Vista, you can also now store your EFS key on a smartcard, which will significantly reduce one of the biggest risks with EFS; that the key is stored on the drive.

I phrased my question wrong, woopsie! (Thanks for the info however, didn't know some of that.) How about...

Since the SAM file will be contained on the BitLocked volume is it still necessary to set an alternate syskey? Is BitLocker + PIN sufficient or should the syskey still be changed?

:)

stash

Diamond Member
Jun 22, 2000
Originally posted by: InlineFive
Since the SAM file will be contained on the BitLocked volume is it still necessary to set an alternate syskey? Is BitLocker + PIN sufficient or should the syskey still be changed?
I think I understand what you're asking (I'm a little slow tonight :))...Bitlocker will protect syskey and therefore any keys protected by syskey when the volume is locked (so offline attacks). It won't offer any protection once the volume is unlocked, but that's moot because you have to unlock the syskey before you can use the system anyway.

Hopefully that makes sense.

InlineFive

Diamond Member
Sep 20, 2003
Originally posted by: stash
Since the SAM file will be contained on the BitLocked volume is it still necessary to set an alternate syskey? Is BitLocker + PIN sufficient or should the syskey still be changed?
I think I understand what you're asking (I'm a little slow tonight :))...Bitlocker will protect syskey and therefore any keys protected by syskey when the volume is locked (so offline attacks). It won't offer any protection once the volume is unlocked, but that's moot because you have to unlock the syskey before you can use the system anyway.

Hopefully that makes sense.

Fantastic, that answers my rephrased question! :D Thanks stash!