
Questions about Bitlocker with Windows 8.1

Pardus

Diamond Member
It's my understanding that once someone completes encrypting partition(s) or hard drive with Windows 8.1 Bitlocker, if someone stole that pc, the contents would be safe from theft.

Could the thief re-format the hard drive if he/she wanted to?

Would Bitlocker slow down the performance of a PC in any way, and does it cause problems when doing restorations from a drive/file image, updates, etc.?

Would Bitlocker protect the contents from being viewed if someone took that hard drive to another PC and set it up as a slave to view the contents?

Finally, how long does Bitlocker take to encrypt a drive with data on it already, is there a chart somewhere?

If not Bitlocker, then what app do you recommend for hard drive encryption?


Thanks.
 
1. It's my understanding that once someone completes encrypting partition(s) or hard drive with Windows 8.1 Bitlocker, if someone stole that pc, the contents would be safe from theft.

2. Could the thief re-format the hard drive if he/she wanted to?

3. Would Bitlocker slow down the performance of a PC in any way, and does it cause problems when doing restorations from a drive/file image, updates, etc.?

4. Would Bitlocker protect the contents from being viewed if someone took that hard drive to another PC and set it up as a slave to view the contents?

5. Finally, how long does Bitlocker take to encrypt a drive with data on it already, is there a chart somewhere?

If not Bitlocker, then what app do you recommend for hard drive encryption?


Thanks.
1. The entire drive is encrypted. Any thief who wants to access your data has to either break the encryption (not currently feasible as far as we know) or guess the password, which is what most people/organizations will try. To be as secure as possible your password should be as long as possible. Personally I have a 14 character minimum for all my encrypted drives.

2. Yes, the thief could reformat the drive and use it for their own purposes. A way to combat this is to use a self encrypting drive with an ATA password (No, this particular ATA password is not easily bypassed as many would presume). The Intel 520 SSD is what I currently use in my laptops with an ATA password and its onboard 128-bit encryption. If the ATA password is set the drive will not be able to be used if the password is forgotten or stolen.

3. Bitlocker will slow down drive performance, however on most modern machines and drives it's not a significant performance hit. Writes will take the largest hit while reads will suffer a slight performance loss. The percentage of performance lost depends on the drive. As an example, the Crucial M500 is eDrive compatible so Bitlocker can leverage the onboard encryption without any performance loss.

4. Yes, the contents will be protected as long as they can't guess the password.

5. Encryption time depends on disk size and speed. If you have a new disk which is empty you can use the "Encrypt used space only" option and it's almost instant. However if the disk is in use then you should encrypt the entire drive to make sure everything is encrypted - this takes much more time.

So encryption time is anywhere from 2 minutes to 2 hours.

If you are only using Windows then Bitlocker is a good choice. The other major player is Truecrypt which gives you a bit more freedom with being able to unlock the drives on Mac and Linux as well.
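
Added example, not part of the original posts: a PowerShell review of the points in the answer above (protection state, encryption progress, software versus drive-side eDrive encryption, and password-only unlock). `Test-BitLockerVolume` is a hypothetical helper name, and the sample volumes are constructed; the property names are the ones `Get-BitLockerVolume` returns.

```powershell
# Added example (not from the thread). Reviews objects that carry the property
# names Get-BitLockerVolume returns; Test-BitLockerVolume is a hypothetical helper.
function Test-BitLockerVolume {
    param([Parameter(Mandatory, ValueFromPipeline)] $Volume)
    process {
        $notes = @()
        # Collect protector types as strings; skip empty protector lists.
        $types = @($Volume.KeyProtector | Where-Object { $_ } |
                   ForEach-Object { "$($_.KeyProtectorType)" })

        if ("$($Volume.ProtectionStatus)" -ne 'On') {
            $notes += 'protection is off or suspended'
        }
        if ("$($Volume.VolumeStatus)" -ne 'FullyEncrypted') {
            $notes += "not fully encrypted ($($Volume.EncryptionPercentage)% done)"
        }
        if ("$($Volume.EncryptionMethod)" -eq 'HardwareEncryption') {
            $notes += 'encryption is done by the drive (eDrive), not in software'
        }
        if ($types -contains 'Password' -and $types -notcontains 'Tpm' -and
            $types -notcontains 'TpmPin') {
            $notes += 'unlocked by password only: strength depends on password length'
        }
        if ($types -notcontains 'RecoveryPassword') {
            $notes += 'no recovery password protector'
        }
        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            Method     = "$($Volume.EncryptionMethod)"
            Protectors = $types -join ','
            Notes      = $notes -join '; '
        }
    }
}

# Constructed sample volumes so the block runs without BitLocker or admin rights.
function New-Protector($t) { [pscustomobject]@{ KeyProtectorType = $t } }
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; ProtectionStatus = 'On'; VolumeStatus = 'FullyEncrypted'
        EncryptionPercentage = 100; EncryptionMethod = 'HardwareEncryption'
        KeyProtector = @((New-Protector 'Tpm'), (New-Protector 'RecoveryPassword')) }
    [pscustomobject]@{ MountPoint = 'D:'; ProtectionStatus = 'Off'; VolumeStatus = 'EncryptionInProgress'
        EncryptionPercentage = 42; EncryptionMethod = 'Aes128'
        KeyProtector = @((New-Protector 'Password')) }
)
$sample | Test-BitLockerVolume | Format-List

# On a real machine, from an elevated session:
#   Get-BitLockerVolume | Test-BitLockerVolume | Format-List
```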
 
Thanks smakme7757 for that info, very helpful.

Not sure if I trust Microsoft with encryption? Who knows if they haven't implemented any backdoors in it!

Unfortunately, programs like TrueCrypt don't work with Windows 8.0/8.1 and haven't been updated in a year.

Using encryption on your OS drive is a terrible idea. The vast majority of the files will be the operating system and programs. Best practice is to encrypt your data/external drives only.

Interesting reading:

This $299 tool is reportedly capable of decrypting BitLocker, PGP, and TrueCrypt disks in real-time.
http://thenextweb.com/insider/2012/...tlocker-pgp-and-truecrypt-disks-in-real-time/

How the feds asked Microsoft to backdoor BitLocker, their full-disk encryption tool
http://boingboing.net/2013/09/11/how-the-feds-asked-microsoft-t.html
 
Not encrypting the OS volume will leave temporary files open to exploitation, as an example. It's an avenue of attack.
Without reading about the tool my guess is it requires a FireWire port and a RAM dump. Encryption keys need to be loaded into RAM so you can read encrypted data without putting in your password for every file you want to access on the disk. It's a known attack vector and it won't work against a computer that's turned off or doesn't have a FireWire port. Encryption is primarily to secure data at rest.

The Microsoft backdoor stuff might or might not be true. At the end of the day BitLocker will protect your data from almost anyone. If your data needs to be NSA secure I'd look at LUKS on Linux, but even then you can't be 100% sure there is no backdoor.
 
I have a tool to decrypt a TrueCrypt drive. It will take hours and hours depending on the complexity of the key, and if you use a key file you're SOL.
 
1. A way to combat this is to use a self encrypting drive with an ATA password (No, this particular ATA password is not easily bypassed as many would presume). The Intel 520 SSD is what I currently use in my laptops with an ATA password and its onboard 128-bit encryption. If the ATA password is set the drive will not be able to be used if the password is forgotten or stolen.

How do I know if my hard drive can be or has the ability to be self-encrypting with an ATA password?? Not even sure I know what you mean there or how to set this up.

Was able to encrypt my hard drives, which took hours on end. Bitlocker seems to work great, don't see a slowdown. Saved the recovery keys to a flash drive. Copying files off the HD to a non-encrypted drive, for example, takes forever as it has to decrypt each file.

Too bad there is no way to suspend protection to a non-boot partition when you need to copy a few files to a non-encrypted device.

If I were to encrypt the flash drive with the keys on it, would that be a problem??

Thanks again for educating me. Bitlocker may not be perfect, but some encryption is better than none.
 
I've written a blog post about self encrypting SSDs in 2011 which is still valid today. So have a read of it, it should give you a quick rundown. If you don't understand anything just ask here or send a PM.
http://jack-brennan.com/intel-320-ssd-hardware-encryption-and-how-to-utilize-it/

The most important thing to remember with encrypted drives is that they are best protected when turned off. Most attacks which circumvent the encryption need the drive to be powered on.
 