How To Setup BitLocker with a Startup PIN


Summary:  

How to configure BitLocker and enable the PIN prompt for pre-boot authentication.

Problem:  

BitLocker encryption protects data at rest (i.e., offline data).  It protects data with an encryption key that is stored in the TPM.  This private key cannot be exported, so the encrypted data should be secure from physical theft.  Why, then, do we need a PIN?

Recall that BitLocker only protects data at rest.  The hard drive is only encrypted before the operating system starts, not after.  This caveat leaves the data vulnerable to authentication bypass attacks.

The BitLocker PIN is an optional security feature.  The computer will not load Windows without PIN authentication, so your data remains secure.

Solution:  

Enable and enforce the BitLocker startup PIN.

Instructions:

Start by enabling BitLocker from Control Panel.  If this step is skipped, you may receive the following error:

     "The group policy settings for bitlocker are in conflict and cannot be applied."

Next, open the Group Policy Management or Local Group Policy Editor:

BitLocker Drive Policy:

Computer Config; 
         Administrative Templates;
            BitLocker Drive Encryption;

Drive encryption and cipher strength:
   -Enabled:
      --OS:     XTS-AES 256-bit
      --Fixed:  XTS-AES 256-bit
      --USB:    AES-CBC 256-bit


Disable new DMA devices when computer is locked:

   -Enabled:  This prevents rogue DMA devices from compromising your locked PC.

Prevent memory overwrite on restart:

   -Enabled:  Protect your device from cold boot attacks.
              Wipe those BitLocker secrets from memory during a restart.
              E.g., https://citp.princeton.edu/research/memory

   Read this policy's Explain text before applying it: Microsoft's description of the setting says that Enabled stops Windows from overwriting memory at restart (a restart-performance option), while Disabled or Not Configured is the state in which Windows clears BitLocker secrets from memory at restart.

BitLocker OS Settings:

Computer Config; 
         Administrative Templates;
            BitLocker Drive Encryption;
               Operating System Drives:

   Allow enhanced PINs for startup:

      --Enabled

   Require additional authentication at startup:

      --Configure TPM startup:              Allow TPM
      --Configure TPM startup PIN:          Allow startup PIN with TPM
      --Configure TPM startup key:          Allow startup key with TPM
      --Configure TPM startup key and PIN:  Allow startup key and PIN with TPM

Note that enhanced PINs add support for letters and special characters.  This can make the PIN stronger and easier to remember.


Also note that the additional authentication requirements are all set to Allow rather than Require.  This avoids BitLocker errors on new devices after this group policy has been applied.  Keep in mind that UAC protects BitLocker from undesired changes, so avoid interactive logons as Administrator.



Configure Client:

Run the following command with administrative privileges:

   manage-bde -protectors -add c: -TPMAndPIN

Note:  Windows 10 version 1903 no longer requires command-line configuration.  Instead, Windows provides an option to enable the BitLocker PIN from the initialization wizard.  Cool beans!
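After the policy has been applied and the protector added, verify that both actually landed.  The script below is an added example, not part of the original post: it reads the registry values that the BitLocker ADMX templates write under the FVE policy key (the value names and their numeric meanings are stated here as my assumptions about those templates: 2 = Allow, 1 = Enabled, 7 = XTS-AES 256, 4 = AES-CBC 256) and then inspects C: with the built-in BitLocker cmdlets for a TpmPin protector, a recovery password, and XTS-AES 256.  Run it from an elevated PowerShell session.

```powershell
# Added verification script (not from the original post). Assumes the
# FVE policy value names/codes below; adjust if your ADMX version differs.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$expected = @{
    UseAdvancedStartup          = 1   # Require additional authentication at startup: Enabled
    UseTPM                      = 2   # Allow TPM
    UseTPMPIN                   = 2   # Allow startup PIN with TPM
    UseTPMKey                   = 2   # Allow startup key with TPM
    UseTPMKeyPIN                = 2   # Allow startup key and PIN with TPM
    UseEnhancedPin              = 1   # Allow enhanced PINs for startup: Enabled
    EncryptionMethodWithXtsOs   = 7   # OS drive: XTS-AES 256
    EncryptionMethodWithXtsFdv  = 7   # Fixed drives: XTS-AES 256
    EncryptionMethodWithXtsRdv  = 4   # Removable drives: AES-CBC 256
    DisableExternalDMAUnderLock = 1   # Disable new DMA devices when locked: Enabled
}

$findings = @()
foreach ($name in $expected.Keys) {
    # Missing value means the policy never applied (or was left Not Configured).
    $actual = (Get-ItemProperty -Path $fve -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $actual) {
        $findings += "policy $name is not configured (expected $($expected[$name]))"
    } elseif ($actual -ne $expected[$name]) {
        $findings += "policy $name = $actual (expected $($expected[$name]))"
    }
}

# Volume state: the PIN only helps if a TpmPin protector really exists on C:.
$vol   = Get-BitLockerVolume -MountPoint 'C:'
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
if ($types -notcontains 'TpmPin') {
    $findings += "C: has no TpmPin protector (found: $($types -join ', '))"
}
if ($types -notcontains 'RecoveryPassword') {
    $findings += "C: has no recovery password protector; back one up before enforcing the PIN"
}
if ($vol.EncryptionMethod -ne 'XtsAes256') {
    $findings += "C: encryption method is $($vol.EncryptionMethod), expected XtsAes256"
}
if ($vol.ProtectionStatus -ne 'On') {
    $findings += "C: protection status is $($vol.ProtectionStatus), expected On"
}

if ($findings.Count -eq 0) {
    Write-Host 'OK: policy and C: match the intended BitLocker startup PIN configuration'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

A warning about a missing TpmPin protector after a reboot is the sign that the manage-bde step (or the 1903 wizard option) was skipped, since the policy only permits the PIN; it does not create it.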

That's it!

References:

http://ctogonewild.com/2009/08/28/10-things-you-dont-want-to-know-about-bitlocker/
http://www.pcworld.com/article/3005182/encryption/bitlocker-encryption-can-be-defeated-with-trivial-windows-authentication-bypass.html
https://technet.microsoft.com/en-us/library/jj649837(v=wps.630).aspx
https://technet.microsoft.com/en-us/library/cc766295(v=ws.10).aspx#BKMK_S5




6 Comments

  1. Are pre-authentication pins overkill for Bit-Locker? What difference does it make if the data is already encrypted?

    1. BitLocker only protects offline data. Encrypted data (at rest) provides a small attack surface. However, data becomes much more vulnerable to compromise after the operating system starts.

      An interactive logon indicates that Windows services are running, including its network services. Running services change the attack surface from small to wide. The OS becomes vulnerable to any number of network threats. Consider, does the firewall use network location services? Is the default location set to private, public, or domain? Can the domain network be spoofed? Does the domain use NTLM authentication? Does the domain use Kerberos Armoring? Is multi-factor authentication enabled? Are SMB ports blocked? Does the computer use SMB signing? Does the computer have the latest security updates?

      Not everyone agrees with this process. For example, Kyle Beckman with 4Sysops believes that BitLocker PINs "...aren't necessary (if at all) due to enhancements in the OS". I respectfully disagree with his opinion. Consider, BitLocker PINs prevent the OS from starting. Simply put, an attacker can't exploit systems if they can't interact with them.

      Reference: https://4sysops.com/archives/do-i-need-a-bitlocker-pin/

  2. What concerns me is that the PIN protection seems to be under the control of the OS, and not the TPM.

    In the following example, I document how the OS was able to bypass the TPM PIN to apply updates...

    https://cybermatters.info/2016/08/08/windows-10-anniversary-update-bitlocker-bypass-warning/

    1. Interesting point Colin. Your blog suggests that "an attacker could disable boot protection just before stealing a machine."

      I suggest that the system works as intended. Ask yourself, why do we use full disk encryption? We implement it because it protects data from physical theft. If a burglar walks off with a company laptop we can be reasonably confident that our data remains confidential.

      Therefore, you are 100% correct. BitLocker is indeed vulnerable after an attacker controls your system. At the moment of compromise, I suggest you've got bigger problems than disk encryption!

      Cheers!

    2. Late to the party...

      Steve, I agree with your point: The fact that an attacker must have "control" (likely via malware) of your system before the OS is shut down in order to turn off PIN protection means that you were already compromised and they could get to your data anyway.

      However, it does seem that TPMs could provide a higher level of protection if they required the PIN to be entered in order to turn off PIN verification. If TPMs are already doing that (which I didn't see in Colin's post above), that's great. If they're not, it seems they should be. If they aren't requiring that for recovery purposes (oops, I forgot my PIN), it seems the Recovery Key is supposed to help with that use case.

      I'm just in the process of implementing BitLocker and leveraging the TPM on my new laptop and will be doing some testing. If I learn anything new, I'll post again. Just thought I'd give my two cents.

      Paul Turner
