The Notebook Review forums were hosted by TechTarget, which shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    Enable BitLocker or not: what's the benefit and trade-off?

    Discussion in 'Lenovo' started by lkpcampion, Apr 6, 2010.

  1. lkpcampion

    lkpcampion Notebook Consultant

    Hi all,

    I am debating if I shall enable BitLocker on my Windows 7 Ultimate. I have two partitions - one system one data. I am thinking about using BitLocker on one or both.

    Before I plunge ahead, may I know what is the benefit of using BitLocker on my drives? I have the Windows 7 password itself and UAC is jacked up to maximum. So what is the good of using BitLocker? It's unlikely that someone will just steal my hard drive and boot from their computer; and if my whole laptop is lost, what good does BitLocker do to my data security? Is there any benefit regarding hacking/malware attacks?

    On the other hand, would I suffer performance loss, slowdown etc.? I do not want to have to enter a password for boot and then another password to log in to my Windows either. I currently use the fingerprint reader to power on the system, which logs on automatically as well.

    I've searched around the internet but couldn't find specific information. I'd appreciate any help/advice. Thanks in advance.

    Campion
     
  2. utdeep

    utdeep Notebook Guru

    Hmmm... sounds like you've done some research about this. Good! Let me correct a few items in what you've stated:
    - You don't have to enter a password to boot because you've added bitlocker. This is only necessary if you add bitlocker plus a PIN. Adding a PIN is not as simple as turning on bitlocker, but it handles the "whole laptop is lost" scenario. It is a pain in the butt to enter the PIN on every boot/reboot/hibernate though. Bitlocker by itself is almost transparent to the end user. There seems to be a 2-3% hit on performance for most hardware.
    - The "steal my hard drive and boot" scenario is more common than you think. Bitlocker would decrease the data security risk for that by ensuring that the thief had to have the 40 digit recovery key. Also, if they do steal your computer and boot with it, unless they have your Windows 7 user name and password, it is difficult for them to get your data. Without bitlocker, your data is significantly more exposed because they can pull your hard drive and get your data without your Windows 7 user name/password combo.

    Bitlocker doesn't prevent malware or hacking while you are online. It is pretty decent encryption (using a computer's built in TPM chip) for hardware based attacks that has no noticeable performance impact and is easy to implement.

    Many corporations are taking advantage of bitlocker in their deployment of Windows 7 and some are using Bitlocker plus the PIN. Bitlocker was significantly more difficult to implement in Vista; in Windows 7, you just have to right click on a drive to turn it on. Bitlocker to Go is pretty great for removable drives.

    Let me know if you have any more questions on it. I recently implemented the Bitlocker + PIN approach for a large corporation so we've done some heavy research.

    Again, nothing is foolproof. The TPM was recently hacked successfully by some guy in New Zealand... it's the key chip that supports bitlocker encryption.
     
  3. jaakobi

    jaakobi Notebook Evangelist

    Good info.

    Will Bitlocker have any impact on SSDs? Like the TRIM command? Or the Windows 7 optimizations for SSDs?

    Has Bitlocker ever been hacked?
     
  4. jaakobi

    jaakobi Notebook Evangelist

  5. utdeep

    utdeep Notebook Guru

    Honestly, I have no idea about the Intel AES hardware encryption. I use an SSD but none of the corporate computers did. I don't think full drive encryption with bitlocker affects SSD optimizations.
     
  6. realwarder

    realwarder Notebook Evangelist

    I use Bitlocker here.

    The Core i5 520m/540m/i7 620m platform on the T410 and T510 have the AES encryption commands. Bitlocker does use these and makes the performance impact truly negligible. On my Core 2 2.53 that I had before this, I'd say it was noticeable at times. Possibly 5-10% on heavy write actions (like saving 1GB Virtual Machine memory snapshots), and 1-5% on regular use like web browsing. Now it is basically transparent.

    If you have data you don't want anyone to have access to, enabling Bitlocker is definitely the simplest way.

    Bitlocker does this:

    - Ties your hard disk to your laptop
    - Encrypts the data on the disk using software AES encryption on the fly.

    If you have a TPM, this is used for key storage, however you can enable it without a TPM and use a USB flash drive to effectively 'unlock' the unit.

    If the drive is removed and placed in a different PC, it will prompt for a large master key before anyone can boot windows. Accessing the data directly is impossible without booting or entering a master key. This prevents someone taking your HDD out of the laptop and placing it into another PC to read the data (which is what you can normally do with any drive to bypass the login password you set).

    If the whole laptop is stolen, the user has to either:

    - Know your password or
    - Have your fingerprint (if you enable fingerprint login in Windows)

    You can optionally enable a secondary authentication (a smartcard or PIN) that you have to enter at power-on, however this is not the default. That has to be enabled as a system Policy when enabling bitlocker. If what you have is quite sensitive, then you can enable that, otherwise simply having a good password is plenty good enough.
     
  7. realwarder

    realwarder Notebook Evangelist

    It will work perfectly with an SSD just as it does with an HDD. With a slower processor, you might impact the read/write performance, but not on the newer processors Core i5/i7.

    It has only been 'hacked' by having physical access to the laptop when it is switched on and logged in - but of course you have access to the files then anyway!
     
  8. lkpcampion

    lkpcampion Notebook Consultant

    @utdeep Thank you for the good information. I think it's pretty unlikely in my case for someone to just steal my hard drive but not the laptop; unless, if I understand correctly, someone would steal my laptop but, instead of booting Windows from there, he pulls out the hard drive and sees the content from a separate computer with a separate OS -- is this the case when BitLocker is most valuable?

    I've read somewhere (maybe MS's own description) that BitLocker will render hackers/malware unable to read the information they mined/stole since that info will be encrypted when they pull it from my system. Is it still true? Or won't it work this way since my whole drive is already decrypted as soon as I log on and start working in Windows?

    I tried enabling BitLocker on my system drive. I do see a noticeable drop in Benchmarking my SSD - sequential write from 24MB/s to ~18MB/s. It's pretty significant in number, but not too obvious in day-to-day computing.

    Do you know about the scenario where system software may be upgraded/replaced, such as a BIOS update? How does it play with BitLocker? The most important concern is that I would somehow lose access to my data when I need it, possibly indefinitely (and may not have the time to troubleshoot).

    Thank you!!!
     
  9. realwarder

    realwarder Notebook Evangelist

    Yes. But if I stole your laptop and didn't know the password, I would for instance mount the drive with a linux CD and try and read the SAM from the drive to either reset or crack your password. With bitlocker enabled, I cannot do this. I have to know your password. That is the only way to gain access to the data.

    So... I could wipe the drive and have a clean new laptop, but no access to your private data.

    No. To a Windows program, including malware, there is no encryption visible. You still run an antivirus like Microsoft Security Essentials.

    Exactly

    Before you do a BIOS upgrade, you go into the Bitlocker control panel and "Suspend Protection". This allows you to update the BIOS without issue. Then, you resume it when Windows boots again.

    If you don't do this, then on the next reboot it prompts for the master password.

    NOTE: When you initially enable Bitlocker, you must, and I cannot stress this enough, save that master password to another PC or print it out and keep it safe. I forgot to suspend on my first BIOS update. I had to enter the master key, which fortunately I had access to.
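The pre-BIOS-update routine described in this post (back up the recovery password, suspend protection, resume after reboot), written up as an added example script rather than anything the poster supplied. It assumes an elevated PowerShell prompt, the built-in manage-bde.exe (shipped with Windows 7 and later), and the assumed names $OsDrive and $BackupDir.

```powershell
# Added example, not from the thread: pre-firmware-update checklist for a BitLocker OS volume.
# Assumptions: elevated prompt; manage-bde.exe on PATH; $OsDrive and $BackupDir are assumed names.
param(
    [string]$OsDrive   = "C:",
    [string]$BackupDir = "E:\bitlocker-backup"   # removable drive or another PC, never the protected volume
)

# Small wrapper so a failing manage-bde call stops the script instead of being silently ignored.
function Invoke-ManageBde {
    param([string[]]$CmdArgs)
    $out = & manage-bde.exe @CmdArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "manage-bde $($CmdArgs -join ' ') failed: $out" }
    return $out
}

# 1. Confirm the volume is actually protected before touching anything.
$status = Invoke-ManageBde @("-status", $OsDrive)
$status

# 2. Make sure a numerical recovery password protector exists; add one if it is missing.
$protectors = Invoke-ManageBde @("-protectors", "-get", $OsDrive)
if (($protectors -join "`n") -notmatch "Numerical Password") {
    Invoke-ManageBde @("-protectors", "-add", $OsDrive, "-RecoveryPassword") | Out-Null
    $protectors = Invoke-ManageBde @("-protectors", "-get", $OsDrive)
}

# 3. Copy the recovery password (the "master key" in the post) off the machine.
#    The file is only as safe as where you put it; an encrypted archive on another PC is the idea.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$file = Join-Path $BackupDir ("bitlocker-recovery-" + $env:COMPUTERNAME + ".txt")
$protectors | Out-File -FilePath $file -Encoding ASCII
Write-Host "Recovery information written to $file. Verify you can open it before continuing."

# 4. Suspend protection so the changed firmware measurements do not force recovery on the next boot.
Invoke-ManageBde @("-protectors", "-disable", $OsDrive) | Out-Null
Write-Host "Protection suspended. Install the BIOS update and reboot."

# 5. After Windows is back up, re-arm protection from an elevated prompt:
#      manage-bde -protectors -enable C:
#    and confirm with:
#      manage-bde -status C:
```

If you forget step 4, the recovery prompt at the next boot is exactly what the post describes, and the file from step 3 is what gets you past it.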
     
  10. lkpcampion

    lkpcampion Notebook Consultant

    Thank you. The primary benefit I had in mind and wanted to take advantage of was shutting hackers'/malwares' ability to read my private data even when they have the file - pity that it's not true. It's still a worthwhile option provided the performance impact is minimal.

    Would you know any cases other than BIOS where user induced changes can trigger BitLocker to lockout my data? (e.g. driver upgrade like Lenovo system interface driver etc.) By master key, do you mean the file/password BitLocker offered me to save/print when I initiate the process? Is it always possible to recover my data as long as I have the master key - do you know of exceptions/scenarios I'd lose my data even when I have the key?

    Thanks again!
     
  11. realwarder

    realwarder Notebook Evangelist

    Yes, the file it had you save/print is the important one.

    Updating any Windows drivers will not trigger it as they are past the authentication stage. It is really only hardware level changes that trigger the request.

    The only scenario that is potentially worse than a regular HDD is if somehow the drive was physically damaged in some particular sectors. On a regular drive you might be able to recover some files using recovery/repair tools to scan the drive, but here of course you would not, unless they were bitlocker-aware. That is a small risk I am willing to take for the large security gain.
     
  12. lkpcampion

    lkpcampion Notebook Consultant

    I am waiting for a tech to come in to change the motherboard for me in a few days. I guess that is enough hardware change that I should wait to enable BitLocker afterwards?

    I am interested in the case you mentioned. Why would I not be able to scan and recover files from the SSD? And by 'unless they were bitlocker-aware', what do you mean, and do you know which recovery/repair tool is so?

    Thanks!
     
  13. realwarder

    realwarder Notebook Evangelist

    A motherboard change is no different to a BIOS update... a suspend/resume would cover the change.

    On the difference from regular HDD front... Well, say I destroyed the Partition table/MBR/MFT. There is no way windows is going to be able to boot and no record that the drive is a bitlocker protected volume. In fact there is no record of the volume.

    There are two fixes here potentially possible on a regular drive:

    - Recover/fix the MBR/MFT/Partition table (best option)
    - Scan raw disk for files and recover them

    The second option is clearly impossible when data is all encrypted.

    For the first option, Microsoft provide a tool to assist with this situation. For all I know, it may do more, but thankfully I've never had to use it!
     
  14. lkpcampion

    lkpcampion Notebook Consultant

    Thanks. This is really informative. Knowing the downside, if you don't mind, I wonder how valuable the upside of this technique is.

    Since it's only protecting against the case when people try to pry into my data from a separate OS, how likely do you think it'd occur? I would imagine most people would simply sell the laptop ASAP once they steal it. How likely is it that someone who'd steal a laptop nowadays would both be tech savvy and willing to pop in a Linux OS and crack through my hard drive? I imagine that'd be some pretty experienced high-tech thief most people don't usually encounter?
     
  15. realwarder

    realwarder Notebook Evangelist

    Depends:

    My laptop includes both personal and work stuff.

    For work I have things like company IPR and test data including SSNs etc. This is a big no-no in this day and age to have someone access.

    Even at a personal level, there are tax returns, bank account numbers etc. Often the value of those is more than the laptop itself...

    As you say, it's up to the individual. For me, it's not an option to not be protected.
     
  16. lkpcampion

    lkpcampion Notebook Consultant

    Yup. It does depend on the individual - I really appreciate the help so I can make up my mind.

    I have my Quicken on my computer, which is of course password locked. Emails/Tasks/Appointments in Outlook, however, are freely available once someone has logged in. I have a digital wallet that is also AES-encrypted and locked. I wonder how much I have at risk if I don't have BitLocker - can anyone really access those easily except the Outlook emails?
     
  17. realwarder

    realwarder Notebook Evangelist

    Quicken, yes:

    http://www.elcomsoft.com/ainpr.html?r1=pr&r2=quicken_210607

    An AES wallet, probably not.

    Using TrueCrypt is a good way to protect some files. However the more files you add, the closer you are to full drive encryption...
     
  18. lkpcampion

    lkpcampion Notebook Consultant

    Even quicken ... that's pretty alarming. It seems the so called 'password protected' programs are not that protected after all.

    I may give BitLocker a try in a few days. ~ :) Still a little reluctant on the performance drop.
     
  19. jaakobi

    jaakobi Notebook Evangelist

    As an aside, if you use fingerprint login for your computer, is this a vulnerable security method? In other words, if someone steals your laptop, and they know there's valuable information on it (think corporate espionage :)), and you have fingerprint login, can they simply find a fingerprint on the laptop itself, and "fake" a fingerprint to the reader and gain access to your computer? I have a T61p so I probably don't have the latest reader either, so my guess is it could be faked easily enough.
     
  20. realwarder

    realwarder Notebook Evangelist

    If you've seen the experience of the Mythbusters team, then yes, it isn't that hard.

    Note: Lenovo fingerprint software has a 'more secure' mode that makes the reader more fussy, but yes, a secondary PIN/smartcard is the best method of security.
     
  21. lkpcampion

    lkpcampion Notebook Consultant

    Now that is intriguing. I hadn't thought about someone harvesting my fingerprints from the laptop and logging on with them. That'd be a concern: what is it about the Lenovo fingerprint software that makes the reader more fussy and thus 'secure'?

    Now on the BitLocker, I understand that function (at least the default transparent one without an extra PIN or smart card) involves a key that I set to boot into Windows. BitLocker/TPM will not allow access in case of using a separate OS to mount the drive or a significant hardware change. I don't see any point where the fingerprint is involved - or am I wrong and BitLocker can somehow involve fingerprint authentication?
     
  22. Scrubjay

    Scrubjay Notebook Guru

    For security I have used TrueCrypt.
    http://www.truecrypt.org

    This is a free program. I simply create a file which I can mount as a drive, and I just put all the sensitive data into the file. I can easily move the file from system to system which is useful for backup purposes. As long as you have an effective password (say 20 or more letters/numbers) I expect your data would be reasonably secure.
     
  23. realwarder

    realwarder Notebook Evangelist

    You can enable a more secure fingerprint scanning mode in the Lenovo Fingerprint Control Panel. I would hope it tightens the algorithm used to match the scanned fingerprint against those it learned.

    If you have a fingerprint reader on your laptop, it is common to enable it as the authentication/sign-on method. I.e. rather than typing your password, you just swipe your finger.
     
  24. lkpcampion

    lkpcampion Notebook Consultant

    Do you mean the secure vs convenient options? I haven't tried secure yet. I'll give it a few days' run and see how much it adds to logon failure rates.

    I use this function a lot for power-on security so I can boot up and/or logon windows with my fingerprint. I just don't know how it can be set to work with BitLocker as well. Does BitLocker ask for my fingerprint instead of the master recovery key in case of a lock-out? Is there specific setting I need to change to enable that?
     
  25. hceuterpe

    hceuterpe Notebook Evangelist

    Did you ever get this answered?
     
  26. realwarder

    realwarder Notebook Evangelist

    The fingerprint is not a replacement for the bitlocker key. A fingerprint can just be used to log into Windows/BIOS.
     
  27. hceuterpe

    hceuterpe Notebook Evangelist

    I ran some tests with BitLocker. While you can't benchmark it specifically, I installed diskcryptor 0.9. Curiously, the developer of this software implemented AES-NI extensions. If you have the 620m, you have that (I have the same CPU). I first ran a benchmark with hardware support turned off. It got about 350MB/s in AES--not bad. However the BIG surprise: When I turned it on, that same figure soared to 2400MB/s. I doubt you're gonna notice a performance drop with that. As far as I can tell, Bitlocker has the same acceleration. AES-NI is also supposed to be more secure as it mitigates side-channel attacks.

    Also, Bitlocker itself for boot drives can't authenticate with biometric or smart cards. Just the TPM/PIN/USB (as these are the only ones with a standard). An alternative to protect against the TPM disassembly hacks I believe is to register a power-on password and tie a fingerprint to it. The HDD password might also be an acceptable alternative, too. Then you'd swipe once in the BIOS, and then TPM would unlock Bitlocker. The secure/convenience option of the fingerprint appears to differ mostly in the accuracy threshold. The secure mode seems to trigger more incorrect attempts.
    I will tell you, the only more secure option is an FDE drive itself. Let me warn you: FDE in hardware is a headache, as my T410 seems to have issues with the proper security implemented (HDD passwords). Software available using OPAL/Seagate Secure instead of BIOS passwords is about $100-$120.
     
  28. mike5065

    mike5065 Notebook Consultant

    Does anyone have real world benchmarks on battery life while using BitLocker versus not? I'm interested in this, but wondering if the extra processing (by i5, by TPM, by other) has a negligible impact on battery times, or if I will lose an hour or so.
     
  29. hceuterpe

    hceuterpe Notebook Evangelist

    Bitlocker and other FDE schemes encrypt data by means of "data at rest". The main protection these provide is if you lose your laptop, or if someone steals your laptop and it is fully powered off.

    Once your operating system is up and running, you are essentially subjected to the same security concerns as if your data wasn't encrypted and you are in possession of your machine, actively using it. You need multi-tier protection such as virus protection, secure Windows passwords, a firewall, protection from phishing sites and eavesdropping (ever hear of privacy screens?), access restrictions such as UAC, protection with the NX bit, and frequent software updates to mitigate security vulnerabilities.

    There is a reason why The Department of Defense created "LPS-Public 0.8.8", a LiveCD based OS for accessing their resources. It's to mitigate against risks I noted in the previous paragraph.

    In fact... I suspect for agents in the field that need access to top secret info, my guess is the DoD provides them with a CAC card (a smart card) a LiveCD similar to that and a hardened laptop with no HDD. Then probably some classified secure network of some sort... You don't need that much security :D

    The other issue with bitlocker is if you clear the TPM accidentally in the BIOS, or in the OS. This is not easy to do accidentally. What I would suggest is to zip the recovery key in AES and password protect with one you'll remember and keep it in a safe place, inaccessible to the computer with which it recovers.

    If you accidentally wipe your TPM chip and you still have access to the recovery key, you can input that, boot into Windows, turn off bitlocker for the drive/partition, then re-enable it. If you do though, remember the recovery key is new and different from the old one and the TPM will be re-initialized.
     
  30. BinkNR

    BinkNR Knock off all that evil

    While I haven’t done any benchmarking, I’d say this is negligible. Under normal use CPU overhead due to BitLocker is tiny and largely unnoticeable. It’s quite possible playing music uses more CPU time.
     
  31. hceuterpe

    hceuterpe Notebook Evangelist

    Bitlocker is negligible supposedly on even the previous gen CPUs. Considering YOUR CPU can effectively handle AES encryption/decryption at what seems to be 6-8 times faster with the optimization than without it, I doubt you'll notice a performance hit whatsoever.
    Also to keep in mind, less CPU hit means less battery consumption. Everything I've read indicates Bitlocker uses the AES instructions in the 540/620 Arrandale CPUs (so you'd see a comparable speed bump to what I saw in the DC benchmarks).

    Unless you were going to get a new larger HDD regardless, you probably don't need to opt for a FDE drive.
    However, if you went so far as to get a laptop with the extra security features, with a very agreeable CPU, you might as well enable Bitlocker :D