
What is a TPM, and Why Does Windows Need One For Disk Encryption? | Dramel Notes


BitLocker disk encryption normally requires a TPM on Windows. Microsoft’s EFS encryption can never use a TPM. The new “device encryption” feature on Windows 10 and 8.1 also requires a modern TPM, which is why it’s only enabled on new hardware. But what is a TPM?

TPM stands for “Trusted Platform Module”. It’s a chip on your computer’s motherboard that helps enable tamper-resistant full-disk encryption without requiring extremely long passphrases.

What Is It, Exactly?

The TPM is a chip that’s part of your computer’s motherboard — if you bought an off-the-shelf PC, it’s soldered onto the motherboard. If you built your own computer, you can buy one as an add-on module if your motherboard supports it. The TPM generates encryption keys, keeping part of the key to itself. So, if you’re using BitLocker encryption or device encryption on a computer with the TPM, part of the key is stored in the TPM itself, rather than just on the disk. This means an attacker can’t just remove the drive from the computer and attempt to access its files elsewhere.

This chip provides hardware-based authentication and tamper detection, so an attacker can’t attempt to remove the chip and place it on another motherboard, or tamper with the motherboard itself to attempt to bypass the encryption — at least in theory.

Encryption, Encryption, Encryption

For most people, the most relevant use case here will be encryption. Modern versions of Windows use the TPM transparently. Just sign in with a Microsoft account on a modern PC that ships with “device encryption” enabled and it’ll use encryption. Enable BitLocker disk encryption and Windows will use a TPM to store the encryption key.

You normally just gain access to an encrypted drive by typing your Windows login password, but it’s protected with a longer encryption key than that. That encryption key is partially stored in the TPM, so you actually need your Windows login password and the same computer the drive is from to get access. That’s why the “recovery key” for BitLocker is quite a bit longer — you need that longer recovery key to access your data if you move the drive to another computer.

This is one reason why the older Windows EFS encryption technology isn’t as good. It has no way to store encryption keys in a TPM. That means it has to store its encryption keys on the hard drive, which makes it much less secure. BitLocker can function on drives without TPMs, but Microsoft went out of its way to hide this option to emphasize how important a TPM is for security.
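To see which of the arrangements above a machine actually has, the following PowerShell audit (an added example, not from the original post) reads the TPM state and each BitLocker volume’s key protectors from an elevated prompt on Windows 8.1 or later with the BitLocker and TrustedPlatformModule modules installed; the function name `Get-BitLockerTpmAudit` is my own, not a built-in cmdlet.

```powershell
# Added audit: requires the BitLocker and TrustedPlatformModule modules
# (Windows 8.1/10 Pro and Enterprise) and an elevated PowerShell session.
# The function name is an assumption of this example, not a built-in cmdlet.
function Get-BitLockerTpmAudit {
    # Is there a TPM, and is it ready for BitLocker to seal keys into it?
    $tpm = Get-Tpm
    [pscustomobject]@{
        Check  = 'TPM'
        Detail = "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"
        Ok     = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
    }

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        # A protector type beginning with "Tpm" (Tpm, TpmPin, TpmStartupKey,
        # TpmPinStartupKey) means the volume key is sealed to this board's TPM,
        # which is what stops the drive from being read in another computer.
        $tpmBound = [bool]($types | Where-Object { $_ -like 'Tpm*' })
        # The long numeric recovery password is the only way back in if the
        # drive is moved elsewhere or the TPM refuses to unseal the key.
        $hasRecovery = $types -contains 'RecoveryPassword'
        # Only the OS volume is expected to be TPM-bound; fixed data drives are
        # normally auto-unlocked from the OS volume via an ExternalKey protector.
        $needsTpm = $vol.VolumeType -eq 'OperatingSystem'

        [pscustomobject]@{
            Check  = "BitLocker $($vol.MountPoint) ($($vol.VolumeType))"
            Detail = "Status=$($vol.VolumeStatus) Protection=$($vol.ProtectionStatus) " +
                     "Method=$($vol.EncryptionMethod) Protectors=$($types -join ',')"
            Ok     = ($vol.ProtectionStatus -eq 'On') -and
                     ((-not $needsTpm) -or $tpmBound) -and $hasRecovery
        }
    }
}

Get-BitLockerTpmAudit | Format-Table -AutoSize
```

A system volume whose only protector is a password (no `Tpm*` entry) is the hidden non-TPM mode the paragraph mentions, and a volume with no `RecoveryPassword` protector cannot be opened at all once it leaves the machine.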

Why TrueCrypt Shunned TPMs

Of course, a TPM isn’t the only workable option for disk encryption. TrueCrypt’s FAQ — now taken down — used to stress why TrueCrypt didn’t use and would never use a TPM. It slammed TPM-based solutions as providing a false sense of security. Of course, TrueCrypt’s website now states that TrueCrypt itself is vulnerable and recommends you use BitLocker — which uses TPMs — instead. So it’s a bit of a confusing mess in TrueCrypt land.

This argument is still available on VeraCrypt’s website, however. VeraCrypt is an active fork of TrueCrypt. VeraCrypt’s FAQ insists BitLocker and other utilities that rely on TPM use it to protect against attacks that require an attacker to have administrator access, or have physical access to a computer. “The only thing that TPM is almost guaranteed to provide is a false sense of security,” says the FAQ. It says that a TPM is, at best, “redundant”.

There’s a bit of truth to this. No security is completely absolute. A TPM is arguably more of a convenience feature. Storing the encryption keys in hardware allows a computer to automatically decrypt the drive, or decrypt it with a simple password. It’s more secure than simply storing that key on the disk, as an attacker can’t simply remove the disk and insert it into another computer. It’s tied to that specific hardware.


Ultimately, a TPM isn’t something you have to think about much. Your computer either has a TPM or it doesn’t — and modern computers generally will. Encryption tools like Microsoft’s BitLocker and “device encryption” automatically use a TPM to transparently encrypt your files. That’s better than not using any encryption at all, and it’s better than simply storing the encryption keys on the disk, as Microsoft’s EFS (Encrypting File System) does.

As far as TPM vs. non-TPM-based solutions, or BitLocker vs. TrueCrypt and similar solutions — well, that’s a complicated topic we aren’t really qualified to address here.

Image Credit: Paolo Attivissimo on Flickr


What’s the Difference Between BitLocker and EFS (Encrypting File System) on Windows? | Dramel Notes


Windows 10, 8.1, 8, and 7 all include BitLocker drive encryption, but that’s not the only encryption solution they offer. Windows also includes an encryption method named the “encrypting file system”, or EFS. Here’s how it differs from BitLocker.

Both BitLocker and EFS are only available on Professional and Enterprise editions of Windows. Home editions can only use the more restricted “device encryption” feature, and only if it’s a modern PC that shipped with device encryption enabled.

BitLocker is Full Disk Encryption

BitLocker is a full-disk encryption solution that encrypts an entire volume. When you set up BitLocker, you’ll be encrypting an entire partition — such as your Windows system partition, another partition on an internal drive, or even a partition on a USB flash drive or other external media.

It is possible to encrypt only a few files with BitLocker by creating an encrypted container file. However, this container file is essentially a virtual disk image, and BitLocker works by treating it as a drive and encrypting the entire thing.

If you’re going to encrypt your hard drive to protect sensitive data from falling into the wrong hands, especially if your laptop is stolen, BitLocker is the way to go. It’ll encrypt the entire drive and you won’t have to think about which files are encrypted and which aren’t. The entire system will be encrypted.

This doesn’t depend on user accounts. When an administrator enables BitLocker, every single user account on the PC will have its files encrypted. BitLocker uses the computer’s trusted platform module — or TPM — hardware.

While “device encryption” is more limited on Windows 10 and 8.1, it works similarly on PCs where it’s available. It encrypts the entire drive rather than individual files on it.

EFS Encrypts Individual Files

EFS — the “encrypting file system” — works differently. Rather than encrypting your entire drive, you use EFS to encrypt individual files and directories, one by one. Where BitLocker is a “set it and forget it” system, EFS requires you to manually select the files you want to encrypt and change this setting.

You do this from the File Explorer window. Select a folder or individual files, open the Properties window, click the “Advanced” button under Attributes, and activate the “Encrypt contents to secure data” option.

This encryption is on a per-user basis. Encrypted files can only be accessed by the particular user account that encrypted them. The encryption is transparent. If the user account that encrypted the files is logged in, they’ll be able to access the files without any additional authentication. If another user account is logged in, the files won’t be accessible.

The encryption key is stored in the operating system itself rather than using a computer’s TPM hardware, and it’s possible an attacker could extract it. There’s no full-drive encryption protecting those particular system files unless you also enable BitLocker.

It’s also possible that the encrypted files could “leak” out into unencrypted areas. For example, if a program creates a temporary cache file after opening an EFS-encrypted document with sensitive financial information, that cache file and its sensitive data will be stored unencrypted in a different folder.

Where BitLocker is essentially a Windows feature that can encrypt an entire drive, EFS takes advantage of features in the NTFS file system itself.
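The two EFS weaknesses just described, keys that live on a disk nothing else protects and sensitive data leaking into unencrypted temp files, can both be checked for a given document with this PowerShell function (an added example, not from the original post). It assumes Windows Pro/Enterprise with the BitLocker module present; the function and parameter names are my own.

```powershell
# Added example: inspects one EFS-encrypted file for the two exposures the
# article describes. Function and parameter names are assumptions.
# Assumes the BitLocker module is present (Pro/Enterprise editions).
function Test-EfsExposure {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$RecentMinutes = 30   # how far back to look for fresh cache files
    )
    $item = Get-Item -LiteralPath $Path
    $encBit = [IO.FileAttributes]::Encrypted
    # EFS marks a file with the Encrypted attribute; this is the same bit that
    # File Explorer's "Encrypt contents to secure data" checkbox toggles.
    $efs = (($item.Attributes -band $encBit) -eq $encBit)

    # Is the volume holding the file also under BitLocker? Without it, the
    # EFS key material and any plaintext copies sit on a readable disk.
    $drive = $item.PSDrive.Name + ':'
    $bl = Get-BitLockerVolume -MountPoint $drive -ErrorAction SilentlyContinue
    $bitlocker = [bool]($bl -and $bl.ProtectionStatus -eq 'On')

    # Leak check: files written to %TEMP% recently that are NOT EFS-encrypted.
    # An application that caches or autosaves an open document lands here in
    # the clear, because EFS only protects what was explicitly marked.
    $cutoff = (Get-Date).AddMinutes(-$RecentMinutes)
    $leaks = Get-ChildItem -LiteralPath $env:TEMP -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            $_.LastWriteTime -gt $cutoff -and
            (($_.Attributes -band $encBit) -ne $encBit)
        } | Select-Object -ExpandProperty FullName

    [pscustomobject]@{
        File                = $item.FullName
        EfsEncrypted        = $efs
        VolumeBitLockerOn   = $bitlocker
        RecentPlaintextTemp = @($leaks)
    }
}

# Example call (path is a placeholder): open the document in its application
# first, then run this to see what it wrote to %TEMP% unencrypted.
Test-EfsExposure -Path "$env:USERPROFILE\Documents\budget.xlsx"
```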

Why You Should Use BitLocker, and Not EFS

It’s actually possible to use both BitLocker and EFS at once, as they’re different layers of encryption. You could encrypt your entire drive, and, even after doing so, Windows users will be able to activate the “Encrypt” attribute for files and folders. However, there’s not actually much reason to do so.

If you want encryption, it’s best to go for full-disk encryption in the form of BitLocker. Not only is this a “set it and forget it” solution you can enable once and forget about, it’s also more secure.

We’ve tended to gloss over EFS when writing about encryption on Windows and often only mention BitLocker as Microsoft’s solution for encryption on Windows. There’s a reason for this. BitLocker’s full-disk encryption is just superior to EFS, and you should be using BitLocker if you need encryption.


So why does EFS even exist? One reason is that it’s an older feature of Windows. BitLocker was introduced along with Windows Vista. EFS was introduced back in Windows 2000.

At one point, BitLocker might have slowed down overall operating system performance, while EFS would have been a bit more lightweight. But, with reasonably modern hardware, this shouldn’t be the case at all.

Just use BitLocker and forget Windows even offers EFS. It’s less of a hassle to actually use and is more secure.
