What do I need to know about BitLocker?

Jumpem ([H]ard|Gawd, joined Dec 1, 2000, 1,060 messages)
I just upgraded to Windows 10 Pro in order to have BitLocker. I have an OS drive and several data drives with the same files on them.

I do not have TPM and had to configure BitLocker to use a password. It also saved recovery key text files for each drive. I am not sure how to handle these. I either have to keep them on another computer, a cloud storage service (sounds bad), or simply print them out.

After unlocking the drives on boot, what has to be done to lock them again? Logging off doesn't seem to do it. Do they lock automatically when the system is powered off? Is there a way to keep it powered on with the drives locked?

I am trying to better secure my PC, but can absolutely not lose access to the files on the data drives. I do also use Backblaze as a just in case. If there is anything else I need to be aware of please let me know.
 
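The OP's practical questions (is there a TPM, which drives are protected and by what, how to lock a data drive again without powering off, and how to check which recovery key file belongs to which drive) can all be answered from PowerShell. This is an added example, not code from the thread; it assumes Windows 10 Pro with the built-in BitLocker and TrustedPlatformModule cmdlets, an elevated prompt, and data drives at D: and E:.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell session on
# Windows 10 Pro and data volumes D: and E: (adjust to your own drive letters).

# 1. Is a TPM present and ready? (the OP's 2015 board may simply have it disabled in UEFI)
Get-Tpm | Select-Object TpmPresent, TpmReady

# 2. Which volumes are BitLocker-protected, with which protector types, and are
#    they currently unlocked? ProtectionStatus 'On' plus LockStatus 'Unlocked' is
#    the normal state while you are logged in: data is still encrypted on disk,
#    it is just being decrypted on the fly for running programs.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, LockStatus,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } }

# 3. Match the saved recovery key text files to their drives: each file is named
#    after the KeyProtectorId, so list the IDs per volume (without echoing the key).
foreach ($vol in Get-BitLockerVolume) {
    $vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object { "{0} -> recovery key ID {1}" -f $vol.MountPoint, $_.KeyProtectorId }
}

# 4. Lock the data drives again while the machine stays powered on. -ForceDismount
#    closes open handles, so save your work first. The OS volume cannot be locked
#    while Windows is running from it; only a reboot puts it back behind the password.
foreach ($mp in 'D:', 'E:') {
    Lock-BitLocker -MountPoint $mp -ForceDismount
}

# 5. Unlock a data drive with its password protector when you need it again.
$pw = Read-Host -AsSecureString 'BitLocker password for D:'
Unlock-BitLocker -MountPoint 'D:' -Password $pw
```

After step 4, File Explorer shows the closed-padlock icon for D: and E:, and a reboot is not required to get back to the locked state.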
The drive should stay unlocked only while it's mounted, so a reboot will require that you re-enter the password used to encrypt the drive.

Are you certain you don't have a TPM? If it's a more recent system you may only need to enable an option in BIOS/UEFI.
 
If it is unlocked when I shutdown, is it still in an unlocked state? I would not have done anything to lock it in this case, but when powered back on it is locked and I need to enter a password.

I am fairly certain my motherboard from 2015 does not have TPM. Entering a password doesn't bother me anyway. If I change hardware in the future, the data drives are not tied to it, and could just be unlocked with the password, correct?
 
Sounds like it's locked to me.
Probably not, unless it's an OEM like a Dell; then it might have TPM 1. If you move the drive to a new system you'll just need to unlock it again. If the new system has a TPM you can disable BL and then re-enable it, and it will use the TPM.

BUT once you have BL enabled, do not lose that key, as there is no workaround; that's the point.
 
I'm looking at this thread and seeing terms like locked and unlocked and I think there may be some confusion. BitLocker encrypts files at rest, as they are stored on the disk. Once they are encrypted with BitLocker, that's it.

I mentioned "at rest" because this concept is key. While your system is running and the drives are mounted, consider the files in transit. You can copy things to and from a BitLocker-protected drive to another that does or does not use it; all the work happens in the background. When the drives are unmounted or the system is off is when BitLocker really works. If someone has physical access to your drives, they cannot read what is on them. They have to have your BitLocker secrets to do so.

A customer brought me a laptop and said it was being slow and odd. After looking at it, I determined the hard drive was dying. I did everything I could right away to save all the data. I decided to use the (newer) backup method in Windows 10 to save the data. I had a hard time figuring out how to restore it from Windows PE, and then when I did, since I took them from a 1TB drive to a 256GB SSD (because they were using less than 100GB of space), the new imaging system didn't like that. So I decided to get the data offline, but I couldn't. The system used BitLocker and I didn't even know until then, and even though I was still using the same system, I wasn't using the same OS; the files were "at rest" so I would have to have his recovery key.

So BitLocker would protect you from:
Someone accessing your data directly from the drive.

BitLocker would not protect you from:
Crypto viruses
Remote access stealing of information
Faulty / bad / malicious software
 
I used "locked" and "unlocked" simply because there is a padlock icon in File Explorer that changes.

Are the files encrypted while I log in using a password? It logs in instantly, so it is not as if it is unencrypting the disk. When I look at File Explorer, the disks all have an unlocked padlock icon in this case. Is it okay to keep the machine powered up with the screen locked for days on end? I am mostly just concerned about the computer being accessed if it were physically stolen, and it would end up powered off if someone were to take it.
 
Your question makes me think you aren't understanding what BitLocker does, and that's why I tried to explain it.

Wait! I wrote out all the stuff so I'm going to leave it, but I think you're asking what the different icons mean? Here is a blog with a table and links with more info. https://devblogs.microsoft.com/oldnewthing/20170523-00/?p=96206

Unmounted means the system knows it's there but isn't allowing reads and writes to it. Having BitLocker on it means that additional steps will be needed to mount it, so technically without user intervention nothing can touch it.

The files, once BitLocker is turned on and fully active, are always encrypted. No matter what. The system will decrypt the files on the fly and give the info to itself or to other programs, and will encrypt that data as it's written to disk.

If someone takes your computer and wants to get the data, they'll find it difficult.
They can't read the data just by putting it in another computer.
They can't read the data just by running a different OS on the same computer.

If your computer is running, and somehow you get some ransomware:
It will still get your BitLocker-encrypted files; that's not what it's for.
In this case, as a program running on your system that has been authenticated through BitLocker, the ransomware will encrypt the file, then that encrypted data will be encrypted again as it's written to disk (think about the encryption like a Russian nesting doll; each layer of encryption surrounds the other, neither negating nor changing the other).
If the ransomware wrecks your installation of Windows, instead of just putting your drive in another computer and using the ransom release tool, you'd have to first import the BitLocker secret, then use the tool.
 
Here is what you need to know about bitlocker first - If you are concerned that someone may steal your drive and read data from it, bitlocker will protect you against that. If your concern is anything else, bitlocker will not protect you from that. Until you determine that bitlocker is the right tool for your needs, everything else is irrelevant.
 
That is the main need that I wanted it for.
 