How to protect BitLocker-encrypted documents from online threats?

By Eunice Samson | March 20, 2019 |

greater than 5 minutes

BitLocker is Windows’ built-in proprietary encryption program that allows users to encrypt their entire drive. It is also useful in protecting your system against unauthorized changes, including those orchestrated by firmware-level malware. While this feature is helpful in many scenarios, it is still vulnerable to attacks. For instance, hackers have the ability to remove the TPM chip of a computer to extract its encryption keys, allowing them to access the hard drive.

Naturally, you would ask, “Is BitLocker secure enough?” In this post, we will provide the answers surrounding that question. Since we’re taking the dynamic security environment into consideration, we cannot look at the situation in black and white. So, in this post, we are going to discuss the common issues you might encounter with BitLocker. We will also teach you how you can work around those problems to get the right protection you need.

BitLocker is not Available on all Windows PCs

These days, it is not uncommon to find operating systems with standard encryption. It is worth noting that users get to take advantage of reliable encryption technology when they purchase Macs, iPads, Chromebooks, iPhones, and Linux systems. On the other hand, Windows 10 still does not offer encryption on all computers. Unfortunately, Microsoft has not bundled BitLocker with Windows 10 Home.

There are PCs that come with ‘device encryption’ with features similar to what BitLocker offers. However, this technology is limited compared to the full version of BitLocker. Keep in mind that if your Windows 10 Home edition computer is not encrypted, anyone can simply remove your hard drive. They can also use a bootable USB drive to access your files.

Unfortunately, the only way around this problem is to pay the additional fee to upgrade to the Windows 10 Professional edition. Once you’ve done that, you need to go to the Control Panel to enable BitLocker. Make sure you opt out of uploading a recovery key to the servers of Microsoft.

BitLocker Does not Work Well with Many Solid-State Drives (SSD)

You may see manufacturers advertising that their SSDs support hardware encryption. If you’re using this type of drive and enable BitLocker, your operating system will believe that your drive will take care of the encryption tasks. After all, Windows usually optimizes operations, leaving the drive to perform tasks that it can handle.
Unfortunately, there is a loophole in this design. According to researchers, a lot of SSDs fail to implement this task properly. For instance, your operating system may believe that BitLocker is activated, but in reality, it is not doing a lot in the background. It is not ideal for this program to silently rely on SSDs to perform encryption tasks. In most cases, this problem affects Windows 10 and Windows 7 operating systems.

At this point, you’re probably asking, “Is BitLocker for Windows 10 effective?”

Well, your operating system may confirm that BitLocker is enabled, but it is just letting your SSD fail to encrypt your data securely. So, criminals may find a way to bypass your SSD’s poorly implemented encryption to access your files.

The solution to this problem is to tell BitLocker to use software-based encryption instead of hardware-based encryption. You can do this via the Local Group Policy Editor.

To proceed, follow the steps below:

  1. On your keyboard, press Windows Key+R. Doing so will launch the Run dialog box.
  2. Inside the Run dialog box, type “gpedit.msc” (no quotes), then click OK.
  3. Once the Local Group Policy Editor is up, navigate to this path:
    Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption
  4. Go to the right pane, then double-click the ‘Configure use of hardware-based encryption for fixed data drives’ option.
  5. Choose Disabled from the options, then click OK.

Once you’ve completed the steps above, unencrypt and then re-encrypt your drive to let the changes take effect.
TPM Chips are Removable

The Trusted Platform Module (TPM) in your computer is where BitLocker stores your encryption key. Supposedly, this hardware component is tamper-resistant. Unfortunately, a hacker can use some open-source code or purchase a field-programmable gate array to extract the key from the TPM. While doing this will destroy the hardware, it will enable the attacker to bypass the encryption and extract the key successfully.

Theoretically, once a hacker gets a hold of your computer, they will tamper with the hardware to bypass the TPM protections. Once they’ve done this, they will be able to extract the encryption key. Thankfully, there is a workaround for this issue. You can use the Local Group Policy Editor and configure BitLocker to require a pre-boot PIN.

When you select the ‘Require startup PIN with TPM’ option, your system will only be able to unlock the TPM at startup by using a PIN. Basically, once your PC boots, you need to type a PIN. So, you will provide the TPM with an extra layer of protection. Without your PIN, hackers will not be able to extract the encryption key from the TPM.

The Vulnerability of Computers in Sleep Mode

While learning how to use BitLocker drive encryption on Windows 10 is crucial, it is equally important to know how to optimize its security. When you’re using this program, you should disable Sleep Mode. You should know that your PC stays powered, and its encryption key is stored in RAM. On the other hand, you can use Hibernate mode because you can still use a PIN once you wake your computer up.

If you’re using Sleep Mode, once a hacker gains access to your computer, they can simply wake the system up and sign in to access your files. They may also be able to acquire the contents of your RAM by using direct memory access (DMA). Once they are successful with this, they will be able to get your BitLocker key.

The easiest way around this issue is to avoid leaving your computer asleep. You can either shut it down or put it into Hibernate mode. You can also secure the boot process by using a pre-boot PIN. Doing so will protect your computer against cold boot attacks. You should also configure BitLocker to require a PIN at boot even when resuming from hibernation.

All of the threats we mentioned in this article require physical access to your PC. However, your computer is still vulnerable to online attacks. So, if you want to reinforce your security, you should use a reliable and powerful anti-virus like Auslogics Anti-Malware. This tool will scan your browser extensions to prevent data leaks. It will even get rid of cookies that track your online activities. You can ensure that no malicious programs will run in the background to steal your data.

So, what do you think? Is BitLocker secure enough?

Let us know your thoughts in the comments below!

Share it:
Do you like this post?
1 Star2 Stars3 Stars4 Stars5 Stars (2 votes, average: 5.00 out of 5)
Loading...