BitLocker, the encryption technology built into Windows, has taken some hits lately. A recent exploit demonstrated removing a computer’s TPM chip to extract its encryption keys, and many solid-state drives have been found to undermine BitLocker’s encryption. Here’s a guide to avoiding BitLocker’s pitfalls.
Note that these attacks all require physical access to your computer. That’s the whole point of encryption—to stop a thief who stole your laptop or someone from gaining access to your desktop PC from viewing your files without your permission.
Standard BitLocker Isn’t Available on Windows Home
While nearly all modern consumer operating systems ship with encryption by default, Windows 10 still doesn’t provide encryption on all PCs. Macs, Chromebooks, iPads, iPhones, and even Linux distributions offer encryption to all their users. But Microsoft still doesn’t bundle BitLocker with Windows 10 Home.
Some PCs may come with similar encryption technology, which Microsoft originally called “device encryption” and now sometimes calls “BitLocker device encryption.” We’ll cover that in the next section. However, this device encryption technology is more limited than full BitLocker.
How an Attacker Can Exploit This: There’s no need for exploits! If your Windows Home PC just isn’t encrypted, an attacker can remove the hard drive or boot another operating system on your PC to access your files.
The Solution: Pay $99 for an upgrade to Windows 10 Professional and enable BitLocker. You could also consider trying another encryption solution like VeraCrypt, the successor of TrueCrypt, which is free.
BitLocker Sometimes Uploads Your Key to Microsoft
Many modern Windows 10 PCs come with a type of encryption named “device encryption.” If your PC supports this, it will be automatically encrypted after you sign into your PC with your Microsoft account (or a domain account on a corporate network). The recovery key is then automatically uploaded to Microsoft’s servers (or your organization’s servers on a domain).
This protects you from losing your files—even if you forget your Microsoft account password and can’t sign in, you can use the account recovery process and regain access to your encryption key.
How an Attacker Can Exploit This: This is better than no encryption. However, this means that Microsoft could be forced to disclose your encryption key to the government with a warrant. Or, even worse, an attacker could theoretically abuse a Microsoft account’s recovery process to gain access to your account and access your encryption key. If the attacker had physical access to your PC or its hard drive, they could then use that recovery key to decrypt your files—without needing your password.
The Solution: Pay $99 for an upgrade to Windows 10 Professional, enable BitLocker via the Control Panel, and choose not to upload a recovery key to Microsoft’s servers when prompted.
Many Solid State Drives Break BitLocker Encryption
Some solid-state drives advertise support for “hardware encryption.” If you’re using such a drive in your system and enable BitLocker, Windows trusts the drive to encrypt the data itself and skips its own software encryption entirely. After all, if the drive can do the work in hardware, that should be faster.
There’s just one problem: Researchers have discovered that many SSDs don’t implement this properly. For example, the Crucial MX300 protects your encryption key with an empty password by default. Windows may say BitLocker is enabled, but it may not actually be doing much in the background. That’s scary: BitLocker shouldn’t be silently trusting SSDs to do the work. This is a newer feature, so this problem only affects Windows 10 and not Windows 7.
How an Attacker Could Exploit This: Windows may say BitLocker is enabled, but BitLocker may be sitting idly by and letting your SSD fail at securely encrypting your data. An attacker could potentially bypass the badly implemented encryption in your solid-state drive to access your files.
The Solution: Set the “Configure use of hardware-based encryption for fixed data drives” option in Windows group policy to “Disabled.” The change only applies to drives encrypted after it is made, so you must decrypt and re-encrypt any already-encrypted drive for it to take effect. BitLocker will then stop trusting drives and do all the work in software instead of hardware.
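As an added example (this is not the article’s own code, nor a Microsoft-supplied script), the PowerShell audit below ties the three sections together: it reports the Windows edition, lists each BitLocker volume with the encryption method that manage-bde reports (“Hardware Encryption” means the SSD, not BitLocker, is doing the work), shows whether a recovery password protector exists, and offers a function to write that recovery password to a file you keep offline instead of letting it be uploaded to a Microsoft account. The final function carries out the decrypt-then-re-encrypt step. It assumes an elevated prompt on Windows 10 Pro or better, English-language manage-bde output, and that you have already set the hardware-encryption group policy to Disabled as described above; the output file path is a placeholder you choose.

```powershell
# bitlocker-audit.ps1 -- added example, not part of the original article.
# Run from an elevated PowerShell prompt. Only the audit runs by default; the
# export and remediation functions are invoked only if you call them yourself.
#Requires -RunAsAdministrator

function Get-EditionInfo {
    # Windows 10 Home ships without BitLocker management; report what this machine has.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        Edition         = $os.Caption
        LooksLikeHome   = $os.Caption -match '\bHome\b'
        BitLockerModule = [bool](Get-Module -ListAvailable -Name BitLocker)
    }
}

function Get-ManageBdeField {
    # Pull one "Label:   value" line out of `manage-bde -status <drive>` output.
    # Assumes English output; the label text is localized on other language packs.
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][string]$Label
    )
    $output = & manage-bde.exe -status $MountPoint 2>&1
    foreach ($line in $output) {
        if ("$line" -match "^\s*$([regex]::Escape($Label)):\s*(.+?)\s*$") { return $Matches[1] }
    }
    return $null
}

function Get-BitLockerAudit {
    # One row per BitLocker-capable volume: encrypted or not, in software or in the
    # drive's hardware, and whether a recovery password protector exists.
    foreach ($vol in Get-BitLockerVolume) {
        $mp       = $vol.MountPoint
        $method   = Get-ManageBdeField -MountPoint $mp -Label 'Encryption Method'
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            $finding = 'NOT ENCRYPTED: enable BitLocker'
        } elseif ($method -eq 'Hardware Encryption') {
            $finding = 'SSD is doing the encryption: disable the policy, then decrypt and re-encrypt'
        } elseif ($recovery.Count -eq 0) {
            $finding = 'No recovery password protector: add one and store it offline'
        } else {
            $finding = 'OK'
        }

        [pscustomobject]@{
            MountPoint        = $mp
            VolumeStatus      = $vol.VolumeStatus       # FullyEncrypted, FullyDecrypted, ...
            ProtectionStatus  = $vol.ProtectionStatus   # On / Off
            EncryptionMethod  = $method                 # e.g. "XTS-AES 128" or "Hardware Encryption"
            DelegatedToDrive  = ($method -eq 'Hardware Encryption')
            RecoveryPasswords = $recovery.Count
            Finding           = $finding
        }
    }
}

function Export-RecoveryPassword {
    # Write the recovery password(s) to a file you control (for example on a USB
    # stick kept offline) rather than having them uploaded to a Microsoft account.
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][string]$OutFile   # placeholder path, e.g. E:\bitlocker-C.txt
    )
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $lines = foreach ($kp in $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword') {
        "Volume $MountPoint  ProtectorId $($kp.KeyProtectorId)  RecoveryPassword $($kp.RecoveryPassword)"
    }
    if (-not $lines) {
        throw "No recovery password protector on $MountPoint; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector"
    }
    $lines | Set-Content -Path $OutFile -Encoding ASCII
    return $OutFile
}

function Reset-BitLockerToSoftware {
    # The article's fix, scripted: with the hardware-encryption policy already set to
    # Disabled in group policy, fully decrypt the volume, then re-encrypt it. Slow and
    # deliberate; the final line re-checks that the drive is no longer trusted.
    param([Parameter(Mandatory)][string]$MountPoint)
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    while ((Get-BitLockerVolume -MountPoint $MountPoint).VolumeStatus -ne 'FullyDecrypted') {
        Start-Sleep -Seconds 30
    }
    # Recovery password first (so it can be exported), then the TPM protector for unattended boot.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest | Out-Null
    $method = Get-ManageBdeField -MountPoint $MountPoint -Label 'Encryption Method'
    if ($method -eq 'Hardware Encryption') {
        Write-Warning "$MountPoint is still hardware-encrypted; confirm the group policy setting and repeat."
    }
    return $method
}

Get-EditionInfo  | Format-List
Get-BitLockerAudit | Format-Table -AutoSize
```

The audit reads the method from manage-bde rather than from the cmdlet object because the “Encryption Method” line is the same place the article’s advice points you to, and it is unambiguous: anything other than “Hardware Encryption” means BitLocker is encrypting in software. Running `Get-BitLockerAudit` before and after `Reset-BitLockerToSoftware` is the simplest way to confirm the change took effect.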