703

BitLocker encryption broken in less than 43 seconds with sub-$10 Raspberry Pi Pico — key can be sniffed when using an external TPM (www.tomshardware.com)

submitted 10 months ago by throws_lemy@lemmy.nz to c/technology@lemmy.world

64 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[-] smileyhead@discuss.tchncs.de -3 points 10 months ago

Solution: Just encrypt it with a password.

[-] BaroqueInMind@kbin.social 31 points 10 months ago

Bit locker is a password controlled drive encryption. Am I being dumb or are you seriously saying that?

[-] tias@discuss.tchncs.de 26 points 10 months ago* (last edited 10 months ago)

I guess they mean use the password as part of the encryption key, or encrypt the key with the password. Bitlocker doesn't use the user's password in that way, which is why it can boot an encrypted system without user interaction. That part always seemed very sketchy to me.

[-] d3Xt3r@lemmy.nz 12 points 10 months ago

FYI: You can set it to require a PIN + TPM, or even just a password eg using manage-bde -on c: -password.

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde-on

[-] tias@discuss.tchncs.de 3 points 10 months ago

Thanks, that sounds really useful. I'm guessing it won't work unless you're local admin though.

[-] d3Xt3r@lemmy.nz 4 points 10 months ago

Yep, you'll need local admin of course.

[-] tias@discuss.tchncs.de -2 points 10 months ago* (last edited 10 months ago)

Which kind of makes it useless in many corporate environments where it's most needed, since the users won't be able to set their own password.

[-] d3Xt3r@lemmy.nz 5 points 10 months ago

I mean, if it's a corporate device then it's really a policy IT should be setting - this can be easily be done via a GPO or Intune policy, where an elevated script can prompt the end-user for a password.

[-] LifeInMultipleChoice@lemmy.world 2 points 10 months ago* (last edited 10 months ago)

Yarp. And when they forget it we use the 48 numerical recovery key found using the recovery ID that shows on the screen when you hit escape (from the bitlocker screen)

[-] lud@lemm.ee 1 points 10 months ago

It would be insane to let non admin change settings like this.

[-] tias@discuss.tchncs.de 1 points 10 months ago

I'm talking about letting the user change their own password. I'm honestly not sure how that would be technically accomplished in this situation without having to contact IT each time. It seems like something Microsoft should provide a no-frills GUI for that doesn't require elevation.

[-] lud@lemm.ee 1 points 10 months ago* (last edited 10 months ago)

Yeah, that could be neat as long as they still add a recovery key to the AD or somewhere else. A problem with that is that the users will likely choose shit passwords. That could be mitigated with password rules but still

I suspect Microsoft wants you to use TMP or physical keys instead of passwords.

[-] Kraven_the_Hunter@lemmy.dbzer0.com 10 points 10 months ago

Yes.

this post was submitted on 07 Feb 2024

703 points (97.8% liked)

Technology

60165 readers

1692 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related content.
Be excellent to each another!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, to ask if your bot can be added please contact us.
Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 2 years ago

MODERATORS