to bitlocker or not to bother?

[ik9000]

Bitlocker - is it worth it? Win10 pro apparently has it, win7 pro doesn't. I'm probably going to downgrade win10 pro to win7 pro but is it worth paying for an ultimate licence to get bitlocker on win7? Are there any alternatives for giving some security to a laptop? Sounds like bitlocker will run with hardware encryption rather than software via TPM which my machine should have (TBC when it arrives) .

[kalniel]

There was some kind of encryption with Win 7 Pro.. thought that was bitlocker?

EDIT: Ah no, that was just EFS.

[peterb]

Notwithstanding the controversy surrounding Truecrypt, I would suggest that it is still suitable for protecting data-at-rest in a home environment. Presumably you want to protect sensitive data if the laptop gets stolen.

Truecrypt is still effective at protecting that unless you have a very skilled forensic based thief. Most casual thieves will put it on eBay or pawn it, and if they can't get it to boot, probably just bin it.

Otherwise BeCrypt's Disk Protect will do the job - at a price.

[GoNz0]

Bitlocker - is it worth it? Win10 pro apparently has it, win7 pro doesn't. I'm probably going to downgrade win10 pro to win7 pro but is it worth paying for an ultimate licence to get bitlocker on win7? Are there any alternatives for giving some security to a laptop? Sounds like bitlocker will run with hardware encryption rather than software via TPM which my machine should have (TBC when it arrives) .

What laptop are you getting?

[BobF64]

Sounds like bitlocker will run with hardware encryption rather than software via TPM which my machine should have (TBC when it arrives) .

As far as Bitlocker running with "hardware encryption", this is purely Self-Encrypting SSDs, via what Microsoft call 'eDrive'.

It basically manages the "password" for the drive, the drive itself does the actual encryption, BUT, if the drive does not have it enabled by default you need to erase it and reinstall Windows, as SED can not be enabled after the fact.

Otherwise, Bitlocker would operate as software encryption, using the TPM for boot validation.

[ik9000]

What laptop are you getting?

XPS13 9350

Presumably you want to protect sensitive data if the laptop gets stolen.

Bingo - going to be lugging this around to/from work each day.

As far as Bitlocker running with "hardware encryption", this is purely Self-Encrypting SSDs, via what Microsoft call 'eDrive'.

It basically manages the "password" for the drive, the drive itself does the actual encryption, BUT, if the drive does not have it enabled by default you need to erase it and reinstall Windows, as SED can not be enabled after the fact.

Otherwise, Bitlocker would operate as software encryption, using the TPM for boot validation.

I will be reinstalling windows from the off and from what I can glean from various forums most people on the XPS13 are getting samsung NVME ssds which should support hardware encryption. Some folk get Toshiba ones, so I'll have to wait and see what I get when/if the thing ever arrives. Looks like I can still get a win7 ultimate key if it all goes well.

[GoNz0]

Dell seem to be switching to Toshiba SSD's and they don't support eDrive with no plans to do so, annoying as hell as I have the top speed 9550 business edition so you would kinda expect it to support eDrive!

[BobF64]

...from what I can glean from various forums most people on the XPS13 are getting samsung NVME ssds which should support hardware encryption. ... Looks like I can still get a win7 ultimate key if it all goes well.

However, from what I read, for Bitlocker to work with it as an eDrive, you need Windows 8 or later.

Windows 7 Ultimate using Bitlocker would be software encryption over the top of the SSDs self-encryption. Which seems rather redundant.

[Dashers]

I use bitlocker on my laptop and work desktops, but otherwise don't bother.

I guess it depends on what you're trying to secure. It only really provides protection from having the drive pulled out and accessed later. If Windows boots then it will decrypt the drive. Although I seem to remember you have to enter the key if you're running safe mode etc.

[BobF64]

Bitlocker with a TPM and no additional security does "measured boot", that is it validates nothing has been changed in the files required to boot Windows. Effectively it checks a pre-established machine "fingerprint" hasn't changed.

Assuming nothing is compromised, the TPM essentially provides the decryption of the disk, it then relies on you setting a Windows password, along with other settings like blocking remote access, to protect your actual data.

This stops the disk being removed and put in another PC.

If you want to stop people accessing the disk on the correct PC, you just set it to require a PIN or use a Smartcard in addition to using the TPM.

[ik9000]

I use bitlocker on my laptop and work desktops, but otherwise don't bother.

I guess it depends on what you're trying to secure. It only really provides protection from having the drive pulled out and accessed later. If Windows boots then it will decrypt the drive. Although I seem to remember you have to enter the key if you're running safe mode etc.

Simply after protection against the machine being nicked and someone accessing my files - either by using the machine as-is or by removing the SSD and plugging it into another machine.

However, from what I read, for Bitlocker to work with it as an eDrive, you need Windows 8 or later.

Windows 7 Ultimate using Bitlocker would be software encryption over the top of the SSDs self-encryption. Which seems rather redundant.

Could I use the SSD's native encryption (assuming it offers it) for this without needing bitlocker then? That would save me having to buy an ultimate licence, and I can just stick with win7 pro

[Dashers]

I've never used a drive with built-in encryption, but my understanding is they work in a similar way to BitLocker in terms of user experience. They use TPM to store the key so you don't have to type it on each boot, but if the drive is pulled you'll need the key to decrypt the drive.

Obviously the weak point in transparent encryption is that if somebody guesses your OS password or somehow circumvents OS security to gain access to the system then the drive has already been decrypted. But this should be fine for most uses providing you have a reasonably secure password.

[GoNz0]

Simply after protection against the machine being nicked and someone accessing my files - either by using the machine as-is or by removing the SSD and plugging it into another machine.



Could I use the SSD's native encryption (assuming it offers it) for this without needing bitlocker then? That would save me having to buy an ultimate licence, and I can just stick with win7 pro

Maybe it has the option to put a HDD password in the BIOS then the info cannot be recovered the same as Bitlocker once it kicks in?

[ik9000]

but wouldn't that password be stored in the BIOS? Presumably it would achieve nothing if the drive is moved to another machine. It's been a while since I looked, but I thought the BIOS passwords only stopped you tinkering with things like the boot order etc in the BIOS itself?

[GoNz0]

HDD Password is stored on the HDD not in the BIOS.

[BobF64]

Could I use the SSD's native encryption (assuming it offers it) for this without needing bitlocker then? That would save me having to buy an ultimate licence, and I can just stick with win7 pro

I don't know, I would assume so as its a hardware thing, rather than anything related to the OS installed.

If the drive is already configured, it will already be encrypting things, but I've never looked in to how the drives unlock themselves.

but wouldn't that password be stored in the BIOS? Presumably it would achieve nothing if the drive is moved to another machine.

Well, the other machine wouldn't have the password for the BIOS to provide, so it wouldn't be accessible.

It's been a while since I looked, but I thought the BIOS passwords only stopped you tinkering with things like the boot order etc in the BIOS itself?

Don't confuse the password to enter or change the BIOS settings themselves with other passwords stored to unlock drives.

I would hope that the HDD password in the BIOS isn't ever visible in the plain once entered.