to bitlocker or not to bother?
Bitlocker - is it worth it? Win10 pro apparently has it, win7 pro doesn't. I'm probably going to downgrade win10 pro to win7 pro but is it worth paying for an ultimate licence to get bitlocker on win7? Are there any alternatives for giving some security to a laptop? Sounds like bitlocker will run with hardware encryption rather than software via TPM which my machine should have (TBC when it arrives).
Re: to bitlocker or not to bother?
There was some kind of encryption with Win 7 Pro.. thought that was bitlocker?
EDIT: Ah no, that was just EFS.
Re: to bitlocker or not to bother?
Notwithstanding the controversy surrounding Truecrypt, I would suggest that it is still suitable for protecting data-at-rest in a home environment. Presumably you want to protect sensitive data if the laptop gets stolen.
Truecrypt is still effective at protecting that unless you have a very skilled forensic based thief. Most casual thieves will put it on eBay or pawn it, and if they can't get it to boot, probably just bin it.
Otherwise BeCrypt's Disk Protect will do the job - at a price.
Re: to bitlocker or not to bother?
Quote: Originally Posted by ik9000
Bitlocker - is it worth it? Win10 pro apparently has it, win7 pro doesn't. I'm probably going to downgrade win10 pro to win7 pro but is it worth paying for an ultimate licence to get bitlocker on win7? Are there any alternatives for giving some security to a laptop? Sounds like bitlocker will run with hardware encryption rather than software via TPM which my machine should have (TBC when it arrives).
What laptop are you getting?
Re: to bitlocker or not to bother?
Quote: Originally Posted by ik9000
Sounds like bitlocker will run with hardware encryption rather than software via TPM which my machine should have (TBC when it arrives).
As far as Bitlocker running with "hardware encryption", this is purely Self-Encrypting SSDs, via what Microsoft call 'eDrive'.
It basically manages the "password" for the drive, the drive itself does the actual encryption, BUT, if the drive does not have it enabled by default you need to erase it and reinstall Windows, as SED can not be enabled after the fact.
Otherwise, Bitlocker would operate as software encryption, using the TPM for boot validation.
Re: to bitlocker or not to bother?
Quote: Originally Posted by GoNz0
What laptop are you getting?
XPS13 9350
Quote: Originally Posted by peterb
Presumably you want to protect sensitive data if the laptop gets stolen.
Bingo - going to be lugging this around to/from work each day.
Quote: Originally Posted by BobF64
As far as Bitlocker running with "hardware encryption", this is purely Self-Encrypting SSDs, via what Microsoft call 'eDrive'.
It basically manages the "password" for the drive, the drive itself does the actual encryption, BUT, if the drive does not have it enabled by default you need to erase it and reinstall Windows, as SED can not be enabled after the fact.
Otherwise, Bitlocker would operate as software encryption, using the TPM for boot validation.
I will be reinstalling Windows from the off and from what I can glean from various forums most people on the XPS13 are getting Samsung NVMe SSDs which should support hardware encryption. Some folk get Toshiba ones, so I'll have to wait and see what I get when/if the thing ever arrives. Looks like I can still get a Win7 Ultimate key if it all goes well.
Re: to bitlocker or not to bother?
Dell seem to be switching to Toshiba SSDs and they don't support eDrive with no plans to do so, annoying as hell as I have the top speed 9550 business edition so you would kinda expect it to support eDrive!
Re: to bitlocker or not to bother?
Quote: Originally Posted by ik9000
...from what I can glean from various forums most people on the XPS13 are getting Samsung NVMe SSDs which should support hardware encryption. ... Looks like I can still get a Win7 Ultimate key if it all goes well.
However, from what I read, for Bitlocker to work with it as an eDrive, you need Windows 8 or later.
Windows 7 Ultimate using Bitlocker would be software encryption over the top of the SSD's self-encryption. Which seems rather redundant.
Re: to bitlocker or not to bother?
I use bitlocker on my laptop and work desktops, but otherwise don't bother.
I guess it depends on what you're trying to secure. It only really provides protection from having the drive pulled out and accessed later. If Windows boots then it will decrypt the drive. Although I seem to remember you have to enter the key if you're running safe mode etc.
Re: to bitlocker or not to bother?
Bitlocker with a TPM and no additional security does "measured boot", that is, it validates nothing has been changed in the files required to boot Windows. Effectively it checks a pre-established machine "fingerprint" hasn't changed.
Assuming nothing is compromised, the TPM essentially provides the decryption of the disk, it then relies on you setting a Windows password, along with other settings like blocking remote access, to protect your actual data.
This stops the disk being removed and put in another PC.
If you want to stop people accessing the disk on the correct PC, you just set it to require a PIN or use a Smartcard in addition to using the TPM.
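The distinctions drawn in this thread (drive-side eDrive encryption versus software encryption, and TPM-only unlock versus TPM plus PIN) can be read back from a running system. The script below is an added example, not code posted by anyone in the thread; it assumes an elevated PowerShell prompt on Windows 8 or later, where the BitLocker and TrustedPlatformModule cmdlets exist, and `Get-BitLockerPosture` is a hypothetical helper name.

```powershell
#Requires -Version 3
# Added example: report which engine encrypts each volume and what unlocks it.
# Get-BitLockerPosture is a hypothetical helper name, not a built-in cmdlet.
function Get-BitLockerPosture {
    param([Parameter(Mandatory)][object[]]$Volume)

    # Protector types that demand something from the user before Windows starts.
    $preBoot = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password'

    foreach ($v in $Volume) {
        # Normalise protector types to strings, dropping empty entries.
        $types = @($v.KeyProtector |
            ForEach-Object { [string]$_.KeyProtectorType } |
            Where-Object { $_ })

        $engine = if ("$($v.VolumeStatus)" -eq 'FullyDecrypted') {
            'none (not encrypted)'
        } elseif ("$($v.EncryptionMethod)" -eq 'HardwareEncryption') {
            'drive hardware (eDrive)'
        } else {
            "software ($($v.EncryptionMethod))"
        }

        $unlock = if (@($types | Where-Object { $_ -in $preBoot }).Count -gt 0) {
            'pre-boot PIN, startup key or password required'
        } elseif ($types -contains 'Tpm') {
            'TPM only: unlocks automatically on this machine'
        } else {
            'no TPM-based protector'
        }

        [pscustomobject]@{
            MountPoint = $v.MountPoint
            Protection = "$($v.ProtectionStatus)"
            Engine     = $engine
            Unlock     = $unlock
            Protectors = $types -join ', '
        }
    }
}

$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent); ready: $($tpm.TpmReady)"
Get-BitLockerPosture -Volume (Get-BitLockerVolume) | Format-Table -AutoSize
```

A volume reported as "TPM only" is the configuration described above as stopping the disk being moved to another PC; a "pre-boot" result corresponds to the added PIN.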
Re: to bitlocker or not to bother?
Quote: Originally Posted by Dashers
I use bitlocker on my laptop and work desktops, but otherwise don't bother.
I guess it depends on what you're trying to secure. It only really provides protection from having the drive pulled out and accessed later. If Windows boots then it will decrypt the drive. Although I seem to remember you have to enter the key if you're running safe mode etc.
Simply after protection against the machine being nicked and someone accessing my files - either by using the machine as-is or by removing the SSD and plugging it into another machine.
Quote: Originally Posted by BobF64
However, from what I read, for Bitlocker to work with it as an eDrive, you need Windows 8 or later.
Windows 7 Ultimate using Bitlocker would be software encryption over the top of the SSD's self-encryption. Which seems rather redundant.
Could I use the SSD's native encryption (assuming it offers it) for this without needing bitlocker then? That would save me having to buy an ultimate licence, and I can just stick with win7 pro.
Re: to bitlocker or not to bother?
I've never used a drive with built-in encryption, but my understanding is they work in a similar way to BitLocker in terms of user experience. They use TPM to store the key so you don't have to type it on each boot, but if the drive is pulled you'll need the key to decrypt the drive.
Obviously the weak point in transparent encryption is that if somebody guesses your OS password or somehow circumvents OS security to gain access to the system then the drive has already been decrypted. But this should be fine for most uses providing you have a reasonably secure password.
Re: to bitlocker or not to bother?
Quote: Originally Posted by ik9000
Simply after protection against the machine being nicked and someone accessing my files - either by using the machine as-is or by removing the SSD and plugging it into another machine.
Could I use the SSD's native encryption (assuming it offers it) for this without needing bitlocker then? That would save me having to buy an ultimate licence, and I can just stick with win7 pro.
Maybe it has the option to put a HDD password in the BIOS then the info cannot be recovered the same as Bitlocker once it kicks in?
Re: to bitlocker or not to bother?
But wouldn't that password be stored in the BIOS? Presumably it would achieve nothing if the drive is moved to another machine. It's been a while since I looked, but I thought the BIOS passwords only stopped you tinkering with things like the boot order etc in the BIOS itself?
Re: to bitlocker or not to bother?
HDD Password is stored on the HDD not in the BIOS.
Re: to bitlocker or not to bother?
Quote: Originally Posted by ik9000
Could I use the SSD's native encryption (assuming it offers it) for this without needing bitlocker then? That would save me having to buy an ultimate licence, and I can just stick with win7 pro.
I don't know, I would assume so as it's a hardware thing, rather than anything related to the OS installed.
If the drive is already configured, it will already be encrypting things, but I've never looked into how the drives unlock themselves.
Quote: Originally Posted by ik9000
but wouldn't that password be stored in the BIOS? Presumably it would achieve nothing if the drive is moved to another machine.
Well, the other machine wouldn't have the password for the BIOS to provide, so it wouldn't be accessible.
Quote: Originally Posted by ik9000
It's been a while since I looked, but I thought the BIOS passwords only stopped you tinkering with things like the boot order etc in the BIOS itself?
Don't confuse the password to enter or change the BIOS settings themselves with other passwords stored to unlock drives.
I would hope that the HDD password in the BIOS isn't ever visible in the plain once entered.