Bitlocker discussion

[maflynn]

Since rebuilding my Lenovo, i've not yet re-enabled it. I was curious if anyone is choosing not too.

Also another thing, you may want to check if your laptop is using hardware based encryption or software. It seems some SSDs hardware encryption is not very secure.

Run this in the cmd shell
manage-bde.exe -status

Food for thought:
You Can’t Trust BitLocker to Encrypt Your SSD on Windows 10

Microsoft security Advisory

Microsoft is aware of reports of vulnerabilities in the hardware encryption of certain self-encrypting drives (SEDs).

1. Run ‘manage-bde.exe -status’ from elevated command prompt.
2. If none of the drives listed report "Hardware Encryption" for the Encryption Method field, then this device is using software encryption and is not affected by vulnerabilities associated with self-encrypting drive encryption.

To mitigate vulnerabilities associated with self-encrypting drives on Windows systems:

1. Configure and deploy a Group Policy to enable forced software encryption.
2. Fully turn off BitLocker to decrypt the drive.
3. Enable BitLocker again.

 

[Thysanoptera]

I always enable it, I see it as a way to prevent a potential thief from accessing my data. I was never able to get hardware encryption working, it is always software. Which in light of those vulnerabilities is a good thing. Two lessons learned:

1. Don't buy M3 Bitlocker for Mac. It is $60 for 'lifetime' license, but this license is bound to a single Mac, you can't move it to another. And it is just ridiculously slow, like 20MB/s when the drive works at 450MB/s (external one). It is better to load Windows 10 Pro in VM, mount the Bitlockered drive in it, mount the Mac to drive to the VM also and copy at full speed.
2. If you have to set up work Exchange account on your personal laptop, do not select "Allow my organization to manage this device" when adding email account. Leave this unchecked and click "This app only". What happens is the Bitlocker recovery keys will be saved to you work cloud account from now on and you will have no way to retrieve them yourself. Even worse, if your IT set up the work issued laptops they will save their bitlocker keys to local Active Directory, and not to Azure cloud where your key went, and nobody in a fricking multibillion corporation will have any idea how to get your private key, including people who manage Azure. Yeah - it happened to me.

 

[maflynn]

I was planning on doing this, but then two things cropped up that I wanted to do more research. First the vulnerability, and second, I was genuinely interested in anyone who chose not to do it and why.

I dug into the details of the vulnability and it doesn't seem like the SSD that I have in mine wasn't mentioned specifically even though its a samsung SSD. Yet Lenovo did issue a security bulletin - Lenovo Security Advisory: LEN-25256

Affected Drives:

Crucial (Micron) MX100, MX200 and MX300 drives (Lenovo did not ship)
Samsung T3 and T5 portable drives (Lenovo did not ship)
Samsung 840 EVO and 850 EVO drives (Lenovo did not ship)

If you are using Microsoft BitLocker, please follow the instructions in Microsoft Security Advisory ADV180028 to determine the drive encryption type. If you find that you are using hardware-based encryption (this is very unlikely for drives supplied by Lenovo due to manufacturing configurations), please follow Microsoft’s guidance in the advisory to switch to software-based encryption.

So it seems out of the box Thinkpads are not using hardware based encryption and running manage-bde.exe -status confirms this.

Encrypting the drive was incredibly fast, I'm used to seeing it done in the office and taking all day.

As for work exchange servers, since this my personal property, I didn't configure my laptop to access the exchange servers and while my company requires bitlocker encryption, I'm not about to let them access/manage my property

 

[SDColorado]

I thought the ThinkPad used OPAL drives and that OPAL drives were always encrypted. Is that not correct?

 

[maflynn]

I thought the ThinkPad used OPAL drives and that OPAL drives were always encrypted. Is that not correct?

I'm not sure, I'm starting to google it, and it seems if the drive is OPAL and encrypted bit locker won't let you encrypt. I was able to encrypt without any issues, so the X1E may not use OPAL. Maybe other Thinkpads do

 

[SDColorado]

I'm not sure, I'm starting to google it, and it seems if the drive is OPAL and encrypted bit locker won't let you encrypt. I was able to encrypt without any issues, so the X1E may not use OPAL. Maybe other Thinkpads do

I thought they advertise that they do? Am I recalling incorrectly? I thought it was specced as PCIe-NVME OPAL2.0 M.2.

 

[maflynn]

I thought they advertise that they do? Am I recalling incorrectly? I thought it was specced as PCIe-NVME OPAL2.0 M.2.

The more digging I'm doing the more it seems they may offer OPAL compliant devices, or at least had offered them but recent information seems to indicate to use windows bitlocker. Either way, my laptop was not encrypted when I first got it, reloading windows was on an unecrypted drive AFAIK, and windows was unencrypted until I enabled bitlocker.

 

[Thysanoptera]

I think almost all if not all current drives support OPAL, but to get this working you have to jump through some hoops. Lenovo just uses this OPAL designation in product description like it's something unique. On SATA drive you just had to enable BIOS passwords, on those NVMe you had to secure erase it first to put into some state, I don't remember exactly and don't feel like looking for it. IMHO there is no advantage to hardware encryption, I don't see any performance decrease while using software encryption with Bitlocker. You just click enable/disable and you're done. I wouldn't worry about OPAL.

 

[SDColorado]

I think almost all if not all current drives support OPAL, but to get this working you have to jump through some hoops. Lenovo just uses this OPAL designation in product description like it's something unique. On SATA drive you just had to enable BIOS passwords, on those NVMe you had to secure erase it first to put into some state, I don't remember exactly and don't feel like looking for it. IMHO there is no advantage to hardware encryption, I don't see any performance decrease while using software encryption with Bitlocker. You just click enable/disable and you're done. I wouldn't worry about OPAL.

The only advantage I can think hardware encryption would be it would maybe be harder to circumvent in the event the device was stolen and someone tried to bypass the encryption by moving the drive to another computer. But maybe the software encryption is harder to bypass than I think it is

 

[Queen6]

I thought the ThinkPad used OPAL drives and that OPAL drives were always encrypted. Is that not correct?

Believe so, equally I'm a belt and braces guy, brought to you via multiple levels of encryption, with varying IP address. Privacy is a point in principle, one I will defend vehemently for all. The content belongs to the induvial as opinion, not the state or country, nor do they have any right to spy on...

Personally I don't care I just want to live my own life and be with those I care about, everything else can just **** right off. The hypocrisy simply sickens me, few really know the true meaning of serving or the cost...

Q-6

 

[Thysanoptera]

The only advantage I can think hardware encryption would be it would maybe be harder to circumvent in the event the device was stolen and someone tried to bypass the encryption by moving the drive to another computer. But maybe the software encryption is harder to bypass than I think it is

All those vulnerabilities applied to hardware encryption, and forcing the software encryption is one of the mitigation techniques. Bitlocker is solid, I couldn't recover a drive after I lost a key and I'm pretty sure any other random schmuck won't be able to decrypt it. Moving it to another computer actually makes it worse because you loose the original key stored in TPM module and thus give up upon any chance to use vulnerabilities in the TPM itself if any exist.

 

[SDColorado]

All those vulnerabilities applied to hardware encryption, and forcing the software encryption is one of the mitigation techniques. Bitlocker is solid, I couldn't recover a drive after I lost a key and I'm pretty sure any other random schmuck won't be able to decrypt it. Moving it to another computer actually makes it worse because you loose the original key stored in TPM module and thus give up upon any chance to use vulnerabilities in the TPM itself if any exist.

Thanks! I appreciate the clarification. OPAL has always been a bit of a mystery to me

 

[2984839]

I don't recommend or trust any closed source encryption software, including Bitlocker and FileVault.

I recommend VeraCrypt. I use it myself on my Windows drive and with AESNI and an SSD, it's fast enough to not be noticeable.

 

[maflynn]

I don't recommend or trust any closed source encryption software, including Bitlocker and FileVault.

In all honesty that doesn't bother me. It's not like I have state secrets or anything. All I'm protecting against is the common criminal.

 

[2984839]

In all honesty that doesn't bother me. It's not like I have state secrets or anything. All I'm protecting against is the common criminal.

I'm not just talking about backdoors here. Crypto is tricky to do right and I want to see their implementation before trusting it.

Though the backdoor angle is a serious problem, even if you aren't worried about governments. The Clipper chip from the 90s turned out to be vulnerable to everyone. It's so hard to design a cryptosystem securely that deliberately introducing holes in it is always going to end in disaster.

 

[Thysanoptera]

I recommend VeraCrypt. I use it myself on my Windows drive and with AESNI and an SSD, it's fast enough to not be noticeable.

That's a TrueCrypt fork, right? I've been using it during the XP age, and even into Windows 7, but then it died abruptly for unknown reasons, rumors were floating that it was compromised and I started using Bitlocker, and never looked back. Entering password on boot, then again to login to system, then again to mount external drive after explicitly selecting it in gui because it never auto mounted for me. It had unbeaten record vs government agencies trying to access encrypted data, so if VeraCrypt is based on it then it is better choice for sensitive data. But I'm like @maflynn - I just don't want to think about somebody who steals my laptop and goes through my stuff, I like the convenience of Bitlocker (as long as you have TPM chip).

 

[maflynn]

Crypto is tricky to do right and I want to see their implementation before trusting it.

Again, its not something I'm worked up about. I'm happy with BitLocker, the company I work for uses bitlocker and they're very careful about sensitive data, so if its could enough for them

 

[2984839]

That's a TrueCrypt fork, right? I've been using it during the XP age, and even into Windows 7, but then it died abruptly for unknown reasons, rumors were floating that it was compromised and I started using Bitlocker, and never looked back. Entering password on boot, then again to login to system, then again to mount external drive after explicitly selecting it in gui because it never auto mounted for me. It had unbeaten record vs government agencies trying to access encrypted data, so if VeraCrypt is based on it then it is better choice for sensitive data. But I'm like @maflynn - I just don't want to think about somebody who steals my laptop and goes through my stuff, I like the convenience of Bitlocker (as long as you have TPM chip).

Yes, VeraCrypt is forked from TrueCrypt 7.1a which was audited: http://www.istruecryptauditedyet.com/

However, VeraCrypt has added some crypto functionality since that audit, so I would steer clear of the new ciphers and hash functions for now.