Q. Why would I use BitLocker on a device without the requirement to enter a PIN or a USB device? Does it just protect against someone removing the hard disk from the machine?

A. The Full Volume Encryption Key decrypts the protected volumes. It's stored in the Trusted Platform Module (TPM), which is part of the computer's hardware. If someone steals the whole machine, they have the TPM and the disk together, so if no PIN input or USB device presence is required, the thief now has full access to the machine. In this case, BitLocker has done nothing to help you, right? Wrong.

BitLocker is designed to protect the data "at rest." In the scenario above, the thief would be able to turn the laptop on and the OS would boot, but it would boot into the normal Windows secure logon screen, at which point the thief wouldn't be able to do anything without logon credentials. If the thief tried to boot the machine from Linux or another OS to access the NTFS volume outside of Windows, the early Windows boot code that interacts with the TPM and decrypts the drive wouldn't be called, so the volume would still be encrypted with BitLocker and unreadable.

Obviously, it's normally recommended that you use a PIN or a USB key holding part of the key material, which stops the OS from even booting. But don't think that BitLocker without these configured gains you nothing. You still protect the volumes from attack outside of the Windows OS, and an intruder gains nothing more than a logon screen with no credentials.
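To see which of the two postures described above a machine actually has, the following PowerShell audit (an added example, not part of the original answer) lists each BitLocker volume's key protectors and flags those relying on the TPM alone. It assumes the BitLocker PowerShell module (Get-BitLockerVolume) is present and the shell is elevated; the function name Get-BitLockerPreBootPosture is hypothetical.

```powershell
# Added example: report, per volume, whether BitLocker is off, TPM-only,
# or TPM plus a pre-boot factor (PIN and/or startup key on USB).
# Assumes the BitLocker module (Windows 8 / Server 2012 and later) and an elevated shell.

# Protector types that make the user present something before the OS boots.
$preBootFactors = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'ExternalKey', 'Password')

function Get-BitLockerPreBootPosture {
    param(
        # A BitLockerVolume object, normally piped in from Get-BitLockerVolume.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Volume
    )
    process {
        # Collect the protector type names attached to this volume.
        $types   = @($Volume.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $hasTpm  = $types -contains 'Tpm'
        $hasAuth = @($types | Where-Object { $preBootFactors -contains $_ }).Count -gt 0

        $posture = if ([string]$Volume.ProtectionStatus -ne 'On') { 'Protection off' }
                   elseif ($hasAuth) { 'TPM plus pre-boot factor (OS will not boot without it)' }
                   elseif ($hasTpm)  { 'TPM only (data-at-rest protection; logon screen is the remaining barrier)' }
                   else              { 'No TPM protector (recovery/password protectors only)' }

        [pscustomobject]@{
            MountPoint       = $Volume.MountPoint
            ProtectionStatus = [string]$Volume.ProtectionStatus
            Protectors       = ($types -join ', ')
            Posture          = $posture
        }
    }
}

# Run the audit against every BitLocker-capable volume on this machine.
Get-BitLockerVolume | Get-BitLockerPreBootPosture | Format-Table -AutoSize
```

On systems without the PowerShell module, `manage-bde -protectors -get C:` prints the same protector list for manual inspection.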
