Bitlocker on a New Laptop

[Big Dog]

I recently purchased a new laptop and have a copy of Vista Ultimate (from the
Server 2008 launch event).

Although my laptop isn't connected to a domain, I'm wondering if it's a good
idea to implement Bitlocker on a personal laptop for data protection and such.

Appreciate any thoughts/suggestions.

 

[Guest]

If your laptop has a TPM security chip (version 1.2 or later) do use
BitLocker. It will give you very good privacy protection for your data.
I use it, and wouldn't be without it. But then I always prefer paranoia
class security.

regards
the ancient mariner

 

[Big Dog]

Thanx - it doesn't have a TPM chip, but I do know about the workaround (use
a USB drive for the password).

Just partitioned the drive to the appropriate two volumes and am in the
process of reinstalling everything. Agree with you that preventive paranoia
is always good.

 

[VanguardLH]

Thanx - it doesn't have a TPM chip, but I do know about the workaround (use
a USB drive for the password).

Just partitioned the drive to the appropriate two volumes and am in the
process of reinstalling everything. Agree with you that preventive paranoia
is always good.

What happens when the USB thumb drive gets lost, damaged, or
catastrophically fails (which it will if you continue writing to it
which wears it out due to oxide stress which eventually surpasses the
recovery space and error algorithms to mask out the errors)?

 

[Chris]

You can back up the startup key to another USB drive via:

Control Panel -> Security -> Bitlocker -> Manage Bitlocker keys -> Duplicate
the startup key

Also - when you encrypt a drive, you get a printable recovery password.
This can be used in instead of the USB key.

Cheers!

 

[VanguardLH]

...

You can back up the startup key to another USB drive via:

Control Panel -> Security -> Bitlocker -> Manage Bitlocker keys -> Duplicate
the startup key

Also - when you encrypt a drive, you get a printable recovery password.
This can be used in instead of the USB key.

That was what I alluded to - that something ELSE should be use as a
backup to using just a USB thumb drive as an encryption dongle. I just
wanted to prod the "what if" scenario. Even with the printout, it won't
(and shouldn't) be in the bag with a laptop (and neither should the USB
dongle), and there might be no one at home you can call to get it. Even
if you create a backup USB thumb drive, it's likely you won't have it
with you when traveling (and when theft of the computer is highest).
You're screwed until you get back home.

Personally, and if TPM wasn't available, I'd be leery of relying on a
USB thumb drive to maintain my access to the hard disk versus, say,
instead using whole-disk encryption that only requires me to remember a
password.

If the OP goes the USB drive route, he should read:

http://support.microsoft.com/kb/923123/en-us
http://support.microsoft.com/kb/923124/en-us

 

[Flight]

That was what I alluded to - that something ELSE should be use as a
backup to using just a USB thumb drive as an encryption dongle. I just
wanted to prod the "what if" scenario. Even with the printout, it won't
(and shouldn't) be in the bag with a laptop (and neither should the USB
dongle), and there might be no one at home you can call to get it. Even
if you create a backup USB thumb drive, it's likely you won't have it
with you when traveling (and when theft of the computer is highest).
You're screwed until you get back home.

Personally, and if TPM wasn't available, I'd be leery of relying on a
USB thumb drive to maintain my access to the hard disk versus, say,
instead using whole-disk encryption that only requires me to remember a
password.

If the OP goes the USB drive route, he should read:

http://support.microsoft.com/kb/923123/en-us
http://support.microsoft.com/kb/923124/en-us

Ever seen Myth Busters? They showed how simple it is to copy a fingerprint
or to cheat it. Don't rely on it.

 

[Paul Montgomery]

Ever seen Myth Busters? They showed how simple it is to copy a fingerprint
or to cheat it. Don't rely on it.

Yep, you're definitely an idiot.

 

[Flight]

Yep, you're definitely an idiot.

And why, you moron? Or was this another hickup from a very sick old man?

 

[Steve Riley [MSFT]]

That's why our preferred recommendation is to use both a TPM and a PIN --
essentially storing part of the SRK (storage root key) in the TPM and part
of the SRK in your brain. If you don't have a TPM, then I'd suggest a PIN
rather than a USB drive, simply because it means that you don't have to
worry about keeping track of the drive. It's unlikely that you'd forget the
PIN since you'd have to enter it every time you booted on your PC;
nevertheless, remember that you can also create a recovery password. Store
the recovery password on a piece of paper (that is, print it out) and
protect this piece of paper. Ideal candidates for protecting it include
wallets and purses. And please don't label it "My BitLocker recovery
password"!

--
Steve Riley
(e-mail address removed)
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

 

[VanguardLH]

(and when theft of the computer is highest).

Geez, I need to focus on the post instead of the other article I was
reading.

Oops, should've been "and when the dongle might break"

 

[VanguardLH]

And please don't label it "My BitLocker recovery password"!

And tape it to your spare house key, and where they can use your
driver's license to find out where is your house. Of course, if you are
the gender or type that carries a purse, the wallet, key ring, and USB
thumb drive are all together to capture in one swoop.