it is pretty much applicable to all devices using the default BitLocker “Device Encryption” setup, as this configuration relies solely on Secure Boot to automatically unseal the disk during boot.
That is, only the default “transparent” bitlocker mode. If you have any other additional protection (pin, password) set it doesn’t affect you.
The TPM takes “measurements” of the system and releases the decryption key only if they’re all correct. Files on the disk are encrypted, so booting into another OS with a bootable media doesn’t work (measurement picks up the fact that you booted into another OS). When the system does boot properly, the Windows lock screen prevents you from viewing the files.
We’re currently evaluating and rolling out encryption at work, so being informed about the limits of these setups is quite good - even if it’s not actually my task to work on those.
threaded - newest
It is (was?) actually worse
neodyme.io/…/bitlocker_screwed_without_a_screwdri…
That is, only the default “transparent” bitlocker mode. If you have any other additional protection (pin, password) set it doesn’t affect you.
Why would anyone use the “transparent” mode? Seems rather pointless.
People who prefer that much convenience vs security.
The TPM takes “measurements” of the system and releases the decryption key only if they’re all correct. Files on the disk are encrypted, so booting into another OS with a bootable media doesn’t work (measurement picks up the fact that you booted into another OS). When the system does boot properly, the Windows lock screen prevents you from viewing the files.
Thank you for sharing. Very interesting.
We’re currently evaluating and rolling out encryption at work, so being informed about the limits of these setups is quite good - even if it’s not actually my task to work on those.