Bitlocker on a New Laptop

[Big Dog]

I recently purchased a new laptop and have a copy of Vista Ultimate (from the
Server 2008 launch event).

Although my laptop isn't connected to a domain, I'm wondering if it's a good
idea to implement Bitlocker on a personal laptop for data protection and such.

Appreciate any thoughts/suggestions.

 

[Guest]

Re: Bitlocker on a New Laptop

If your laptop has a TPM security chip (version 1.2 or later) do use
BitLocker. It will give you very good privacy protection for your data.
I use it, and wouldn't be without it. But then I always prefer paranoia
class security.

regards
the ancient mariner

"Big Dog" <BigDog@discussions.microsoft.com> skrev i meddelelsen
news:EA4E2E33-93BD-47C9-8A37-D6F5448F5EF1@microsoft.com...
>I recently purchased a new laptop and have a copy of Vista Ultimate (from
>the
> Server 2008 launch event).
>
> Although my laptop isn't connected to a domain, I'm wondering if it's a
> good
> idea to implement Bitlocker on a personal laptop for data protection and
> such.
>
> Appreciate any thoughts/suggestions.

 

[Big Dog]

Re: Bitlocker on a New Laptop

Thanx - it doesn't have a TPM chip, but I do know about the workaround (use
a USB drive for the password).

Just partitioned the drive to the appropriate two volumes and am in the
process of reinstalling everything. Agree with you that preventive paranoia
is always good.

 

[VanguardLH]

Re: Bitlocker on a New Laptop

Big Dog wrote:

> Thanx - it doesn't have a TPM chip, but I do know about the workaround (use
> a USB drive for the password).
>
> Just partitioned the drive to the appropriate two volumes and am in the
> process of reinstalling everything. Agree with you that preventive paranoia
> is always good.

What happens when the USB thumb drive gets lost, damaged, or
catastrophically fails (which it will if you continue writing to it
which wears it out due to oxide stress which eventually surpasses the
recovery space and error algorithms to mask out the errors)?

 

[Chris]

Re: Bitlocker on a New Laptop

You can back up the startup key to another USB drive via:

Control Panel -> Security -> Bitlocker -> Manage Bitlocker keys -> Duplicate
the startup key

Also - when you encrypt a drive, you get a printable recovery password.
This can be used in instead of the USB key.

Cheers!


"VanguardLH" <V@nguard.LH> wrote in message
news:%23Jd%23vJZBJHA.4368@TK2MSFTNGP06.phx.gbl...
> Big Dog wrote:
>
>> Thanx - it doesn't have a TPM chip, but I do know about the workaround
>> (use
>> a USB drive for the password).
>>
>> Just partitioned the drive to the appropriate two volumes and am in the
>> process of reinstalling everything. Agree with you that preventive
>> paranoia
>> is always good.
>
> What happens when the USB thumb drive gets lost, damaged, or
> catastrophically fails (which it will if you continue writing to it
> which wears it out due to oxide stress which eventually surpasses the
> recovery space and error algorithms to mask out the errors)?

 

[VanguardLH]

Re: Bitlocker on a New Laptop

Chris wrote:

> "VanguardLH" wrote ...
>>
>> Big Dog wrote:
>>
>>> Thanx - it doesn't have a TPM chip, but I do know about the
>>> workaround (use a USB drive for the password).
>>>
>>> Just partitioned the drive to the appropriate two volumes and am in
>>> the process of reinstalling everything. Agree with you that
>>> preventive paranoia is always good.
>>
>> What happens when the USB thumb drive gets lost, damaged, or
>> catastrophically fails (which it will if you continue writing to it
>> which wears it out due to oxide stress which eventually surpasses
>> the recovery space and error algorithms to mask out the errors)?
>
> You can back up the startup key to another USB drive via:
>
> Control Panel -> Security -> Bitlocker -> Manage Bitlocker keys -> Duplicate
> the startup key
>
> Also - when you encrypt a drive, you get a printable recovery password.
> This can be used in instead of the USB key.

That was what I alluded to - that something ELSE should be use as a
backup to using just a USB thumb drive as an encryption dongle. I just
wanted to prod the "what if" scenario. Even with the printout, it won't
(and shouldn't) be in the bag with a laptop (and neither should the USB
dongle), and there might be no one at home you can call to get it. Even
if you create a backup USB thumb drive, it's likely you won't have it
with you when traveling (and when theft of the computer is highest).
You're screwed until you get back home.

Personally, and if TPM wasn't available, I'd be leery of relying on a
USB thumb drive to maintain my access to the hard disk versus, say,
instead using whole-disk encryption that only requires me to remember a
password.

If the OP goes the USB drive route, he should read:

http://support.microsoft.com/kb/923123/en-us
http://support.microsoft.com/kb/923124/en-us

 

[Flight]

Re: Bitlocker on a New Laptop



"VanguardLH" <V@nguard.LH> schreef in bericht
news:ub3dAXaBJHA.4108@TK2MSFTNGP05.phx.gbl...
> Chris wrote:
>
>> "VanguardLH" wrote ...
>>>
>>> Big Dog wrote:
>>>
>>>> Thanx - it doesn't have a TPM chip, but I do know about the
>>>> workaround (use a USB drive for the password).
>>>>
>>>> Just partitioned the drive to the appropriate two volumes and am in
>>>> the process of reinstalling everything. Agree with you that
>>>> preventive paranoia is always good.
>>>
>>> What happens when the USB thumb drive gets lost, damaged, or
>>> catastrophically fails (which it will if you continue writing to it
>>> which wears it out due to oxide stress which eventually surpasses
>>> the recovery space and error algorithms to mask out the errors)?
>>
>> You can back up the startup key to another USB drive via:
>>
>> Control Panel -> Security -> Bitlocker -> Manage Bitlocker keys ->
>> Duplicate
>> the startup key
>>
>> Also - when you encrypt a drive, you get a printable recovery password.
>> This can be used in instead of the USB key.
>
> That was what I alluded to - that something ELSE should be use as a
> backup to using just a USB thumb drive as an encryption dongle. I just
> wanted to prod the "what if" scenario. Even with the printout, it won't
> (and shouldn't) be in the bag with a laptop (and neither should the USB
> dongle), and there might be no one at home you can call to get it. Even
> if you create a backup USB thumb drive, it's likely you won't have it
> with you when traveling (and when theft of the computer is highest).
> You're screwed until you get back home.
>
> Personally, and if TPM wasn't available, I'd be leery of relying on a
> USB thumb drive to maintain my access to the hard disk versus, say,
> instead using whole-disk encryption that only requires me to remember a
> password.
>
> If the OP goes the USB drive route, he should read:
>
> http://support.microsoft.com/kb/923123/en-us
> http://support.microsoft.com/kb/923124/en-us

Ever seen Myth Busters? They showed how simple it is to copy a fingerprint
or to cheat it. Don't rely on it.

 

[Paul Montgomery]

Re: Bitlocker on a New Laptop

On Sun, 24 Aug 2008 13:23:47 +0200, "Flight"
<jPUNTvoorbeeld@gmailPUNTcom> wrote:

>Ever seen Myth Busters? They showed how simple it is to copy a fingerprint
>or to cheat it. Don't rely on it.

Yep, you're definitely an idiot.

 

[Flight]

Re: Bitlocker on a New Laptop



"Paul Montgomery" <i.m.nonnymous@NOSPAMgmail.com> schreef in bericht
news:4oh2b4pf8i4fptvmp60uotkh3ueu7svj6g@4ax.com...
> On Sun, 24 Aug 2008 13:23:47 +0200, "Flight"
> <jPUNTvoorbeeld@gmailPUNTcom> wrote:
>
>>Ever seen Myth Busters? They showed how simple it is to copy a fingerprint
>>or to cheat it. Don't rely on it.
>
> Yep, you're definitely an idiot.

And why, you moron? Or was this another hickup from a very sick old man?

 

[Steve Riley [MSFT]]

Re: Bitlocker on a New Laptop

That's why our preferred recommendation is to use both a TPM and a PIN --
essentially storing part of the SRK (storage root key) in the TPM and part
of the SRK in your brain. If you don't have a TPM, then I'd suggest a PIN
rather than a USB drive, simply because it means that you don't have to
worry about keeping track of the drive. It's unlikely that you'd forget the
PIN since you'd have to enter it every time you booted on your PC;
nevertheless, remember that you can also create a recovery password. Store
the recovery password on a piece of paper (that is, print it out) and
protect this piece of paper. Ideal candidates for protecting it include
wallets and purses. And please don't label it "My BitLocker recovery
password"!

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"VanguardLH" <V@nguard.LH> wrote in message
news:#Jd#vJZBJHA.4368@TK2MSFTNGP06.phx.gbl...
> Big Dog wrote:
>
>> Thanx - it doesn't have a TPM chip, but I do know about the workaround
>> (use
>> a USB drive for the password).
>>
>> Just partitioned the drive to the appropriate two volumes and am in the
>> process of reinstalling everything. Agree with you that preventive
>> paranoia
>> is always good.
>
> What happens when the USB thumb drive gets lost, damaged, or
> catastrophically fails (which it will if you continue writing to it
> which wears it out due to oxide stress which eventually surpasses the
> recovery space and error algorithms to mask out the errors)?

 

[VanguardLH]

Re: Bitlocker on a New Laptop

VanguardLH wrote:

> (and when theft of the computer is highest).

Geez, I need to focus on the post instead of the other article I was
reading.

Oops, should've been "and when the dongle might break"

 

[VanguardLH]

Re: Bitlocker on a New Laptop

Steve Riley [MSFT] wrote:

> And please don't label it "My BitLocker recovery password"!

And tape it to your spare house key, and where they can use your
driver's license to find out where is your house. Of course, if you are
the gender or type that carries a purse, the wallet, key ring, and USB
thumb drive are all together to capture in one swoop.