Can a SD card be used in place of TPM for BitLocker on qualifying OS's?


5 replies to this topic

#1 cat1092


Posted 30 October 2014 - 12:20 AM

I'm asking this question because one of my computers (Dell Optiplex 740) has a TPM, but my main desktop doesn't, and it would be costly to find/install a motherboard that does. Plus, re-activation of my fully licensed MS software would be needed, and the OEM install wouldn't qualify.

 

What I want to do is find an inexpensive alternative to secure my computer, and from what I'm reading, it looks like an SD card may be the answer, but I need to be certain.

 

If this is possible, do I have to do it the same way every time? For example, I have both a native SD card reader on my Dell XPS 8700, which I've never used, and also have a Transcend USB 3.0 card reader, which is what I use for all SD/SDHC tasks. 

 

Also, can I use the same SD card on multiple computers, and will each find the right code, as a 1 or 2GB SD card can hold many codes? Or do I need a separate one for each?

 

In the past, I have tried BitLocker with the password option, and after a couple of times it wouldn't open the Flash drive that was used to test the technology; nor would the printed code, a very long string (almost like that used to phone-activate Windows), nor would the one saved to what was SkyDrive at the time. Fortunately, I had a backup of the Flash drive, and formatted it and re-installed the data it contained. From what I've read, it looks like I skipped a step along the line, as with three options, it should have opened on the same computer it was encrypted on.

 

These are the instructions that I've found. In addition to what I've asked above about using an SD card, is this the proper way to set up BitLocker w/out a TPM? I didn't do all of this with the Flash drive, just the quick BitLocker setup.

 

http://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/

 

I've relied on this site for several years & haven't had issues, but this is a much larger undertaking, the encryption of three SSDs, plus my installed Data drive & three external backup ones, and I don't want to be locked out of my computer. I am on Linux Mint 17 at the moment, however my updated Speccy specs are in my sig. All is included except my backup drives, a 1TB WD Caviar Black & two 1TB Samsung HD103SJ drives.

 

The BitLocker function will be controlled by Windows 7 Ultimate, though there are two other Windows OSs on the PC, Windows 7 Pro & the OEM-supplied Windows 8, and I will be reinstalling Linux Mint 17 on it as soon as I can find the proper place for it. I may merge the Windows 7 Ultimate install beside Windows 8, which is on the Crucial M550, and use the Intel 330 for Mint 17.

 

I just need a good idea of where to start, as I know that a password can be created in the UEFI to lock down the PC, but this doesn't encrypt drives and would only serve to keep a casual thief out; this function is easily reset. Encryption is what I want, not a password that can be reset in less than 5 minutes. My health is poor and getting worse & I don't want anyone accessing my computers or backup drives for any reason. What's on them belongs to me & me only. I'm getting my ducks in a row, so to speak.

 

On both of my notebooks, there is an SSD encryption function available (Samsung 840 EVO), but this has to be set up their way & Windows has to be clean installed afterwards, as I understand it. The restoration of a backup after SSD preparation won't do (I have no idea why); however, these will be done last, but I would like to be able to use the same SD card if possible. Windows 8.1 Pro is one OS installed on each of those.

 

All input & advice is highly appreciated.  :)

 

Cat


Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 



#2 Didier Stevens


Posted 01 November 2014 - 04:09 AM

I don't know if you can use the same SD card. Maybe you can test this with 2 virtual machines that you encrypt with BL.

But in any case, make a full disk backup of your machine before you encrypt it.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 Didier Stevens


Posted 01 November 2014 - 01:42 PM

FYI: I'm trying this out on VMware Workstation with Windows 7 Ultimate.

It didn't work with a USB stick, maybe because the USB stick isn't connected when Windows needs it.

So I tried with a virtual floppy disk. This works.

 

After encryption, the floppy disk contains a hidden, read-only system file with .BEK extension.

It's only 156 bytes.

 

So I assume this same floppy will also work for a second machine. I'll keep you posted.




#4 Didier Stevens


Posted 01 November 2014 - 03:15 PM

Update: I encrypted 2 VMs with BitLocker; the key files (.BEK) were stored on the same floppy.


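The OP asked whether the howtogeek steps are the proper way to set up BitLocker without a TPM, and Didier's tests above show the startup key ends up on the removable media as a small hidden .BEK file, one per protector. The following PowerShell is an added example, not from either poster: it applies the "allow BitLocker without a compatible TPM" policy, turns on BitLocker with a startup key plus a recovery password, and then lists the .BEK files on the card. The OS volume C: and the key drive E: are assumptions.

```powershell
# Added example (not from the thread). Assumes an elevated prompt on
# Windows 7 Ultimate/Enterprise or later, the OS volume at C: and the
# SD card / USB stick / floppy that will hold the startup key at E:.
$OsVolume = 'C:'
$KeyDrive = 'E:\'

# 1. Policy: "Require additional authentication at startup" with
#    "Allow BitLocker without a compatible TPM" ticked. These are the two
#    registry values the Group Policy editor writes for that setting;
#    without them manage-bde refuses a startup key on a TPM-less machine.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord

# 2. Turn on BitLocker with a startup key written to the removable drive
#    AND a 48-digit recovery password. Store the recovery password
#    somewhere other than the key drive: if the card is lost or dies, it
#    is the only way back in. BitLocker runs a hardware test and asks for
#    a restart; the card must be inserted every time the machine boots.
manage-bde -on $OsVolume -StartupKey $KeyDrive -RecoveryPassword

# 3. Inventory the card. Each .BEK file is named after the ID of the
#    external key protector it belongs to, which is why one card can
#    hold startup keys for several machines without conflict. The files
#    are hidden+system+read-only, so -Force is needed to see them.
$protectors = (manage-bde -protectors -get $OsVolume) -join "`n"
Get-ChildItem -Path $KeyDrive -Filter *.BEK -Force | ForEach-Object {
    $belongsHere = $protectors -match [regex]::Escape($_.BaseName)
    '{0}  {1} bytes  attrs={2}  protector-of-{3}: {4}' -f `
        $_.Name, $_.Length, $_.Attributes, $OsVolume, $belongsHere
}
```

Run step 3 on its own on each machine that shares the card to confirm every .BEK maps to exactly one volume before relying on it.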


#5 cat1092


Posted 02 November 2014 - 10:12 PM

Thanks a lot for your testing of this Didier, very highly appreciated! :thumbup2:

 

Yes, I learned long ago, before encrypting anything, to make a backup. It was odd that in my OP I mentioned encrypting a Flash drive with BitLocker, and for 2-3 times it worked fine. One day, it just decided not to anymore, and neither set of generated keys, nor the password, would open it, and I did try this over a 3 day period.

 

I wouldn't even trust the self-encrypting SSDs that I have to do the job w/out a backup, though these involve more work, a reinstall of the OS, and fortunately the one drive that I had encrypted was backed up.

 

Evidently, those steps in the article are needed for non-TPM equipped computers. It's kind of misleading that when you right-click on a drive, 'Turn on BitLocker' is the 2nd option. I won't do it again w/out preparation. Considering that SSD OEMs are pushing encryption fairly hard now, due to consumer demand, you'd think the computer OEMs would in turn respond by bringing back TPMs as standard equipment. My first three had one, and these were 2003, 05 & 06 models. This is 2014 & encryption of personal data is a selling point for not just SSDs, but also backup & Flash drives.

 

I feel that due to the competition (Google & Apple) including this feature, the pressure will be ramped up on Windows OEMs to follow suit. Whether they do or not is another issue altogether. Of course, the next time I purchase a new device, I can demand & pay for a built-in TPM, or if buying refurbished, check & see if it's included. A $29 PC that I recently purchased has one, and that's what renewed my interest.

 

I'll perform my first test this week; I have a larger SDHC card coming in for something else, so this will free up the 1GB SD card on hand.

 

Thanks again! :)

 

Cat




#6 Didier Stevens


Posted 03 November 2014 - 12:00 AM

You're welcome.





