Windows supports encryption of the boot drive with two separate features, BitLocker and Device Encryption.<\/p>\n\n\n\n
This feature is available on Windows 10 and 11 Home SKUs (or above) on supported hardware and is enabled by default. It uses the TPM as the key protector. The same underlying infrastructure as BitLocker Drive Encryption is used – but is restricted in this deployment scenario.<\/p>\n\n\n\n
Device Encryption requires mandatory key escrow to a Microsoft account (personal or Azure Active Directory) to be armed.<\/p>\n\n\n\n
This feature requires a Professional SKU (or above). It uses the TPM as a key protector by default. <\/p>\n\n\n\n
This can however be changed via For the Trusted Platform Module to provide the drive encryption key to the host, the Platform Configuration registers have to match. This is a measured<\/em> boot mechanism. The TPM releases the key only if measurements match.<\/p>\n\n\n\n In the case of a system with Secure Boot, a limited set of PCRs (7, 11) is used notably to limit the risk of entering BitLocker Recovery, in which case the user would need to type the recovery key.<\/p>\n\n\n\n Yes, when the defaults are used with BitLocker (TPM key protector), the TPM has the whole drive encryption key. No user action is required on boot up to decrypt the drive’s contents.<\/p>\n\n\n\n This creates a substantial attack class not present on other drive encryption systems, which do not exclusively rely on measured boot. <\/p>\n\n\n\n This can allow to recover user data despite consumers thinking that their data is secure with another party having physical access (example: stolen device) with drive encryption.<\/p>\n\n\n\n Yes, CVE-2022-29127<\/a> is just one of those issues. A vulnerable boot loader allows to extract user data despite drive encryption\/BitLocker being on, without any component of user credentials being required.<\/p>\n\n\n\n BitLocker Security Feature Bypass Vulnerability<\/p> A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to a powered off system could exploit this vulnerability to gain access to encrypted data.<\/p>Microsoft Security Response Center<\/cite><\/blockquote>\n\n\n\n I don’t think that users expect drive encryption to potentially not protect them at all against a device being stolen, so no. <\/p>\n\n\n\n This is unlike other solutions in the industry, such as Apple’s FileVault<\/em>, which does ask for user credentials before being able<\/em> to decrypt the data volume.<\/p>\n\n\n\n edit: more info on Device Encryption.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":" Windows supports encryption of the boot drive with two separate features, BitLocker and Device Encryption. The two features Device Encryption This feature is available on Windows 10 and 11 Home SKUs (or above) on supported hardware and is enabled by default. It uses the TPM as the key protector. The same underlying infrastructure as BitLocker… Read More »Boot drive encryption security on Windows<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[1],"tags":[],"class_list":["post-443","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/threedots.ovh\/blog\/wp-json\/wp\/v2\/posts\/443","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/threedots.ovh\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/threedots.ovh\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/threedots.ovh\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/threedots.ovh\/blog\/wp-json\/wp\/v2\/comments?post=443"}],"version-history":[{"count":2,"href":"https:\/\/threedots.ovh\/blog\/wp-json\/wp\/v2\/posts\/443\/revisions"}],"predecessor-version":[{"id":446,"href":"https:\/\/threedots.ovh\/blog\/wp-json\/wp\/v2\/posts\/443\/revisions\/446"}],"wp:attachment":[{"href":"https:\/\/threedots.ovh\/blog\/wp-json\/wp\/v2\/media?parent=443"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/threedots.ovh\/blog\/wp-json\/wp\/v2\/categories?post=443"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/threedots.ovh\/blog\/wp-json\/wp\/v2\/tags?post=443"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}gpedit.msc<\/code> to provide a higher security level. For example, that mechanism can be used to impose a boot-up PIN. As such a configuration is not<\/em> the default, an out-of-the-box configuration only<\/em> relies on measured boot.<\/p>\n\n\n\nTPM key protector?<\/h2>\n\n\n\n
Which PCRs are used?<\/h3>\n\n\n\n
Wait, the TPM has the whole drive encryption key?<\/h3>\n\n\n\n
Does that mean that a vulnerable boot chain can be used to gain access to user data?<\/h3>\n\n\n\n
Are these the guarantees that users expect?<\/h2>\n\n\n\n