Final's avatar
Final final@stacker.news 1 month ago
There is also a way bigger flaw beyond this, and that is this Device Encryption feature (and by extension BitLocker) has **no PIN or password**. The device will just decrypt itself by powering on as it only uses the PC's TPM. The only threat this kind of protects against is the hard disk being removed from the PC. It doesn't prevent someone exploiting the OS to extract data like you commonly see in mobile device forensic tools... This request for the recovery key is just to allow law enforcement to access the data while the hard disk is removed from the seized PC, because they insert hard disks into write blocked imaging kits to create a forensic clone of it's data to analyse with. Back before TPMs were widely embedded into CPU firmware it wasn't common to see them get sniffed to get the keys. Anyone could do it too:
Pulse Security
Extracting BitLocker keys from a TPM
Extracting BitLocker keys sealed with a TPM by sniffing the LPC bus
 BitLocker has a TPM+PIN, TPM+Key and TPM+PIN+Key pre-boot authentication setting but you need to tinker on Group Policy to do that. You'd also need to enable other policies to make the PIN an alphanumeric password...
↑ Parent

Replies (3)

Final's avatar
Final final@stacker.news 1 month ago
TLDR: Use a secure passphrase if you want the device protected against any resourceful actor When most distros provide encryption with LUKS they at least ask you to set up a credential. Almost all distros just ask for a password. They don't seamlessly allow setting up in other ways in a UI like BitLocker does or in the installer. You often need to read up on docs and such which can be tiresome. LUKS full disk encryption in how most users would know it would only be safe if they used a long, secure passphrase that would be impossible to brute force. A short 6 digit numeric PIN works for some phones because a secure element throttles unlock attempts but would be brute forced very quickly on LUKS, VeraCrypt and so on because they aren't using a TPM for throttling. Secureblue (hardened Linux distro we like) supports LUKS with TPM and also FIDO2.
1 replies ↓
Bill Cypher's avatar
Bill Cypher bill@nostrplebs.com 1 month ago
I hear great things about secureblue but I still can't overcome my grudge over RPMhell back in the day. My LUKS pw is NOT 6 characters and for bonus points I have no idea what it is thanks to my onlykey. FIDO2 LUKS sounds even better for sure.