[AccessD] Bitlocker

jwcolby jwcolby at colbyconsulting.com
Thu Apr 10 12:28:02 CDT 2008


AFAICT Bitlocker is NOT user dependent.  It actually kicks in AFTER 
login, i.e. the system boots off of an unencrypted partition.

I am encrypting the entire drive because:

1) I can
2) There is no reason to encrypt only part of it
3) Everything, from browsing habits to turbotax files to browser page 
passwords is encrypted.
4) This is my dev machine.  As such I often carry client information on 
it including sensitive personal information.  I do not want to be the 
subject of the next "data loss" headline.  I have never had a machine 
stolen, but we all know Murphy.

Basically I just feel a responsibility to take what steps I can to 
prevent problems should any of my machines ever be stolen.

My understanding is that 2008 has Bitlocker built in as well.  My 
servers do not have the TPM module stuff, however it is still possible 
to run Bitlocker without that.  I am seriously considering using it on 
my servers as well.  The servers act as backups for my laptops, and also 
contain some of the client files as well.

One thing to note, as soon as you copy anything off the system it is no 
longer encrypted.  This has implications for backups in particular.

And finally, read the following, scan down to "Vista DVD considered to 
be a security threat".  Basically it appears that anyone can use a DVD 
install disk to get at files on the computer without a logon.  I can't 
really say whether this is a continuing exploit or not (may have been 
fixed?).

http://www.theexperienceblog.com/category/bitlocker/

BTW, the latest version of Truecrypt will allow full volume encryption 
of the "boot drive" as well, so while Bitlocker is only available on the 
high end versions, there are still options for other versions of Windows.

JWColby

Jim DeMarco wrote:
> Hello everyone.  I've been lurking for a bit but I'm still around.
> 
> John,
> 
> You're encrypting the entire drive?  I think you can also use bitlocker
> to create a safe area (encrypted folders) for client and personal info
> you don't want to "share".  Isn't bitlocker log on dependent?  Would
> anyone else ever need to be on your machine logged in?  I don't think
> they'd be able to open files if so.
> 
> Jim DeMarco 
> 
> -----Original Message-----
> From: accessd-bounces at databaseadvisors.com
> [mailto:accessd-bounces at databaseadvisors.com] On Behalf Of jwcolby
> Sent: Thursday, April 10, 2008 7:55 AM
> To: Access Developers discussion and problem solving
> Subject: Re: [AccessD] Bitlocker
> 
> My understanding is that the overhead is extremely low, so there is
> little to no cost.  The benefit is that if the machine is stolen there
> is no data loss.
> 
> jwc
> 
> Michael R Mattys wrote:
>> John,
>>
>> Why are you encrypting your entire drive?
>> Or any of it, for that matter?
>> The benefit must outweigh the cost ...
>>
>> Michael R. Mattys
>> MapPoint & Access Dev
>> www.mattysconsulting.com
>>
>> ----- Original Message -----
>> From: "jwcolby" <jwcolby at colbyconsulting.com>
>> To: "Access Developers discussion and problem solving" 
>> <accessd at databaseadvisors.com>; "Tech" <Dba-Tech at databaseadvisors.com>
>> Sent: Thursday, April 10, 2008 12:52 AM
>> Subject: [AccessD] Bitlocker
>>
>>
>>> I am setting up bitlocker to encrypt my entire hard drive using Vista.
>>> Rather an experience as I didn't set it up from the get-go but it is 
>>> progressing once I managed to get the little boot partition set up.  
>>> My Dell M90 has the TPM hardware and stuff which is cool.
>>>
>>> One thing I thought you might be interested in is my solution for 
>>> storing the "catastrophe" keys required in case the configuration 
>>> changes enough to trigger a refusal to boot.  Everywhere I turned I 
>>> saw comments about the problem of safely storing the key so that it 
>>> was available if needed but couldn't be found.
>>>
>>> My solution... a 1 mbyte Truecrypt volume that stores the keys inside.
>>> Not a perfect solution in that it requires mounting the usb thumb 
>>> drive somewhere, running Truecrypt to get the key files out and 
>>> placed on the thumbdrive unencrypted.  However the keys are encrypted
>>> and the little 1 mbyte bitlocker key volume can be stored right on 
>>> the bitlocker boot partition along with Truecrypt itself, as well as 
>>> on a couple of my USB thumb drives.
>>>
>>> I have a 22 character password with alpha, numbers and special 
>>> characters protecting the Truecrypt volume.
>>>
>>> At least if my laptop is stolen I can sleep at night without worrying
>>> about client data.
>>>
>>> So Vista is chugging away encrypting my hard drive.  Off to bed.
>>> --
>>> AccessD mailing list
>>> AccessD at databaseadvisors.com
>>> http://databaseadvisors.com/mailman/listinfo/accessd
>>> Website: http://www.databaseadvisors.com
>>>