Is USB based bitlocker as safe as tpm based?

Solution 1

The USB stick would still need to be used in conjunction with the BitLocker password to decrypt the drive; all the TPM module does is store it on the module, so you have no need to carry an easily lost USB stick.

If you don't tell them your BitLocker password, you are just as protected.

Solution 2

The security model is different. (This answer is a work in progress.)

Startup key on USB flash drive

Pros:

  • No need for a TPM.
  • 2FA: the user needs both the startup key (stored on a USB flash drive by default) and the PC in order to decrypt the system disk.

Cons:

  • You might accidentally overwrite or format your USB flash drive, requiring you to manually enter the recovery key in order to be able to boot Windows. This risk can be mitigated by using a USB flash drive with hardware write-protection.
  • If your USB flash drive is lost or stolen, then an attacker who comes into possession of it can read (and copy) the startup key from it. This particular attack can be mitigated by using a hardware-encrypted USB flash drive (e.g. this; there are other brands available).
  • If your PC is sufficiently compromised, then an attacker could potentially read the startup key from your USB flash drive while it is inserted into the PC during the boot process. This will be true even for hardware-encrypted USB flash drives, as they must be unlocked in order for the PC to boot. However, if your PC were compromised to this extent, then whoever compromised it would probably already be in a position to read everything that BitLocker is protecting, i.e. the startup key would probably be superfluous for them.

TPM

Pros:

  • No need to purchase a USB flash drive.
  • No risk of that USB flash drive being lost or stolen.
  • Unlike USB flash drives, TPMs are intended to prevent the private data that they store from being read. Instead, they use challenge-response mechanisms. As such, an attacker without advanced skills or equipment will not be able to retrieve the private key from a TPM.

Cons:

  • Attackers with advanced skills or equipment, and with electronic or physical access to the PC, may be able to retrieve the private key from a TPM, e.g. by:

  • Attackers with sufficiently advanced skills may be able to fool the TPM into performing the challenge-response successfully even if Windows has been modified by an attacker. (This is more of an attack against "secure boot" than against BitLocker per se.) However, if your PC were compromised to this extent, then whoever compromised it might already be in a position to read everything that BitLocker is protecting.

  • If you move the BitLocker-protected drive to another PC, you will need to manually enter the recovery key.
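The two protector types the answer above compares can be set up and inspected from PowerShell. The following is an added example, not code from either answer or from Microsoft; it assumes the OS volume is C:, the USB stick is mounted as E:, and recovery passwords are backed up to D:\BitLockerRecovery (all hypothetical). It also shows the point the comment thread argues about: a startup-key protector on its own involves no password at all (the Microsoft text quoted in the comments says the same), whereas a PIN is only asked for with a TPM+PIN protector.

```powershell
# Added example (not from the original answers): configure and inspect BitLocker
# key protectors for the OS volume on a PC without a TPM (USB startup key) and on
# one with a TPM (TPM+PIN). Run from an elevated PowerShell prompt on Windows 10/11.
# Assumptions (hypothetical): OS volume C:, USB stick E:, backup folder D:\BitLockerRecovery.

# 1. Is there a usable TPM? Get-Tpm comes from the TrustedPlatformModule module.
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent)  TPM ready: $($tpm.TpmReady)"

if (-not $tpm.TpmPresent) {
    # 2a. Without a TPM, BitLocker refuses to protect the OS drive unless the policy
    #     "Require additional authentication at startup" allows BitLocker without a
    #     compatible TPM. These are the values that policy writes under
    #     HKLM\SOFTWARE\Policies\Microsoft\FVE (setting them via gpedit.msc is equivalent).
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Type DWord -Value 1
    Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Type DWord -Value 1

    # 3a. Enable BitLocker with a startup key written to the USB stick.
    #     No password or PIN is involved: the .BEK file on E: alone unlocks the
    #     volume at boot, which is why the stick must not fall into an attacker's hands.
    Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 `
        -StartupKeyProtector -StartupKeyPath 'E:\' -UsedSpaceOnly -SkipHardwareTest
}
else {
    # 2b/3b. With a TPM, seal the key to the measured boot state and require a PIN
    #        on top (TPM+PIN), so possession of the PC alone is not enough to boot.
    $pin = Read-Host -AsSecureString 'Choose a BitLocker PIN'
    Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 `
        -TpmAndPinProtector -Pin $pin -UsedSpaceOnly -SkipHardwareTest
}

# 4. Always add a recovery password as well (needed after losing the USB stick, a
#    TPM/firmware change, or moving the disk to another PC) and back it up off the machine.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword' |
      Select-Object -First 1
New-Item -ItemType Directory -Path 'D:\BitLockerRecovery' -Force | Out-Null
$rp.RecoveryPassword | Set-Content -Path "D:\BitLockerRecovery\$($rp.KeyProtectorId).txt"

# 5. Verify which protectors the volume actually carries. Expect ExternalKey (the
#    USB startup key) or TpmPin, plus RecoveryPassword. A volume showing only
#    ExternalKey has no password-based protection at all.
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId

# 6. The startup key is stored on the stick as a hidden system .BEK file; this file
#    is exactly what someone who takes the stick obtains (-Force lists hidden files).
Get-ChildItem -Path 'E:\' -Filter '*.BEK' -Force | Select-Object Name, Length
```

Step 5 is the check worth running on any existing volume: `manage-bde -protectors -get C:` prints the same list. If the only protector is `External Key`, the answer to the question in the comments is that whoever holds the stick and the PC can boot into Windows with no password; the Windows logon password only gates the session, not the disk.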

Author: user4951

Updated on September 18, 2022

Comments

  • user4951
    user4951 almost 2 years

    My computer doesn't have TPM

    There is an option to turn on bitlocker if only I used USB to store the private key

    How would security be affected on that scenario?

    will it be as safe as TPM?

    If my house got raided by the FBI or syariah cops, for example, and they found the USB but don't know my Windows password, will my data be okay?

    If I rarely shut down my computer and only put it to sleep, can I just hide the USB somewhere?

    Also, how do I explain this:

    On computers without a compatible TPM, BitLocker can provide encryption, but not the added security of locking keys with the TPM. In this case, the user is required to create a startup key that is stored on a USB flash drive.

    http://windows.microsoft.com/en-id/windows-vista/bitlocker-drive-encryption-overview

  • user4951
    user4951 almost 10 years
    But then the FBI can get my private key from the USB?
  • user4951
    user4951 almost 10 years
    Can anyone confirm this?
  • CharlesH
    CharlesH almost 10 years
    Yes, they can get your private key, so in one sense it's not as secure as TPM, but in another sense, without the password, it's just as secure...
  • user4951
    user4951 almost 10 years
    And once they've got my private key, the FBI can decrypt the drive with it, right?
  • user4951
    user4951 almost 10 years
    Even though the FBI doesn't know the password?
  • Fegnoid
    Fegnoid almost 10 years
    No, as the password needs to be used in conjunction with the private key to decrypt the drive.
  • user4951
    user4951 almost 10 years
    Can anyone verify this? Do you have a source?
  • user4951
    user4951 almost 10 years
    Can anyone verify this? I just BitLocked my operating system. However, nowhere is it stated that I need a password. The key is on the USB and there is no password.
  • user4951
    user4951 almost 10 years
    There is no password involved if you BitLock your operating system partition!!!!!
  • Fegnoid
    Fegnoid almost 10 years
    Hmm, it asked me for a password, but I have a TPM module on my laptop, and when I did it on my desktop (just now), which doesn't have one, it also asked for a password.