Enterprise Software Thread, Bitlocker without a TPM - SD card? in Technical
  1. #1
    jamin100

    Bitlocker without a TPM - SD card?

    We're going down the route of encryption and looking to use Bitlocker.

    Most of our laptops don't have a TPM chip so I will need to use a USB startup key.

    Rather than a USB key I'm thinking about using an SD card as all the laptops have SD card readers built-in. This would mean that the staff could leave the SD card in the laptop without needing to remove and eventually lose the USB drive.

    So from what I understand, doing it this way is the same as using the TPM on board. If the laptop is stolen the SD key is taken with it as it is in the laptop already. But this would be the same with a laptop that had an onboard TPM.

    Can anyone see any problems with this?

    From what I have read the data is still encrypted and a thief would need to know the Windows credentials to get access to the machine. If they tried to boot from a Linux CD or reset the Windows password then they wouldn't be able to, as the data would still be encrypted.

  2. #2
    I can see the logic. If they were to remove the HDD and mount it in another machine it would be encrypted. But if they have the key also, would they not be able to decrypt the HDD within another Windows install? I doubt the TPM chip can be simply read as the SD card would be.

    We went for USB sticks, they can remove them as soon as it starts to boot so not had any damaged as of yet.
    Last edited by burgemaster; 5th March 2014 at 09:01 PM.

  3. #3
    Quote Originally Posted by jamin100 View Post
    eventually lose the USB drive.
    If the flash drives were tiny (like the two below), staff could put them on their keyrings?


  4. #4
    free780
    But if someone steals the laptop the SD card will be left in. It makes encryption a bit pointless.

  5. #5
    jamin100
    Isn't that the same as stealing the laptop with the TPM attached?

  6. #6
    Quote Originally Posted by jamin100 View Post
    Isn't that the same as stealing the laptop with the TPM attached?
    The TPM is significantly more secure than an SD card or USB flash drive. Unless the thief works for the NSA/GCHQ, I don't think you would have to worry about the decryption keys being extracted.

    If you left the SD card in the laptop and it was stolen, someone could extract the keys from RAM relatively easily after it has been booted up. For this reason, you may want to consider preventing the installation of Firewire and Thunderbolt drivers through Group Policy.

    Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker

  7. #7
    localzuk
    Quote Originally Posted by free780 View Post
    But if someone steals the laptop the sd card will be left in. It makes encryption a bit pointless.
    Quote Originally Posted by jamin100 View Post
    Isn't that the same as stealing the laptop with the TPM attached?
    The thing is, both situations still result in a laptop that is inaccessible to the thief - unless they have the user's password - in which case all bets are off. They can't log in, so can't access data. They can't remove the HDD and access data. They can't boot off an OS disc and access data.

    Not to mention, you can make it 2 factor auth quite easily - by enabling the need for a PIN to be entered. So now you have to know something as well as know something.
    Last edited by localzuk; 6th March 2014 at 08:13 AM.

  8. #8
    Can't do PIN without TPM in BitLocker and I'm fairly sure the Bitlocker key file that will be on SD card could be used to unlock the laptop hdd by connecting it to another computer with Bitlocker available or by running WinPE and using the bde-manage commands.

    I agree with Arthur and the smaller USB drives on a keyring is possibly the way to go, or look at Windows 8 which I believe you can set a password on boot rather than using USB drives to unlock the drive on boot for laptops without TPM.
    Last edited by Ashm; 6th March 2014 at 08:33 AM.

  9. #9
    jamin100
    You can't require a PIN without an SD card though, can you?

  10. #10
    Quote Originally Posted by Ashm View Post
    I'm fairly sure the Bitlocker key file that will be on SD card could be used to unlock the laptop hdd by connecting it to another computer with Bitlocker available or by running WinPE and using the bde-manage commands.
    The recovery key doesn't have to be stored on the SD card, just the startup key.

    Quote Originally Posted by Ashm View Post
    or look at Windows 8 which I believe you can set a password on boot rather than using usb drives to unlock drive on boot for laptops without TPM.
    Good idea!

  11. #11
    localzuk
    AFAIK, the use of an SD card is the same as using a USB key. In which case, you can have both key + PIN by using the manage-bde command to enable Bitlocker.
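    An added example (not from this thread or from any of its posters) putting posts #10 and #11 together: enable BitLocker on a non-TPM laptop with the startup key on the card and the recovery password kept elsewhere, then check the card holds only the startup key. It assumes Windows 8 or later with the BitLocker PowerShell module, an elevated session, and that the SD card reader is E:; per Ashm's post, a PIN is a TPM protector, so the non-TPM options are startup key and (Windows 8) password.

```powershell
# Added example, not the thread's own commands. Assumes Windows 8+, elevated session,
# SD card reader mounted as E: (assumption; change to suit).
$OsDrive   = 'C:'
$CardDrive = 'E:\'

# Policy must allow BitLocker without a TPM ("Require additional authentication at
# startup" -> "Allow BitLocker without a compatible TPM"). Written directly here for a
# lab machine; in production push the same setting through Group Policy.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Type DWord -Value 1
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Type DWord -Value 1

# Startup key protector: the .BEK file is written to the card. That file alone unlocks
# the volume (post #8), so a card left in the laptop gives no more protection than a
# USB stick left in. manage-bde equivalent (post #11):
#   manage-bde -on C: -StartupKey E:\ -RecoveryPassword
Enable-BitLocker -MountPoint $OsDrive -StartupKeyProtector -StartupKeyPath $CardDrive `
    -EncryptionMethod Aes256 -UsedSpaceOnly -SkipHardwareTest

# Recovery password protector: generated but NOT saved to the card (post #10). Back it
# up to AD (needs the matching BitLocker backup GPO) or record it out of band.
$vol  = Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector
$rp   = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $rp.KeyProtectorId

# Windows 8 alternative to a key left in the machine: a boot password protector.
#   Add-BitLockerKeyProtector -MountPoint C: -PasswordProtector -Password (Read-Host -AsSecureString)

# Checks: one startup key on the card, no recovery text file beside it.
$bek = Get-ChildItem -Path $CardDrive -Force -Filter '*.BEK'
$txt = Get-ChildItem -Path $CardDrive -Force | Where-Object Name -like 'BitLocker Recovery Key*'
if ($bek.Count -ne 1) { Write-Warning "Expected exactly one .BEK on $CardDrive, found $($bek.Count)" }
if ($txt)             { Write-Warning "Recovery key file found on the card: $($txt.Name)" }
(Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```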

  12. #12
    Hi everyone,

    Depending on your security requirements, there is an SD card with built-in smart card and TPM. It's marketed for mobile devices and tablets but might work on laptops which have no onboard TPM. I have not checked to see if it has driver support for Windows 8.1. See: http://www.safenet-inc.com/multi-factor-authentication/authenticators/pki-smart-cards/government-mobile-security/. If you are really paranoid, you could get an SSD HD which is eDrive compliant in order to offload the crypto to the hardware and use the SD TPM to shore up key security. It might be cheaper to buy a new laptop with a built-in TPM and eDrive compliant SSD, as opposed to upgrading an existing laptop. Crucial have eDrive compliant drives with very fast crypto read/write speeds: http://www.crucial.com/products/m550.aspx
    HIDDN also make a nice encrypted SSD drive which has onboard two factor, but the write speeds are much slower than Crucial: http://hiddn.no/laptop/

    I was passing by the forum and found this discussion. I've had a similar issue with a client who has 1000s of corporate laptops with no TPM. Cheers, njoy
    Last edited by njoy; 5th April 2014 at 02:52 AM.
