Bitlocker

[paulyron]

Hey all. Does anyone here use bitlocker for their windows 10 pro computer?   I installed bitlocker on my windows 10 pro a while back. Once I did this and the second time I had to do it again because I had turned it off. But as you read in my other thread,  I did a clean reinstall of windows 10 pro just recently so everything is wiped.



I like this program since if something were to happen to your laptop, then someone can't turn it without a password or pion and access your files. I have that windows 10 password but as we all know that is relatively useless. The way I had it set up last time, I do not remember exactly all the steps that I did with this as it was a bit confusing. I do know I used that tenforums site for the instructions but got stuck few times.



I know I have TPM 1.2 on this dell xps 15 9550. I remember you could do one of three things for encryption



1. TPM With Pin
2. TPM With No Pin
3. Password



I believe I chosed the password option in my last setup. I don't remember if before that, I used TPM With Pin. I do recall the second option is the worst for security right? So my setup was I turned on my computer, it ask me to enter a pin which I created. That pin also included letters and not just numbers though as I remember I made changes to settings for this because obviously a pin with only numbers is not that good since I remember it was 6-20 characters. So with letters, well its much tougher. So does that mean it had to been password option that I did?

[paulyron]

I did remember someone telling me the way I set it up... let say my laptop is turned on and I want to lock it, I only have to enter my windows password to get back to the computer. I believe that person said because I used a password... then say I'm away from my computer and leave it locked... then someone who had access to my computer could do something malicious to it or get into it easily right? I remember someone saying my security was not good unless my computer was either turned off or hibernating? Because that is the only way the password could protect me here? They said my windows password is only going to be a short deterrence. But if you have TPM with Pin, then locking it will protect it just like if it was turned off? The thing is with TPM with Pin... the pin could contain letters right?



I believe someone said if you use TPM with Pin... not only do you need to enter your pin each time when you turn on your laptop... but if you have this option... anytime you lock your computer when its turned on... you need to enter both your pin and then your windows 10 password to get into the account. Is that correct or not?



I want to have my laptop pretty much like how it was before with bitlocker. Except I need to make it TPM with Pin as oppose to password? The thing that has me confused with TPM with pin is I remember I read it involved just unlocking itself so it isn't secure at all. Or am I confusing it with the TPM without Pin? There was something that deterred me from going with TPM with Pin. I remember it had to do with it unlocking itself or you could only use numbers for pin I believe.



So in my situation, assuming my threat level is if someone has access to my laptop, I don't want someone having access to my files just by turning it on, what do you suggest for me? Again the way I had bitlocker set up last time was fine... except I wouldn't feel comfortable having it turned on and then I lock it and I go outside for a bit before coming back. Thus I started to just turn my laptop off each time I went out before I come back.



Any current bitlocker users can assist me with this? At the moment, my machine is a clean reinstall so I haven't downloaded much programs on it yet. This is the only program I need to install now before I can start using my laptop. Thank you.

[applies-casual-jersey]

You may have figured this out on your own by now, but the BitLocker PIN would only need to be entered when booting the system.  Once the drive(s) are unlocked and the system is booted, the BitLocker PIN won't be required again while the system remains running — not until you power-off, reboot, etc.

 

On my own system, for example, I have all drives encrypted with BitLocker and the primary (OS drive) set to TPM&PIN while the other 2 drives are configured to auto-unlock.  My PIN is the maximum length, and honestly, I'd likely not remember it myself.  I remember part of the PIN in my head and have the rest of it stored in my YubiKeys.  It's kind of like having 2FA for the BitLocker PIN.  I manually enter a partial PIN and my YubiKeys enter a partial PIN, making-up the complete PIN.