How safe is Bitlocker?

[kdoggy]

Hi all,

I'm a recent convert to Bitlocker but am wondering how safe it is.

I have it set up with my TPM but I don't use a PIN/password additionally (be it manually entered or via a USB stick), as this would defeat the purpose of having Bitlocker be unobtrusive. I do however have a password on my windows account.

What worries me is that apparently the data is unlocked at the boot stage, so it is accessible even before you enter your Windows password in!

Is this sufficient security for someone who takes their laptop out and about, but isn't likely to be targeted by sophisticated thieves? Since my line of work is fairly mundane.

Thanks!

 

[Alejandro85]

To answer that we must consider what BitLocker is actually designed to protect against, who is your attacker and what kind of protection you expect from it. BitLocker by itself may be relatively secure, but how you use it also affect its security.

From its Wikipedia page, it seems to be using AES256, which is quite secure at the time, and allowing a number of authentication methods that make it difficult to crack, except in very specialized attacks. On the other hand, BiLocker is pure proprietary software, which imposes doubts on the quality of its implementation and the existence of bugs and their fix procedure (and rumors of backdoors are always out there ).

I have it set up with my TPM but I don't use a PIN/password additionally (be it manually entered or via a USB stick), as this would defeat the purpose of having Bitlocker be unobtrusive. I do however have a password on my windows account.

You really need a second authentication method. Think about what will happen if someone simply steals the whole computer? If the TPM module goes with it, they can use it to decrypt the whole disk, and BitLocker will be useless after that. A password server as a second factor of security that cannot be simply stolen.
You mention "unobtrusive". The purpose of every security software is to be obtrusive in the component it protects. If it's unobtrusive to you, so will be it to the attacker. Remember that security and convenience are opposite goals, choose one and leave the other.
The Windows account password is of course an excellent measure, but unrelated to BitLocker.

What worries me is that apparently the data is unlocked at the boot stage, so it is accessible even before you enter your Windows password in!

Yes and no. At boot, the only thing stored is the encryption key, which remains in memory afterwards, but the data itself is decrypted on demand when each particular sector is accessed by the OS, only remaining in memory, and data written is encrypted when saved back to disk. At no point is something else seen in plaintext, much less that data every touches the disk.

Is this sufficient security for someone who takes their laptop out and about, but isn't likely to be targeted by sophisticated thieves? Since my line of work is fairly mundane.

"They don't care about me" is an enormous myth, there are many reasons with completely unknown attackers may want your computer infected.
But your particular worry seems about it being stolen, which then they can access your data. BitLocker is an excellent option for that, given it has a good password, and any USB/TPM modules aren't with the computer permanently. "Sufficient" always depends on who is attacking you, but generally a proper password will deter most simple thieves (they'll simply reformat and move on).