By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR measurement. An unauthorized EFI firmware, EFI boot application, or bootloader can't run and acquire the BitLocker key.

To defend against malicious reset attacks, BitLocker uses the TCG Reset Attack Mitigation, also known as MOR bit (Memory Overwrite Request), before extracting keys into memory.

Preboot authentication and DMA policies provide extra protection for BitLocker.

BitLocker accesses and stores the encryption keys in memory only after preboot authentication is completed. Preboot authentication with BitLocker can require the use of either user input, such as a PIN, a startup key, or both to authenticate prior to making the contents of the system drive accessible. If Windows can't access the encryption keys, the device can't read or edit the files on the system drive. The only option for bypassing preboot authentication is entering the recovery key.

Preboot authentication is designed to prevent the encryption keys from being loaded to system memory without the trusted user supplying another authentication factor. This feature helps mitigate DMA and memory remanence attacks.

On devices with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways:

- TPM-only: this option doesn't require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign-in experience is the same as a standard sign-in. If the TPM is missing or changed, or if BitLocker detects changes to the BIOS or UEFI configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode. The user must then enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor.
- TPM with startup key: in addition to the protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume can't be accessed without the startup key.
- TPM with PIN: in addition to the protection that the TPM provides, BitLocker requires that the user enters a PIN. Data on the encrypted volume can't be accessed without entering the PIN. TPMs also have anti-hammering protection that is designed to prevent brute force attacks that attempt to determine the PIN.
- TPM with startup key and PIN: in addition to the protection that the TPM provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it can't be used for access to the drive, because the PIN is also required.
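The following PowerShell is an added example, not part of the original text or of Microsoft's BitLocker documentation. It audits which of the four unlock modes an operating system volume is actually using and whether preboot authentication (a PIN, a startup key, or both) is in force. The cmdlet names (Get-BitLockerVolume, Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector) and the KeyProtectorType values (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey, RecoveryPassword) are the real ones from the Windows BitLocker module; the Get-BitLockerUnlockMode function, its mode labels, and the constructed sample volumes are this example's own.

```powershell
# Added example: classify a BitLocker OS volume by the unlock modes described above.
# Get-BitLockerUnlockMode is a helper written for this example; it accepts either a real
# object from Get-BitLockerVolume or a constructed stand-in with the same property names.
function Get-BitLockerUnlockMode {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] $Volume   # one volume object (MountPoint, ProtectionStatus, KeyProtector)
    )

    # KeyProtectorType values as reported by the BitLocker module.
    $types = @($Volume.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

    # Map the TPM-based protector to the four modes in the text (strongest match first).
    if     ($types -contains 'TpmPinStartupKey') { $mode = 'TPM with startup key and PIN' }
    elseif ($types -contains 'TpmPin')           { $mode = 'TPM with PIN' }
    elseif ($types -contains 'TpmStartupKey')    { $mode = 'TPM with startup key' }
    elseif ($types -contains 'Tpm')              { $mode = 'TPM-only' }
    else                                         { $mode = 'No TPM protector' }

    [pscustomobject]@{
        MountPoint          = $Volume.MountPoint
        ProtectionStatus    = [string]$Volume.ProtectionStatus
        UnlockMode          = $mode
        # Preboot authentication means the user supplies a PIN, a startup key, or both,
        # so TPM-only (keys released with no user interaction) does not count.
        PrebootAuth         = $mode -in @('TPM with PIN', 'TPM with startup key', 'TPM with startup key and PIN')
        # The recovery key is the only way past preboot authentication, so a recovery
        # password protector must exist (and be escrowed) or a lost PIN locks the data out.
        HasRecoveryPassword = $types -contains 'RecoveryPassword'
    }
}

# Constructed sample volumes shaped like Get-BitLockerVolume output (not real captures).
$samples = @(
    [pscustomobject]@{
        MountPoint       = 'C:'
        ProtectionStatus = 'On'
        KeyProtector     = @(
            [pscustomobject]@{ KeyProtectorType = 'TpmPin';           KeyProtectorId = '{PLACEHOLDER-GUID-1}' }
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword'; KeyProtectorId = '{PLACEHOLDER-GUID-2}' }
        )
    },
    [pscustomobject]@{
        MountPoint       = 'D:'
        ProtectionStatus = 'On'
        KeyProtector     = @(
            [pscustomobject]@{ KeyProtectorType = 'Tpm'; KeyProtectorId = '{PLACEHOLDER-GUID-3}' }
        )
    }
)

# Offline run over the constructed samples: C: reports 'TPM with PIN' with PrebootAuth True,
# D: reports 'TPM-only' with PrebootAuth False and HasRecoveryPassword False.
$samples | ForEach-Object { Get-BitLockerUnlockMode -Volume $_ } | Format-Table -AutoSize

# Live audit on a Windows host (run elevated; requires the BitLocker module):
#   Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem' |
#       ForEach-Object { Get-BitLockerUnlockMode -Volume $_ }
#
# Moving a TPM-only system drive to TPM with PIN. The policy "Require additional
# authentication at startup" (Computer Configuration > Administrative Templates >
# Windows Components > BitLocker Drive Encryption > Operating System Drives) must
# allow a startup PIN first, otherwise Add-BitLockerKeyProtector refuses the request.
#   $tpmOnly = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
#              Where-Object KeyProtectorType -eq 'Tpm'
#   Remove-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $tpmOnly.KeyProtectorId
#   $pin = Read-Host -AsSecureString 'Startup PIN'
#   Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin
```

The audit deliberately treats "TPM-only" as a finding rather than an error: it is a supported mode, but it is the one in which the keys reach memory without any user factor, which is exactly the window the DMA and memory remanence discussion above is about. Checking HasRecoveryPassword alongside the mode matters because enforcing preboot authentication on a volume whose recovery password was never escrowed turns a forgotten PIN into permanent data loss.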