BitLocker

BitLocker | Harden System Security

• The app sets up and configures Bitlocker using official documentation, with the most secure configuration and military grade encryption algorithm, XTS-AES-256, to protect the confidentiality and integrity of all information at rest. CSP CSP

  • It offers 2 security levels for OS drive encryption: Enhanced and Normal.

  • In Normal security level, the OS drive is encrypted with TPM and Startup PIN. This provides very high security for your data, specially with a PIN that's long, complicated (uppercase and lowercase letters, symbols, numbers, spaces) and isn't the same as your Windows Hello PIN.

  • In Enhanced security level, the OS drive is encrypted with TPM and Startup PIN and Startup key. This provides the highest level of protection by offering Multifactor Authentication. You will need to enter your PIN and also plug in a flash drive, containing a special BitLocker key, into your device in order to unlock it. Continue reading more about it here.

  • Once the OS drive is encrypted, for every other non-OS drive, there will be prompts for confirmation before encrypting it. The encryption will use the same algorithm as the OS drive and uses Auto-unlock key protector. Removable flash drives are skipped.

  • The recovery information of all of the drives are saved in a single well-formatted text file in the root of the OS drive C:\BitLocker-Recovery-Info-All-Drives.txt. It's very important to keep it in a safe and reachable place as soon as possible, e.g., in OneDrive's Personal Vault which requires additional authentication to access. See here and here for more info. You can use it to unlock your drives if you ever forget your PIN, lose your Startup key (USB Flash Drive) or TPM no longer has the correct authorization (E.g., after a firmware change).

  • TPM has special anti-hammering logic which prevents malicious user from guessing the authorization data indefinitely. Microsoft defines that maximum number of failed attempts in Windows is 32 and every single failed attempt is forgotten after 2 hours. This means that every continuous two hours of powered on (and successfully booted) operation without an event which increases the counter will cause the counter to decrease by 1. You can view all the details using this PowerShell command: Get-TPM.

  • Check out Lock Screen category for more info about the recovery password and the 2nd anti-hammering mechanism.

  • BitLocker will bring you a real security against the theft of your device if you strictly abide by the following basic rules:

    • As soon as you have finished working, either Hibernate or shut Windows down and allow for every shadow of information to disappear from RAM within 2 minutes. This practice is recommended in High-Risk Environments.

    • Do not mix 3rd party encryption software and tools with Bitlocker. Bitlocker creates a secure end-to-end encrypted ecosystem for your device and its peripherals, this secure ecosystem is backed by things such as software, Virtualization Technology, TPM 2.0 and UEFI firmware, Bitlocker protects your data and entire device against real-life attacks and threats. You can encrypt your external SSDs and flash drives with Bitlocker too.

Important

AMD Zen 2 and 3 CPUs have a vulnerability in them, if you use one of them, make sure your Bitlocker Startup PIN is at least 16 characters long (max is 20).

• Enables or disables DMA protection from Bitlocker Countermeasures based on the status of Kernel DMA protection. Kernel DMA Protection is not compatible with other BitLocker DMA attacks countermeasures. It is recommended to disable the BitLocker DMA attacks countermeasures if the system supports Kernel DMA Protection (The Harden System Security App does that exactly). Kernel DMA Protection provides higher security bar for the system over the BitLocker DMA attack countermeasures, while maintaining usability of external peripherals. you can check the status of Kernel DMA protection using this official guide. CSP

  • Kernel DMA Protection (Memory Access Protection) for OEMs page shows the requirements for Kernel DMA Protection. for Intel CPUs, support for requirements such as VT-X and VT-D can be found in each CPU's respective product page. e.g. Intel i7 13700K

• Disallows standard (non-Administrator) users from changing the Bitlocker Startup PIN or password CSP

• Requires you to choose a PIN that contains at least 10 characters CSP

• (Only on Physical machines) Enables Hibernate and adds Hibernate to Start menu's power options. CSP

  • Devices that support Modern Standby have the most security because (S1-S3) power states which belong to the legacy sleep modes are not available. In Modern Standby, security components remain vigilant and the OS stays protected. Applying Microsoft Security Baselines also automatically disables the legacy (S1-S3) sleep states.

• sets Hibernate to full

• Disallows access to Bitlocker-protected removable data drives from earlier versions of Windows.

Refer to this official documentation about the countermeasures of Bitlocker