Hardware encryption will not be used by default, no worries. There is no common vulnerability in hardware encryption present; it was just a few drive models that had problems. But software encryption will do, so leave it.
Without a PIN, an attacker that steals the machine might extract the key from RAM using a cold boot attack. That is not something the ordinary attacker would do, but who knows who is interested in your machines? https://www.youtube.com/watch?v=JDaicPIgn9U
Bitlocker most secure configuration
Folks - I'm setting up a new computer and want to make sure I'm using the most optimal and secure method for BitLocker, given there have been so many vulnerabilities with it in the last few years. Can somebody take a look and advise? The data volume and OS volume look a little different at the end of each output. If there is something I should change to make it secure, I want to do it right now before installing applications onto the machine. My data drive will be solely used for surveillance/VMS software, but I need to guard against potential physical theft.
[Data Volume]
Volume B: [data drive]
[Data Volume]
Size: 7452.02 GB
BitLocker Version: 2.0
Conversion Status: Fully Encrypted
Percentage Encrypted: 100.0%
Encryption Method: XTS-AES 128
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: Unknown
Automatic Unlock: Enabled
Key Protectors:
External Key
Numerical Password
External Key (Required for automatic unlock)
Volume C: []
[OS Volume]
Size: 255.56 GB
BitLocker Version: 2.0
Conversion Status: Fully Encrypted
Percentage Encrypted: 100.0%
Encryption Method: XTS-AES 128
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: Unknown
Key Protectors:
TPM
Numerical Password
7 answers
-
MTG Marinetechnik 356 Reputation points
2020-10-05T06:45:18.267+00:00 -
Jake Sokol 106 Reputation points
2020-10-03T23:59:47.83+00:00 Also, is the SSD hardware encryption vulnerability still present, and should I configure Group Policy to use software encryption on all SSD drives (OS and data drive)?
Thx -
Jake Sokol 106 Reputation points
2020-10-03T22:26:41.963+00:00 How much security am I losing without a pre-boot authentication PIN? Can an attacker somehow log into Windows and access my data?
Given this is a surveillance machine, it's critical it boots up hands-free after a power loss.
thx
-
Bagitman 596 Reputation points
2020-10-03T19:03:57.337+00:00 You did not configure a pre-boot authentication PIN, so your config cannot be called optimal for security. However, with such a PIN set, the machine would not be able to start automatically (hands-free) after update installation reboots or crashes, so you need to decide if that matters or not.
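The two points raised in the answers (no pre-boot PIN on the OS volume, and whether hardware encryption is in use) can be checked mechanically against manage-bde -status output. The following is an added example, not part of the thread: the function names and the "Hardware Encryption" prefix match are assumptions, and the sample is trimmed from the output in the question.

```python
import re
# Constructed sample, trimmed from the manage-bde -status output in the question.
SAMPLE = """\
Volume B: [data drive]
[Data Volume]
    Encryption Method: XTS-AES 128
    Key Protectors:
        External Key
Volume C: []
[OS Volume]
    Encryption Method: XTS-AES 128
    Key Protectors:
        TPM
        Numerical Password
"""

def parse_status(text):
    """Split manage-bde -status text into one dict per volume."""
    volumes, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"Volume ([A-Z]):", line):
            cur = {"letter": m.group(1), "type": "", "fields": {}, "protectors": None}
            volumes.append(cur)
        elif cur is None or not line:
            continue  # text before the first volume header, or a blank line
        elif line in ("[OS Volume]", "[Data Volume]"):
            cur["type"] = line.strip("[]")
        elif line.startswith("Key Protectors:"):
            cur["protectors"] = []  # every following line names one protector
        elif cur["protectors"] is not None:
            cur["protectors"].append(line)
        elif ":" in line:
            key, value = line.split(":", 1)
            cur["fields"][key.strip()] = value.strip()
    return volumes

def audit(volumes):
    """Return (drive letter, finding) pairs for the two points raised in the thread."""
    findings = []
    for v in volumes:
        # Assumption: drive-offloaded encryption is reported with this prefix.
        if v["fields"].get("Encryption Method", "").startswith("Hardware Encryption"):
            findings.append((v["letter"], "hardware encryption in use"))
        # A pre-boot PIN appears as a combined protector such as "TPM And PIN".
        if v["type"] == "OS Volume" and not any("PIN" in p for p in v["protectors"] or []):
            findings.append((v["letter"], "no pre-boot PIN protector"))
    return findings

print(audit(parse_status(SAMPLE)))
```

A numerical (recovery) password is not a pre-boot PIN, which is why volume C is still flagged.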
-
Jake Sokol 106 Reputation points
2020-10-02T21:45:22.017+00:00 Can anybody kindly look into this? I'm hoping to start using this machine over the weekend - thanks!