I am currently looking at ways of improving our team’s encryption protocols using BitLocker (with TPM) and am a bit confused about why anyone would use the “enter PIN at startup” option.

From what I understand, the actual decryption key is stored in the TPM, and is a 48-digit long code. When you initially set up BitLocker on the OS drive, MSFT forces you to save this 48-digit key someplace safe, and using this key, you can decrypt the drive (for example if booting into Safe Mode or transferring the drive to a different PC). So this 48-digit key is everything, as it allows you to access the drive. And you need this key for certain functions; for example, you cannot boot into Safe Mode unless you manually type in the key.

However, BitLocker also allows you to create a PIN (or enhanced PIN) which you must enter at each boot. I decided to try this out, thinking it would be like having DiskCryptor in the old days.

Unfortunately, it appears this PIN is useless. If you set up the PIN (or Enhanced PIN, which allows ASCII characters), but then attempt to boot into Safe Mode, it still asks for the 48-digit key, and does not ask for the PIN at all.

Even on a normal boot, if you can’t remember the PIN, you just push Esc and then it asks for the 48-digit key, which unlocks access. So the PIN doesn’t do anything; even on a normal boot, you just bypass it if you have the 48-digit key.

So what’s the point of the PIN then? It still appears that the 48-digit key is everything; it is the only thing which matters for access. And given most of us cannot memorise a 48-digit key, we will have to store it somewhere, which lowers security (most employees keep it in Google Keep, which I don’t think is very secure).

I assumed that the PIN would always be required, along with the 48-digit key, such that even if the 48-digit key is compromised, your data is still safe since the PIN is only inside your brain. Sort of like a two-key launch protocol for missiles. But it appears that’s not the case, as full access is granted for the 48-digit key alone, and the PIN can be bypassed by pressing Esc at startup.

Ideally, I would like to make it a two-key mandatory type system, where booting into Safe Mode or accessing the disk on another PC does require both the PIN and the key. Is this possible to do with BitLocker alone?
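As an added example that is not part of the original post, the PowerShell below lists the key protectors on the OS volume, so the TPM+PIN protector and the 48-digit recovery password show up as separate, independent unlock paths, and then rotates the recovery password, escrowing the new one to AD DS instead of a personal notes app. It assumes an elevated session, the OS volume on C:, and a domain-joined machine for the escrow step; the function names are my own.

```powershell
# Added example: inventory BitLocker key protectors and rotate the recovery
# password. Assumes an elevated session and the OS volume mounted at C:.

function Get-OsVolumeProtectors {
    param([string]$MountPoint = "C:")
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Each protector is an independent way to release the volume master key:
    # Tpm / TpmPin unlock at boot (with the PIN), RecoveryPassword is the
    # 48-digit fallback. Any one of them alone is sufficient to unlock.
    foreach ($kp in $vol.KeyProtector) {
        [pscustomobject]@{
            Id                 = $kp.KeyProtectorId
            Type               = $kp.KeyProtectorType
            IsRecoveryPassword = ($kp.KeyProtectorType -eq 'RecoveryPassword')
        }
    }
}

function Reset-RecoveryPassword {
    param([string]$MountPoint = "C:")
    # Record the existing recovery-password protector(s) so they can be
    # removed once a replacement is in place.
    $old = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
           Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    $oldIds = @($old | ForEach-Object { $_.KeyProtectorId })

    # Add the new recovery password first so the volume is never left
    # without a fallback protector during the rotation.
    $vol   = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $newId = ($vol.KeyProtector |
              Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and
                             $_.KeyProtectorId -notin $oldIds }).KeyProtectorId

    # Escrow the new password in Active Directory (assumes domain membership)
    # rather than leaving it to individual users to store.
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $newId

    # Retire the old recovery password(s); any copy kept in a notes app is
    # now useless for unlocking this volume.
    foreach ($id in $oldIds) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id
    }
    return $newId
}

Get-OsVolumeProtectors | Format-Table -AutoSize
```

Run `Reset-RecoveryPassword` after confirming with `Get-OsVolumeProtectors` that a TpmPin protector is present, so the machine still boots normally while the old 48-digit key is invalidated.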
