August 26, 2021

Daily discussion at work: BitLocker encryption only works when the laptop is powered down

Had a wild discussion at work today. The claim was that BitLocker encryption, as a technical control, is only effective when the laptop is powered down.

People on both sides of the argument.

Decrypting/encrypting an entire drive takes a long time and a lot of cycles.

It would be impractical to wait while Windows used BitLocker to decrypt your entire drive every time you boot your computer up.

So, Windows decrypts the data on the fly as you use it.

You can't reasonably encrypt the data while you use it; encryption makes the data not usable by definition.

So, the purpose of BitLocker is to encrypt the data "at rest" when it's not in use by the system. This is true of all encryption and there's no real way around it.

But it’s not true that your entire drive is being decrypted/encrypted every time you power up/down.

Good question – let’s cover some bases to find where each side of the argument may come from.

* System is off: Let's assume for the sake of argument that the key is secure, and not craptastic – in that case, the storage media cannot be decrypted and BitLocker is a valuable control.
* System is on:
  * If the attacker has *any* userland access (physical access while logged in, or malware on the system, etc.): all or nearly all of what an attacker would want is already transparently decrypted anyway, so BitLocker is not providing value.
  * If the attacker does not yet have userland access (physical access while locked): BitLocker at best stops an attacker from powering off the system and pulling out the drive – barring the most obvious and probably most common attacker route to data, but also just going back to "the system is off, and that's where the value predominantly lies." Outside of that case, you're relying on the security of the running OS/user passwords/etc. to prevent a malicious login – not BitLocker itself.

I’d side with the folks saying BitLocker is a technical control only when the system is powered down. It’s not technically correct – there *is* a value provided to running systems at least in the sense that an attacker can’t turn it off for easy drive access – but that’s a bit too cyclical for my taste, so I think generalizing is acceptable in this case.
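The distinction both replies lean on (protection is "on" for the volume, yet the data is transparently readable while the OS is up) is visible directly from the BitLocker cmdlets. The script below is an added example for this page, not code from anyone in the thread. It assumes the built-in BitLocker PowerShell module (Windows 8 / Server 2012 and later) and an elevated prompt; the list of protector types it treats as "pre-boot authentication" is this script's own assumption and is not something the thread defines.

```powershell
# Added example (not from the original thread): inventory BitLocker state on a
# running Windows system and point out the on/unlocked distinction the thread
# is arguing about. Requires the BitLocker module and an elevated prompt.

#Requires -RunAsAdministrator

# Assumption: protector types that require a secret or token at boot beyond the
# TPM alone. Which ones count as "good enough" is a policy call, not a fact.
$PreBootAuthTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password')

function Get-BitLockerPosture {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType is an enum; convert to strings for easy matching.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeType          = $vol.VolumeType
            ProtectionStatus    = $vol.ProtectionStatus     # On/Off: are the protectors enforced?
            LockStatus          = $vol.LockStatus           # Unlocked = reads are decrypted on the fly
            EncryptionPct       = $vol.EncryptionPercentage # < 100 means plaintext still on disk
            Protectors          = ($types -join ', ')
            RequiresPreBootAuth = [bool]($types | Where-Object { $PreBootAuthTypes -contains $_ })
        }
    }
}

$posture = Get-BitLockerPosture
$posture | Format-Table -AutoSize

# Spell out what each row means for the "powered on vs. powered off" argument.
foreach ($p in $posture) {
    if ($p.ProtectionStatus -ne 'On' -or $p.EncryptionPct -lt 100) {
        Write-Warning ("{0}: protection not fully in force (Status={1}, {2}% encrypted); " +
                       "the at-rest guarantee does not hold yet." -f
                       $p.MountPoint, $p.ProtectionStatus, $p.EncryptionPct)
    }
    elseif ($p.LockStatus -eq 'Unlocked') {
        $boot = if ($p.RequiresPreBootAuth) { 'a pre-boot secret is required' }
                else { 'TPM-only: no secret is asked for at boot' }
        Write-Host ("{0}: encrypted and protected, but currently Unlocked - anything with " +
                    "userland access reads plaintext. At boot, {1}." -f $p.MountPoint, $boot)
    }
    else {
        Write-Host ("{0}: Locked - this is the state in which BitLocker is actually " +
                    "standing between an attacker and the data." -f $p.MountPoint)
    }
}
```

On a normal laptop the OS volume will show `ProtectionStatus = On` and `LockStatus = Unlocked` at the same time, which is the whole debate in one row: the control is configured and healthy, and it is not protecting anything from code already running on the box. The `RequiresPreBootAuth` column is where the first reply's "assume the key is secure" premise gets tested in practice, since a TPM-only volume releases its key to any boot path the TPM measurements accept.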
