Score:0

Do I need to encrypt the OS drive with BitLocker if I store data only on a second, different drive in the same PC?

I have a PC with two drives in it. One is used for the OS and programs only, and the other one is used to store data. I want to encrypt my data so that if the PC is stolen, the thieves can't eventually use it at their will (I'm not sure, but a SATA adapter could be enough to access my data from another PC without BitLocker encryption, am I right?)

Do I need to encrypt both of my drives then, or should I only be interested in encrypting the one that contains sensitive/private data? Is there any risk that on the OS drive, if left unencrypted, there could be some useful data to decrypt or to bypass the encryption on the other drive?

What I am trying to achieve is to set a strong password on my Windows login and to set auto-unlock on the second drive, so that I shouldn't need (to my understanding) to use the BitLocker password every time I boot Windows, and I will only need my user password to unlock my Windows user.

Does this make any sense? Am I missing some important security basics, or should I be good doing so? It's the first time for me working with security issues in Windows; I've done some research to understand how everything works, but please tell me and teach me what/if I am missing something. I'm definitely interested in learning more about this topic!

Score:0

Yes, the way you plan it makes sense. Set a strong password (better, 2FA like virtual smart cards or Windows Hello), see that there's no other account active but yours, encrypt all partitions and set D: to auto-unlock. It's always wrong to only encrypt the data partition, since it leaves the OS open to manipulation.

tasty_tortilla
Thanks for your input! I see you're talking about 2FA and Windows Hello; even if I don't have Hello available on my system, I was curious to know if there was some way to disable the boot password requirement and instead use only the user account password or some 2FA method. Also, the local account on the machine is not linked with a Microsoft account (I didn't want bloat or similar connections with this PC/account), but I'm trying to find out if it could be a better option. Any suggestion?
Bernd Schwanenmeister
The boot password? What do you mean? Boot passwords are set in the BIOS. Then there are BitLocker pre-boot authentication passwords, and lastly Windows logon passwords. If you set up BitLocker without the help of a TPM chip, then you will probably have set a BitLocker password; do you mean that?
tasty_tortilla
Yeah, sorry, I meant exactly that! The BitLocker pre-boot password! And yes, I set it up without a TPM chip! I guess I can't get rid of the pre-boot BitLocker password then, unless I disable BitLocker?
Bernd Schwanenmeister
Please be aware that 99% of all desktop computers built in 2015 and later have a TPM chip that will be embedded in the firmware (fTPM). What's your mainboard model? With a TPM, no pre-boot auth. would need to be required.
tasty_tortilla
Thank you, this also clarifies a lot of questions I had with the TPM and the BitLocker password!!! Also, I have a Gigabyte X99-SLI-CF, but it looks like it doesn't have any TPM option. Earlier today I looked in the BIOS but found none, and in the manual they talk about external TPM modules. Have to upgrade to a new motherboard, I guess?
Bernd Schwanenmeister
I cannot find info on the -CF one. The manual of the GA-X99-SLI without -CF confirms that the board has a TPM header, so you can buy a TPM for it. And no, there does not seem to be a firmware TPM.
tasty_tortilla
Thanks so much for your help, I think I'll buy a TPM header then and I'll solve the boot password problem at least! :)
tasty_tortilla
Just an update: I finally bought a TPM for my motherboard and it works perfectly. The problem is that I cannot use it with BitLocker, because it looks like the motherboard doesn't support the Secure Boot feature, and it looks like it's required for the TPM thing with BitLocker. @Bernd any other suggestion? I think at this point I'm gonna wait until I buy a new, updated CPU+motherboard (sad)
Bernd Schwanenmeister
Secure Boot is no requirement for BitLocker. What makes you think it is? How do you try to set up BitLocker, and what happens?
tasty_tortilla
Oh. Well, once I had the TPM installed I tried to re-do everything, so I removed the BitLocker encryption to set it up again with the TPM instead. But when I was trying to enable it, it wasn't gonna work unless I enabled the password thing to bypass the TPM. It looked like it wasn't reading the TPM module, even if it was there, available in the TPM Windows utility. Then I got into a tutorial where it was talking about Secure Boot, and I thought that was right, since actually it wasn't available on my system.
Bernd Schwanenmeister
Using a password for BitLocker is forbidden by default. Could it be that you modified a GPO to make passwords possible and at the same time mistakenly forbade the use of the TPM as a protector? Verify the configuration here: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. Double-click "Require additional authentication at startup" and see if you forbade it there. The same would be doable via the registry, so best would be to allow the TPM there explicitly.
Score:0

Typically, if an encrypted data drive is to be auto-unlocked, the operating system drive also needs to be encrypted. This should be fairly easy to test and confirm.

tasty_tortilla
And in fact you are totally correct. I just tried it, and it didn't let me disable BitLocker on the OS drive without disabling it on every drive. Also, as you said, the auto-unlock option is available only if the OS partition is also encrypted. I was trying to remove the encryption on the OS drive because I don't like the password prompt needed on boot, and I wanted something easier or quicker to boot the PC and log in at the same time with my user account, something like 2FA or a PIN to just log in. Also, currently my account is not linked with a Microsoft account! Would you have any suggestion?
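The following PowerShell audit is an added example, not something posted in this thread: it checks the points raised in the first answer and its comments (every volume protected, the OS drive unlocked by a TPM-based protector rather than a pre-boot password, the "Require additional authentication at startup" policy not forbidding the TPM) together with the auto-unlock dependency noted in this answer. It assumes a Windows 10/11 host with the built-in BitLocker module and an elevated prompt; the registry value names under the FVE policy key are the ones the GPO writes.

```powershell
# Added example (not from the thread). Assumes Windows 10/11 with the BitLocker
# module; run from an elevated PowerShell prompt. Returns a list of findings.
function Get-BitLockerAudit {
    $findings = @()

    # Without a ready TPM the OS drive can only use a password or startup-key
    # protector, which is exactly the pre-boot prompt discussed above.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
        $findings += "TPM not present/ready (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady))"
    }

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += "$($vol.MountPoint) is not protected (VolumeType=$($vol.VolumeType))"
            continue
        }
        if ($vol.VolumeType -eq 'OperatingSystem') {
            # Expect Tpm, TpmPin, TpmStartupKey or TpmPinStartupKey, not Password.
            if (-not ($types -match '^Tpm')) {
                $findings += "$($vol.MountPoint): OS drive has no TPM-based protector (found: $($types -join ', '))"
            }
            if ($types -notcontains 'RecoveryPassword') {
                $findings += "$($vol.MountPoint): no recovery password protector; create one and store it off-device"
            }
        } elseif ($vol.VolumeType -eq 'Data' -and -not $vol.AutoUnlockEnabled) {
            # Auto-unlock stores the data volume key on the (encrypted) OS volume.
            $findings += "$($vol.MountPoint): data drive not set to auto-unlock (Enable-BitLockerAutoUnlock -MountPoint $($vol.MountPoint))"
        }
    }

    # Registry form of "Require additional authentication at startup":
    # each value is 0 = do not allow, 1 = allow, 2 = require.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (Test-Path $fve) {
        $p = Get-ItemProperty -Path $fve
        if ($p.UseAdvancedStartup -eq 1) {
            foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
                if ($p.$name -eq 0) { $findings += "Policy ${name}=0 forbids that TPM protector type" }
            }
            if ($p.EnableBDEWithNoTPM -eq 1) {
                $findings += "Policy allows BitLocker without a TPM (password/startup key); only needed if no TPM exists"
            }
        }
    }
    return $findings
}

Get-BitLockerAudit | ForEach-Object { Write-Warning $_ }
```

An empty result means all volumes are protected, the OS drive relies on the TPM, the data drive auto-unlocks and no policy blocks the TPM protector; a `UseTPM=0` finding is the misconfiguration the comments above describe.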
Score:0

If you are going to go through the trouble of applying BitLocker to one drive, you might as well do all of them. In the long run it will save you, because even though you will be saving your data to the other drive, some programs (e.g. browsers) will often save sensitive data where they are installed, or even within folders on the main OS drive, without you knowing.

Given the security concern within the question, I would recommend simply using BitLocker on both drives and storing the recovery key on a separate device, on the rare chance you trigger BitLocker.

tasty_tortilla
Hey, thanks so much for your suggestion! I'll leave the OS drive encrypted then; I'm trying to understand, though, if it's possible to remove the BitLocker password on boot and replace it with 2FA, a PIN or simply the user account password. Any suggestion? I've been looking online, but it seems like there's no option like that (I'm on Windows 10 btw; I heard that Windows 11 manages BitLocker a bit differently).