Celeb Glow
updates | March 04, 2026

BIOS boot password for the computer upon startup vs. BitLocker PIN?

Consider the setup where a drive is encrypted with BitLocker.

I need to protect my already BitLocker-encrypted drive from Cold Boot/DMA attacks. My assumption is that I have 2 options:

  1. Create a boot password for the computer upon startup (configured in BIOS/UEFI)
  2. Create a PIN for BitLocker

Does that start-up password (configured in BIOS/UEFI) have the same level of security as BitLocker's PIN against Cold Boot/DMA?

1 Answer

(This answer is by no means complete, but should give you some things to think about.)

A startup password alone offers no data protection. I can unscrew the side panel, disconnect the drive and read all your files. All it does is stop me from booting that particular motherboard.

If the password is also used to encrypt the disk at the hardware/firmware level, that's slightly better if the BIOS implements it correctly. Some BIOSes offer just an illusion of security by always using the same hardcoded password for all disks (your password is used only to authorize decryption with the hardcoded password). This scheme is fundamentally flawed because everyone can decrypt the disk by knowing the fixed hardcoded password. Once you learn it, we're back to square one.

Finally, you have to trust that the hardware encryption is reliable. Historically this has been a problem in a number of disks, for example due to the use of predictable RNGs. You can't really test this yourself without access to expensive hardware and a significant time investment.

Solutions such as BitLocker and VeraCrypt offer reliable implementations of full disk encryption validated by experts. There's a slight performance impact and you may need to use additional means to ensure bootloader integrity, such as UEFI Secure Boot. BitLocker may also decide to use the drive's built-in encryption rather than encryption in software, again relying on the quality of the drive's encryption implementation. If you want to avoid it, you'll need to configure the appropriate group policy.

3
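
A check for the two BitLocker settings this thread turns on, added here as an example that is not part of the original question or answer: whether each volume has a PIN protector, and whether BitLocker handed encryption to the drive's built-in hardware. It assumes an elevated session with the BitLocker PowerShell module available; `Get-BitLockerPosture` is a hypothetical helper name.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
# Assumption: the BitLocker module (Get-BitLockerVolume) is present on this Windows edition.
# Get-BitLockerPosture is a hypothetical helper name chosen for this example.

function Get-BitLockerPosture {
    param(
        # Optional list of mount points, e.g. 'C:'. Default: every volume BitLocker knows about.
        [string[]]$MountPoint
    )

    $volumes = if ($MountPoint) { Get-BitLockerVolume -MountPoint $MountPoint }
               else             { Get-BitLockerVolume }

    foreach ($v in $volumes) {
        # Key protector types as strings (Tpm, TpmPin, RecoveryPassword, ...).
        # Where-Object { $_ } skips a null entry on volumes with no protectors.
        $types  = @($v.KeyProtector | Where-Object { $_ } |
                    ForEach-Object { "$($_.KeyProtectorType)" })
        $method = "$($v.EncryptionMethod)"

        # A PIN is only in play when a TPM+PIN style protector exists.
        $hasPin = [bool]($types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey' })

        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeType       = $v.VolumeType
            ProtectionStatus = $v.ProtectionStatus
            EncryptionMethod = $method
            # Assumption: volumes relying on the drive's built-in encryption report
            # an EncryptionMethod that starts with 'Hardware'.
            DriveHardwareEncryption = ($method -like 'Hardware*')
            HasTpmPin        = $hasPin
            # TPM-only means the key is released at boot without any user input.
            TpmOnlyUnlock    = (($types -contains 'Tpm') -and -not $hasPin)
            KeyProtectors    = ($types -join ', ')
        }
    }
}

Get-BitLockerPosture | Format-Table -AutoSize
```

A row with `DriveHardwareEncryption` set to True is the case the answer's last paragraph describes, where the group policy for hardware-based encryption decides whether BitLocker uses the drive's implementation or software encryption.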
