Tag Archives: encryption

Bitlocker: How to require Startup PIN

A lot of people use Bitlocker for full-disk encryption of their hard drives. For extra security you might want to be prompted for a PIN when you unlock your hard drive, because allowing attackers to boot your system without authentication might open up extra attack vectors. Setting a PIN can be easily accomplished if you know how… :-)

The below instructions are exact for Windows 10, but they are very similar in Windows 7, too.

Launch the Local Group Policy Editor by typing gpedit.msc into your Windows search, then, once it has been found, right-click on it and select Run as administrator from the pop-up menu. Then maneuver to the following path in the left “folder” pane:

Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Bitlocker Drive Encryption > Operating System Drives.

This is what it looks like if you did it correctly:

Then double-click on the setting Require additional authentication at startup, and you see the following dialog:

Now change the option Configure TPM startup PIN to read:

Require startup PIN with TPM

Then reboot. Now you can right-click on your system drive and select Set Bitlocker PIN or Change Bitlocker PIN (I forgot to take a screenshot of this last step, so I’m not 100% sure how exactly this looked, but it should be obvious) from the pop-up menu.

You’re done. Wasn’t that easy?
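As an added check that is not part of the original post: the Group Policy setting only declares that a PIN is required; the drive is actually protected by a PIN once a TpmPin key protector exists. This PowerShell script (run elevated on Windows 10) reads the policy values the ADMX writes under HKLM\SOFTWARE\Policies\Microsoft\FVE and then lists the protectors on the OS drive. The value names UseAdvancedStartup and UseTPMPIN are assumed to be the ones the policy writes.

```powershell
# Added example, not code from the original post.
# Verify that the "Require startup PIN with TPM" policy took effect and that
# the OS drive really carries a TPM+PIN protector. Run from elevated PowerShell.
# Assumption: the policy is stored as UseAdvancedStartup / UseTPMPIN under this key.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue

# UseTPMPIN (as written by the ADMX): 0 = do not allow, 1 = require, 2 = allow
if (-not $policy -or $policy.UseAdvancedStartup -ne 1) {
    Write-Warning 'Policy "Require additional authentication at startup" is not enabled.'
} elseif ($policy.UseTPMPIN -ne 1) {
    Write-Warning "Startup PIN is not required (UseTPMPIN = $($policy.UseTPMPIN))."
} else {
    Write-Output 'Policy: startup PIN with TPM is required.'
}

# Now check which protectors the OS drive actually has. The policy alone does
# not create a PIN protector; the "Set Bitlocker PIN" step above does that.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = $os.KeyProtector | ForEach-Object { $_.KeyProtectorType }
Write-Output "Protection status: $($os.ProtectionStatus); protectors: $($types -join ', ')"

if ($types -notcontains 'TpmPin') {
    Write-Warning 'No TpmPin protector present; the PIN is not being enforced yet.'
    Write-Warning 'Set it via the right-click menu or with Add-BitLockerKeyProtector -TpmAndPinProtector.'
}
if ($types -notcontains 'RecoveryPassword') {
    Write-Warning 'No recovery password protector: back one up before relying on the PIN.'
}
```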

Please leave a message if this was helpful.

Attention changing BIOS Settings with Bitlocker

The Problem

If your laptop has been set up to use Bitlocker, by your company or yourself, you should be very cautious when playing with your BIOS settings.

Bitlocker considers BIOS setting changes a potential security breach, as somebody could e.g. change the boot order to boot from external media and try to fiddle with the boot mechanism set up on your hard drive or SSD. This is why, when you change something in the BIOS or just boot from an external drive, such as a thumb stick, Bitlocker will prompt you for your recovery code.

The Solution

To prevent this, you just have to temporarily disable the so-called “protectors” for your boot drive. Only then should you change BIOS settings or boot from a drive other than your normal boot drive.

You do so using the manage-bde tool which is part of Windows:

manage-bde -protectors -disable <Drive>

Don’t forget to re-enable the protector after you’re done:

manage-bde -protectors -enable <Drive>
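The same suspend/resume cycle as an added PowerShell example (not from the original post), using the BitLocker cmdlets instead of manage-bde. It adds the two checks a cautious admin wants: it refuses to suspend unless a recovery password protector exists, and it suspends for exactly one reboot so protection re-arms by itself even if the re-enable step is forgotten. It assumes an elevated prompt and that $env:SystemDrive is the Bitlocker boot drive.

```powershell
# Added example, not code from the original post. Run from elevated PowerShell.
$drive = $env:SystemDrive

# Before touching firmware settings, make sure a recovery password exists and
# you know where it is backed up: a mistake here still ends in recovery mode.
$vol = Get-BitLockerVolume -MountPoint $drive
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    throw "No RecoveryPassword protector on $drive; add one before changing BIOS settings."
}
Write-Output "Recovery protector ID(s): $($recovery.KeyProtectorId -join ', ')"

# Suspend the protectors (equivalent to 'manage-bde -protectors -disable C:').
# -RebootCount 1 resumes BitLocker automatically after the next boot, so a
# forgotten 'enable' does not leave the drive unprotected indefinitely.
Suspend-BitLocker -MountPoint $drive -RebootCount 1 | Out-Null
$state = (Get-BitLockerVolume -MountPoint $drive).ProtectionStatus
Write-Output "Protection status after suspend: $state"

# ... now change the BIOS settings or boot from the external drive, then come back ...

# Resume explicitly (equivalent to 'manage-bde -protectors -enable C:') and
# verify instead of assuming: the drive must report protection 'On' again.
Resume-BitLocker -MountPoint $drive | Out-Null
$state = (Get-BitLockerVolume -MountPoint $drive).ProtectionStatus
if ($state -ne 'On') {
    throw "BitLocker protection is still '$state' on $drive; do not leave it this way."
}
Write-Output "Protection status after resume: $state"
```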

If this helped, I’d appreciate a comment from you here on my blog.

Snow Leopard’s “Disk Utility” can’t create encrypted image

Two months or so ago I ordered the Snow Leopard DVD for my Macbook Pro. Finally I had the time to perform the upgrade from Leopard. Before actually doing so, I tried to create a disk image of my current Leopard installation. So I booted the Snow Leopard DVD and ran “Disk Utility” from it. Because the target of that disk image was an external hard drive shared by my team, I wanted to create an encrypted image.

Regardless of whether I selected “128-Bit AES” or “256-Bit AES” as an encryption method, I immediately received the following error message on screen:

Unable to create "Macintosh HD.dmg" (Cannot allocate memory)

What is this trying to tell me? No space on the hard drive? Impossible, since the external hard drive is an empty 2 TB drive. Moreover, “memory” usually refers to “main memory”, or “RAM.” So is Disk Utility actually trying to read the whole 200 GB hard drive into RAM, then encrypting it, and then creating the disk image from it?! I can’t believe that anyone would be so stupid as to design a disk imaging program like this…

I finally changed the image format to “Compressed”, and presto, it worked!

Anyway, why, oh why is it so hard to generate “user friendly” error messages? And why does this happen under Mac OS X of all operating systems, supposedly being the “user friendliest” OS in the universe?

This is not the first time I’ve received such useless error messages in OS X. Hey Apple, care to finally do your homework???

TrueCrypt for Mac

I was very happy to see that there’s TrueCrypt for the Mac, a disk encryption tool I really like and have used for a long time on my Windoze PC.

Quickly I installed it. The installation went smoothly, and a quick test was successful. However, when I played some more with it, I found a strange oddity which I couldn’t clarify myself. I doubt that it’s because I’m a new Mac user, but I rather think it’s a quirk in TrueCrypt. Let’s see whether anyone can reproduce the issue, and whether it will be fixed (shortly). :)

Anyway, this is a tool that you should definitely use when you have confidential data on your laptop.

GPG with IDEA on the Mac

One of the first things I did when I got my new Mac was install Mozilla Thunderbird, the invaluable EnigMail extension, which is a very easy-to-use frontend to GNU Privacy Guard (GPG), and of course GPG itself.

All went very smoothly, and to check whether the installation was fine I tried to open an encrypted message which I had received some days ago. Unfortunately GPG couldn’t decrypt the message. A quick look at EnigMail’s console window told me that the message was encrypted using IDEA, and that the version of GPG I had installed was lacking support for that encryption algorithm.
