[BitLocker:] One USB key for more than one computer

Discussion in 'Windows Vista Security' started by Thomas D., Feb 3, 2007.

  1. Thomas D.

    Thomas D. Guest

    Hello,

    Let's assume I have more than one computer using Windows Vista and
    BitLocker. Because my computers don't have TPM 1.2 or better devices, or I
    would like to use TPM+PIN+USB-key, I need a USB key.

    Do I need to use as many USB keys as computers I have, or can I store as
    many BitLocker keys as I want on that single USB key?

    Thanks...
     
    Thomas D., Feb 3, 2007
    #1

  2. Hello Thomas D.,

    First, a TPM Module is -not- absolutely necessary.

    Second, you must have one TPM+PIN+USB-key for each HDD that has BitLocker
    activated. (That statement is greatly condensed!)

    Respectfully expressed, it seems too apparent that if you read 1st) Vista's
    "Help and Support" files, including 2nd) Vista's new "Start Search" field
    (immediately above Vista's "Start Button"; just type your request), and also
    Microsoft's online Search, and (tied for 1st) explore Vista's "Welcome
    Center", very easily you will learn more than you ever could imagine!

    Vista presents a new learning curve for (not young first-time computer
    users) only experienced computer users.

    Happy Learning to You,
     
    Jonathan Schwartz 2, Feb 4, 2007
    #2

  3. Thomas D.

    Thomas D. Guest

    Thanks for your reply!

    Did I understand you correctly, that I need one USB memory device to store
    each BitLocker USB key for each computer (if I own 3 computers using
    BitLocker, I need 3 USB memory devices)?

    Regards
     
    Thomas D., Feb 4, 2007
    #3
  4. Paul Adare

    Paul Adare Guest

    in the microsoft.public.windows.vista.security news group, Jonathan
    Schwartz 2 <JonathanSchwartz2@discussions.microsoft.com> says...
    This is wrong. In the first place, you can't currently use both
    a TPM with a PIN and store the encryption key on a USB disk. The
    TPM+PIN+USB feature is being looked at for Vista SP1. Secondly,
    if you're using a USB device to store the key, then you do not
    need a separate USB device for each key. You can store multiple
    keys on a single USB device.

    <snip>


    --
    Paul Adare
    MVP - Windows - Virtual Machine
    http://www.identit.ca
    "The English language, complete with irony, satire, and sarcasm,
    has survived for centuries without smileys. Only the new crop of
    modern computer geeks finds it impossible to detect a joke that
    is not clearly labeled as such."
    Ray Shea
     
    Paul Adare, Feb 4, 2007
    #4
  5. Paul Adare

    Paul Adare Guest

    in the microsoft.public.windows.vista.security news group, =?
    No, this is not true. The person who replied to your post is
    wrong and while he keeps switching his posting ID, he
    consistently posts incorrect information to this news group.
    In your case you can certainly use a single USB device.

    --
    Paul Adare
    MVP - Windows - Virtual Machine
    http://www.identit.ca
     
    Paul Adare, Feb 4, 2007
    #5
  6. Thomas D.

    Thomas D. Guest

    Thank you Paul! That answered my question.
     
    Thomas D., Feb 4, 2007
    #6

  7. Please tell me they're also working on "PIN+USB" for those of us without a
    TPM in our existing laptops.

    I'm _so_ not going to tell my corporate masters that they need to replace
    several hundred laptops over the coming year before we implement Vista, not
    because they can't run Vista, but because Vista's implementation of
    BitLocker doesn't let them use a PIN without a TPM.

    Alun.
    ~~~~
     
    Alun Jones [MS-MVP - Windows Security], Feb 11, 2007
    #7
  8. Rock

    Rock Guest

    Yes, BitLocker works with a PIN and USB. You don't need a TPM, but the BIOS
    has to support recognizing the USB flash drive as it boots. Set it up using
    method 3 in this link.

    http://technet.microsoft.com/en-us/windowsvista/aa905089.aspx
     
    Rock, Feb 11, 2007
    #8
  9. Paul Adare

    Paul Adare Guest

    microsoft.public.windows.vista.security news group, Rock
    Sorry, but that isn't what Alun was asking for and doesn't
    provide you with a PIN. All that does is to store the encryption
    key on the USB device, no PIN involved.

    --
    Paul Adare
    MVP - Windows - Virtual Machine
    http://www.identit.ca
     
    Paul Adare, Feb 11, 2007
    #9
  10. Rock

    Rock Guest

    Ah, sorry about that, I misinterpreted.
     
    Rock, Feb 11, 2007
    #10
  11. USB+PIN (without a TPM) is not secure. I've posted about this somewhere
    before, but basically, without the anti-hammering ability of a TPM, a PIN can
    trivially (within a few days) be cracked by brute force, negating any benefit
    of having it.

    I considered it, then Niels (the cryptographer) gave me a reality check :)
    -
    Jamie Hunter [MS]
     
    Jamie Hunter [MS], Feb 13, 2007
    #11
  12. niknik

    niknik Guest

    USB+PIN (without a TPM)
    check

    Yes Niels really knows his stuff.

    I'm convinced very soon we'll see 3rd party vendors providing
    smartcards + pin that integrate with bitlocker.
     
    niknik, Feb 13, 2007
    #12
  13. Alun Jones

    Alun Jones Guest

    Pass this by Niels:

    Many corporate laptops do not have a TPM chip, but need to be protected
    against theft.

    USB alone is somewhat secure, as long as you can persuade the users to
    remove the USB keys. If the USB key is left with the laptop, and the pair is
    stolen, there is no barrier to entry. A USB key can be trivially "cracked"
    by brute force: simply plug it in when you boot.

    USB plus a PIN is a higher barrier to entry than USB alone, and may be a
    sufficiently high barrier to cause the thief to simply wipe the drive,
    rather than try to whack his way through a PIN.

    Replacing a company's entire fleet of laptops is unlikely to happen
    immediately - wouldn't it be nice if your data on those laptops was
    protected, even if only against the guy who doesn't have several days to
    hack into it, until the spanking new laptops get deployed?

    Sometimes it's difficult to remind cryptographers that "better than I have
    right now" is often worth achieving, for people who find "best possible" to
    be unobtainable.

    Alun.
    ~~~~
     
    Alun Jones, Feb 16, 2007
    #13
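A rough cost model for the brute-force argument in #11 and the "several days" point in #13, added here as an illustration and not code from any of the posters or from Microsoft. The guess rate, the number of free attempts and the lockout delay are assumed parameters for the sake of the comparison, not BitLocker's or any TPM's actual values:

```python
"""Expected brute-force time for a numeric PIN, with and without TPM-style
anti-hammering. Illustration added for this thread; all rates and lockout
parameters below are assumptions, not measured or documented values."""


def pin_keyspace(digits: int) -> int:
    """Number of possible PINs of the given length (decimal digits only)."""
    return 10 ** digits


def unthrottled_seconds(digits: int, guesses_per_second: float) -> float:
    """Expected time when nothing throttles guessing.

    This is the USB+PIN-without-TPM case from the thread: the PIN only feeds
    a key-derivation step the attacker can repeat at will on a stolen laptop,
    so the rate is bounded by their hardware (and more machines only make it
    faster). On average half the keyspace must be searched.
    """
    return pin_keyspace(digits) / 2 / guesses_per_second


def throttled_seconds(digits: int, free_attempts: int,
                      lockout_seconds: float) -> float:
    """Expected time when every guess must go through a TPM that enforces
    anti-hammering: after `free_attempts` failures each further attempt costs
    an extra `lockout_seconds`. Fixed-delay model; real TPMs escalate the
    delay, which only makes the attack slower than shown here."""
    expected_guesses = pin_keyspace(digits) / 2
    throttled = max(0, expected_guesses - free_attempts)
    return throttled * lockout_seconds


def days(seconds: float) -> float:
    """Convert seconds to days for readable output."""
    return seconds / 86400


if __name__ == "__main__":
    # Assumed attacker rate of 100 guesses/s (a slow key-derivation step) and
    # an assumed TPM policy of 5 free tries, then a 10-minute delay per try.
    for digits in (4, 6, 8):
        fast = unthrottled_seconds(digits, guesses_per_second=100)
        slow = throttled_seconds(digits, free_attempts=5, lockout_seconds=600)
        print(f"{digits}-digit PIN: no TPM ~{days(fast):.2f} days, "
              f"TPM-throttled ~{days(slow):.0f} days")
```

With these assumed numbers an 8-digit PIN falls in under a week without a TPM but takes centuries behind a 10-minute lockout, which is the gap Jamie's post describes; Alun's point is that the left-hand column is still far longer than the zero seconds a USB key alone offers when it is left plugged in.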