[BitLocker:] One USB key for more than one computer

Hello,

let's assume I have got more than one computer using Windows Vista and
BitLocker. Because my computer don't have TPM 1.2 or better devices or I
would like to use TPM+PIN+USB-key I need an USB key.

Do I need to use as many USB keys as computer I have or can I store as many
BitLocker keys as I want on that single USB key?

Thanks...

 

Hello Thomas D.,

First, a TPM Module is -not- absolutely necessary.

Second, must have one TPM+PIN+USB-key for each HDD that has BitLocker
Activated. <(that statement is greatly condensed!)

Respectfully expressed, it seems too apparent that if you read 1st) Vista's
"Help and Support" Files, including, 2nd) Vista's new "Start Search"
(immediately above Vista's "Start Button") Field (just type your request)
also, Microsoft's online Search, and (tied for 1st) explore Vista's "Welcome
Center" and very easily you will learn more that ever could you imagine !

Vista presents a new learning curve for (not young first time computer
users) only experienced computer users.

Happy Learning to You,

 

Thanks for your reply!

Did I understand you correctly, that I need one USB memory device to store
each BitLocker USB key for each computer (If I own 3 computer using
BitLocker, I need 3 USB memory devices)?

Regards

 

in the microsoft.public.windows.vista.security news group, =?
Utf-8?B?Sm9uYXRoYW4gU2Nod2FydHogMg==?= <JonathanSchwartz2
@discussions.microsoft.com> says...

This is wrong. In the first place, you can't currently use both
a TPM with a PIN and store the encryption key on a USB disk. The
TPM+PIN+USB feature is being looked at for Vista SP1. Secondly,
if you're using a USB device to store the key, then you do not
need a separate USB device for each key. You can store multiple
keys on a single USB device.

<snip>


--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca
"The English language, complete with irony, satire, and sarcasm,
has survived for centuries without smileys. Only the new crop of
modern computer geeks finds it impossible to detect a joke that
is not clearly labeled as such."
Ray Shea

 

in the microsoft.public.windows.vista.security news group, =?

No, this is not true. The person who replied to your post is
wrong and while he keeps switching his posting ID, he
consistently posts incorrect information to this news group.
In your case you can certainly use a single USB device.

--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca
"The English language, complete with irony, satire, and sarcasm,
has survived for centuries without smileys. Only the new crop of
modern computer geeks finds it impossible to detect a joke that
is not clearly labeled as such."
Ray Shea

 

Thank you Paul! That answered my question.

 

Please tell me they're also working on "PIN+USB" for those of us without a
TPM in our existing laptops.

I'm _so_ not going to tell my corporate masters that they need to replace
several hundred laptops over the coming year before we implement Vista, not
because they can't run Vista, but because Vista's implementation of
BitLocker doesn't let them use a PIN without a TPM.

Alun.
~~~~

 

Yes bitlocker works with a PIN and USB. You don't need TPM, but the BIOS
has to support recognizing the USB flash drive as it boots. Set it up using
method 3 in this link.

http://technet.microsoft.com/en-us/windowsvista/aa905089.aspx

 

microsoft.public.windows.vista.security news group, Rock

Sorry, but that isn't what Alun was asking for and doesn't
provide you with a PIN. All that does is to store the encryption
key on the USB device, no PIN involved.

--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca
"The English language, complete with irony, satire, and sarcasm,
has survived for centuries without smileys. Only the new crop of
modern computer geeks finds it impossible to detect a joke that
is not clearly labeled as such."
Ray Shea

 

Ah, sorry about that, I misinterpreted.

 

USB+PIN (without a TPM) is not secure. I've posted about this somewhere
before, but basically without the anti-hammering ability of a TPM, a PIN can
trivially (within a few days) be cracked brute-force negating any benefit of
having it.

I considered it, then Niels (the cryptographer) gave me a reality check
-
Jamie Hunter [MS]

 

USB+PIN (without a TPM)

check

Yes Niels really knows his stuff.

I'm convinced very soon we'll see 3rd party vendors providing
smartcards + pin that integrate with bitlocker.

 

Pass this by Niels:

Many corporate laptops do not have a TPM chip, but need to be protected
against theft.

USB alone is somewhat secure, as long as you can persuade the users to
remove the USB keys. If the USB key is left with the laptop, and the pair is
stolen, there is no barrier to entry. A USB key can be trivially cracked
brute force by simply plugging it in when you boot.

USB plus a PIN is a higher barrier to entry than USB alone, and may be a
sufficiently high barrier to cause the thief to simply wipe the drive,
rather than try to whack his way through a PIN.

Replacing a company's entire fleet of laptops is unlikely to happen
immediately - wouldn't it be nice if your data on those laptops was
protected, even if only against the guy who doesn't have several days to
hack into it, until the spanking new laptops get deployed?

Sometimes it's difficult to remind cryptographers that "better than I have
right now" is often worth achieving, for people who find "best possible" to
be unobtainable.

Alun.
~~~~