Laptop Encryption Questions

04-17-2019 , 05:58 PM
Hey all. I have questions and I know I have my old thread to post questions in this subforum, but I'd rather post it here as I'm sure most ppl would probably want insight into this. If that's an issue, you can move it to my thread, but then most people wouldn't be able to see it.

First off, I have a Windows 10 Pro laptop. It's a Dell XPS 15 9550 if that matters. I had other laptops previously. I play online poker on this laptop and keep some crypto on it as well... reason being my hardware wallet doesn't support certain coins, so for other coins I download wallets on this computer to store them there. I also use a program called KeePass to store my passwords and it works great.

My main concern with laptop encryption is theft. But it's not only theft. If someone steals my laptop, that sucks, but as long as they can't view my hard drive, that to me is not that bad. But my bigger issue would be someone getting my laptop, turning it on... and then installing malware/trojan/keylogger and then leaving my computer as is... then I go and use it and everything I type is visible to the hacker. Thus if I enter my KeePass password, well, they could basically view all my passwords for everything, correct? Thus they could view any file I use? Besides KeePass, I use AxCrypt to encrypt my documents and files. Thus every time I want to view certain files, I need to put my password into AxCrypt to unlock them so I can view my files. So these are basically the only 2 forms of security I have on my laptop.

I read about laptop encryption and was told to use either BitLocker, since it's already included in Windows 10 Pro... or use VeraCrypt. I got a few different options from ppl and I went with BitLocker because most ppl said go with that one since it's already built in... no need to download it. I had someone on a forum help me with this. But I have questions on this because after I followed his process... I thought my computer was secure. But I got different answers from him and others on this and would like your opinion.

I followed steps online to enable BitLocker. When I did this, it asked me for a PIN number. I wanted a password but it asked me for a PIN. The person who helped me told me to cancel this process and go with TPM unlock. He said most ppl do it this way. I did it this way and thought... how is this secure because there is no password to log in? He says it's safe because when I start up the computer, it asks for your Windows 10 password. I said... I don't have one, and said it's because I read that it is useless and can be bypassed easily online. So because of that, he said make sure you set that up. So I did.

My setup as of now is: turn on laptop... it goes straight to the Windows 10 password screen. I enter it and have access to my desktop. Now this is where I get a lot of conflicting answers. I was told by him that because I did not secure the BIOS with a password and disable USB boot... my computer is not secure at all. I told him I never touched the BIOS on this computer before. He said without it, a thief/hacker could just turn on your laptop, take out your hard drive... put it in another computer and start it up because the BIOS is not secured and boot is not disabled. Is he correct on this or not? I then spoke to someone on a forum who claims to be an IT guy. He told me the guy who helped me through the BitLocker process is a moron, that I set up BitLocker with TPM unlock. He said I should have a BitLocker PIN or password. I told him that's what I thought, because how is that safe? He said my Win10 password can be reset easily. The guy who helped me says because my hard drive is encrypted, it's safe from that. However, my computer is not secure because I didn't secure the BIOS with a password and boot. He says if I did that, then someone taking my laptop and hard drive out can't just put it in another computer and boot it up from there. So is he correct or wrong?

Do most of you secure the BIOS with a password? What about disabling USB boot? Is this necessary?
Laptop Encryption Questions Quote
04-17-2019 , 06:05 PM
Now this gets even more confusing. Another guy commented on this and tells me:

Wrong - you do not need a BIOS password for your computer to be protected.

I use TPM to unlock BitLocker and a PIN or fingerprint (in place of Password) to unlock Windows. This is not a BIOS PIN - see here: Add PIN to your Account in Windows 10 | Tutorials

This is what MS recommend - see: BitLocker Security FAQ (Windows 10) | Microsoft Docs

So this guy seems to imply he has the same sort of setup as me... which is start up laptop, computer turns on and it asks for the Windows 10 PIN as opposed to a password. He said the PIN is more secure than the password. Anyone know if this is true? He mentioned this is the Windows 10 PIN... not the BitLocker PIN.

He did also say:

No-one can access your disk without either your BitLocker recovery key or without using your Windows logon credentials. When the system drive is encrypted with BitLocker you can't reset the Windows password or PIN from boot media, so your only risk is leaving it unlocked, which applies to any encryption. As such, locking your BIOS to stop people changing boot order and booting from USB is pointless as it doesn't help.

If you want extra security then you can use any or all of a BIOS password, a hard disk password (if your BIOS supports it), a BitLocker startup password or setting BitLocker to require a USB key or smartcard to be present when booting.

This is like the complete opposite of what the other two guys said to me about needing both the BIOS secured with a password and BitLocker encryption on. So who is correct here?

He did say you could get more security with a BIOS password and BitLocker password, but he seems to say it's not required?

The IT guy suggested I use VeraCrypt instead. It was basically that or BitLocker, but more ppl on the forum suggested BitLocker since it's easy to install because it's already there, so I went with that instead.

But with my setup now, what should I do? Should I change my Win10 password to a PIN instead? Should I change the TPM unlock to a PIN or password? Should I definitely secure the BIOS and disable boot? The thing that confuses me is all of them have conflicting answers to this. The last guy basically implied my computer is secure already with the TPM unlock and the Win10 password, though I probably should change it to a Win10 PIN instead. That would be a pretty simple thing to do in settings.

Anyone who knows about encryption can tell me who is correct/wrong here?
04-17-2019 , 06:16 PM
Should I go with VeraCrypt instead? Or stick with BitLocker? The other thing that I get 3 different answers on is this. The guy who helped me out said any encryption, whether BitLocker or VeraCrypt, will have a tiny effect on your laptop battery. He said on his old laptop he noticed this but not on his current laptop. He said anyone who doesn't think encryption affects battery at all is foolish.

The IT guy said that guy doesn't have a clue what he's talking about. Encryption does not affect battery life at all.

The last guy who commented, who said you do not need a BIOS password to be protected... tells me he read that software-based encryption like VeraCrypt affects battery life. But hardware-based like BitLocker does not...

Who is right here? It's like I'm getting 3 different answers from 3 different people. But my main concern is the laptop encryption though. 2 guys say my current setup is not secure, the last guy seems to imply it already is.
04-17-2019 , 08:52 PM
First, it sounds like TPM is for generating and storing encryption keys, not for encryption. So when you are using any system-wide encryption you are going to be doing more work than when you aren't using it, which means more battery usage.

I'm not sure I see the connection between a secure BIOS and someone being able to take the hard disk out of your laptop. My understanding is that the BIOS lives on the motherboard and controls basic I/O stuff (hence the name), such as boot order and how big a sector is or things like that.

PIN vs Password: https://docs.microsoft.com/en-us/win...-than-password
Basically, a PIN is only for the laptop, not your account. PINs aren't transmitted over a network and the laptop can be set up to lock itself after a certain number of failed attempts, which can prevent brute-forcing the PIN.

BitLocker vs VeraCrypt probably depends on your level of paranoia. Being built into Windows means there is a better than even chance MS has a way to decrypt the data, which means it could be compromised by a hacker. Why a hacker that sophisticated would be interested in your $3.50 is another question. On the other hand, BitLocker being built into the OS implies an ease of use and level of support and security that may give it the edge. Lots and lots of people rely on MS, so MS is going to make damn sure BL stays secure.

Seems to me if the disk is encrypted at rest and you have secure passwords in place you are in pretty good shape. You may want to invest in a small Linux laptop for even more security to store your bit wallet; check out: https://www.makeuseof.com/tag/linux-...re-distros-si/
04-18-2019 , 11:42 PM
Hi there. Well, I just know it gives you a few options... which are TPM unlock, or TPM with PIN, or no TPM and just a password.

Well, two people mentioned you need both the BIOS secured with a password and BIOS boot disabled in order to prevent a thief from doing something to your computer, such as taking the hard drive out and putting it in their computer or sticking a malware/keylogger USB into it. But one person said the BIOS has nothing to do with it. So do you need to secure the BIOS with a password or not? Do you need to disable USB boot? Those people told me if you don't, well, someone can access your BIOS easily if you don't have a password on it. If you put a password on it, they can't get into your BIOS.

Well, I mean if someone gets your laptop, they find out by turning it on... hey, this guy has crypto wallets here. So this person most likely has crypto on their computer. So imagine they put a virus or keylogger or malware on it... then leave the computer as is. Then the moment you use it... well, every piece of information you type in, whether it's KeePass or anything such as email or open crypto wallets, will be available to them.

Well, most people, when they get the laptop, would just sell it. But they obviously turn it on. So imagine you find out this person has tons of crypto wallets. Well, if you were to return that laptop to that person as is... which would be too late already since that would be way too suspicious, imagine that person turns on that laptop at the owner's place when they are not there, puts a malware USB in it... turns off the computer... I read this could take only 1 minute, especially if that computer owner has no encryption on their laptop. Then that person wouldn't have a clue it was accessed. I mean if you have no password on it, whether encryption or even a Windows password, someone can get to your desktop really quick. A Windows password might take them a few minutes or so. But they still can get there. So I want to know whether BitLocker or VeraCrypt is the best for this.

Well, I do everything on this laptop, such as play poker and store crypto wallets on it. If I get a Linux, I cannot do any of this because you cannot play poker on it.

I want to know, is my setup as of now secure or not? I have no BIOS password and no disabled BIOS boot. I have TPM unlock with BitLocker, which goes straight to my Windows 10 password screen. Thus I do not have a PIN or password with BitLocker to boot up.
Am I secure or not? Do I need to disable BitLocker... turn on the BIOS password and disable USB boot, then turn BitLocker back on and now I'm secure? Or do I have to also add a BitLocker PIN or password?
04-19-2019 , 05:23 AM
You need to appreciate that there are different ways to skin a cat. People having different opinions doesn't necessarily make any of them wrong (although they often will be).

I'm going to say no, you are not secure. From what I know of your posts from the last few years I'm going to guess that your Windows password is nowhere near strong enough to also be the gateway to your disk encryption.

Given how worried you are about all of this, I would suggest you either enable BitLocker with its own separate password (the convenience of using your Windows credentials is clearly unsettling you) or use VeraCrypt for full disk encryption, again with its own password. In either case make sure the password is strong. That does not mean 8 characters with one upper case and one number. It means a much longer string of characters. If you don't already know about passphrases, look that up as a starting point.
04-19-2019 , 01:29 PM
Hi there. Well, let's say my Windows 10 password is pretty strong. If that is strong, is my computer safe or not?

Is it secure against:

1. A thief who takes my laptop and tries to view the files? Can they view them, basically?

2. A hacker who takes my laptop and tries to view my files? Same as above, but obviously they are smarter.

3. A hacker who takes my laptop and tries to put a USB stick with malware/keylogger/virus into my laptop for a few seconds... takes it out and then leaves my computer as is, and then I use it later on not knowing it's compromised? Can they do this if I only encrypted my hard drive with BitLocker TPM unlock with no BitLocker PIN or password... and also no BIOS security?

4. A hacker who takes my laptop and takes out the hard drive and puts my hard drive in another laptop to read it?

5. A hacker who takes my laptop and takes out the hard drive and puts my hard drive in another laptop to read it, but also puts malware/keylogger/virus on it?

When I first tried installing BitLocker, I followed the steps to put a password on it. It did not give me this option. I followed the steps exactly on the guide for BitLocker. It asked me to put in a PIN. I did not want this because, first off... it was 6-20 numbers and well... I thought couldn't someone just keep entering numbers and get it via trial and error? But they cannot because after x amount of times, it gets locked, right? I did think about that but didn't want a PIN. Someone on another forum suggested I do it via TPM unlock. I thought how is that safe since it goes straight to your computer? But he said as long as you have a Windows 10 password you are safe. So I thought okay, great. But then after that, I asked him a question about the BIOS relating to something else... not security. He said make sure your BIOS is secure, and that's when I was confused, and he told me you need the BIOS secured with a password and boot disabled along with BitLocker encryption for it to be secure. So is he correct on this or not?

A guy who claims to be an IT guy on the forums told me... my setup is useless because I don't even have a BitLocker PIN or password. He said just by that it's not secure. I said well, someone still has to know my Windows 10 password. He said that can get bypassed easily. I then said but my hard drive is encrypted with BitLocker. He said that does not matter. Is that true or not? If that was true, then why would BitLocker offer you TPM unlock then? That is like the first option as well. I would do the password but I didn't get that option... only PIN.

Well, I wanted to do VeraCrypt, but ppl on the forum told me since you have Windows 10 Pro, go with that since you don't even need to download it... it's already there... you enable it. More ppl use BitLocker on that forum and so because of that, I went with it. But you say either is fine? Is one preferred over the other? The IT guy told me I should have gone with VeraCrypt. But I didn't because most ppl before I did this said go with BitLocker and they all said the process to enable and install it is very easy... which is why I went with it.

Last edited by PaulyJames200x; 04-19-2019 at 01:41 PM.
04-19-2019 , 03:27 PM
If you're using BitLocker, I'd suggest using both TPM and Bitlocker PIN protectors. Windows sign-in PIN (Windows Hello PIN) is separate from BitLocker PIN.

TPM protector protects against the drive being accessed while not connected to the computer it was set up on (aka someone takes your drive and tries to access files).

BitLocker PIN protects against someone with access to the entire device accessing your files without it (aka someone steals your entire laptop). You have to enter this PIN during boot to unlock the drive and allow the computer to boot Windows.

Make sure that you have your BitLocker recovery key backed up and stored in more than one location, but also secure from access. Printing a copy and storing it in a safe deposit box at the bank is a valid option. If your drive is in recovery mode and you don't have your recovery key, the data is inaccessible and functionally lost to you.

Also make sure to encrypt your backup drive. If you have an external drive that you use for backups, someone trying to access your data with physical access to the hardware is likely to grab that too.
04-19-2019 , 04:20 PM
Hi there.

So you say avoid the Windows 10 password? Is it because the Windows 10 PIN is safer? Would you recommend both? One person said you could use your current Windows 10 password but add the Windows PIN as well... so you have 2 options to log in. Do you agree with this, or just get rid of the Windows 10 password and keep the PIN?

What do you mean use both TPM with BitLocker PIN protectors? The options are TPM unlock, TPM with PIN... and no TPM, so password. So you mean the 2nd option of TPM with PIN? Why not no TPM and password only?

Well, if someone has my hard drive... well, most likely they have my laptop. So you are saying if I do not have a BitLocker PIN... someone who has access to my laptop, such as by stealing it or accessing it while I do not know... they can check my hard drive by bypassing my Windows 10 password? But my hard drive is encrypted... so that doesn't protect it? One person on another forum did say I'm protected as of now with the Windows 10 password because my hard drive is encrypted. Two others say it's not, because I did not secure the BIOS password and disable USB boot.

I have the BitLocker recovery key backed up.

When you say encrypt your backup drive, well, that is usually my external hard drive, correct? Yes, they would most likely take that hard drive as well.

So as of now, my current setup is not safe? Thus the current setup is TPM unlock and Windows 10 password.

Also you mention nothing about the BIOS at all. So securing the BIOS with a password and disabling boot is not necessary at all? Two of the people on another forum told me if I don't have the BIOS password secured and boot disabled, having BitLocker encryption, even with a BitLocker PIN and the Windows 10 password or PIN, is useless. So are they right or wrong here? I got several opinions from there and everything was different opinions. When I thought this should be a simple yes or no answer...
04-20-2019 , 03:02 PM
Hey Pauly,

Drop any consideration of Windows 10 sign-in password vs. PIN. They are not related to the drive encryption concerns. Even if you set up PIN sign in for Windows, you can still use your password to sign in instead.

All computer security is a balance of security vs convenience. TPM-only BitLocker makes your data more secure than it was before, but less secure than TPM+PIN. Inputting a 6+ digit PIN during bootup is a pretty minor inconvenience for the additional security it provides.

Think through the logical process of what your computer needs to access in order to boot Windows.

The system can't access an encrypted volume that hasn't been unlocked yet. The UEFI bootloader lives on a separate, hidden (no drive letter, visible in disk tools) partition on the system drive. This partition doesn't get encrypted, but also doesn't store your personal data.

Your system starts up, reads the boot config from the firmware/BIOS, then attempts to read the UEFI partition on the system drive. This fires the Windows bootloader. If you're set to TPM unlock, the system reaches out to the TPM requesting the cert to unlock. If this is present, the drive unlocks and the system continues booting to Windows. If it is absent (drive moved to another machine, TPM reset, certain other config changes) it prompts for the recovery key (which is quite long and difficult to brute force crack). If you supply the recovery key, the drive unlocks and the system can boot. If not, the BitLocker UI times out and the system reboots. Data not exposed.

Now if you add the BitLocker PIN in addition to the TPM protector, the system will start the Windows boot loader, check for the TPM cert, then launch a UI to prompt the user to input the BitLocker PIN. This second factor hits the security model of something that you have (TPM) + something that you know (BL PIN). After entering your BL PIN, the drive unlocks, the system boots and you go to the Windows sign-in screen and enter your password (or Hello PIN if configured; again, this is completely separate from the BL PIN and should be a different number).

Your backup can be set up for encryption in different ways than your OS drive.

You can enable BitLocker on the backup drive also, please be sure to backup and safely but securely store the recovery drive for this volume as well. This will be a different recovery key than your OS drive.

Alternatively, you can enable encryption of the backup file in the backup program you use. I currently use Macrium Reflect. You can set a password and set the desired encryption strength when setting up the backup config. Encryption support does require a paid version of the software. The higher the encryption strength you set, the more CPU will be required for encrypting/decrypting the backup when creating or reading it. This option only encrypts the backup file and does not protect any other files you copy to the drive.
BIOS/Firmware password: This is mostly unrelated to drive encryption and protection of data at rest. You can set one to make it more difficult to change the boot order of the machine to boot from USB or other drive. I may be wrong on modern machines, but in the past BIOS passwords could pretty trivially be removed by removing the CMOS battery or setting the BIOS clear jumper.

If you have BitLocker TPM+PIN configured, clearing the BIOS PW and booting to USB drive will not unlock your drive without inputting the BitLocker PIN or recovery key. See links below for accessing BitLocker volume in Linux. You still have to provide the recovery key to access the data.
https://www.m3datarecovery.com/bitlo...ive-linux.html
04-21-2019 , 01:05 AM
Hey man, thanks for the reply. Okay, so the Win10 password and PIN are not that much different and I could add a PIN if I want.

Yes, that's what I thought with the TPM. Having it on TPM unlock doesn't seem secure compared to adding a PIN. I mean just adding a PIN isn't a big thing at all. But do you say most ppl who do this... do more ppl do TPM unlock... or TPM with BitLocker PIN... or no TPM and either a password or USB stick, I believe it's called? So of all these 3 options... there are only 3 options, right? The most secure is TPM with BitLocker PIN... and then which one after that?

Does the BitLocker PIN need to be all numbers? If you or someone enters it incorrectly after x tries, what happens? Because if you could keep entering numbers... couldn't someone keep typing 22222222, 22222223 and keep repeating until they hit it? Or does it get locked after x attempts? And is it always x attempts or can you set the number of attempts? And if it gets locked, what happens? As long as you have your BitLocker recovery key, you are good? But when you restore it, does it restore to exactly how it was? I assume not, right? It would just be a new Windows 10 but empty?

Okay, so with my current setup now... which is BitLocker enabled with TPM unlock and a Windows 10 password, you cannot get into my computer without knowing my Windows 10 password, correct? Thus you cannot get into it or take out my hard drive and put it in another computer, because if you do that... you still need that long BitLocker recovery key, right?

Also... most importantly... someone cannot stick a USB stick into my USB port and put malware/trojan/keylogger on it, right, assuming they cannot get into my computer without the Windows 10 password?

Okay, so you say don't bother with securing the BIOS with a password and disabling USB boot then? What are your thoughts about me updating the BIOS? The thing is I never updated the BIOS ever with this laptop. I never did because, well, I never did with any previous laptops I ever had. Also I'm worried, from what I've read, about something going wrong when updating the BIOS. The thing is my laptop battery is pretty low... 1.5 hours max even on the lowest battery settings and 25 percent screen brightness. But could the BIOS update improve my laptop battery? Again, I never updated the BIOS ever, but someone said you should do it.

Okay, so with what I'm doing now, you suggest adding the BitLocker PIN and I'm good, right? Do you suggest me adding a Windows 10 PIN as well or not? I do like my Windows 10 password.

Also if I add the BitLocker PIN... do I need to suspend BitLocker or anything like that? Because I first set it up with BitLocker TPM unlock.
04-21-2019 , 03:40 AM
Also with the BitLocker PIN, I checked online and apparently you can make the PIN use letters as well, right? That is an enhanced PIN? So if you do this, you can make your PIN for BitLocker a combination of numbers and letters... similar to a password?

If so, do you recommend this or just the regular BitLocker PIN which only allows numbers? Because if it's only numbers... that makes it less secure, right? I have TPM 1.2 by the way. I checked and read that someone could attempt a PIN 13 times per day every 24 hours. So in a year... that person, if they have the laptop, could input less than 5000 attempts? So say your PIN was 6 numbers, well, it could take that person between 10-20 years to break the PIN? But if you put 10 numbers as the PIN, that would be basically impossible for them to crack? Now if you put a few letters into it, now it's almost uncrackable?

Also the person would have no idea if your PIN is a BitLocker PIN or an enhanced PIN, right? So just adding say a few letters to your PIN would make it more than secure? But even if you put a 10-digit PIN... that would be more than good enough?
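As an added example (not code from any poster in this thread, and not from Microsoft's documentation), here is a PowerShell script that carries out what the replies above recommend and answers the questions about the enhanced PIN and about suspending BitLocker: it lists the key protectors currently on the OS volume, turns on the policy that lets the startup PIN contain letters and symbols, replaces the TPM-only protector with a TPM+PIN protector, writes the recovery password to a file for printing and off-laptop storage, and shows how to suspend BitLocker for a single reboot before a BIOS/firmware update so the changed TPM measurements do not force the recovery prompt. It assumes the OS volume is C:, an elevated PowerShell prompt on Windows 10 Pro, and that BitLocker is already on with a TPM-only protector; the function names and the output path D:\bitlocker-recovery-key.txt are placeholders I chose.

```powershell
#Requires -RunAsAdministrator
# Hypothetical helper script for the setup discussed in the thread.
# Assumes the OS volume is C: and that BitLocker is already enabled
# with a TPM-only protector (the original poster's current state).

$OsVolume = 'C:'

function Show-Protectors {
    # Lists the key protectors on the volume. A TPM-only setup shows
    # 'Tpm' plus 'RecoveryPassword'; the recommended setup shows 'TpmPin'.
    $vol = Get-BitLockerVolume -MountPoint $OsVolume
    "Volume {0}: protection={1} method={2}" -f $vol.MountPoint, $vol.ProtectionStatus, $vol.EncryptionMethod
    $vol.KeyProtector | ForEach-Object {
        "  {0}  {1}" -f $_.KeyProtectorType, $_.KeyProtectorId
    }
}

function Enable-EnhancedPin {
    # Policy "Allow enhanced PINs for startup": the pre-boot PIN may then
    # contain letters and symbols, not just digits. Set this BEFORE adding
    # the TpmPin protector. Same setting as Group Policy under
    # Computer Configuration > Administrative Templates > Windows Components
    # > BitLocker Drive Encryption > Operating System Drives.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'UseEnhancedPin' -Value 1 -Type DWord
}

function Set-TpmAndPinProtector {
    # Switches the volume from TPM-only to TPM+PIN. A volume holds only one
    # TPM-based protector, so adding TpmPin supersedes the Tpm protector.
    # The data stays encrypted throughout; no suspend or decrypt is needed,
    # and the PIN is first requested at the next boot.
    $pin = Read-Host -Prompt 'New BitLocker startup PIN' -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $OsVolume -TpmAndPinProtector -Pin $pin | Out-Null
}

function Export-RecoveryPassword {
    param([string]$Path)
    # Writes the 48-digit recovery password to a file for printing and
    # storage away from the laptop. Point $Path at removable media, never at
    # the encrypted volume itself.
    $rp = (Get-BitLockerVolume -MountPoint $OsVolume).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        # No recovery protector yet: add one so a TPM change or lost PIN is recoverable.
        Add-BitLockerKeyProtector -MountPoint $OsVolume -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $OsVolume).KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    $rp | ForEach-Object { "ID: {0}`nRecovery password: {1}" -f $_.KeyProtectorId, $_.RecoveryPassword } |
        Set-Content -Path $Path
}

function Suspend-BeforeFirmwareUpdate {
    # A BIOS/UEFI update changes the boot measurements the TPM seals the key
    # to. Suspending protection for exactly one reboot lets the update run
    # without dropping into recovery; protection resumes automatically.
    Suspend-BitLocker -MountPoint $OsVolume -RebootCount 1 | Out-Null
}

# Typical sequence for the setup discussed in the thread:
Show-Protectors
Enable-EnhancedPin
Set-TpmAndPinProtector
Export-RecoveryPassword -Path 'D:\bitlocker-recovery-key.txt'   # placeholder: a removable drive
Show-Protectors
```

After the sequence runs, the second Show-Protectors call should list TpmPin and RecoveryPassword and no longer list Tpm; if Tpm is still present, the switch did not take effect and the volume will still unlock without a PIN. The per-day attempt limit mentioned in the question is enforced by the TPM's own anti-hammering logic, which depends on the TPM version and vendor, and is not something this script configures. Run Suspend-BeforeFirmwareUpdate only immediately before a firmware update; it is not needed when adding the PIN.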