Locking all the bits with BitLocker

So you want data at rest encryption. Bitlocker by default uses this nasty numeric password as a recovery option. However, you can actually lock this down pretty well after removing this giant security risk of a password and here's how.

Requirements:


  • Enable Enhanced Pins
    • I'm going to save some effort and defer to the many articles on the internet for this.
    • You can find a decent article here. Or you can use some google fu to find similar ones.
  • Learn about manage-bde and the other powershell commandletts here.

Enable TPM and PIN and Startup Key (flash drive)

  • Add-BitLockerKeyProtector c: -TpmAndPinAndStartupKeyProtector
    • This will make bitlocker require a TPM AND USB flash drive AND a password on boot. It's the most secure option but a bit annoying.
  • You will be presented with a couple prompts. One for the path to the flash drive and one for the password
  • Enter the path to the flash drive
  • Enter your strong password

Enable TPM and Startup Key (flash drive)

  • Add-BitLockerKeyProtector c: -TpmAndStartupKeyProtector
    • This will make bitlocker require a TPM AND USB flash drive on boot.
  • Enter the path to the flash drive

     Remove the insecure all numeric recovery key

    • manage-bde -protectors -delete C: -type RecoveryPassword

    • WARNING: Buy a couple small name brand USB flash drives and copy the key to each of them. If your flash drive dies, you won't be able to boot your PC. Make sure you test booting with each of them.

    Backup your key

    • In your folder options, show system files.
    • Copy the BLOB from your flash drive and store it in a secure location (like keepass)

    Verify

    Some commands to show the status of bitlocker and your drives
    • manage-bde c: -status
    • Get-BitlockerVolume c: | ft -AutoSize -Wrap
    • Get-BitLockerVolume c: | select -ExpandProperty "keyprotector"

    Comments

    Post a Comment

    Popular posts from this blog

    pfSense DHCP: Dynamic DNS Updates to a Windows DNS server over a Site-to-Site VPN.

    Image
    Scenario: Remote site running on pfSense SG-1000 (or other appliance) isn't updating DNS with hosts obtained via pfSense DHCP. Site1 : AD/DNS/DHCP pfSense firewall Site to Site VPN connection to site2 Site2: pfSense firewall appliance running DHCP Site to Site VPN connection to site1 Prerequisites: DHCP: Credentials for DNS Forward and reverse lookup zones Allow DNS secure/non-secure updates DHCP > IPV4/6 > Properties DNS > domain > properties Solution: On the pfSense box in Site2, enable DNS Dynamic Updates. Services > DHCP Server > Dynamic DNS > Advanced Options Resources : DHCP: Credentials for DNS update should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server
    Read more

    Setting up DNS over HTTPS using cloudflared

    I thought this would be a simple task, and it was now that I'm looking back on it. However the cloudflare documentation isn't clear when deploying to a dedicated server/container. So here's how I did it. Install This section is going to walk you through installing the cloudflared client as a service. The documentation is a bit vague and shows you how to spin up the client but leaves out some important info regarding running it as a service. Install the package, as root, for your OS here . Create /etc/cloudflared/config.yml (see below for contents) Run the client to generate the .pem certs. `cloudflared proxy-dns` The certs won't be put in `/etc/cloudflared` by default. Instead they can be found in roots home dir `/root/.cloudflared`. Move the `cert.pem` to `/etc/cloudflared`.  Now you can install the service `cloudflared service install` Ensure that the service enabled and running via systemctl. `systemctl status cloudflared.service` config.yml:...
    Read more

    Python Flask: Web apps in seconds

    Flask is a python microframework that makes creating web apps easy. It reminds me a lot of AngularJS, but I find it easier to set up and use. Their site is a great live demo  http://flask.pocoo.org/. Create a frontend using this, deploy with docker, app engine, beanstalk, etc... and you have a scalable app that can be used anywhere. Excerpt from their site: Flask is a microframework for Python based on Werkzeug, Jinja 2 and good intentions. And before you ask: It's  BSD licensed ! Latest Version:  0.12.2 Flask  is Fun from flask import Flask app = Flask(__name__) @app.route("/") def hello(): return "Hello World!" And Easy to Setup $ pip install Flask $ FLASK_APP=hello.py flask run * Running on http://localhost:5000/
    Read more