I am always Hibernating my System, is there any risk for my Encrypted drive with BitLocker?

Using the old martial art of Google-Fu I managed to find these two comments on the first and second page after providing the search parameters: "Bitlocker hibernation".

From the Microsoft website:

What are the implications of using the sleep or hibernate power management options?

BitLocker on operating system drives in its basic configuration (with a TPM but without advanced authentication) provides additional security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an advanced authentication mode (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires BitLocker authentication. As a best practice, we recommend that sleep mode be disabled and that you use TPM+PIN for the authentication method.

From the msdn website:

Use BitLocker Advanced Modes with Hibernation

Note: This is the primary and most effective way to protect your system from DRAM remanence and other platform attacks.

Platform attacks that access encryption keys in DRAM obviously rely on those keys to be present in DRAM. As with all practical disk encryption approaches, these encryption keys must exist in system memory in order to provide the performance that makes disk encryption usable.

When BitLocker is configured in its advanced modes, encryption keys are not loaded into system memory until after the authorized user has provided credentials like a PIN, dongle, or both. An attacker without these credentials will not be able to boot the system to a state where confidential information – including encryption keys – are in DRAM.

There are some caveats though; one is a very practical threat, the other less so. If an attacker gains access to the system after the authorized user has authenticated with their BitLocker credentials, but before its owner turns it off or hibernates, the encryption keys are in DRAM and an attacker could use one of the Princeton researchers’ ‘DRAM remanence’ attacks or other platform attacks such as direct memory access (DMA) to gain access to those keys.

This is why it’s important when using BitLocker’s advanced modes to use ‘hibernation’ rather than ‘sleep’. To provide high-performance for sleep transitions, BitLocker does not encrypt RAM contents nor does it require BitLocker re-authentication when waking up from sleep. With hibernation, a system is effectively ‘off’, and keys will not be resident in physical memory (I’ll get to the second caveat that discusses this shortly). On resume from hibernation, BitLocker will require the credentials I discussed earlier, and without those credentials, encryption keys will not be loaded into DRAM.

During design and implementation, the BitLocker team worked with other teams within Microsoft to enable complete control of system-suspend settings by local and domain administrators through group policy. Instructions on how to configure this and other BitLocker settings can be found in the design and deployment guides available in BitLocker's online documentation.

Now let me address the second caveat, which is less of a practical threat. As described in the Princeton researchers’ paper and elsewhere, DRAM may retain state under normal temperatures for several seconds or a few minutes. If an attacker gains access to a laptop within this window, they may be able to access information located in DRAM. Again, the risk of an attacker exploiting this is low relative to other platform threats.

Again, this is the primary and most effective way to protect your system from DRAM remanence and other platform attacks.


Best practice depends on what you are worried about.

The danger of Sleep mode is that your key is still in memory, and can be extracted by an attacker with that expertise. Hibernation significantly reduces that risk in all scenarios. As Lucas Kauffman's answer indicates, using the advanced BitLocker implementation modes provides extra security, as well as taking measures such as disabling mechanisms for easily gaining DMA access or avoiding those mechanisms (ie. Firewire).

Your controls for the risks depend on you. If you're worried about a thief primarily interested in the physical device, you don't have to worry too much about it. If you're protecting trade secrets, etc, you need to carefully read the documention, implement and operate the computer appropriately.