Is Windows BitLocker secure?

There is currently only one cold boot attack I know of that works against BitLocker. However, it would need to be executed within seconds after the computer has been turned off (this can be extended to minutes if the DRAM modules are cooled down significantly), and due to that execution timeframe it's rather implausible. BitLocker is secure as long as your machine is completely turned off when you store it (hibernate is also OK, but sleep needs to be disabled).


There is also the "Evil Maid" attack that could, in theory, be used against any software disk encryption, as the boot loader still needs to be unencrypted. See Bruce Schneier's article about it from 2009: http://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html

The general gist of the "Evil Maid" attack is that someone gets hold of your laptop for a few minutes when it is unattended (for example, in your hotel room, hence the name) and loads a hacked boot loader onto it. You then log in with your password via the hacked boot loader and it unlocks the drive, but also writes your password to a .txt file in the unencrypted part of the HDD. You leave your laptop alone again, and they steal it along with the password.


Perhaps you can see my question for some related comments on BitLocker. I recommend Sami Laiho's talk on Building a Bullet Proof Bitlocker.

In general, BitLocker is secure and is used by companies all over the world. You can't just extract keys out of the TPM hardware. Evil maid attacks are also mitigated, since the TPM will validate the pre-boot components to make sure that nothing has been tampered with. Booting into another OS like Linux to extract passwords or the data will also not be possible, since the TPM will not release its keys if it sees you're booting into another OS (even if it is another Windows OS).

If you pass the TPM's integrity check, then the keys will be released to be used for on-the-fly encryption and decryption. Failing that, you get a BitLocker recovery key lockout and must supply the recovery key in order to unlock the drive. The attacker should not be in possession of this key. Therefore, never keep the recovery key and your computer together.

Some answers alluded to various forensic tools. However, I am personally not convinced that they work on all systems. For example, in TrueCrypt the key is actually derived from the password which the user keys in. You cannot feasibly brute force AES. As for BitLocker, the TPM is a hardware solution that stores the key. You can't extract the key with software.
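To show why the TPM check described in the answer above defeats a modified boot loader, here is an added Python simulation (not code from any answer or from Microsoft) of PCR extension and sealing: the key is released only when the measured boot chain reproduces the sealed PCR value. The component names, the TPM secret and the VMK are constructed values, and a single PCR stands in for the set of PCRs BitLocker actually binds to.

```python
import hashlib
import hmac
from typing import Optional

PCR_INITIAL = b"\x00" * 32  # PCRs are zeroed at power-on

# Constructed stand-ins for the measured pre-boot chain and the TPM's internal secret.
TRUSTED_BOOT = [b"firmware:v1", b"bootmgr:original", b"winload:original"]
TAMPERED_BOOT = [b"firmware:v1", b"bootmgr:modified", b"winload:original"]
TPM_SECRET = hashlib.sha256(b"constructed TPM storage root secret").digest()
VMK = bytes(range(32))  # constructed Volume Master Key that BitLocker protects


def extend_pcr(pcr: bytes, component: bytes) -> bytes:
    """TPM PCR extend: PCR = H(PCR || H(component)). One-way and order-dependent,
    so a changed, added or reordered component yields a different final value."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Replay a boot: each pre-boot component is measured into the PCR before it runs."""
    pcr = PCR_INITIAL
    for component in components:
        pcr = extend_pcr(pcr, component)
    return pcr


def seal(secret: bytes, expected_pcr: bytes):
    """Simulated TPM seal: wrap the secret under a key the TPM derives from its
    internal secret and the PCR policy, so only that boot state can unwrap it."""
    wrap = hmac.new(TPM_SECRET, expected_pcr, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(secret, wrap)), expected_pcr


def unseal(blob, current_pcr: bytes) -> Optional[bytes]:
    """Simulated TPM unseal: None models the TPM refusing to release the key,
    which is the point where BitLocker falls back to asking for the recovery key."""
    ciphertext, expected_pcr = blob
    if not hmac.compare_digest(expected_pcr, current_pcr):
        return None
    wrap = hmac.new(TPM_SECRET, current_pcr, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ciphertext, wrap))


def boot_and_unlock(blob, components) -> Optional[bytes]:
    """Measure the given boot chain, then ask the TPM for the VMK."""
    return unseal(blob, measure_boot(components))


if __name__ == "__main__":
    sealed_vmk = seal(VMK, measure_boot(TRUSTED_BOOT))
    print("trusted boot releases VMK:", boot_and_unlock(sealed_vmk, TRUSTED_BOOT) == VMK)
    print("tampered boot releases VMK:", boot_and_unlock(sealed_vmk, TAMPERED_BOOT) is not None)
```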