This is a purely theoretical discussion, with no claim to completeness.
1. Golden key, the pre-boot arena has become a prime target!
Example: The trouble will be the binding / wrapping. The TPM can store keys outside its protected storage (for example, on the hard disk). Those keys are also organized in a key tree, and the TPM encrypts the roots of that tree with a key held inside the TPM.
Would it thus be possible to get at the separate BitLocker partition on the hard drive?
BitLocker drive decryption starts before the operating system and by default relies on a Trusted Platform Module (TPM) to check whether the hardware is unchanged and therefore trustworthy. The Microsoft Secure Boot policies allowed for “manipulation”, which means the golden keys are prone to being leaked through a side attack; this can result in the system being attacked and hijacked.
2. Vulnerable to side attacks.
That is, if you or anyone else installs it into your firmware, the Windows boot manager will no longer verify that it is booting an official Microsoft-signed operating system. It will boot anything you give it, provided it is cryptographically signed, even a self-signed binary, such as a shim that carries a payload to capture credentials and also gains access to a BitLocker-encrypted hard disk. Example: An insecure bootloader means it is possible to install a fake or altered login interface; if it boots and gets measured, then the TPM thinks everything is OK!
Toggling Secure Boot normally triggers BitLocker recovery, though there are differences in behavior between TPM 1.2 and TPM 2.0.
This is why the idea of backdooring cryptosystems with a “secure” or golden key is bad and a security nightmare for everyone. What we need are open, not closed, systems. This is a perfect example of the dominance of the big players, who have the power to cause damage to other companies and users.
A Solution by Amy C Nelson @amynelsondss1 – Security Architect, Dell Data Security Software – works for Dell
SecureBoot verifies the signatures of loaded code. BIOS puts the hashes of the actual code in the TPM. Depending on how you config BitLocker, enc key can be sealed to BIOS measurements, Secure Boot sig checks or both. If your policy is “seal to PCR 7” you are relying on code signatures to protect your encryption key. If your policy is seal to PCR 4, 5, and 7, you rely on boot order, bootloader code hash AND signature. Downside is if boot order changes you are in recovery; if bootloader changes, you are in recovery.
What is the most secure setting? Depends – if users can’t change boot order or boot to USB/removable media, then 4, 5 and 7.
For more info on Bitlocker GPO see: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/Bitlocker-group-policy-settings#bkmk-tpmbios
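To make the sealing policy discussion concrete, here is a small simulation added for this post (it is not code from the original author, from Dell, or from Microsoft). It models TPM PCR extension and sealing a volume master key to a policy digest, then compares a "seal to PCR 7" policy with a "seal to PCR 4, 5 and 7" policy. The mapping used here (PCR 4 = bootloader code hash, PCR 5 = boot order, PCR 7 = Secure Boot state), the SRK constant and all measured values are constructed assumptions for the simulation, and the sealing primitive is a simplified HMAC-based construction standing in for the real TPM key hierarchy.

```python
import hashlib
import hmac
from typing import Dict, Iterable

# Constructed stand-in for the storage root key: in a real TPM this key
# never leaves the chip, which is what makes sealed blobs on disk useless
# without the same platform and the same PCR state.
SRK = b"constructed-storage-root-key-never-leaves-tpm"


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new_pcr = SHA256(old_pcr || SHA256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(boot_order: bytes, bootloader: bytes, secure_boot_state: bytes) -> Dict[int, bytes]:
    """Simplified boot measurements (assumed mapping, see lead-in)."""
    zero = bytes(32)  # PCRs start at all-zero after reset
    return {
        4: pcr_extend(zero, bootloader),         # bootloader code hash
        5: pcr_extend(zero, boot_order),         # boot order / configuration
        7: pcr_extend(zero, secure_boot_state),  # Secure Boot policy and signer state
    }


def policy_digest(pcrs: Dict[int, bytes], selection: Iterable[int]) -> bytes:
    """Digest over the selected PCR values; this is what the key is bound to."""
    h = hashlib.sha256()
    for index in sorted(selection):
        h.update(index.to_bytes(1, "big") + pcrs[index])
    return h.digest()


def seal(secret: bytes, pcrs: Dict[int, bytes], selection: Iterable[int]) -> dict:
    """Bind a secret to the current values of the selected PCRs (simplified)."""
    digest = policy_digest(pcrs, selection)
    pad = hmac.new(SRK, b"pad" + digest, "sha256").digest()
    ciphertext = bytes(a ^ b for a, b in zip(secret, pad))
    tag = hmac.new(SRK, b"tag" + digest + ciphertext, "sha256").digest()
    return {"selection": sorted(selection), "ct": ciphertext, "tag": tag}


def unseal(blob: dict, pcrs: Dict[int, bytes]):
    """Return the secret only if the current PCRs match the sealing policy,
    otherwise None (the situation in which BitLocker falls into recovery)."""
    digest = policy_digest(pcrs, blob["selection"])
    expected = hmac.new(SRK, b"tag" + digest + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    pad = hmac.new(SRK, b"pad" + digest, "sha256").digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], pad))


# Constructed reference platform state at the time the key was sealed.
VMK = hashlib.sha256(b"constructed volume master key").digest()
GOOD_ORDER = b"boot-order: internal disk first"
GOOD_LOADER = b"bootmgfw.efi (constructed vendor-signed image)"
OTHER_SIGNED_LOADER = b"other.efi (constructed image, also validly signed)"
SB_STATE = b"SecureBoot=1;db=VendorCA"


def unseals_ok(selection, boot_order=GOOD_ORDER, bootloader=GOOD_LOADER, sb=SB_STATE) -> bool:
    """Seal the VMK under the reference state, then try to unseal under a changed state."""
    blob = seal(VMK, measure_boot(GOOD_ORDER, GOOD_LOADER, SB_STATE), selection)
    return unseal(blob, measure_boot(boot_order, bootloader, sb)) == VMK


if __name__ == "__main__":
    print("PCR7, unchanged platform:          ", unseals_ok({7}))
    print("PCR7, different signed loader:     ", unseals_ok({7}, bootloader=OTHER_SIGNED_LOADER))
    print("PCR4/5/7, different signed loader: ", unseals_ok({4, 5, 7}, bootloader=OTHER_SIGNED_LOADER))
    print("PCR4/5/7, boot order changed:      ", unseals_ok({4, 5, 7}, boot_order=b"boot-order: usb first"))
    print("PCR7, Secure Boot toggled off:     ", unseals_ok({7}, sb=b"SecureBoot=0"))
```

Run as a script, the simulation shows the trade-off from the tweet: with a PCR 7-only policy, a different but validly signed bootloader still unseals the key, because the policy only binds to the signature state; with PCR 4, 5 and 7 the changed code hash blocks unsealing, but so does a mere change of boot order, which is the recovery-prompt downside. Toggling Secure Boot changes PCR 7 and forces recovery under either policy.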
Golden Key Source:
License: Creative Commons – CC BY-NC-SA 4.0