Sunday, July 13, 2014

How to Set Up BitLocker Encryption on Windows


Windows can encrypt entire operating system drives and removable devices with its built-in BitLocker encryption. When TrueCrypt controversially closed up shop, they recommended their users transition away from TrueCrypt to BitLocker.
BitLocker Drive Encryption and BitLocker To Go require a Professional or Enterprise edition of Windows 7, 8, or 8.1. However, the “core” version of Windows 8.1 includes a “Device Encryption” feature that works similarly.

Enable BitLocker For a Drive

To enable BitLocker, open the Control Panel and navigate to System and Security > BitLocker Drive Encryption. You can also open Windows Explorer or File Explorer, right-click a drive, and select Turn On BitLocker. If you don’t see this option, you don’t have the right edition of Windows.
Click the Turn on BitLocker option next to an operating system drive, internal drive (“fixed data drive”), or removable drive to enable BitLocker for the drive.
There are two types of BitLocker encryption you can enable here:
  • BitLocker Drive Encryption:  Sometimes referred to just as BitLocker, this is a “full-disk encryption” feature that will encrypt an entire drive. When the computer boots, the Windows boot loader loads from the System Reserved partition, and the boot loader will prompt you for your unlock method — for example, a password. BitLocker will then decrypt the drive and load Windows. The encryption is otherwise transparent — your files will appear like they normally would on an unencrypted system, but they’re stored on the disk in an encrypted form. You can also encrypt other drives in a computer, not just the operating system drive.
  • BitLocker To Go: External drives, such as USB flash drives and external hard drives, can be encrypted with BitLocker To Go. You’ll be prompted for your unlock method — for example, a password — when you connect the drive to your computer. If someone doesn’t have the unlock method, they can’t access the files on the drive.

Use BitLocker Without a TPM

BitLocker Drive Encryption normally requires a computer with a TPM to secure an operating system drive. This is a microchip built into the computer, installed on the motherboard. BitLocker can store the encryption keys here, which is more secure than simply storing them on the computer’s data drive. The TPM will only provide the encryption keys after verifying the state of the computer. An attacker can’t just rip out your computer’s hard disk or create an image of an encrypted disk and decrypt it on another computer.
If the PC you’re enabling BitLocker on doesn’t have a Trusted Platform Module (TPM), you’ll see a message saying your administrator must set the “Allow BitLocker without a compatible TPM” option.
If you’re doing this on your own computer, you’re the computer’s administrator. You’ll just need to open the Local Group Policy Editor application and change this setting.
Press Windows Key + R to open the Run dialog, type gpedit.msc into it, and press Enter. Navigate to Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives. Double-click the “Require additional authentication at startup” setting, select Enabled, and check the “Allow BitLocker without a compatible TPM” option. Click OK to save the new setting.
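The same check and policy change from an elevated PowerShell prompt, as an added example that is not part of the original article. It reads the registry values that the “Require additional authentication at startup” policy writes; the assumption is Windows 8 or later for Get-Tpm (on Windows 7 the TPM check is skipped and tpm.msc can be used instead).

```powershell
# Added example: report whether this PC has a usable TPM and whether local
# policy allows BitLocker on the OS drive without one. Run as administrator.
$ErrorActionPreference = 'Stop'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Test-TpmReady {
    # Get-Tpm comes with the TrustedPlatformModule module (Windows 8+);
    # returns $null when the cmdlet is not available on this Windows version.
    if (-not (Get-Command Get-Tpm -ErrorAction SilentlyContinue)) { return $null }
    try { $tpm = Get-Tpm } catch { return $false }
    return [bool]($tpm.TpmPresent -and $tpm.TpmReady)
}

function Get-NoTpmPolicy {
    # Both values are written when the policy is Enabled with
    # "Allow BitLocker without a compatible TPM" checked.
    $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UseAdvancedStartup = [bool]($p.UseAdvancedStartup -eq 1)
        EnableBDEWithNoTPM = [bool]($p.EnableBDEWithNoTPM -eq 1)
    }
}

function Enable-NoTpmPolicy {
    # Registry equivalent of the gpedit.msc steps above. On a domain-joined
    # PC a GPO will overwrite these values, so set it in the GPO instead.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name UseAdvancedStartup -Type DWord -Value 1
    Set-ItemProperty -Path $policyKey -Name EnableBDEWithNoTPM -Type DWord -Value 1
}

$tpmReady = Test-TpmReady
if ($null -eq $tpmReady) {
    'Get-Tpm not available on this Windows version; check the TPM in tpm.msc instead.'
} elseif ($tpmReady) {
    'TPM present and ready: BitLocker can keep the key in the TPM.'
} else {
    'No usable TPM: a startup password or USB startup key will be required.'
}

$policy = Get-NoTpmPolicy
if (-not $tpmReady -and -not ($policy.UseAdvancedStartup -and $policy.EnableBDEWithNoTPM)) {
    Write-Warning 'Policy does not allow BitLocker without a TPM; enabling it now.'
    Enable-NoTpmPolicy
}
Get-NoTpmPolicy
```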

Choose an Unlock Method

Next, you’ll see the “Choose how to unlock your drive at startup” screen. You can select several different ways of unlocking the drive. If your computer doesn’t have a TPM, you can unlock the drive with a password or by inserting a special USB flash drive that functions as a key.
If your computer does have a TPM, you’ll have additional options. For example, you can configure automatic unlocking at startup — your computer will grab the encryption keys from the TPM and automatically decrypt the drive. You could also secure it in other ways — for example, you could provide a PIN at startup. That PIN would unlock the strong decryption key stored in the TPM and unlock the drive.
Choose your preferred unlock option and follow the instructions in the next screen to set it up.

Back Up Your Recovery Key

BitLocker will provide you with a recovery key. This key can be used to access your encrypted files if you ever lose your main key — for example, if you forget your password or if the computer with the TPM dies and you have to remove the drive.
You can save the key to a file, print it, store it on a USB flash drive, or save it to your Microsoft account on Windows 8 and 8.1. If you back up the recovery key to your Microsoft account, you can access the key later at https://onedrive.live.com/recoverykey . Be sure to keep this key safe — if someone gains access to your key, they could decrypt your drive and bypass the encryption. You may want to back it up in multiple locations — if you lose this recovery key and your main unlock method, your encrypted files will be lost forever.

Encrypt and Unlock the Drive

BitLocker will automatically encrypt new files as you add them, but you’ll need to choose what happens with the files currently on your drive. You can encrypt the entire drive — including the free space — or just encrypt the used disk files to speed up the process.
If you’re setting up BitLocker on a new PC, encrypt the used disk space only — it’s faster. If you’re setting BitLocker up on a PC you’ve been using for a while, you should encrypt the entire drive to ensure no one can recover deleted files. Encrypting only the used disk space is faster, while encrypting the entire drive takes longer.
You’ll be prompted to run a BitLocker system check and reboot your computer. After the computer boots back up for the first time, the drive will be encrypted. Check the BitLocker Drive Encryption icon in the system tray to see its progress. You can continue using your computer while it’s being encrypted, but it will perform more slowly.
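The unlock method, recovery key backup, and used-space-only choice from the last three sections, done from an elevated PowerShell prompt as one added example (not the article’s own steps). It assumes Windows 8 or later for the BitLocker module, and the backup folder path is a placeholder for a removable drive.

```powershell
# Added example: enable BitLocker on the OS drive, saving the recovery key
# to a file before encryption starts, then report progress. Run as administrator.
$ErrorActionPreference = 'Stop'
$mountPoint = 'C:'
$backupDir  = 'E:\bitlocker-recovery'   # placeholder: a USB drive, never the encrypted drive itself

function Save-RecoveryKey {
    param([string]$MountPoint, [string]$BackupDir)
    # The 48-digit recovery password is what the wizard calls the recovery key.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $file = Join-Path $BackupDir ('BitLocker Recovery Key {0}.txt' -f $rp.KeyProtectorId.Trim('{}'))
    "Identifier: $($rp.KeyProtectorId)`r`nRecovery Key: $($rp.RecoveryPassword)" |
        Out-File -FilePath $file -Encoding unicode
    return $file
}

function Enable-OsDriveBitLocker {
    param([string]$MountPoint, [switch]$FullDrive)
    # Used-space-only is faster on a new PC; a PC that has been in use for a
    # while should get the full drive so deleted files are covered too.
    $opts = @{ MountPoint = $MountPoint }
    if (-not $FullDrive) { $opts.UsedSpaceOnly = $true }
    $tpm = Get-Tpm
    if ($tpm.TpmPresent -and $tpm.TpmReady) {
        # TPM + PIN: the TPM releases the key only after the boot state checks
        # out and the user supplies the PIN.
        $pin = Read-Host -AsSecureString 'Enter a startup PIN'
        Enable-BitLocker @opts -TpmAndPinProtector -Pin $pin
    } else {
        # No TPM: needs the "Allow BitLocker without a compatible TPM" policy.
        $pw = Read-Host -AsSecureString 'Enter a startup password'
        Enable-BitLocker @opts -PasswordProtector -Password $pw
    }
}

$file = Save-RecoveryKey -MountPoint $mountPoint -BackupDir $backupDir
"Recovery key saved to $file. Keep a second copy somewhere safe before rebooting."
Enable-OsDriveBitLocker -MountPoint $mountPoint   # add -FullDrive on a PC already in use
# The BitLocker system check runs on the next reboot; afterwards, track progress with:
Get-BitLockerVolume -MountPoint $mountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```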
When your computer boots, you’ll see a BitLocker prompt if you need to enter a password, PIN, or plug in a USB flash drive.
Press Escape here if you lose your unlock method. You’ll be able to enter your recovery key.
If you choose to encrypt a removable drive with BitLocker To Go, you’ll see a similar wizard but your drive will be encrypted without any rebooting required. Don’t remove the drive while it’s being encrypted.
When you connect the drive to a computer, you’ll be prompted to provide the password or smart card you chose to unlock the removable device. Drives protected with BitLocker are identified with a lock icon in Windows Explorer or File Explorer.
You can manage a locked drive — change the password, turn off BitLocker, back up your recovery key, or perform other actions — from the BitLocker control panel window. Right-click an encrypted drive and select Manage BitLocker to go directly to it.

Like all encryption, BitLocker does add some overhead. Microsoft’s official BitLocker FAQ says that “Generally it imposes a single-digit percentage performance overhead.” If encryption is important to you because you have sensitive data — for example, a laptop full of business documents — it’s worth the performance trade-off.

Friday, July 11, 2014

How to Bypass and Reset the Password on Every Operating System

Passwords can be reset or bypassed on every operating system. On Windows, Linux, and Mac OS X, you can gain access to a computer’s unencrypted files after resetting the password — the password doesn’t actually prevent access to your files.
On other devices where you can’t gain access to the files, you can still reset the device and gain access to it without knowing a password. These tricks all require physical access to the device.

Windows

There are many ways to reset a Windows password. Windows allows you to create a password reset disk that can reset your password in an approved way — create a disk first and you can use it if you ever need it.
Resetting a password without an official tool is fairly simple. For example, the Offline NT Password & Registry Editor works well for this. First, you’ll need to boot from a special disc or USB drive — either a live Linux system or a specialized Offline NT Password & Registry Editor boot disc. The tool can edit the Windows registry, allowing you to clear the password associated with the user account. You can then boot into Windows and log into the account without a password.
Even if you’re using Windows 8 with a Microsoft account, you can always reset the password of the built-in Administrator account to gain access.
To protect against this, you could password-protect your BIOS and restrict booting from external devices. Someone with physical access to the PC could reset the BIOS password to bypass this. Encrypting your Windows system drive with something like BitLocker would prevent the registry from being accessed and modified with this tool — encryption is the only good protection.

Linux

We’ll use Ubuntu as a concrete example here. Ubuntu offers a recovery mode in its default Grub boot menu — select Advanced options for Ubuntu and select Recovery mode. You’ll see the boot menu while booting your computer — if you don’t, you can hold the Shift key as you boot and the menu will appear.  You can easily boot directly to a root shell prompt from here.
This option isn’t necessary, as you can just press the e button to edit Ubuntu’s boot options and boot directly to a root shell prompt from within the main Grub menu. You’ll then be able to use the root shell to reset and change passwords on the system. If the Grub boot menu is locked and password-protected, you can still boot to Linux live media and change your password from there.
Once again, encryption would prevent your system from being accessed and modified without your encryption passphrase. We used Ubuntu as an example, but almost every Linux distribution uses Grub and few people set a Grub password.

Mac OS X

Macs have a built-in password reset tool, and it’s very easy to access. This option is available in recovery mode. You’ll need to restart your Mac by clicking the Apple menu and selecting Restart. Press and hold the Command + R keys as the computer boots and it will boot into recovery mode.
Click the Utilities menu in recovery mode, select Terminal, type resetpassword into the terminal, and press Enter. You’ll see the Reset Password utility, which allows you to reset the password of any user account on the Mac. You can also access this tool from a Mac OS X installation disc.
To prevent your Mac’s password from being reset, you could enable FileVault disk encryption on your Mac, set a firmware password inside recovery mode, or both.

Chrome OS

Your Chromebook’s user account password is your Google account password. You could reset your Google account password on the web to regain access.
Let’s say you have a Chromebook you want to use, but you can’t sign in. Perhaps you’ve forgotten the Google password associated with the device. Perhaps an old Google account is considered the device’s owner account. In this scenario, you can boot the Chromebook to the sign-in screen and press Ctrl + Shift + Alt + R at the same time. You’ll be prompted to factory reset your Chromebook with Powerwash. After you reset it, you can log in with another Google account and that Google account will be considered the owner account. This will erase all data on the device, but most Chromebook data is synced online.
There’s no way to gain access to a user’s files without their password on a Chromebook — those files are encrypted by default.

Android

If you forget your Android’s lock screen code, you can reset it. Try an incorrect password, PIN, or pattern a few times and you’ll eventually see a “Forgot password,” “Forgot PIN,” or “Forgot pattern” option. You can then regain access to your device by entering the username and password of the Google account associated with your device.
If you don’t have this information either, you may be able to bypass the lock screen in other ways. This should be easy on a device with USB debugging enabled, as you can connect it to a computer and manipulate it over USB with adb — that’s why USB debugging is disabled by default.
You can’t bypass the lock screen without your Google account password unless there’s a hole open in the device — for example, USB debugging. If you want to use the device, you can still perform a factory reset from recovery mode — this will set the device back to its factory state, wiping the data on it. You can then log in and set up the device with another Google account.

iOS

iPhones, iPads, and iPod Touches are also built without a way to reset the password. Unlike on Android, you can’t just reset the device’s password with your Apple ID information. If you forget your iOS device’s password, you’ll have to perform a factory reset. However, if you’re syncing the device to an Apple ID and you still remember your Apple ID password, all your device’s data can be restored afterward thanks to iCloud backups.
You can do this in several ways. If you’ve set up Find My iPhone, you can visit the iCloud website and erase your device from there. If you’ve backed up your device to iTunes on a computer, you can connect the device to your computer and restore your device from an iTunes backup.
If you don’t have access to Find My iPhone and you’ve never backed up the device to iTunes, you can still reset the device using recovery mode. Turn off the device, press and hold the Home button, and then connect the device’s USB cable to your computer. If it doesn’t turn on automatically, turn it on. iTunes will tell you it’s detected a device in recovery mode and allow you to restore it to factory default settings.

Passwords keep honest people honest, and they ensure people can’t gain access to your device without knowing the tricks or looking them up. But, if someone has physical access to your device and wants to bypass the password, there’s nothing you can do to stop them. Even encrypting your files will only protect your personal data — they can always wipe the encrypted data and start over fresh.