3

Constraint: I cannot use a TPM (the only Mini PCIe port is already used by a Wi‑Fi/Bluetooth module).

Device / context:

The target system is a portable Pico‑ITX device (Jetway NP93, Intel Celeron N2930, single SATA SSD) used in industrial repair tasks. It runs Windows 10 Enterprise IoT, may occasionally be connected to power/network, and must boot automatically without any user interaction. There is no secondary storage.

Goal / threat model:

We want to encrypt the SSD (OS + sensitive application data) with BitLocker so that:

  • Boot is fully automatic (no password prompt or USB key entry).

  • The BitLocker startup key is stored locally, ideally on a hidden partition of the same SSD. If someone dismantles the device and removes the SSD, they should not be able to read the data.

  • The threats are clients, technicians, or competitors who might try to extract or clone the SSD.

  • The BIOS is password-protected, but the SSD is removable.

Current situation / clarification:

The usual method is to store the BitLocker startup key on an external USB drive. Storing the key on the same SSD raises concerns: a determined attacker could potentially read the key by connecting the SSD to another system, cloning partitions, or using NVMe/SATA adapters. Hiding the partition alone is unlikely to fully prevent access.

Concrete questions:

Is it technically possible with BitLocker on Windows 10 Enterprise IoT (without TPM) to:

  • Boot automatically from the SSD, and

  • Store the key on a hidden partition of the same SSD, so that if the SSD is removed, it cannot be decrypted elsewhere?

If yes, what are the exact steps / settings to implement this?

6
  • 2
Your threat model doesn't really state who the actual threat is. Is this a desktop, a server, a home NAS? Is the supposed "attacker" the machine's legitimate user, a roommate, a janitor, a dedicated thief, a random thief? Why are they more likely to disassemble the PC and steal just the SSD, rather than steal the entire PC? Commented 16 hours ago
  • @grawity I edited this, thanks for the feedback. The users are the only threat we know. Commented 16 hours ago
  • 1
    Whatever you do, if the system boots from ONLY that SSD, you can just take it out and stick into another PC, and that will boot as well. For what you try to do, you'd need a custom UEFI which maps your 'hidden partition' with the bitlocker key to an USB drive. You need to have some mechanism OUTSIDE of the SSD which is validating the whole thing. As your question is written, it is just too broad and vague to be answered. Commented 15 hours ago
  • 1
    Can you clarify also what prevents you from using a TPM? Commented 15 hours ago
  • @grawity I'm editing this right now (it's a port issue, the Mini PCIe port is already in use) Commented 14 hours ago

2 Answers

4

Assuming that you can write your bootloader so it can read a separate partition to recover a key that BitLocker can use to unlock things automatically, you still won't have the security you need, because...

That special partition on the drive will have to be unencrypted in order for it to be readable by BitLocker, and so you'll just have stored the BitLocker key in an insecure location that can be accessed by anyone with access to the system or its drive.

You could make the "security" more obscure by concealing a USB storage device somewhere on the device and using that to store the key, but it doesn't actually make it more secure, it just protects against cases where the attacker takes the drive and doesn't take the USB key.

The point of a TPM is that there is a trusted secret module that only gives out the right secret if it can validate that the system is trustworthy. Without a trusted module to do this, you're working with a variety of "trust something less trustworthy" options, and that is not the security you want. If you are serious that you need to avoid corporate espionage and theft of ideas, you need to choose a different hardware platform, one that meets your security needs with the required modules for a properly securable system.

1
  • 1
OK, I see what you mean. If this is not possible, maybe I'll try changing the Bluetooth/Wi-Fi module to free the Mini PCIe slot for a TPM module and use USB instead. Thank you Commented 12 hours ago
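The answer above rests on one fact: a "hidden" partition is nothing more than an attribute bit in the GPT partition entry, which Windows honours by not mounting the volume, and which any other tool simply ignores. The following is an added example, not code from the question or either answer. It builds a small GPT disk image in memory (constructed sample data: a "Windows" partition and a "vault" partition flagged hidden, with a placeholder 32-byte blob standing in for a startup key), then parses the partition table the way any forensic or imaging tool would and reads the blob straight out of the hidden partition. Partition names, GUIDs and the key bytes are all made up for the demonstration; the header and entry layouts, the type GUID for a basic data partition and the attribute bits are those of the UEFI specification.

```python
"""Why a 'hidden' GPT partition does not protect a key stored on it.

Added example (not part of the original question or answers). Builds a
constructed GPT disk image in memory, marks one partition with the Microsoft
'hidden' and 'no drive letter' attribute bits so Windows will not mount it,
and shows that a plain parse of the partition table still lists that
partition and reads the key blob stored in it. Attaching the SSD to another
machine (SATA adapter, dd, a forensic imager) gives exactly this access.
"""
import struct
import uuid
import zlib

SECTOR = 512
HDR_FMT = "<8sIIII" "QQQQ" "16s" "QIII"   # 92-byte GPT header (UEFI spec)
ENT_FMT = "<16s16sQQQ72s"                 # 128-byte GPT partition entry
BASIC_DATA = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")  # Basic data partition
ATTR_HIDDEN = 1 << 62        # GPT_BASIC_DATA_ATTRIBUTE_HIDDEN
ATTR_NO_AUTOMOUNT = 1 << 63  # GPT_BASIC_DATA_ATTRIBUTE_NO_DRIVE_LETTER

# Constructed placeholder standing in for a BitLocker startup key file (.BEK).
FAKE_KEY = bytes(range(32))


def make_entry(first, last, attrs, name):
    """Pack one partition entry; the unique GUID is random (constructed data)."""
    return struct.pack(ENT_FMT, BASIC_DATA.bytes_le, uuid.uuid4().bytes_le,
                       first, last, attrs,
                       name.encode("utf-16-le").ljust(72, b"\0"))


def build_image(total_sectors=128):
    """Return a bytearray GPT disk: an OS volume plus a hidden 'vault' holding FAKE_KEY.

    Only the primary header is written; the backup header at the last LBA is
    omitted because the parser below reads the primary one.
    """
    img = bytearray(total_sectors * SECTOR)
    img[510:512] = b"\x55\xaa"                  # protective MBR: signature only
    entries = (make_entry(34, 49, 0, "Windows") +
               make_entry(50, 53, ATTR_HIDDEN | ATTR_NO_AUTOMOUNT, "vault"))
    entries = entries.ljust(128 * 128, b"\0")    # 128 slots, LBA 2..33
    img[2 * SECTOR:2 * SECTOR + len(entries)] = entries
    hdr = struct.pack(HDR_FMT, b"EFI PART", 0x00010000, 92, 0, 0,
                      1, total_sectors - 1, 34, total_sectors - 34,
                      uuid.uuid4().bytes_le, 2, 128, 128, zlib.crc32(entries))
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]  # header CRC
    img[SECTOR:SECTOR + 92] = hdr
    img[50 * SECTOR:50 * SECTOR + len(FAKE_KEY)] = FAKE_KEY        # key in 'vault'
    return img


def list_partitions(img):
    """Parse the primary GPT and return every in-use entry, hidden or not."""
    (sig, _, hdr_size, hdr_crc, _, _, _, _, _, _,
     ent_lba, n_ent, ent_size, arr_crc) = struct.unpack(HDR_FMT, bytes(img[SECTOR:SECTOR + 92]))
    if sig != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    raw = bytearray(img[SECTOR:SECTOR + hdr_size])
    raw[16:20] = b"\0\0\0\0"                     # CRC is computed with the field zeroed
    if zlib.crc32(bytes(raw)) != hdr_crc:
        raise ValueError("GPT header CRC mismatch")
    start = ent_lba * SECTOR
    array = bytes(img[start:start + n_ent * ent_size])
    if zlib.crc32(array) != arr_crc:
        raise ValueError("partition array CRC mismatch")
    parts = []
    for i in range(n_ent):
        t, _, first, last, attrs, name = struct.unpack(ENT_FMT, array[i * ent_size:(i + 1) * ent_size])
        if t == b"\0" * 16:
            continue                             # unused slot
        parts.append({"name": name.decode("utf-16-le").rstrip("\0"),
                      "type": str(uuid.UUID(bytes_le=t)).upper(),
                      "first": first, "last": last,
                      "hidden": bool(attrs & ATTR_HIDDEN)})
    return parts


def recover_key(img):
    """Return the leading bytes of every hidden partition: the 'protected' key."""
    return [bytes(img[p["first"] * SECTOR:p["first"] * SECTOR + len(FAKE_KEY)])
            for p in list_partitions(img) if p["hidden"]]


if __name__ == "__main__":
    disk = build_image()
    for p in list_partitions(disk):
        print(f"{p['name']:<8} LBA {p['first']:>3}-{p['last']:<3} hidden={p['hidden']}")
    print("key read from hidden partition:", recover_key(disk)[0].hex())
```

The hidden flag changes only how Windows treats the volume; the sectors are still on the disk in the clear, and the key comes out with one slice. Real-world tooling (a Linux live system with `gdisk`, or any disk imager) does the same without any custom code, which is the point the answer makes: without a TPM or other component outside the SSD, the key and the data it protects travel together.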
4

BitLocker is a technology developed to protect a drive which is NOT in use. It is totally inadequate to protect anything on a drive a user can start up. There are loads of ways to make a complete disk clone of a system which is running; a working Wi-Fi connection is usually enough (although it will be slow). I would not trust Windows UAC (User Account Control) to protect you against this.

  • If all you want to avoid is a traditional way of cloning the SSD, as described by you, it is sufficient to physically bind the SSD to your mainboard: soldering, glue, one-way screws or drilling out the head of the screw are all ways to achieve this. Whoever wants the drive will need to physically damage the device. (It also means the device will become unserviceable, though.)

  • But if you want to efficiently avoid the cloning of your software, you will need to implement some sort of DRM (Digital Rights Management) protection. Most vendors today work with periodic authentication over internet. However, in your setting a physical hardware key, for example on a USB drive, could be more efficient: that way a user needs BOTH the SSD and the USB key in order to run your software.

Also, note that there is no possibility to completely avoid someone using your software outside of your license agreement. You can just make it so difficult that it is not attractive from a cost perspective.
