[SOLVED] Can a Motherboard secure a whole computer system?

very_452001

Distinguished
Mar 8, 2014
344
2
18,785
Can this ASUS Prime B450M-A Micro ATX Motherboard do it?:
https://smile.amazon.co.uk/gp/product/B07F6YQV4J/ref=ppx_yo_dt_b_search_asin_title?ie=UTF8&psc=1

Let's say you don't need to rely on hardware encrypting hard drives or software security solutions from Windows such as BitLocker, but instead use the BIOS/UEFI on the motherboard to encrypt the whole system. If it can be done, then what do you do in the BIOS/UEFI to enable it?

Is it simply entering a BIOS password, or is there more to it?

Will changing the CMOS battery or flashing the BIOS with the latest firmware, which resets the BIOS to factory default settings, make everything mentioned above useless?
 

USAFRet

Titan
Moderator
What are you trying to protect against?

If someone has physical access, many things can be done. Like remove the drive and put it in something else.
And the data is the only thing that really matters. The hardware is trivially replaceable.
 

very_452001

> What are you trying to protect against?
>
> If someone has physical access, many things can be done. Like remove the drive and put it in something else.
> And the data is the only thing that really matters. The hardware is trivially replaceable.

Yes, in that case protect my data on my drive from anyone getting physical access to it and reading off of it.

If they don't take the drive out of the system, then will a Windows 10 password be sufficient? If not, what's better than a Windows password without using biometrics or signing into Microsoft to enable a security feature? I have Windows 10 Pro.
 

USAFRet

> Yes, in that case protect my data on my drive from anyone getting physical access to it and reading off of it.
>
> If they don't take the drive out of the system, then will a Windows 10 password be sufficient? If not, what's better than a Windows password without using biometrics or signing into Microsoft to enable a security feature? I have Windows 10 Pro.

A BitLocker or VeraCrypt encrypted volume or second drive, with your sensitive personal data on it.
No one is getting into that without the password. Either still in the PC or out.

Just don't misplace your decryption credentials. If you do, then you also are not getting into it.
 

very_452001

> A BitLocker or VeraCrypt encrypted volume or second drive, with your sensitive personal data on it.
> No one is getting into that without the password. Either still in the PC or out.
>
> Just don't misplace your decryption credentials. If you do, then you also are not getting into it.

Which is better, do you think, BitLocker or VeraCrypt? I have Windows 10 Pro.

When you say no one is getting into that, do you mean not even the Government/Authorities can get into it? If the Authorities can bypass the encryption then Hackers can too, right? Otherwise, what do the Authorities have that Hackers don't have? Quantum Computers that can bypass any decryption in seconds?
 

USAFRet

I invite you to find some publicly published or available "hack" into a BitLocker or VeraCrypt encrypted volume.

"Quantum Computers"?
While a nice buzzword, they don't really exist yet except as research projects.
And if you are the target of someone with resources at that level...a hammer works just as well.



I should have asked - "Who are you trying to protect against?"
And "What personal information/data are you trying to protect?"

Level of protection depends on the level of threat.
 

> I should have asked - "Who are you trying to protect against?"
> And "What personal information/data are you trying to protect?"
>
> Level of protection depends on the level of threat.

I would like to add, actual level of threat and who it is.

I think that government agencies have the resources to if anyone can. But the thing is, if they got the warrants to start such a process you're already in so much trouble it's really become a moot question by that point. Your life is wasted, just ask Jeffrey Epstein. The best course of action is don't stand on principle, just give them the password and let your lawyer fight admissibility in court.

If online threats: whole drive encryption in and of itself wouldn't matter if you pick something up while, let's say, browsing the dark web. What you get might even change your key, or trick you into changing it, and lock you out of your own drive until you pay them the ransom.

If some random stoner who steals your laptop then you're probably well enough protected with just BIOS/machine password. He'll soon enough give up trying to get into it and open the drive to see the shiny bits instead, so have backups. On the HP help forums site there are lots of people looking for help recovering their 'forgotten' passwords.

If a Mexican cartel, you'll give them the password before they get to your wrist.
 

very_452001

> I would like to add, actual level of threat and who it is.
>
> I think that government agencies have the resources to if anyone can. But the thing is, if they got the warrants to start such a process you're already in so much trouble it's really become a moot question by that point. Your life is wasted, just ask Jeffrey Epstein. The best course of action is don't stand on principle, just give them the password and let your lawyer fight admissibility in court.
>
> If online threats: whole drive encryption in and of itself wouldn't matter if you pick something up while, let's say, browsing the dark web. What you get might even change your key, or trick you into changing it, and lock you out of your own drive until you pay them the ransom.
>
> If some random stoner who steals your laptop then you're probably well enough protected with just BIOS/machine password. He'll soon enough give up trying to get into it and open the drive to see the shiny bits instead, so have backups. On the HP help forums site there are lots of people looking for help recovering their 'forgotten' passwords.
>
> If a Mexican cartel, you'll give them the password before they get to your wrist.

When you mention whole drive encryption in and of itself doesn't matter do you mean encrypted drives are not protected against ransomware attacks? If so how does one protect their drives against ransomware attacks?
 

USAFRet

> When you mention whole drive encryption in and of itself doesn't matter do you mean encrypted drives are not protected against ransomware attacks? If so how does one protect their drives against ransomware attacks?

If you are using it and it is decrypted at the moment of the ransomware starting...the encryption or not does not matter.

One protects against ransomware in 2 ways:
  1. By not clicking on dumb stuff to get infected.
  2. By having a good backup routine.

If my systems, any or all of its drives, were to get screwed by ransomware right now...I'd simply recover from last night's backup.


Encryption is useful for when the system is off.
If someone steals it or otherwise has access, they cannot decrypt unless they know the password.

My work laptop, for instance.
Full drive encryption. But to log in and access it, you need a smart card with a chip, and the proper 6 digit code, known only to me.
If someone steals this...they cannot get into the drive. At all.
All they could do is remove the drive and wipe it clean.
Changes to the BIOS are also not allowed, unless you know the proper 20(?) digit BIOS password.

My home systems are NOT locked down to that extent, because they do not access sensitive information as my work laptop does.
 
> When you mention whole drive encryption in and of itself doesn't matter do you mean encrypted drives are not protected against ransomware attacks? If so how does one protect their drives against ransomware attacks?

I've no idea, it was just an example. But if you're online with a BitLocker protected drive, it's unlocked and vulnerable to exploits; the 'right' one can cause you harm. That's the point.
 

very_452001

> If you are using it and it is decrypted at the moment of the ransomware starting...the encryption or not does not matter.
>
> One protects against ransomware in 2 ways:
>   1. By not clicking on dumb stuff to get infected.
>   2. By having a good backup routine.
>
> If my systems, any or all of its drives, were to get screwed by ransomware right now...I'd simply recover from last night's backup.
>
> Encryption is useful for when the system is off.
> If someone steals it or otherwise has access, they cannot decrypt unless they know the password.
>
> My work laptop, for instance.
> Full drive encryption. But to log in and access it, you need a smart card with a chip, and the proper 6 digit code, known only to me.
> If someone steals this...they cannot get into the drive. At all.
> All they could do is remove the drive and wipe it clean.
> Changes to the BIOS are also not allowed, unless you know the proper 20(?) digit BIOS password.
>
> My home systems are NOT locked down to that extent, because they do not access sensitive information as my work laptop does.

Okay, encryption fully works 100% after the system has been turned off? However, once the user powers on and logs back into the system, the drive is decrypted and the drive is then vulnerable to online attacks?
 
> Okay, encryption fully works 100% after the system has been turned off? However, once the user powers on and logs back into the system, the drive is decrypted and the drive is then vulnerable to online attacks?

Once stored on the drive it's encrypted all the time and data is encrypted and decrypted 'on the fly' using the key you provided at startup. It may even be encrypted in memory as memory contents can be retained after turn-off. An exploit would use the same 'on the fly' decryption/encryption method the OS uses to do its harm.

Speaking as a layman I feel modern OSes really are very secure these days. The more common exploits need a highly privileged operator in the loop at some point to get going. The way it would work is you'd click on something and then innocently accept whatever the OS says will happen. Do you use an account with Administrator privilege to browse the web and open e-mail? How many times have you blindly accepted it when notified an app will 'change system settings'? Or even lowered the UAC setting to 'never notify'? That's where you should start shoring up your security protocols as doing that can completely circumvent even the best whole-disk encryption.

But yes, once you've turned it off...or logged out...the data is encrypted on the drive. It might be arguable before, but after turn-off it's not: you are the weakest link in the chain of security. They'll get at it through you, and it won't be pretty if they want it bad enough.
 
Solution
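
Added example, not part of the original thread or any poster's reply: a PowerShell check, for a Windows 10 Pro machine like the one discussed, of the three things the answers turn on (whether BitLocker protection is actually on and what unlocks each volume, whether UAC has been lowered to "never notify", and which accounts hold administrator rights). The function names Get-DiskEncryptionReport and Get-UacReport are made up for this example; the cmdlets and registry values they read are the standard Windows ones.

```powershell
# Added example, not from the thread. Run in an elevated Windows PowerShell 5.1
# prompt; Get-BitLockerVolume needs administrator rights.

function Get-DiskEncryptionReport {   # hypothetical helper name
    # One row per volume: is it encrypted, is protection active, what unlocks it.
    Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        [pscustomobject]@{
            MountPoint    = $_.MountPoint
            VolumeStatus  = $_.VolumeStatus      # FullyEncrypted, FullyDecrypted, ...
            Protection    = $_.ProtectionStatus  # Off = not encrypted or suspended
            LockStatus    = $_.LockStatus        # Unlocked = readable by the running OS
            KeyProtectors = $types -join ', '
            # A 'Tpm' protector unlocks the volume at boot with no PIN or password.
            TpmOnlyUnlock = $types -contains 'Tpm'
        }
    }
}

function Get-UacReport {              # hypothetical helper name
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        UacEnabled    = $p.EnableLUA -eq 1
        AdminPrompt   = $p.ConsentPromptBehaviorAdmin   # 0 = elevate without asking
        SecureDesktop = $p.PromptOnSecureDesktop -eq 1
        # The "Never notify" slider position sets ConsentPromptBehaviorAdmin to 0.
        NeverNotify   = ($p.EnableLUA -ne 1) -or ($p.ConsentPromptBehaviorAdmin -eq 0)
    }
}

Get-DiskEncryptionReport | Format-Table -AutoSize
Get-UacReport | Format-List
# Accounts with administrator rights (well-known SID of the local Administrators
# group); the account used for browsing and e-mail should ideally not be listed.
Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object Name, PrincipalSource
```

A volume showing LockStatus "Unlocked" while you are logged in is expected: that is the 'on the fly' state the last answer describes, in which anything running with your privileges sees plaintext.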