SECURITY TO THE CORE

Protecting Data With BitLocker Drive Encryption


BitLocker Drive Encryption is a full-volume encryption feature of Windows Vista and Windows 7 that can be rooted in hardware. It is designed to protect the data on laptops, desktops and lightly guarded servers such as branch office machines even if the computer is lost, stolen or otherwise falls into the wrong hands, and it can use a Trusted Platform Module (TPM) to protect the keys that unlock the volume. A TPM is a microchip, typically soldered to the motherboard, that stores keys, passwords and digital certificates. Information held in the TPM is better protected from software attacks than data on disk, and the chip is designed to resist extraction of its secrets by someone with physical access to the machine.

How does BitLocker Drive Encryption work?

To use all of the BitLocker functionality, your computer must have a compatible TPM and BIOS. Compatible means a version 1.2 TPM and a BIOS that supports the TPM and the Static Root of Trust for Measurement (SRTM) as defined by the Trusted Computing Group (TCG). Computers without a compatible TPM and BIOS can still use BitLocker, but they must rely on a startup key held on a USB flash drive instead of the TPM, as described later in this article.

BitLocker provides full-volume encryption so that everything written to the Windows operating system volume is stored encrypted. This is key to protecting confidential information on your organization's computers, especially laptops and other mobile machines.

Why Encrypt the Entire Volume?

If you’re an experienced Windows administrator, you’re probably already familiar with Windows-based encryption options such as the Encrypting File System (EFS) and perhaps the encryption and protection provided by Rights Management Services (RMS). The big difference with BitLocker is that, once enabled, it is automatic, transparent, and includes the entire volume.

For example, with EFS, you have to specifically indicate which files and folders will be protected. In Windows Vista, there are some new options that make EFS more flexible, and EFS and RMS each address some scenarios that BitLocker does not. But both EFS and RMS require significant administrator configuration and are not designed to protect everything stored on the volume.

Conversely, BitLocker encrypts everything written to a BitLocker-protected volume, including the operating system itself, the registry, the hibernation and paging files, applications, and data used by applications.

There are three things that are not encrypted: the volume's boot sector, any sectors already marked as bad, and the volume metadata. The metadata consists of three redundant copies of the data BitLocker needs to manage the volume, including status information and copies of the volume key wrapped by each key protector. None of this needs to be encrypted because it is not unique, valuable or personally identifiable, and the key copies are themselves protected by the TPM, startup key or recovery password.

Full-volume encryption protects against offline attacks, that is, attacks mounted by bypassing the running operating system rather than breaking into it. A common offline attack is to steal a computer, remove the hard drive, and attach it as a second drive to another computer (running a different copy of Windows or a different operating system) so that NTFS permissions and user passwords never come into play. Against a BitLocker-protected volume this yields nothing but ciphertext: without one of the volume's key protectors (TPM, startup key or recovery password) the attacker cannot recover the volume key and therefore cannot read the data.

How Does BitLocker Encrypt Data?

BitLocker uses the Advanced Encryption Standard (AES) with 128-bit keys by default. For stronger protection the key length can be raised to 256 bits through Group Policy (the drive encryption method setting) or the BitLocker Windows Management Instrumentation (WMI) provider; the same setting also controls whether the diffuser described below is used.

Each sector of the volume is encrypted individually, and the initialization vector for a sector is derived from the sector's position on the volume (its byte offset). Two sectors that hold identical plaintext therefore produce different ciphertext on disk. This denies an attacker who images the disk the ability to see where identical or repeated data lives, and it means that a known piece of content the attacker manages to get written to the disk looks different in every sector, so it cannot serve as a template for recognizing the same content elsewhere on the volume.

Before a sector is encrypted with AES, BitLocker also passes it through an algorithm Microsoft calls the Elephant diffuser. Without going into the cryptography, the diffuser ensures that even a one-bit change in the plaintext changes the entire encrypted sector, and, equally important, that an attacker who flips bits in the ciphertext on disk garbles the whole sector instead of producing a predictable change in one block of plaintext, as plain CBC mode would allow. This makes it much harder to tamper with an encrypted volume in a controlled way.
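To make the two preceding points concrete, here is a small added illustration in PowerShell, written for this article rather than taken from it or from Microsoft. It models sector encryption with AES-CBC and derives each sector's IV by encrypting the sector's byte offset under the volume key, which is the idea behind BitLocker's per-sector encryption but not its exact on-disk format; the diffuser itself is omitted so that its absence can be observed. The 512-byte sector size, the random key, the sector numbers and the repeated-byte plaintext are all constructed for the demonstration.

```powershell
# Added illustration, not from the original article and not BitLocker's real format:
# per-sector AES-CBC with an IV derived from the sector position, minus the diffuser.
$SectorSize = 512

# Constructed volume key for the demonstration (a real key is released by the TPM or startup key).
$Key = New-Object byte[] 16
(New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($Key)

# AES-CBC over one sector with no padding: a sector is always a whole number of 16-byte blocks.
function Encrypt-Cbc([byte[]]$Key, [byte[]]$Iv, [byte[]]$Plain) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::None
    return $aes.CreateEncryptor($Key, $Iv).TransformFinalBlock($Plain, 0, $Plain.Length)
}

# Per-sector IV: the sector's byte offset, as a 16-byte little-endian integer, encrypted
# under the volume key. Nothing is stored on disk; the IV is recomputed from the position.
function Get-SectorIv([byte[]]$Key, [long]$SectorNumber) {
    $offset = New-Object byte[] 16
    [Array]::Copy([BitConverter]::GetBytes([long]($SectorNumber * $SectorSize)), $offset, 8)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::ECB
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::None
    return $aes.CreateEncryptor($Key, (New-Object byte[] 16)).TransformFinalBlock($offset, 0, 16)
}

function Count-DifferingBytes([byte[]]$A, [byte[]]$B) {
    $n = 0
    for ($i = 0; $i -lt $A.Length; $i++) { if ($A[$i] -ne $B[$i]) { $n++ } }
    return $n
}

# Two sectors (numbers 7 and 8) holding identical plaintext, e.g. a run of repeated bytes.
$sector = New-Object byte[] $SectorSize
for ($i = 0; $i -lt $SectorSize; $i++) { $sector[$i] = 0x41 }

$c7 = Encrypt-Cbc $Key (Get-SectorIv $Key 7) $sector
$c8 = Encrypt-Cbc $Key (Get-SectorIv $Key 8) $sector
"Per-sector IV: identical plaintext sectors give identical ciphertext? " + ([Convert]::ToBase64String($c7) -eq [Convert]::ToBase64String($c8))

# What a naive scheme with one fixed IV for every sector would reveal to someone imaging the disk.
$fixedIv = New-Object byte[] 16
$f7 = Encrypt-Cbc $Key $fixedIv $sector
$f8 = Encrypt-Cbc $Key $fixedIv $sector
"Fixed IV: identical plaintext sectors give identical ciphertext? " + ([Convert]::ToBase64String($f7) -eq [Convert]::ToBase64String($f8))

# Why BitLocker adds a diffuser: in plain CBC a one-bit change in the last block of the sector
# changes only the last 16 bytes of ciphertext, so changes stay localized and ciphertext
# tampering has predictable effects on plaintext. The diffuser spreads any change over the sector.
$modified = [byte[]]$sector.Clone()
$modified[500] = $modified[500] -bxor 0x01
$cMod = Encrypt-Cbc $Key (Get-SectorIv $Key 7) $modified
"Ciphertext bytes changed by a one-bit plaintext change in the last block: " + (Count-DifferingBytes $c7 $cMod) + " of $SectorSize"
```

Run it in any PowerShell session with the .NET Framework present. The first comparison shows that the two identical sectors encrypt differently once the IV depends on position; the second shows that a fixed IV would make them identical; the last line shows that plain CBC confines a change in the final block to the last 16 bytes of ciphertext, which is precisely the locality the diffuser is there to remove.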

Enabling BitLocker for the First Time without TPM

BitLocker is available in Windows Vista Enterprise and Ultimate and in Windows 7 Enterprise and Ultimate. The following discussion assumes that you have a computer without a compatible TPM.

BitLocker is configured by default to use a TPM, and if you don't have one, Windows out of the box will not let you enable BitLocker. The following procedure, however, allows you to use BitLocker without a TPM.

To perform the following steps, you must be logged on as an administrator. Follow these steps to turn on BitLocker Drive Encryption on a computer without a compatible TPM:

  • Click Start, type gpedit.msc in the Start Search box and then press ENTER.

  • In the Group Policy Object Editor console tree, expand Local Computer Policy, Administrative Templates, Windows Components, and then click BitLocker Drive Encryption. (On Windows 7 the relevant settings sit one level further down, under Operating System Drives.)
  • Double-click the setting Control Panel Setup: Enable Advanced Startup Options (on Windows 7 it is called Require additional authentication at startup). The setting's dialog box appears.
  • Select the Enabled option, select the Allow BitLocker without a compatible TPM check box, and then click OK. You have changed the policy setting so that you can use a startup key instead of a TPM.

  • Close the Group Policy Object Editor.
  • To force Group Policy to apply immediately, you can click Start, type gpupdate.exe /force in the Start Search box, and then press ENTER. Wait for the process to finish.
  • Click Start, click Control Panel, click Security (System and Security on Windows 7), and then click BitLocker Drive Encryption.
  • If the User Account Control prompt appears, verify that the proposed action is what you requested, and then click Continue.
  • On the BitLocker Drive Encryption page, click Turn On BitLocker on the operating system volume.
  • On the Set BitLocker Startup Preferences page, select the Require Startup USB Key at every startup option. This is the only option available for non-TPM configurations. This key must be inserted each time before you start the computer.
  • Insert your USB flash drive in the computer, if it is not already there.
  • On the Save your Startup Key page, choose the location of your USB flash drive, and then click Save.
  • On the Save the recovery password page, you will see the following options:

* Save the password on a USB drive. Saves the password to a USB flash drive.
* Save the password in a folder. Saves the password to a network drive or other location.
* Print the password. Prints the password.

Choose any of these options to preserve the recovery password. Store recovery passwords apart from the computer for maximum security. To choose more than one recovery password storage method, select one, follow the wizard to determine the location for saving or printing, and then click Next. You can then repeat this step to choose additional recovery password storage methods.

  • On the Encrypt the selected disk volume page, confirm that the Run BitLocker System Check check box is selected, and then click Continue.
  • Confirm that you want to restart the computer by clicking Restart Now. The computer restarts and BitLocker ensures that the computer is BitLocker-compatible and ready for encryption. If it is not, you will see an error message alerting you to the problem before encryption starts.
  • If the computer is ready for encryption, the Encryption in Progress status bar is displayed. You can monitor progress by hovering the mouse over the BitLocker Drive Encryption icon in the notification area at the bottom right of the screen or by clicking the Encryption balloon.

By completing this procedure, you have encrypted the operating system volume and created a recovery password unique to that volume. The next time you turn the computer on, the USB flash drive holding the startup key must be plugged into a USB port; without it you cannot access the data on the encrypted volume. (A PIN is not an option in this configuration, because PIN protectors require a TPM.) Store the startup key away from the computer to increase security, and store the recovery password separately from both. Without the startup key, you will have to enter recovery mode and supply the recovery password to access your data.
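The same procedure as commands, an added example written for this article rather than taken from it or from Microsoft. It assumes Windows 7 (where manage-bde.exe is the command-line tool; on Vista the equivalent is the manage-bde.wsf script run through cscript), an elevated PowerShell session, the operating system volume on C:, the USB flash drive for the startup key on E:, and a second removable drive on F: kept separately for the recovery password. All of those drive letters and the folder name are assumptions. The registry values are the ones the Group Policy setting above writes under HKLM\SOFTWARE\Policies\Microsoft\FVE.

```powershell
# Added example, not from the original article: the no-TPM procedure as commands for
# Windows 7. Assumed drive letters: OS volume C:, startup-key USB E:, recovery drive F:.
$OsVolume    = 'C:'
$UsbDrive    = 'E:\'
$RecoveryDir = 'F:\BitLockerRecovery'

# 1. "Allow BitLocker without a compatible TPM". This writes the registry values that
#    enabling the policy in gpedit.msc writes; a domain GPO that sets them differently wins.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord
gpupdate.exe /force | Out-Null

# 2. Check the current state of the volume before changing it.
manage-bde.exe -status $OsVolume

# 3. Turn on BitLocker with a USB startup key and a generated numerical recovery password,
#    the command-line equivalent of the wizard pages above. The BitLocker system check still
#    runs at the next restart unless -SkipHardwareTest is added.
manage-bde.exe -on $OsVolume -StartupKey $UsbDrive -RecoveryPassword

# 4. Record the 48-digit recovery password away from the computer. manage-bde lists it under
#    the "Numerical Password" protector; store it separately from both the PC and the startup key.
New-Item -ItemType Directory -Path $RecoveryDir -Force | Out-Null
manage-bde.exe -protectors -get $OsVolume | Out-File -FilePath (Join-Path $RecoveryDir 'recovery-password.txt')

Write-Host "Restart with the USB drive in $UsbDrive to run the BitLocker system check; encryption begins once it passes."
```

After the restart, `manage-bde -status C:` reports the percentage encrypted and the protectors in place, which is the command-line view of the Encryption in Progress bar described above.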

A Few Final Points

BitLocker is a powerful tool designed to protect against specific threats, and it does an excellent job of that. It would be a mistake, however, to expect it to protect against all threats. It is essential to keep using the other defenses and controls you rely on, such as strong passwords and timely patching; none of them become redundant once a volume is encrypted.

Understand that BitLocker is geared towards offline attacks. If Windows is running, BitLocker has already unlocked the volume, so it offers no protection to a running system: malware or a logged-on user sees plaintext exactly as before. A laptop in sleep (standby) counts as running in this sense; only shutting down or hibernating returns the volume to its locked state. Technologies such as EFS and RMS complement BitLocker by protecting information while the OS is running.
