Windows Vista - File Encryption : Workings of BitLocker Drive Encryption

11/24/2010 2:26:11 PM

BitLocker Drive Encryption

A new feature that was added to Windows Vista is BitLocker Drive Encryption, which is designed to protect computers from attackers who have physical access to a computer. Without BitLocker Drive Encryption, an attacker can start the computer with a boot disk and then reset the administrator password to gain full control of the computer, or the attacker can access the computer’s hard disk directly by using a different operating system to bypass file permissions.

Workings of BitLocker Drive Encryption

BitLocker Drive Encryption is the feature in Windows Vista that makes use of a computer’s TPM. A Trusted Platform Module (TPM) is a microchip that is built into a computer. It is used to store cryptographic information, such as encryption keys. Information stored in the TPM can be more secure against external software attacks and physical theft. BitLocker Drive Encryption can use a TPM to validate the integrity of a computer’s boot manager and boot files at startup, and to guarantee that a computer’s hard disk has not been tampered with while the operating system is offline. BitLocker Drive Encryption also stores measurements of core operating system files in the TPM.

If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer. Encrypting the entire volume protects all the data, including the operating system itself, the Windows registry, temporary files, and the hibernation file. Because the keys needed to decrypt data remain locked by the TPM, an attacker cannot read the data just by removing your hard disk and installing it in another computer.

During the startup process, the TPM releases the key that unlocks the encrypted partition only after comparing a hash of important operating system configuration values with a snapshot taken earlier. This verifies the integrity of the Windows startup process. During computer startup, if BitLocker detects a system condition that can represent a security risk (for example, disk errors, a change to the BIOS, or changes to any startup files), it will lock the drive, go into Recovery mode, and require a special BitLocker recovery password (a 48-digit key, entered with the function keys in 6 groups of 6 digits) to unlock it. Make sure that you create this recovery password when you turn on BitLocker for the first time; otherwise, you could permanently lose access to your files. Recovery mode is also used if a disk drive is transferred to another system.

On computers with a compatible TPM, BitLocker can be used in three ways:

  • TPM-only. This is transparent to the user, and the user logon experience is unchanged. If the TPM is missing or changed, or if the TPM detects changes to critical operating system startup files, BitLocker enters its Recovery mode, and you need a recovery password to regain access to the data.

  • TPM with startup key. In addition to the protection provided by the TPM, a part of the encryption key is stored on a USB flash drive. This is referred to as a startup key. Data on the encrypted volume cannot be accessed without the startup key.

  • TPM with PIN. In addition to the protection provided by the TPM, BitLocker requires a personal identification number (PIN) to be entered by the user. Data on the encrypted volume cannot be accessed without entering the PIN.
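The measurement-then-release flow described above, together with the three protector modes, as an added model that is not part of the original article and not real TPM or BitLocker code. It assumes hypothetical helpers (`pcr_extend`, `seal`, `unseal`, `startup`) and uses a constructed boot chain, volume key and 48-digit recovery password; an unchanged boot chain releases the key, while a wrong PIN or a modified startup file leaves the volume in Recovery mode until the recovery password is supplied.

```python
# Added, simplified model of the TPM-gated key release described above (not real TPM/BitLocker code).
import hashlib
import hmac

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR = H(PCR || H(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measure_boot(boot_chain) -> bytes:
    """Fold the boot manager and boot files, in boot order, into one PCR value."""
    pcr = bytes(32)
    for name, content in boot_chain:
        pcr = pcr_extend(pcr, name.encode() + content)
    return pcr

def protector_key(pcr: bytes, pin: str = "", startup_key: bytes = b"") -> bytes:
    """Wrapping key bound to the PCR snapshot and, for TPM+PIN / TPM+startup key, the extra factor."""
    return hashlib.sha256(b"|".join([pcr, pin.encode(), startup_key])).digest()

def seal(vmk: bytes, key: bytes) -> bytes:
    """Wrap a 32-byte volume master key: XOR with a key-derived pad, then append an HMAC tag."""
    wrapped = bytes(a ^ b for a, b in zip(vmk, hashlib.sha256(b"pad" + key).digest()))
    return wrapped + hmac.new(key, wrapped, hashlib.sha256).digest()

def unseal(blob: bytes, key: bytes):
    """Return the volume key, or None when the key does not match (the TPM refuses to release)."""
    wrapped, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(hmac.new(key, wrapped, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(wrapped, hashlib.sha256(b"pad" + key).digest()))

def startup(sealed, recovery_sealed, boot_chain, pin="", startup_key=b"", recovery_pw=None):
    """Release the key on a matching measurement; otherwise Recovery mode until the recovery password is given."""
    vmk = unseal(sealed, protector_key(measure_boot(boot_chain), pin, startup_key))
    if vmk is None and recovery_pw is not None:
        vmk = unseal(recovery_sealed, hashlib.sha256(recovery_pw.encode()).digest())
    return ("unlocked", vmk) if vmk else ("recovery_mode", None)

def demo():
    # Constructed sample boot chain, volume key and 48-digit recovery password.
    chain = [("bootmgr", b"bootmgr-v1"), ("winload.exe", b"winload-v1")]
    vmk = hashlib.sha256(b"constructed volume master key").digest()
    recovery_pw = "123456" * 8
    snapshot = measure_boot(chain)  # taken when BitLocker is turned on
    sealed = seal(vmk, protector_key(snapshot, pin="1234"))
    recovery_sealed = seal(vmk, hashlib.sha256(recovery_pw.encode()).digest())
    tampered = [("bootmgr", b"bootmgr-MODIFIED"), chain[1]]  # a changed startup file
    cases = {"normal": (chain, "1234", None), "wrong_pin": (chain, "0000", None),
             "tampered": (tampered, "1234", None), "recovered": (tampered, "1234", recovery_pw)}
    return {k: startup(sealed, recovery_sealed, c, pin=p, recovery_pw=r)[0] for k, (c, p, r) in cases.items()}
```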

By default, the BitLocker Setup Wizard is configured to work seamlessly with the TPM. An administrator can use Group Policy or a script to enable additional features and options.

On computers without a compatible TPM, BitLocker can provide encryption, but not the added security of locking keys with the TPM. In this case, the user is required to create a startup key that is stored on a USB flash drive.

On computers with a compatible TPM, BitLocker Drive Encryption can use one of two TPM modes:

  • TPM-only. In this mode, only the TPM is used for validation. When the computer starts up, the TPM is used to validate the boot files, the operating system files, and any encrypted volumes. Because the user doesn’t need to provide an additional startup key, this mode is transparent to the user, and the user logon experience is unchanged. However, if the TPM is missing or the integrity of files or volumes has changed, BitLocker will enter Recovery mode and require a recovery key or password to regain access to the boot volume.

  • Startup key. In this mode, both the TPM and a startup key are used for validation. When the computer starts up, the TPM is used to validate the boot files, the operating system files, and any encrypted volumes. The user must have a startup key to log on to the computer. A startup key can be either physical, such as a USB flash drive with a machine-readable key written to it, or personal, such as a PIN set by the user. If the user doesn’t have the startup key or is unable to provide the correct startup key, BitLocker will enter Recovery mode. As before, BitLocker will also enter Recovery mode if the TPM is missing or the integrity of boot files or encrypted volumes has changed.

System Requirements of BitLocker

The system requirements of BitLocker are as follows:

  • Because BitLocker stores its own encryption and decryption key in a hardware device that is separate from your hard disk, you must have one of the following:

    • A computer with a TPM. If your computer was manufactured with TPM version 1.2 or higher, BitLocker will store its key in the TPM.

    • A removable USB memory device, such as a USB flash drive. If your computer doesn’t have TPM version 1.2 or higher, BitLocker will store its key on the flash drive.

  • Your computer must have at least two partitions. One partition must include the drive Windows is installed on. This is the drive that BitLocker will encrypt. The other partition is the active partition, which must remain unencrypted so that the computer can be started. Partitions must be formatted with the NTFS file system.

  • Your computer must have a BIOS that is compatible with TPM and supports USB devices during computer startup. If this is not the case, you must update the BIOS before using BitLocker.

To find out whether your computer has TPM security hardware, follow these steps:

1. Open BitLocker Drive Encryption by clicking the Start button, Control Panel, Security, and then clicking BitLocker Drive Encryption. If you are prompted for an administrator password or confirmation, enter the password or provide confirmation.

2. If the TPM administration link appears in the left pane, your computer has the TPM security hardware. If this link is not present, you will need a removable USB memory device to turn on BitLocker and store the BitLocker startup key that you’ll need whenever you restart your computer.

Enabling and Disabling BitLocker

To turn on BitLocker, follow these steps:

1. Open BitLocker Drive Encryption by clicking the Start button, Control Panel, Security, and then clicking BitLocker Drive Encryption. If you are prompted for an administrator password or confirmation, enter the password or provide confirmation.

2. Click Turn On BitLocker. This opens the BitLocker Setup Wizard. Follow the instructions in the wizard.

To turn off or temporarily disable BitLocker, follow these steps:

1. Open BitLocker Drive Encryption by clicking the Start button, Control Panel, Security, and then clicking BitLocker Drive Encryption. If you are prompted for an administrator password or confirmation, enter the password or provide confirmation.

2. Click Turn Off BitLocker. This opens the BitLocker Drive Encryption dialog box.

3. To decrypt the drive, click Decrypt the Volume. To temporarily disable BitLocker, click Disable BitLocker Drive Encryption.

The BitLocker Control Panel applet enables you to recover the encryption key and recovery password at will. You should consider carefully how to store this information, because it will allow access to the encrypted data. It is also possible to escrow this information into Active Directory.
