Friday, August 15, 2008

Become familiar with Windows BitLocker Drive Encryption

Data security on lost or stolen PC devices is a growing concern among security experts and corporate executives. The data stored on the PC asset is often significantly more valuable to a corporation than the asset itself, and the loss, theft or unwanted disclosure of that data can be very damaging.

BitLocker Drive Encryption is a data protection feature available in Windows Vista Enterprise and Ultimate for client computers and in Windows Server 2008. BitLocker is Microsoft's response to a frequent customer request: address these very real threats of data theft or disclosure from lost, stolen or inappropriately decommissioned PC hardware with a tightly integrated solution in the Windows Operating System.

The technical particulars

BitLocker uses either 128- or 256-bit AES (Advanced Encryption Standard) encryption; the key length is up to you and is configurable through Group Policy. BitLocker works best on a system with a Trusted Platform Module (TPM) version 1.2. A TPM is a separate chip on the computer’s motherboard that generates the cryptographic keys on which the encryption depends. According to Microsoft and independent testers, BitLocker Drive Encryption carries a negligible system performance penalty.

There are some caveats, though. BitLocker protects only the operating system volume of a computer. If you deploy laptops with a single volume, this isn’t a problem; but on systems with multiple volumes or multiple drives, BitLocker alone cannot protect all of the data. In these circumstances, Microsoft continues to recommend EFS for non-OS volumes. EFS is also more effective when used in conjunction with BitLocker, because the root secrets of EFS are stored on the OS volume: once BitLocker is enabled for the OS volume, those EFS root secrets are themselves protected by BitLocker and much less susceptible to tampering. Further, you get around one serious EFS limitation, the inability to encrypt files in the system root. These files are now protected by BitLocker, and the rest of your system by EFS.

There are also a number of areas in which BitLocker does not provide protection, including:

Tampering by system administrators: By default, these people frequently have carte blanche access to data. Encryption is not designed to keep out those who have been granted access to the data.

Attacks by other authenticated users: If an attack against a system is carried out with valid user credentials, BitLocker will freely give up your secrets. In short, BitLocker cannot protect you if your system is compromised as part of an online attack. The lesson here: multiple layers of defense remain critical. Always run a firewall, antivirus and antispyware software for the maximum protection of your data assets.

Hardware attacks: An attacker with physical access can still attach a dedicated hardware debugger to the system and gain access to the underlying data.

I will go over a full deployment sample in my next article. However, you should know that you can deploy BitLocker in two different ways: with TPM 1.2 or without it. Using TPM 1.2 offers the highest level of security, but not every system is capable of supporting it. To offer protection to those who cannot or will not deploy a TPM, Microsoft makes available a non-TPM deployment method. The non-TPM mode supports multiple authentication methods, including entry of a PIN by the user at boot or insertion of a USB drive that holds a startup key. In my next article, you’ll see this second method in action.

And now, the bad

BitLocker is supported only on the Enterprise and Ultimate editions of Vista and will also be available under Longhorn Server. Why Microsoft would exclude the other Vista editions, particularly the Business edition, is beyond me. Only the Ultimate edition of Vista can run BitLocker in a standalone way; the Enterprise edition supports BitLocker only when the machine is joined to a domain. This is less of a drawback than it seems at first glance: since BitLocker recovery keys can be stored in Active Directory, the domain requirement makes sense. You probably don’t want thousands of people carrying around their private recovery keys, and losing them, making your company’s data irrecoverable.
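As an added example (not from this article or from Microsoft), the following PowerShell script audits the points raised above on one machine: whether a TPM is present and ready, which AES key length the volume uses, which authentication mode (TPM, PIN or USB startup key) protects the OS volume, and whether a numerical recovery password exists that could be escrowed in Active Directory. It relies on the Win32_Tpm and Win32_EncryptableVolume WMI classes that BitLocker exposes, must run from an elevated prompt, and does not verify that the recovery password actually reached AD.

```powershell
# Added example: report BitLocker posture via the WMI classes BitLocker exposes.
# Run elevated. Enumeration values are from the Win32_EncryptableVolume interface.
$encMethodNames = @{ 0 = 'Not encrypted'; 1 = 'AES-128 with diffuser';
                     2 = 'AES-256 with diffuser'; 3 = 'AES-128'; 4 = 'AES-256' }
$protectorNames = @{ 0 = 'Unknown'; 1 = 'TPM only'; 2 = 'External key (USB startup key)';
                     3 = 'Numerical recovery password'; 4 = 'TPM + PIN';
                     5 = 'TPM + startup key'; 6 = 'TPM + PIN + startup key' }

# TPM check: absent, or present but not enabled/activated/owned, rules out TPM mode.
$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm `
                     -ErrorAction SilentlyContinue
if ($tpm) {
    Write-Host ("TPM spec {0}: enabled={1} activated={2} owned={3}" -f $tpm.SpecVersion,
        $tpm.IsEnabled().IsEnabled, $tpm.IsActivated().IsActivated, $tpm.IsOwned().IsOwned)
} else {
    Write-Host 'No TPM found: only the non-TPM mode (PIN or USB startup key) is possible'
}

# On Vista only the OS volume can be BitLocker-protected, so that is the one to inspect.
$vols = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                      -Class Win32_EncryptableVolume
foreach ($vol in $vols) {
    $isOs   = ($vol.DriveLetter -eq $env:SystemDrive)
    $status = $vol.GetProtectionStatus().ProtectionStatus      # 0 off, 1 on, 2 unknown
    $method = $vol.GetEncryptionMethod().EncryptionMethod
    Write-Host ("`nVolume {0}{1}: protection={2}, cipher={3}" -f $vol.DriveLetter,
        $(if ($isOs) { ' (OS volume)' } else { '' }),
        @('Off', 'On', 'Unknown')[$status], $encMethodNames[[int]$method])

    # Key protectors show which unlock path is configured. The numerical password
    # (type 3) is what gets backed up to AD; without one, a lost PIN or startup
    # key leaves the volume unrecoverable.
    $hasRecovery = $false
    foreach ($id in $vol.GetKeyProtectors(0).VolumeKeyProtectorID) {
        $type = $vol.GetKeyProtectorType($id).KeyProtectorType
        if ($type -eq 3) { $hasRecovery = $true }
        $name = $protectorNames[[int]$type]
        if (-not $name) { $name = "type $type" }
        Write-Host ("  protector {0}: {1}" -f $id, $name)
    }
    if ($isOs -and $status -eq 1 -and -not $hasRecovery) {
        Write-Warning 'OS volume is protected but has no numerical recovery password to escrow in AD'
    }
}
```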

While it has its limitations, BitLocker is a welcome addition to the family. The tool gives enterprises additional data protection options that help keep corporate data safe.