BitLocker Drive Encryption
A new feature that was added to Windows Vista is BitLocker Drive Encryption, which is designed to protect computers from attackers who have physical access to them. Without BitLocker Drive Encryption, an attacker can start the computer with a boot disk and then reset the administrator password to gain full control of the computer, or can read the computer's hard disk directly from a different operating system, bypassing file permissions entirely.
Workings of BitLocker Drive Encryption
BitLocker Drive Encryption is the feature in Windows Vista that makes use of a computer's Trusted Platform Module (TPM). A TPM is a microchip built in to the computer that stores cryptographic information, such as encryption keys. Information stored in the TPM is better protected against external software attacks and physical theft than information stored on the hard disk. BitLocker Drive Encryption can use a TPM to validate the integrity of a computer's boot manager and boot files at startup, and to guarantee that a computer's hard disk has not been tampered with while the operating system is offline. BitLocker Drive Encryption also stores measurements of core operating system files in the TPM.
If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer. Encrypting the entire volume protects all the data, including the operating system itself, the Windows registry, temporary files, and the hibernation file. Because the keys needed to decrypt data remain locked by the TPM, an attacker cannot read the data just by removing your hard disk and installing it in another computer.
During the startup process, the TPM releases the key that unlocks the encrypted partition only after comparing a hash of important operating system configuration values with a snapshot taken earlier. This verifies the integrity of the Windows startup process. If, during startup, BitLocker detects a system condition that can represent a security risk (for example, disk errors, a change to the BIOS, or changes to any startup files), it locks the drive, enters Recovery mode, and requires a special BitLocker recovery password (a 48-digit key, entered with the function keys in 6 groups of 6 digits) to unlock it. Make sure that you create this recovery password when you turn on BitLocker for the first time; otherwise, you could permanently lose access to your files. Recovery mode is also used if a disk drive is transferred to another system.
On computers with a compatible TPM, BitLocker can be used in three ways:

TPM-only. This is transparent to the user, and the user logon experience is unchanged. If the TPM is missing or changed, or if the TPM detects changes to critical operating system startup files, BitLocker enters its Recovery mode, and you need a recovery password to regain access to the data.

TPM with startup key. In addition to the protection provided by the TPM, a part of the encryption key is stored on a USB flash drive. This is referred to as a startup key. Data on the encrypted volume cannot be accessed without the startup key.

TPM with PIN. In addition to the protection provided by the TPM, BitLocker requires a personal identification number (PIN) to be entered by the user. Data on the encrypted volume cannot be accessed without entering the PIN.
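The following script is an added illustration, not code from the original text or from Microsoft: a simplified model of how a TPM ties ("seals") a key to the measured boot state, so that a change to the BIOS or to a boot file makes the key unavailable and forces the recovery path described above. It also shows how the "TPM with PIN" and "TPM with startup key" modes add a second factor to the same derivation. It models the principle only; it is not BitLocker's real key hierarchy or the TPM's real seal/unseal commands, and the TPM secret, boot component names and PIN are constructed for the demonstration.

```powershell
# Added example: simplified model of TPM measured boot and key sealing.
# Not BitLocker's real key hierarchy; all secrets and measurements are constructed.

$Sha1      = [System.Security.Cryptography.SHA1]::Create()
$TpmSecret = [Text.Encoding]::UTF8.GetBytes('constructed-tpm-internal-secret')  # in a real TPM this never leaves the chip

function Join-Bytes {
    param([byte[]]$A, [byte[]]$B)
    if ($null -eq $B) { $B = New-Object byte[] 0 }
    $buffer = New-Object byte[] ($A.Length + $B.Length)
    [Array]::Copy($A, 0, $buffer, 0, $A.Length)
    [Array]::Copy($B, 0, $buffer, $A.Length, $B.Length)
    return ,$buffer
}

function Extend-Pcr {
    # PCR extend as a TPM 1.2 does it: new PCR = SHA1(old PCR || measurement).
    # A PCR can only be extended, never written, so the final value depends on
    # every measurement and on the order in which they were made.
    param([byte[]]$Pcr, [byte[]]$Measurement)
    return ,$Sha1.ComputeHash((Join-Bytes $Pcr $Measurement))
}

function Measure-BootChain {
    # Hash each boot component (firmware, boot manager, boot files) in boot
    # order and extend it into a PCR that starts at zero at power-on.
    param([string[]]$Components)
    [byte[]]$pcr = New-Object byte[] 20
    foreach ($component in $Components) {
        $measurement = $Sha1.ComputeHash([Text.Encoding]::UTF8.GetBytes($component))
        $pcr = Extend-Pcr -Pcr $pcr -Measurement $measurement
    }
    return ,$pcr
}

function Get-WrappingKey {
    # Wrapping key = HMAC(TPM secret, PCR || factor). The factor is the PIN or
    # startup key; TPM-only mode passes none. 32 bytes, same as the volume key.
    param([byte[]]$Pcr, [byte[]]$Factor)
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 (,$TpmSecret)
    return ,$hmac.ComputeHash((Join-Bytes $Pcr $Factor))
}

function Get-SealTag([byte[]]$Wrap) {
    # Tag that lets unsealing detect a wrong PIN/startup key without releasing garbage.
    return ,(New-Object System.Security.Cryptography.HMACSHA256 (,$Wrap)).ComputeHash([Text.Encoding]::UTF8.GetBytes('seal-tag'))
}

function Protect-Key {
    # "Seal": record the PCR the key is bound to and XOR the key with the wrapping key.
    param([byte[]]$VolumeKey, [byte[]]$Pcr, [byte[]]$Factor)
    $wrap   = Get-WrappingKey -Pcr $Pcr -Factor $Factor
    $sealed = New-Object byte[] $VolumeKey.Length
    for ($i = 0; $i -lt $VolumeKey.Length; $i++) { $sealed[$i] = $VolumeKey[$i] -bxor $wrap[$i] }
    return @{ PcrAtSeal = $Pcr; Sealed = $sealed; Tag = (Get-SealTag $wrap) }
}

function Unprotect-Key {
    # "Unseal": the key is released only if the current PCR equals the value
    # recorded at seal time and the factor reproduces the tag. Anything else
    # returns $null, which is where BitLocker would enter Recovery mode.
    param([hashtable]$Blob, [byte[]]$Pcr, [byte[]]$Factor)
    if ([BitConverter]::ToString($Pcr) -ne [BitConverter]::ToString($Blob.PcrAtSeal)) { return $null }
    $wrap = Get-WrappingKey -Pcr $Pcr -Factor $Factor
    if ([BitConverter]::ToString((Get-SealTag $wrap)) -ne [BitConverter]::ToString($Blob.Tag)) { return $null }
    $key = New-Object byte[] $Blob.Sealed.Length
    for ($i = 0; $i -lt $key.Length; $i++) { $key[$i] = $Blob.Sealed[$i] -bxor $wrap[$i] }
    return ,$key
}

# --- Demonstration with constructed boot measurements ---
$volumeKey = New-Object byte[] 32
(New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($volumeKey)
$goodBoot     = @('BIOS 1.0', 'MBR', 'bootmgr', 'BCD store', 'winload.exe')
$tamperedBoot = @('BIOS 1.1', 'MBR', 'bootmgr', 'BCD store', 'winload.exe')   # a BIOS update changes the chain
$pin          = [Text.Encoding]::UTF8.GetBytes('1234')                         # constructed PIN ("TPM with PIN" mode)

$blob = Protect-Key -VolumeKey $volumeKey -Pcr (Measure-BootChain $goodBoot) -Factor $pin

function Describe-Attempt([string]$Label, $Key) {
    if ($null -ne $Key) { "$Label : key released, Windows starts normally" }
    else                { "$Label : TPM refuses, BitLocker enters Recovery mode" }
}
Describe-Attempt 'Unchanged boot chain, correct PIN' (Unprotect-Key -Blob $blob -Pcr (Measure-BootChain $goodBoot)     -Factor $pin)
Describe-Attempt 'BIOS changed, correct PIN'         (Unprotect-Key -Blob $blob -Pcr (Measure-BootChain $tamperedBoot) -Factor $pin)
Describe-Attempt 'Unchanged boot chain, wrong PIN'   (Unprotect-Key -Blob $blob -Pcr (Measure-BootChain $goodBoot)     -Factor ([Text.Encoding]::UTF8.GetBytes('0000')))
```

The first attempt is the TPM-only or TPM-with-PIN happy path; the second is the "change to the BIOS" case from the text, where the PCR no longer matches the snapshot taken at seal time; the third shows why the PIN adds protection even when the boot chain is intact. Dropping the `-Factor` arguments from `Protect-Key` and `Unprotect-Key` turns the model into TPM-only mode; passing the bytes read from a USB device instead of a PIN models the startup key.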
By default, the BitLocker Setup Wizard is configured to work seamlessly with the TPM. An administrator can use Group Policy or a script to enable additional features and options.
On computers without a compatible TPM, BitLocker can provide encryption, but not the added security of locking keys with the TPM. In this case, the user is required to create a startup key that is stored on a USB flash drive.
On computers with a compatible TPM, BitLocker Drive Encryption can use one of two TPM modes:

TPM-only. In this mode, only the TPM is used for validation. When the computer starts up, the TPM is used to validate the boot files, the operating system files, and any encrypted volumes. Because the user doesn't need to provide an additional startup key, this mode is transparent to the user, and the user logon experience is unchanged. However, if the TPM is missing or the integrity of files or volumes has changed, BitLocker will enter Recovery mode and require a recovery key or password to regain access to the boot volume.

Startup key. In this mode, both the TPM and a startup key are used for validation. When the computer starts up, the TPM is used to validate the boot files, the operating system files, and any encrypted volumes. The user must have a startup key to log on to the computer. A startup key can be either physical, such as a USB flash drive with a machine-readable key written to it, or personal, such as a PIN set by the user. If the user doesn't have the startup key or is unable to provide the correct startup key, BitLocker will enter Recovery mode. As before, BitLocker will also enter Recovery mode if the TPM is missing or the integrity of boot files or encrypted volumes has changed.
System Requirements of BitLocker
The system requirements of BitLocker are as follows:
Because BitLocker stores its own encryption and decryption key in a hardware device that is separate from your hard disk, you must have one of the following:

A computer with TPM. If your computer was manufactured with TPM version 1.2 or higher, BitLocker will store its key in the TPM.

A removable USB memory device, such as a USB flash drive. If your computer doesn't have TPM version 1.2 or higher, BitLocker will store its key on the flash drive.

Your computer must have at least two partitions. One partition must include the drive Windows is installed on. This is the drive that BitLocker will encrypt. The other partition is the active partition, which must remain unencrypted so that the computer can be started. Partitions must be formatted with the NTFS file system.

Your computer must have a BIOS that is compatible with TPM and supports USB devices during computer startup. If this is not the case, you must update the BIOS before using BitLocker.
To find out whether your computer has TPM security hardware, follow these steps:

1. Open BitLocker Drive Encryption by clicking the Start button, Control Panel, Security, and then clicking BitLocker Drive Encryption. If you are prompted for an administrator password or confirmation, enter the password or provide confirmation.

2. If the TPM administration link appears in the left pane, your computer has the TPM security hardware. If this link is not present, you will need a removable USB memory device to turn on BitLocker and store the BitLocker startup key that you'll need whenever you restart your computer.
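The same check can be scripted. The following is an added example, not part of the original text or a Microsoft sample: it queries the WMI providers that ship with BitLocker (the Win32_Tpm class in root\CIMV2\Security\MicrosoftTpm and the Win32_EncryptableVolume class in root\CIMV2\Security\MicrosoftVolumeEncryption) and reports whether a TPM is present and, for each volume, whether protection is on and which key protectors are in use, so you can tell TPM-only from TPM with PIN or TPM with startup key. Run it from an elevated PowerShell prompt; the providers return nothing to a standard user.

```powershell
# Added example: report TPM presence and per-volume BitLocker state via WMI.

# Protector type codes returned by Win32_EncryptableVolume.GetKeyProtectorType.
$KeyProtectorNames = @{
    0 = 'Unknown'
    1 = 'TPM'                        # TPM-only mode
    2 = 'External key'               # startup key on USB, the no-TPM case
    3 = 'Numerical password'         # the 48-digit recovery password
    4 = 'TPM and PIN'
    5 = 'TPM and startup key'
    6 = 'TPM, PIN and startup key'
    7 = 'Public key'
    8 = 'Passphrase'
}
$ProtectionNames = @{ 0 = 'Protection off'; 1 = 'Protection on'; 2 = 'Unknown' }

function Get-TpmSummary {
    # Get-WmiObject returns $null when no TPM is visible to the provider
    # (none fitted, or switched off in the BIOS).
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
    if ($null -eq $tpm) { return @{ Present = $false } }
    return @{
        Present     = $true
        SpecVersion = $tpm.SpecVersion                 # e.g. '1.2, 2, 3'; BitLocker needs 1.2 or higher
        Enabled     = $tpm.IsEnabled().IsEnabled
        Activated   = $tpm.IsActivated().IsActivated
        Owned       = $tpm.IsOwned().IsOwned
    }
}

function Get-BitLockerSummary {
    $volumes = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume
    $report = @()
    foreach ($vol in $volumes) {
        $status     = $vol.GetProtectionStatus().ProtectionStatus
        $conversion = $vol.GetConversionStatus()
        $protectors = @()
        # GetKeyProtectors(0) lists protectors of every type; the loop runs zero
        # times on a volume that has none.
        foreach ($id in $vol.GetKeyProtectors(0).VolumeKeyProtectorID) {
            $type = $vol.GetKeyProtectorType($id).KeyProtectorType
            $protectors += $KeyProtectorNames[[int]$type]   # cast: WMI returns UInt32, table keys are Int32
        }
        $report += @{
            Drive            = $vol.DriveLetter
            Protection       = $ProtectionNames[[int]$status]
            PercentEncrypted = $conversion.EncryptionPercentage
            Protectors       = $protectors
        }
    }
    return ,$report
}

$tpm = Get-TpmSummary
if ($tpm.Present) {
    "TPM present: spec version $($tpm.SpecVersion); enabled=$($tpm.Enabled) activated=$($tpm.Activated) owned=$($tpm.Owned)"
} else {
    'No TPM found: BitLocker can still encrypt, but only with a startup key on a USB flash drive.'
}
foreach ($v in Get-BitLockerSummary) {
    '{0}  {1}  {2}% encrypted  protectors: {3}' -f $v.Drive, $v.Protection, $v.PercentEncrypted, ($v.Protectors -join ', ')
}
```

A volume that shows "Protection on" with only a "TPM" protector is in TPM-only mode; "TPM and PIN" or "TPM and startup key" correspond to the two stronger modes described earlier. A protected volume with no "Numerical password" protector has no recovery password, which is the situation the text warns about.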
Enabling and Disabling BitLocker
To turn on BitLocker, follow these steps:

1. Open BitLocker Drive Encryption by clicking the Start button, Control Panel, Security, and then clicking BitLocker Drive Encryption. If you are prompted for an administrator password or confirmation, enter the password or provide confirmation.

2. Click Turn On BitLocker. This opens the BitLocker Setup Wizard. Follow the instructions in the wizard.

To turn off or temporarily disable BitLocker, follow these steps:

1. Open BitLocker Drive Encryption by clicking the Start button, Control Panel, Security, and then clicking BitLocker Drive Encryption. If you are prompted for an administrator password or confirmation, enter the password or provide confirmation.

2. Click Turn Off BitLocker. This opens the BitLocker Drive Encryption dialog box.

3. To decrypt the drive, click Decrypt the Volume. To temporarily disable BitLocker, click Disable BitLocker Drive Encryption.
The BitLocker Control Panel applet enables you to retrieve the encryption key and recovery password at any time. Consider carefully how you store this information, because anyone who holds it can access the encrypted data. It is also possible to escrow this information in Active Directory.
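The escrow can also be done without the applet. The following is an added example, not part of the original text or a Microsoft sample: it makes sure the operating system volume has a recovery password protector (creating one if the volume has none, which is the omission the text warns can cost you access to your files) and then backs it up to Active Directory through the Win32_EncryptableVolume WMI methods. It assumes the computer is domain-joined, that the domain schema includes the BitLocker recovery attributes, and that the Group Policy setting that turns on BitLocker backup to Active Directory Domain Services is applied; without that policy the backup call returns an error code instead of 0. The drive letter defaults to the system drive, and the 48-digit password is left to the provider to generate.

```powershell
# Added example: ensure a recovery password exists and escrow it to Active Directory.

function Backup-RecoveryPasswordToAd {
    param([string]$DriveLetter = $env:SystemDrive)   # Win32_EncryptableVolume uses the 'C:' form

    $vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if ($null -eq $vol) { throw "No BitLocker-capable volume found for $DriveLetter" }

    # Protector type 3 = numerical password (the 48-digit recovery password).
    # Only this protector type is escrowed to AD, so create one if none exists.
    $ids = $vol.GetKeyProtectors(3).VolumeKeyProtectorID
    if (-not $ids) {
        $created = $vol.ProtectKeyWithNumericalPassword('Recovery password', $null)  # $null: provider generates the digits
        if ($created.ReturnValue -ne 0) {
            throw ('ProtectKeyWithNumericalPassword failed: 0x{0:X8}' -f $created.ReturnValue)
        }
        $ids = $created.VolumeKeyProtectorID
    }

    # Back up each recovery password protector; a non-zero ReturnValue usually
    # means the AD backup policy is not applied or the domain is unreachable.
    $results = @()
    foreach ($id in $ids) {
        $rc = $vol.BackupRecoveryInformationToActiveDirectory($id).ReturnValue
        $results += @{ ProtectorId = $id; Succeeded = ($rc -eq 0); Code = ('0x{0:X8}' -f $rc) }
    }
    return ,$results
}

foreach ($r in Backup-RecoveryPasswordToAd) {
    if ($r.Succeeded) { "Protector $($r.ProtectorId): recovery password escrowed to Active Directory" }
    else              { "Protector $($r.ProtectorId): backup failed, code $($r.Code)" }
}
```

The script deliberately never reads or prints the recovery password itself (the provider exposes it through GetKeyProtectorNumericalPassword); once it is in Active Directory, the domain is the place to retrieve it, and copies in scripts or logs would give access to the encrypted data to anyone who finds them.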