Microsoft added Windows BitLocker Drive Encryption to Windows Server 2008 largely because organizations demanded protection not only for the operating systems running in remote locations, but also for the vital data stored on the system volume, on data volumes, and on the USB flash drives used in those locations. BitLocker Drive Encryption, commonly referred to simply as BitLocker, is a software-based Full Disk Encryption (FDE) data-protection security feature included in all versions of Windows Server 2008 and Windows Server 2008 R2, as well as in the Ultimate and Enterprise Editions of Windows Vista and Windows 7. It is an optional component that must be installed before it can be used.
BitLocker strengthens data-at-rest protection for an operating system by combining two concepts: encrypting a volume and guaranteeing the integrity of the operating system’s boot components. The first component, drive encryption, safeguards the data residing on the system volume and on any configured data volumes: because the volume is encrypted, an unauthorized user cannot read or tamper with the Windows system files it contains. The second component provides integrity verification of the early boot components, that is, the components used during the startup process, by validating that the hard disk has not been tampered with or removed from its original server. Equally important, when you use BitLocker, confidential data on a protected server cannot be viewed even if the hard disks are moved to another operating system. Only when both of these checks pass (the boot components verify as unmodified and the disk is recognized as belonging to its original server) is the data on a BitLocker volume accessible and the system allowed to boot.
If you have worked with previous versions of Windows Server, you will immediately recognize that BitLocker is a great addition to Windows Server 2008 R2: it protects all of the data residing on a server’s hard disks, because everything written to the disk, including the operating system, is encrypted. Previous versions of Windows Server did not support encryption integrated with integrity controls, which meant personal information could be compromised. In addition, now that BitLocker is available, branch offices concerned about the physical security and theft of their domain controllers stand to benefit the most from it, because the feature further bolsters security and ensures that confidential data is not disclosed without authorization.
Note
Many professionals ask about the differences between BitLocker and Encrypting File System (EFS). Both technologies provide encryption; however, BitLocker is intended to protect all personal and system files on a system and, once enabled, is transparent and automatic. EFS, on the other hand, encrypts individual files based on an administrator’s judgment call.
Examining BitLocker’s Drive Encryption
BitLocker was first introduced with the release of Windows Vista. Since it entered the Windows Server 2008 family of operating systems, Microsoft has continued to improve BitLocker by adding new features, for example support for data volumes, smart card certificates, data recovery agents, USB flash drives, a new RSAT BitLocker interface, and so on.
Understanding Its Benefits
By using BitLocker in conjunction with Windows Server 2008 R2, an organization can enjoy a number of benefits:
Prevention of unauthorized access to data at rest on Windows-managed system volumes, data volumes, and USB flash drives.
Support for integrity checking of early boot components using a Trusted Platform Module (TPM), to ensure that a machine has not been tampered with and that encrypted material is located on its original machine.
Protection against cold boot attacks by requiring an interactive form of authentication (a PIN or a USB key) in addition to the presence of the TPM hardware before a machine will boot or resume from hibernation.
Support for escrow of BitLocker recovery material in Active Directory.
A streamlined recovery process, which can be delegated to non-Domain Administrators.
Windows Server 2008 R2 and Windows 7 automatically create the necessary BitLocker disk partitions during installation.
Support for BitLocker protection on USB flash drives. This feature is called BitLocker To Go.
Lastly, support for Data Recovery Agents (DRAs), so that authorized IT administrators will always have access to BitLocker-protected volumes.
Understanding TPM
The term Trusted Platform Module (TPM) refers both to a specification, published by the Trusted Computing Group, for a secure cryptoprocessor and to the implementation of that specification in the form of a TPM chip. A TPM chip’s main purpose in life is the secure generation of cryptographic keys, the protection of those keys, and the ability to act as a hardware pseudo-random number generator. In addition, a TPM chip can also provide remote attestation and sealed storage. Remote attestation is a feature in which a hash-based summary is created from a machine’s current hardware and software configuration. Typically, remote attestation is used by third-party applications such as BitLocker to ensure a machine’s state has not been tampered with. Sealed storage is used to encrypt data so that it can only be decrypted once the TPM chip releases the appropriate decryption key; the TPM chip releases that key only once the required authenticator for the data has been provided. Lastly, a TPM chip can also be used to authenticate hardware devices.
In BitLocker, a TPM chip is used to protect the encryption keys and to provide integrity authentication for a trusted boot pathway (that is, the BIOS, the boot sector, and so on). This TPM-supported protection is only performed when BitLocker is in either Transparent Operation mode or User Authentication mode. In either of these modes, BitLocker uses the TPM chip to detect unauthorized changes to the preboot environment (trusted boot pathway protection), such as the BIOS and the MBR. If unauthorized changes were made, BitLocker requests that a recovery key be provided before the Volume Master Key can be decrypted and bootup of the machine can continue.
Note
Because of how a TPM chip is used, it is often referred to as a “root of trust.”
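The following PowerShell script is an added example, not code from the book or from Microsoft. It reads each BitLocker-capable volume through the Win32_EncryptableVolume WMI class (present on Windows Server 2008 R2 and Windows 7 once the BitLocker feature is installed) and reports its protection state and key protectors. The mapping from protector types to the two modes named above is this example’s own summary: a TPM-only protector corresponds to Transparent Operation mode, a TPM combined with a PIN and/or startup key to User Authentication mode, and a startup key without a TPM gets no early-boot integrity check at all. Run it from an elevated prompt.

```powershell
# Added example (not from the book): show each volume's BitLocker protection
# state, its key protectors, and which operating mode those protectors imply.

# KeyProtectorType values as documented for Win32_EncryptableVolume.GetKeyProtectorType
$ProtectorNames = @{
    0 = 'Unknown or other'
    1 = 'TPM'
    2 = 'External key (USB startup key)'
    3 = 'Numerical password (recovery password)'
    4 = 'TPM and PIN'
    5 = 'TPM and startup key'
    6 = 'TPM, PIN and startup key'
    7 = 'Public key (certificate or data recovery agent)'
    8 = 'Passphrase'
}

# ProtectionStatus values returned by GetProtectionStatus()
$ProtectionStatusNames = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Unknown' }

function Get-BitLockerOperatingMode {
    param([int[]]$ProtectorTypes)
    # Mapping assumed by this example (see lead-in): TPM alone = Transparent
    # Operation; TPM plus PIN and/or startup key = User Authentication. Both
    # get the TPM pre-boot integrity check; a USB key with no TPM does not.
    if (($ProtectorTypes -contains 4) -or ($ProtectorTypes -contains 5) -or ($ProtectorTypes -contains 6)) {
        return 'User Authentication mode (TPM integrity check plus PIN/startup key)'
    }
    if ($ProtectorTypes -contains 1) {
        return 'Transparent Operation mode (TPM integrity check only)'
    }
    if ($ProtectorTypes -contains 2) {
        return 'USB key only (no TPM, no early-boot integrity check)'
    }
    return 'No boot-time protector (recovery/DRA protectors only, or none)'
}

$volumes = Get-WmiObject -Namespace 'root\cimv2\security\microsoftvolumeencryption' `
                         -Class Win32_EncryptableVolume

foreach ($vol in $volumes) {
    $status = [int]$vol.GetProtectionStatus().ProtectionStatus
    # GetKeyProtectors(0) returns the IDs of protectors of every type;
    # the property is null when the volume has no protectors.
    $ids   = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID)
    $types = @()
    foreach ($id in $ids) {
        if ($id) { $types += [int]$vol.GetKeyProtectorType($id).KeyProtectorType }
    }
    $names = $types | ForEach-Object { $ProtectorNames[$_] }

    New-Object PSObject -Property @{
        Drive      = $vol.DriveLetter
        Protection = $ProtectionStatusNames[$status]
        Protectors = ($names -join '; ')
        Mode       = Get-BitLockerOperatingMode -ProtectorTypes $types
    } | Select-Object Drive, Protection, Protectors, Mode
}
```

A volume that shows only a numerical password or public-key protector is one whose data can be recovered by an administrator but that performs no integrity check at boot; seeing that on an operating system volume is a sign that the TPM protector was never added or was removed.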
Comprehending BitLocker’s Drive Encryption Hardware Requirements
Configuring BitLocker Drive Encryption is not as simple as clicking through a few screens of a Windows Server 2008 R2 wizard. A number of prerequisite steps must be fulfilled before BitLocker can be configured and implemented.
Before you implement BitLocker Drive Encryption, make certain that the following hardware requirements and prerequisites are met and understood:
The system should have a Trusted Platform Module (TPM) version 1.2 or higher.
The system should have a Trusted Computing Group (TCG)-compliant BIOS that can also support USB devices during startup.
If the system does not have a TPM, a removable USB memory device can be used to store the encryption key.
There must be a minimum of two partitions on the system. One partition is an active partition, referred to as the “system partition,” which is used by bootmgr to boot Windows. This partition should be at least 100MB and must not be encrypted. The second, “primary partition” is where the Windows binaries are installed.
All drives and partitions must be formatted with the NTFS file system.
Note
The TPM and BIOS requirements only come into play when you want to use the TPM as a root of trust for a machine’s BitLocker configuration.
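The script below is an added example, not code from the book or from Microsoft. It checks the prerequisites listed above on a Windows Server 2008 R2 host using only WMI classes present on that platform (Win32_Tpm, Win32_DiskPartition, Win32_LogicalDisk) and reports each check as pass or fail. The TCG-compliant BIOS and USB-at-startup requirements cannot be verified from the operating system and must be confirmed in the firmware setup; the 100MB system partition usually has no drive letter, so it is checked through Win32_DiskPartition rather than Win32_LogicalDisk. The function name Test-BitLockerPrerequisites and the helper New-Check are this example’s own. Run it from an elevated prompt.

```powershell
# Added example (not from the book): report the BitLocker hardware and disk
# prerequisites as pass/fail checks on a Windows Server 2008 R2 host.

function New-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    # Helper defined by this example: one result row per prerequisite
    New-Object PSObject -Property @{ Check = $Name; Passed = $Passed; Detail = $Detail } |
        Select-Object Check, Passed, Detail
}

function Test-BitLockerPrerequisites {
    $results = @()

    # 1. TPM 1.2 or later, enabled and activated in the BIOS. Without a TPM,
    #    BitLocker can still run with a USB startup key, but then no early-boot
    #    integrity check is possible, so the failure is reported with that note.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' -Class Win32_Tpm `
                         -ErrorAction SilentlyContinue
    if ($tpm) {
        # SpecVersion looks like "1.2, 2, 3"; the first field is the TCG spec version
        $spec      = [version]($tpm.SpecVersion.Split(',')[0].Trim())
        $enabled   = $tpm.IsEnabled().IsEnabled
        $activated = $tpm.IsActivated().IsActivated
        $owned     = $tpm.IsOwned().IsOwned
        $results += New-Check 'TPM version 1.2 or higher' ($spec -ge [version]'1.2') `
                              "SpecVersion $($tpm.SpecVersion)"
        $results += New-Check 'TPM enabled and activated in BIOS' ($enabled -and $activated) `
                              "Enabled=$enabled Activated=$activated Owned=$owned"
    } else {
        $results += New-Check 'TPM present' $false `
                              'No TPM found; a USB startup key must hold the key and no boot integrity check is possible'
    }

    # 2. At least two partitions, one of them an active (bootable) system
    #    partition of at least 100 MB for bootmgr. Bootable is the partition's
    #    active flag; Size is in bytes.
    $parts = @(Get-WmiObject -Class Win32_DiskPartition)
    $results += New-Check 'At least two partitions' ($parts.Count -ge 2) "$($parts.Count) partition(s) found"
    $active   = @($parts | Where-Object { $_.Bootable })
    $activeOk = @($active | Where-Object { $_.Size -ge 100MB }).Count -gt 0
    $detail   = ($active | ForEach-Object { "$($_.DeviceID) = $([math]::Round($_.Size / 1MB)) MB" }) -join '; '
    $results += New-Check 'Active system partition of at least 100 MB' $activeOk $detail

    # 3. Every fixed local volume formatted NTFS (DriveType 3 = local disk).
    $fixed   = @(Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 3')
    $nonNtfs = @($fixed | Where-Object { $_.FileSystem -ne 'NTFS' })
    $detail  = ($fixed | ForEach-Object { "$($_.DeviceID) $($_.FileSystem)" }) -join '; '
    $results += New-Check 'All fixed volumes are NTFS' ($nonNtfs.Count -eq 0) $detail

    return $results
}

Test-BitLockerPrerequisites | Format-Table -AutoSize
```

A host that fails the TPM check can still be protected with a USB startup key, as the third prerequisite above states, but the Note that follows the list applies: without a TPM there is no root of trust, so none of the boot-integrity benefits described earlier are available on that machine.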
Understanding BitLocker Deployment Scenarios
As with an RODC, branch office domain controllers are great candidates for implementing BitLocker. BitLocker can be used at the branch office to protect against physical breaches or theft of a domain controller or hard drive, and it can secure data while a branch office domain controller is shipped from a hub site to the branch office location. BitLocker can also protect against data theft by disk cloning during maintenance or outsourcing.