BitLocker means end-to-end encryption for Vista


Serdar Yegulalp, Contributor
11.30.2006

Rarely does a month go by without a news report about a company or government agency that suffers some kind of loss in the form of a stolen laptop or PC. Often the theft is nothing more than an attempt to resell the hardware for fast cash, but sometimes it's a specific attempt to steal highly sensitive data.

Computers with hardware-level encryption built in can make such data theft prohibitively difficult. But such machines are expensive, and they are not always a practical solution.

Microsoft offers one possible solution in the form of an operating system (OS)-level extension to Windows Vista called BitLocker. This feature, a combination of on-disk encryption and special key management techniques, makes it possible for any existing PC that can run Vista to use the Advanced Encryption Standard (AES) on the main system partition. In other words, not only the data but also the OS installation itself is protected, and both require the presence of a hardware key or a long passphrase to be rendered usable. Without the needed keys, the hard drive is nothing but pseudorandom data.

The basics of BitLocker

When a Windows Vista system is configured to use BitLocker, which is present in the Enterprise and Ultimate editions of Windows Vista, the system's boot drive is split into at least two partitions: a boot volume, which is a normal NTFS volume, and a system volume, which is encrypted.

The boot volume starts the system, reads any available encryption keys and then attempts to read and decrypt the OS files from the system volume. If the right keys are present, the OS loads and all the files on the encrypted volume (and any auxiliary volumes encrypted with that install of Vista) will be available. If the keys can't be read or don't match, the system will not boot, and none of the files on any of the encrypted volumes will be readable.

BitLocker works in one of four ways:

1. Transparent authentication. This is the easiest and most hassle-free implementation of BitLocker, but it requires a computer that has the Trusted Platform Module (TPM) implemented in the hardware. The encryption keys are stored in a protected module on board the computer itself that is resistant to tampering or reverse engineering. Any signs of hacking will automatically force the system to boot in user-authentication mode (see below). TPM setups can also work with a PIN -- a user-supplied ID number -- to increase security.

2. USB key authentication. This is the most commonplace way to start a BitLocker-encrypted system without a TPM module, and it's the easiest choice for people running existing commodity hardware. The encryption key is stored on a removable USB drive, which is connected to the computer at boot time.

3. Combined authentication. A TPM system can also be forced to rely on the presence of an external USB drive with a key for authentication, for greater security.

4. User authentication. This is the fail-safe way to boot a BitLocker machine. Each BitLocker-protected install of Vista will have a recovery passphrase (it's fairly long) that can be typed in to boot the system.

Note that if the TPM module detects a failure or that it has been compromised, or if the USB drive with the key is not available, the system will automatically boot in user-authentication mode.

Aside from protecting a system during its normal lifecycle, BitLocker protects a system after it's been retired as well. A drive secured with BitLocker doesn't need to be sanitized as aggressively when it's removed from a computer; once the boot volume and partition headers are erased, it's impractical to try to recover the encrypted data.

BitLocker encryption is also reversible. It can be disabled, and the entire volume can be decrypted on demand if needed without reinstalling the OS. In addition, you can move a protected volume to another computer, but only if the recovery key is provided. This simply involves turning off BitLocker, moving the drive and turning it back on again.

Keying up

In order for a system to use BitLocker, the two partitions described above have to be prepared before the initial installation. BitLocker itself is turned on (and the main drive encrypted) after Vista has been installed, and it can be managed remotely through WMI, so it can be set up administratively.

Therefore, if you plan to use BitLocker on multiple systems that are set up through cloning, you'll need to enable BitLocker after the cloning process so that each machine's key will be distinct and will be for that machine only. Microsoft has a quick walkthrough of the setup process for BitLocker for an individual machine; most of the partition preparation work could be done once for a machine image.

Note that once a set of keys is issued for a volume, the keys cannot be revoked or changed. The only way to do that is to shut off BitLocker and re-enable it. It is possible, however, to create a new PIN (not the recovery password) for a volume protected by TPM.
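The four authentication modes listed above and the WMI management interface mentioned in the previous paragraph can be checked from an administrator's console. The following PowerShell script is an added example, not code from the original tip; it assumes administrative rights on the target machine and that remote WMI (DCOM) is reachable, and it reports which key protectors guard each BitLocker volume and warns when the fail-safe recovery password is missing.

```powershell
# Added example (not part of the original tip): inventory BitLocker key
# protectors over WMI. Win32_EncryptableVolume and the methods used below
# exist in Vista Enterprise/Ultimate and later.
param(
    [string]$ComputerName = $env:COMPUTERNAME   # assumption: remote WMI/DCOM is reachable
)

# Map the numeric KeyProtectorType values WMI returns onto the
# authentication modes the tip describes.
$protectorNames = @{
    0 = 'Unknown'
    1 = 'TPM only (transparent authentication)'
    2 = 'External key (USB startup key)'
    3 = 'Numerical password (recovery password)'
    4 = 'TPM and PIN'
    5 = 'TPM and startup key (combined authentication)'
    6 = 'TPM, PIN and startup key'
}
$statusNames = @{ 0 = 'Unprotected'; 1 = 'Protected'; 2 = 'Unknown' }

$volumes = Get-WmiObject -ComputerName $ComputerName `
    -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
    -Class 'Win32_EncryptableVolume'

foreach ($vol in $volumes) {
    $status = [int]$vol.GetProtectionStatus().ProtectionStatus
    $conv   = $vol.GetConversionStatus()
    Write-Host ("{0} on {1}: {2}, {3}% encrypted" -f $vol.DriveLetter, $ComputerName,
        $statusNames[$status], $conv.EncryptionPercentage)

    # GetKeyProtectors(0) returns the IDs of protectors of every type.
    $ids = $vol.GetKeyProtectors(0).VolumeKeyProtectorID
    $hasRecovery = $false
    foreach ($id in $ids) {
        $type = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
        if ($type -eq 3) { $hasRecovery = $true }
        Write-Host ("    protector {0}: {1}" -f $id, $protectorNames[$type])
    }

    # Audit check: a protected volume with no recovery password has no
    # fail-safe boot path; losing the TPM or the USB key then locks the
    # data out for good.
    if ($status -eq 1 -and -not $hasRecovery) {
        Write-Warning ("{0}: no recovery password protector; add one and back it up to Active Directory" -f $vol.DriveLetter)
    }
}
```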

Right now, support for third-party multifactor authentication (i.e., smart cards or fingerprint readers) isn't actively available, but BitLocker was designed to allow the eventual inclusion of such trust mechanisms. A smart-card reader, for instance, could work at boot time as long as the device drivers are available to access the device (and at this point in Windows' evolution, that's a fairly trivial add-on).

You can use Group Policy to control BitLocker behaviors. For instance, you can back up BitLocker and TPM recovery data to Active Directory if needed, and many common BitLocker behaviors (such as issuing a new PIN) can be constrained if needed.

Read the second half of this tip, Questions about the use of BitLocker.

About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!
