3. Introducing BitLocker Drive Encryption
BitLocker Drive Encryption is designed to protect the data on
lost, stolen, or inappropriately decommissioned computers. Without
BitLocker Drive Encryption, there is a variety of ways a user with
direct physical access to a computer could gain full control and then
access the computer’s data whether that data was encrypted with EFS or
not. For example, a user could use a boot disk to boot the computer
and reset the administrator password. A user could also install and
then boot to a different operating system, and then use this operating
system to unlock the other installation.
BitLocker Drive Encryption prevents all access to a computer’s
drives except by authorized personnel by wrapping entire drives, or
only the used portions of volumes, in encryption that cannot be
bypassed by reading the disk directly. If a user tries to access a
BitLocker-encrypted drive, the encryption prevents the user from
viewing or manipulating the data in any way. This dramatically reduces
the risk of an unauthorized person gaining access to confidential data
using offline attacks.
Caution
BitLocker Drive Encryption reduces disk throughput.
Because of this, you might want to use this technology on an
enterprise server only if the server is not in a physically secure
location and requires additional protection.
BitLocker Drive Encryption can use a TPM to validate the integrity of a computer’s boot
manager and boot files at startup, and to guarantee that a
computer’s hard disk has not been tampered with while the operating
system was offline. BitLocker Drive Encryption also stores
measurements of core operating system files in the TPM.
Every time the computer is started, Windows validates the boot
files, the operating system files, and any encrypted volumes to
ensure they have not been modified while the computer is offline. If
the files have been modified, Windows alerts the user and refuses to
release the key required to access Windows. The computer then goes
into Recovery mode, prompting the user to provide a recovery key
before allowing access to the boot volume. The Recovery mode is also
used if a BitLocker encrypted disk drive is transferred to another
system.
BitLocker Drive Encryption can be used in both TPM and non-TPM
computers. If a computer has a TPM, BitLocker Drive Encryption uses
the TPM to provide enhanced protection for your data and to ensure
early boot file integrity. These features together help prevent
unauthorized viewing and accessing of data by encrypting the entire
Windows volume and by safeguarding the boot files from tampering. If
a computer doesn’t have a TPM or its TPM isn’t compatible with
Windows, BitLocker Drive Encryption can be used to encrypt entire
volumes and, in this way, protect the volumes from being tampered
with. This configuration, however, doesn’t allow the added security
of early boot file integrity validation.
On computers with a compatible TPM that is initialized,
BitLocker Drive Encryption typically uses one of the following
TPM modes:
- TPM-Only: In this mode, only the TPM is used for validation. When the
computer boots, the TPM is used to validate the boot files, the
operating system files, and any encrypted volumes. Because the user
doesn’t need to provide an additional startup key, this mode is
transparent to the user, and the user logon experience is unchanged.
However, if the TPM is missing or the integrity of files or volumes has
changed, BitLocker enters Recovery mode and requires a recovery key or
password to regain access to the boot volume.
- TPM and PIN: In this mode, both the TPM and a user-entered numeric key
are used for validation. When the computer boots, the TPM is used to
validate the boot files, the operating system files, and any encrypted
volumes. The user must enter a PIN when prompted to continue startup.
If the user doesn’t have the PIN or is unable to provide the correct
PIN, BitLocker enters Recovery mode instead of booting to the operating
system. As before, BitLocker also enters Recovery mode if the TPM is
missing or the integrity of boot files or encrypted volumes has changed.
- TPM and Startup Key: In this mode, both the TPM and a startup key are
used for validation. When the computer boots, the TPM is used to
validate the boot files, the operating system files, and any encrypted
volumes. The user must have a USB flash drive with a startup key to log
on to the computer. If the user doesn’t have the startup key or is
unable to provide the correct startup key, BitLocker enters Recovery
mode. As before, BitLocker also enters Recovery mode if the TPM is
missing or the integrity of boot files or encrypted volumes has changed.
- TPM and Smart Card Certificate: In this mode, both the TPM and a smart
card certificate are used for validation. When the computer boots, the
TPM is used to validate the boot files, the operating system files, and
any encrypted volumes. The user must have a smart card with a valid
certificate to log on to the computer. If the user doesn’t have a smart
card with a valid certificate and is unable to provide one, BitLocker
enters Recovery mode. As before, BitLocker also enters Recovery mode if
the TPM is missing or the integrity of boot files or encrypted volumes
has changed.
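The mode a volume is actually running in is not stated anywhere as a single setting; it follows from the key protectors attached to the volume. The following script is an added example, not code from the book, that maps the protector types reported by Get-BitLockerVolume onto the mode names used above (plus the combined TPM, PIN and startup key mode, which the cmdlets support but the list above does not name), checks TPM presence with Get-Tpm, and flags an operating system volume that has no recovery password protector, since Recovery mode would then have nothing to accept. The mapping function is pure, so the constructed sample calls at the bottom run on any machine; the live check needs the built-in BitLocker and TrustedPlatformModule modules and an elevated session. The type name used for smart card certificate protectors is not assumed here; such protectors fall through to the last case.

```powershell
# Added example (not from the book): map BitLocker key protectors to the TPM
# modes described in the text and sanity-check the operating system volume.

function Get-BitLockerModeName {
    # Pure function over protector type names so the mapping can be exercised
    # without a real volume. Names are the KeyProtectorType values reported by
    # Get-BitLockerVolume (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey,
    # ExternalKey, Password, RecoveryPassword).
    param([string[]]$ProtectorTypes)

    $types = @($ProtectorTypes)
    if ($types -contains 'TpmPinStartupKey') { return 'TPM and PIN and Startup Key' }
    if ($types -contains 'TpmPin')           { return 'TPM and PIN' }
    if ($types -contains 'TpmStartupKey')    { return 'TPM and Startup Key' }
    if ($types -contains 'Tpm')              { return 'TPM-Only' }
    # Non-TPM modes described later in the chapter
    if ($types -contains 'ExternalKey')      { return 'Startup Key Only' }
    if ($types -contains 'Password')         { return 'Unlock password' }
    # Smart card certificate protectors (type name not assumed) land here
    return 'Other/unknown (' + ($types -join ', ') + ')'
}

function Test-BitLockerOsVolume {
    param([string]$MountPoint = $env:SystemDrive)

    $findings = @()
    $tpm = Get-Tpm   # TpmPresent / TpmReady exist on Windows 8 and Server 2012
    if (-not $tpm.TpmPresent) {
        $findings += 'No TPM present: only the non-TPM modes are possible'
    } elseif (-not $tpm.TpmReady) {
        $findings += 'TPM present but not ready (not initialized)'
    }

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $mode  = Get-BitLockerModeName -ProtectorTypes $types

    # A missing TPM or changed boot files forces Recovery mode, so the volume
    # needs a 48-digit recovery password protector that is stored somewhere safe.
    if ($types -notcontains 'RecoveryPassword') {
        $findings += 'No recovery password protector: Recovery mode would have nothing to accept'
    }
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "Protection is $($vol.ProtectionStatus) (suspended or not yet enabled)"
    }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        EncryptionMethod = $vol.EncryptionMethod
        Mode             = $mode
        Protectors       = ($types -join ', ')
        Findings         = $findings
    }
}

# Constructed sample inputs; these run on any machine:
Get-BitLockerModeName -ProtectorTypes @('TpmPin', 'RecoveryPassword')       # TPM and PIN
Get-BitLockerModeName -ProtectorTypes @('ExternalKey', 'RecoveryPassword')  # Startup Key Only
Get-BitLockerModeName -ProtectorTypes @('Tpm')                              # TPM-Only

# Live check of the operating system volume (elevated session, BitLocker installed):
Test-BitLockerOsVolume | Format-List
```

Run the live check on a fleet through remoting and the Findings column becomes a simple inventory of machines that would drop into Recovery mode with no recovery path, which is the failure case the text warns about.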
When working with BitLocker Drive Encryption and TPM, don’t overlook the
importance of Network Unlock. The Network Unlock feature allows the
system volume on a computer with TPM to be automatically unlocked on
startup, as long as the computer is joined and connected to a
domain. When the computer is not joined and connected to a domain,
other means of validation can be used, such as a startup PIN.
On computers without a TPM or on computers that have
incompatible TPMs, the operating system can be configured to use an
unlock password for the system drive. To configure
this, you must enable the Configure Use Of Passwords For Operating System Drives
policy in the Administrative Templates policies for Computer
Configuration under Windows Components\BitLocker Drive Encryption\Operating System Drives. As
with logon passwords, the unlock password can be configured with minimum-length
and complexity requirements. The default minimum password length is
eight characters, meaning the password must be at least eight
characters long. Complexity requirements can be any of the
following:
- Always validated, using the Require Password Complexity setting
- Not validated, using the Do Not Allow Password Complexity setting
- Validated if possible, using the Allow Password Complexity setting
The unlock password is validated when you enable BitLocker
Drive Encryption and set the password, as well as whenever the
password is changed by a user. With required complexity, you can
only set a password (and enable encryption) when the computer can
connect to a domain controller and validate the complexity of the
password. With allowed complexity, the computer will attempt to
validate the complexity of the password when you set it but will
allow you to continue and enable encryption if no domain controllers
are available.
On computers without a TPM or on computers that have
incompatible TPMs, BitLocker Drive Encryption can also use:
- Startup Key Only mode: This mode requires a USB flash drive containing
a startup key. The user inserts the USB flash drive in the computer
before turning it on. The key stored on the flash drive unlocks the
computer.
- Smart Card Certificate Only mode: This mode requires a smart card with
a valid certificate. The user validates the smart card certificate
after turning on the computer. The certificate unlocks the computer.
Important
Standard users can reset the BitLocker PIN and password on operating system
drives, fixed data drives, and removable data drives. This is an
important change for Windows 8 and Windows Server 2012. If you
don’t want standard users to be able to perform these tasks,
enable the Disallow Standard Users From Changing The PIN Or
Password policy. This Computer Configuration policy is found under
Windows Components\BitLocker Drive Encryption\Operating System
Drives.
BitLocker Drive Encryption has changed substantially
since it was first implemented on Windows Vista and Windows Server
2008. With Windows 7 and later, as well as Windows Server 2008 R2
and later, you can:
- Allow a data-recovery agent to be used with BitLocker Drive
Encryption. This option is configured through Group Policy. The
data-recovery agent allows an encrypted volume to be unlocked and
recovered by using a recovery agent’s personal certificate or a
48-digit recovery password. You can optionally save the recovery
information in Active Directory. In the Administrative Templates
policies for Computer Configuration, there are separate policies for
operating-system volumes, other fixed drives, and removable drives.
- Deny write access to removable data drives not protected with
BitLocker. This option is configured through Group Policy. If you
enable this option, users have read-only access to unencrypted
removable data drives and read/write access to encrypted removable
data drives.
- Encrypt FAT volumes as well as NTFS and Resilient File System (ReFS)
volumes. When you encrypt FAT volumes, you have the option of
specifying whether encrypted volumes can be unlocked and viewed on
computers running Windows Vista or later. This option is configured
through Group Policy and is enabled when you turn on BitLocker. In the
Administrative Templates policies for Computer Configuration under
Windows Components\BitLocker Drive Encryption, there are separate
policies for earlier versions of Windows that allow FAT-formatted fixed
drives and FAT-formatted removable drives to be unlocked and viewed.
In a domain, domain administrators are the default data-recovery agents. A homegroup or workgroup has no
default data-recovery agent, but you can designate one. Any user you
want to designate as a data-recovery agent needs a personal
encryption certificate. You can generate a certificate by using the
Cipher utility and then using the certificate to
assign the data-recovery agent in Local Security Policy under Public
Key Policies\BitLocker Drive Encryption.
Although earlier implementations of BitLocker Drive Encryption
supported Advanced Encryption Standard (AES) encryption with a
diffuser, Windows 8 and Windows Server 2012 move away from this
approach to support standard AES with 128-bit encryption by default. Additionally,
if you enable the Choose Drive Encryption Method And Cipher Strength
policy, you can set the AES cipher strength to 256-bit encryption.
Keep in mind that the cipher strength must be set prior to turning
on BitLocker Drive Encryption. Changing the cipher strength has no
effect if a drive is already encrypted or encryption is in
progress.
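Two points from this section and from the recovery discussion above are easy to get wrong in practice: the cipher strength only takes effect on a volume that has not started encrypting, and a recovery password is only useful if it was recorded (for example in Active Directory) before the machine is out of reach. The script below is an added example, not the book's own code, that checks the first condition before enabling BitLocker with 256-bit AES, attaches a 48-digit recovery password before encryption starts, and optionally backs it up to AD DS. It uses the built-in BitLocker module cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector, Enable-BitLocker, Backup-BitLockerKeyProtector) in an elevated session and assumes a computer with an initialized TPM (TPM-Only mode); the AD backup additionally assumes a domain-joined computer with the recovery-information policy enabled. The status check is a pure function, so the constructed calls at the bottom run anywhere; the live call is commented out because it starts encrypting the drive.

```powershell
# Added example (not from the book): enable BitLocker with AES-256 only when the
# cipher-strength setting can still apply, with a recovery password in place first.

function Test-CipherStrengthApplies {
    # The encryption method is fixed once encryption begins, so a change only
    # matters while the volume is still fully decrypted.
    param([string]$VolumeStatus)
    return ($VolumeStatus -eq 'FullyDecrypted')
}

function Enable-BitLockerAes256 {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [switch]$BackupToAD   # only meaningful on a domain-joined computer
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    if (-not (Test-CipherStrengthApplies -VolumeStatus $vol.VolumeStatus.ToString())) {
        # Already encrypted or in progress: report the method actually in use
        # rather than pretending a policy change fixed it.
        return [pscustomobject]@{
            MountPoint = $MountPoint
            Action     = 'none'
            Reason     = "Volume is $($vol.VolumeStatus) using $($vol.EncryptionMethod); " +
                         'cipher strength cannot change without decrypting first'
        }
    }

    # Add the 48-digit recovery password before encryption starts so there is
    # always a way out of Recovery mode, then back it up if requested.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
          Select-Object -First 1
    if ($BackupToAD -and $rp) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
    }

    # TPM-Only mode with AES-256; -UsedSpaceOnly matches the "used portions of
    # volumes" option described at the start of the chapter.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
        -TpmProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint        = $MountPoint
        Action            = 'enabled'
        VolumeStatus      = $vol.VolumeStatus
        EncryptionMethod  = $vol.EncryptionMethod
        RecoveryProtector = $rp.KeyProtectorId
        BackedUpToAD      = [bool]($BackupToAD -and $rp)
    }
}

# Constructed inputs for the pure check; these run on any machine:
Test-CipherStrengthApplies -VolumeStatus 'FullyDecrypted'        # True
Test-CipherStrengthApplies -VolumeStatus 'EncryptionInProgress'  # False
Test-CipherStrengthApplies -VolumeStatus 'FullyEncrypted'        # False

# Live run (starts encrypting the operating system drive):
# Enable-BitLockerAes256 -MountPoint 'C:' -BackupToAD
```

The order matters for the second point: the recovery password is created and backed up before Enable-BitLocker is called, so a computer that loses power or its TPM during the initial encryption already has a recorded recovery path.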