4. Using hardware encryption, secure boot, and Network Unlock
BitLocker Drive Encryption has other enhancements for Windows 8
and Windows Server 2012 as well. You can manage most of these
enhancements using the Administrative Templates policies for Computer
Configuration under Windows Components\BitLocker Drive
Encryption.
4.1 Hardware encrypted drives
Windows 8 and Windows Server 2012 add support for disk drives
with hardware encryption (referred to as encrypted hard
drives). Encryption in hardware is faster and moves the
processing burden from the computer’s processor to the hardware
processor on the hard disk. By default, if a computer has hardware
encryption, Windows 8 will use it with BitLocker. To use encrypted
hard drives with Windows Server 2012, you must add the Enhanced Storage feature.
When the operating system initializes an encrypted hard drive,
it activates a security mode that allows the drive controller to
generate a media key for every volume created on the encrypted hard
drive. This media key set is used to encrypt every byte of data
written to the drive and decrypt every byte of data read from the
drive. The key set consists of the following:
- A data-encryption key. This key is used to encrypt all data on the
drive. The key is stored in an encrypted format in a random
location on the drive.
- An authentication key. This key is used to unlock data on the drive. A
hash of the authentication key is stored on the drive and used
to decrypt the data-encryption key.
An encrypted drive is locked and inaccessible when it is in a
powered-off state. When the drive is powered on (as part of the
computer startup), the drive remains locked until the authentication
key is used to decrypt the data-encryption key. All data read from
or written to the drive passes through the encryption engine. If the
data-encryption key needs to be changed or erased, the drive doesn’t
need to be re-encrypted. Instead, the encryption engine creates a
new authentication key and then re-encrypts the data-encryption key.
Afterward, the data-encryption key can be unlocked with the new
authentication key and data can be read from and written to the
drive as before.
Before you enable hardware encryption, there are some important caveats.
With data drives, the drive must be in an uninitialized state and in
a security-inactive state. With system drives, the drive must be in
an uninitialized state and in a security-inactive state, and the
computer must always boot natively from Unified Extensible Firmware
Interface (UEFI). Further, neither data drives nor system drives can
be attached to RAID controllers. Although future updates or service
packs could change or remove these restrictions, these are the
restrictions as of the time I wrote this.
Important
System drives must boot natively from UEFI 2.3.1 or later
and have a defined EFI_STORAGE_SECURITY_COMMAND_PROTOCOL. System
drives must also have the Compatibility Support Module (CSM)
disabled in UEFI.
4.2 Optimizing encryption
In Group Policy, you can precisely control whether to permit
software-based encryption when hardware encryption is
not available and whether to restrict encryption to those algorithms
and cipher strengths supported by hardware. To do this, use Group
Policy to enable hardware-based encryption for system drives, data
drives, or both.
You can enable hardware-based encryption for data drives using
the Configure Use Of Hardware-Based Encryption For Fixed
Data Drives policy, shown in Figure 11. When the
policy is enabled, you must specifically allow software-based
encryption when hardware-based encryption isn’t available. You also
have the option of restricting the encryption algorithms used to a
specific subset. Keep in mind that the encryption algorithm is set
when a drive is partitioned and that the Choose Drive Encryption
Method And Cipher Strength policy doesn’t apply to hardware-based
encryption.
You can enable hardware-based encryption for system drives using the Configure Use Of Hardware-Based Encryption For
Operating System Drives policy, shown in Figure 12. As with data
drives, when the policy is enabled, you must keep in mind the
following:
- You must specifically allow software-based encryption when hardware-based
encryption isn’t available.
- You have the option of restricting the encryption
algorithms used to a specific subset.
- The Choose Drive Encryption Method And Cipher
Strength policy doesn’t apply to hardware-based
encryption.
Finally, as necessary, use the Configure Use Of Hardware-Based Encryption For
Removable Data Drives policy to control whether software-based encryption is permitted when hardware encryption is not available and whether to
restrict encryption to those algorithms and cipher strengths
supported by hardware.
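The following PowerShell script is an added example, not part of the book: it reads the three hardware-encryption policies described above (operating system, fixed data, and removable data drives) from the local policy registry key and then lists the encryption method BitLocker actually applied to each volume, so you can spot a drive that silently fell back to software encryption or that cannot be encrypted because fallback is disallowed. The registry value names (OSHardwareEncryption, FDVAllowSoftwareEncryptionFailover, and so on) are assumed from the BitLocker ADMX and should be confirmed against your own ADMX files.

```powershell
# Added example, not from the book: audit the hardware-encryption policies and
# compare them with what BitLocker actually applied. Run elevated on Windows 8 /
# Windows Server 2012 or later with the BitLocker PowerShell module available.
# Assumption: value names below are those written by the BitLocker ADMX
# (VolumeEncryption.admx) under the FVE policy key; verify before relying on it.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Value-name prefixes for the three drive classes (assumed names).
$driveClasses = [ordered]@{
    OS  = 'Operating system drives'
    FDV = 'Fixed data drives'
    RDV = 'Removable data drives'
}

function Get-FvePolicyValue {
    param([string]$Name)
    # $null means the policy is Not Configured (value absent from the key).
    $item = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Format-Tristate {
    param($Value)
    if ($null -eq $Value) { 'Not configured' } elseif ($Value -eq 1) { 'Yes' } else { 'No' }
}

function Get-HardwareEncryptionPolicyReport {
    foreach ($prefix in $driveClasses.Keys) {
        [pscustomobject]@{
            DriveClass         = $driveClasses[$prefix]
            HardwareEncryption = Format-Tristate (Get-FvePolicyValue "${prefix}HardwareEncryption")
            # 'No' here with HardwareEncryption 'Yes' means a drive whose controller
            # lacks an encryption engine cannot be protected by BitLocker at all.
            SoftwareFallback   = Format-Tristate (Get-FvePolicyValue "${prefix}AllowSoftwareEncryptionFailover")
            RestrictAlgorithms = Format-Tristate (Get-FvePolicyValue "${prefix}RestrictHardwareEncryptionAlgorithms")
            # The allowed list is stored as algorithm OIDs, not cipher names.
            AllowedAlgorithms  = Get-FvePolicyValue "${prefix}AllowedHardwareEncryptionAlgorithms"
        }
    }
}

Get-HardwareEncryptionPolicyReport | Format-Table -AutoSize

# What BitLocker actually did: EncryptionMethod 'Hardware' means the drive's own
# engine is in use. An AES method on a volume that should be hardware encrypted
# indicates software fallback, or a volume set up before the policy applied
# (the method is fixed when the drive is partitioned and encrypted).
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionMethod |
    Format-Table -AutoSize
```

Because the encryption method is fixed at setup, a policy change shows up in the second table only for volumes partitioned and encrypted after the policy was applied.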