Windows 8 : BitLocker Drive Encryption: The Essentials (part 1) - Understanding BitLocker Drive Encryption

10/5/2013 1:56:12 AM

BitLocker is built into all editions of Windows 8 and added as a feature for all editions of Windows Server. Although BitLocker Drive Encryption and BitLocker To Go are often referred to simply as BitLocker, they are separate but similar features. BitLocker Drive Encryption is designed to protect the data on the internal hard drives of lost, stolen, or inappropriately decommissioned computers and is a volume-level encryption technology. BitLocker To Go is designed to protect the data on removable data drives, such as external hard drives and USB flash drives, and is a virtual-volume encryption technology. Standard BitLocker encrypts by wrapping the entire volume or only the used portion of the volume in protected encryption. BitLocker To Go, on the other hand, creates a virtual volume on a USB flash drive. This virtual volume is encrypted by using an encryption key stored on the USB flash drive.

Understanding BitLocker Drive Encryption

On a computer without BitLocker Drive Encryption, a user with direct physical access to the computer has a variety of ways he could gain full control and then access the computer’s data, whether that data is encrypted with EFS or not. For example, a user could use a boot disk to boot the computer and reset the administrator password. A user could also install and then boot to a different operating system and then use this operating system to unlock the other installation.

BitLocker Drive Encryption prevents all access to a computer’s drives except by authorized personnel by wrapping entire drives or only the used portion of drives in tamper-proof encryption. If an unauthorized user tries to access a BitLocker-encrypted drive, the encryption prevents the user from viewing or manipulating the protected data in any way. This dramatically reduces the risk of an unauthorized person gaining access to confidential data through offline attacks.

Caution

BitLocker Drive Encryption reduces disk throughput. It is meant to be used when a computer is not in a physically secure location and requires additional protection.

BitLocker Drive Encryption can use a TPM to validate the integrity of a computer’s boot manager and boot files at startup and to guarantee that a computer’s hard disk has not been tampered with while the operating system was offline. BitLocker Drive Encryption also stores measurements of core operating system files in the TPM.

Every time the computer is started, Windows validates the boot files, the operating system files, and any encrypted volumes to ensure that they have not been modified while the operating system was offline. If the files have been modified, Windows alerts the user and refuses to release the key required to access Windows. The computer then goes into Recovery mode, prompting the user to provide a recovery key before it allows access to the boot volume. The Recovery mode is also used if a BitLocker-encrypted disk drive is transferred to another system.

BitLocker Drive Encryption can be used in both TPM and non-TPM computers. If a computer has a TPM, BitLocker Drive Encryption uses the TPM to provide enhanced protection for your data and to ensure early boot file integrity. These features together help prevent unauthorized viewing and accessing of data by encrypting the entire Windows volume and by safeguarding the boot files from tampering. If a computer doesn’t have a TPM or its TPM isn’t compatible with Windows, BitLocker Drive Encryption can be used to encrypt entire volumes, and in this way protect the volumes from tampering. This configuration, however, doesn’t allow the added security of early boot file integrity validation.

On computers with a compatible TPM that is initialized, BitLocker Drive Encryption typically uses one of the following TPM modes:

  • TPM-Only In this mode, only TPM is used for validation. When the computer boots, TPM is used to validate the boot files, the operating system files, and any encrypted volumes. Because the user doesn’t need to provide an additional startup key, this mode is transparent to the user, and the user logon experience is unchanged. However, if the TPM is missing or the integrity of files or volumes has changed, BitLocker enters Recovery mode and requires a recovery key or password to regain access to the boot volume.

  • TPM and PIN In this mode, both TPM and a user-entered numeric key are used for validation. When the computer boots, TPM is used to validate the boot files, the operating system files, and any encrypted volumes. The user must enter a PIN when prompted to continue startup. If the user doesn’t have the PIN or is unable to provide the correct PIN, BitLocker enters Recovery mode instead of booting to the operating system. As before, BitLocker also enters Recovery mode if the TPM is missing or the integrity of boot files or encrypted volumes has changed.

  • TPM and Startup Key In this mode, both TPM and a startup key are used for validation. When the computer boots, TPM is used to validate the boot files, the operating system files, and any encrypted volumes. The user must have a USB flash drive with a startup key to log on to the computer. If the user doesn’t have the startup key or is unable to provide the correct startup key, BitLocker enters Recovery mode. As before, BitLocker also enters Recovery mode if the TPM is missing or the integrity of boot files or encrypted volumes has changed.

  • TPM and Smart Card Certificate In this mode, both TPM and a smart card certificate are used for validation. When the computer boots, TPM is used to validate the boot files, the operating system files, and any encrypted volumes. The user must have a smart card with a valid certificate to log on to the computer. If the user doesn’t have a smart card with a valid certificate and is unable to provide one, BitLocker enters Recovery mode. As before, BitLocker also enters Recovery mode if the TPM is missing or the integrity of boot files or encrypted volumes has changed.

With Windows 8 and Windows Server 2012, network unlock allows the system volume on a computer with TPM to be automatically unlocked on startup, provided the computer is joined and connected to the domain. When not joined and connected to the domain, other means of validation can be used, such as a startup PIN.

On computers without a TPM or on computers that have incompatible TPMs, Windows 8 and Windows Server 2012 can be configured to use an unlock password for the operating system drive. To configure this, you must enable the Configure Use Of Passwords For Operating System Drives policy in the Administrative Templates policies for Computer Configuration under Windows Components\BitLocker Drive Encryption. The unlock password can be configured with minimum length and complexity requirements. The default minimum password length is 8 characters. Complexity requirements can be:

  • Always validated using the Require Password Complexity setting.

  • Validated if possible using the Allow Password Complexity setting.

  • Not validated using the Do Not Allow Password Complexity setting.

The unlock password is validated when you enable BitLocker Drive Encryption and set the password, as well as whenever the password is changed by a user. With required complexity, you can only set a password (and enable encryption) when the computer can connect to a domain controller and validate the complexity of the password. With allowed complexity, the computer will attempt to validate the complexity of the password when you set it but will allow you to continue and enable encryption if no domain controllers are available.

On computers without a TPM or on computers that have incompatible TPMs, BitLocker Drive Encryption also can use Startup Key Only or Smart Card Certificate Only mode. Startup Key Only mode requires a USB flash drive containing a startup key. The user inserts the USB flash drive in the computer before turning it on. The key stored on the flash drive unlocks the computer.

Smart Card Certificate Only mode requires a smart card with a valid certificate. The user validates the smart card certificate after turning on the computer. The certificate unlocks the computer.
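The following PowerShell script is an added example, not code from the original article: it reads each volume's key protectors with Get-BitLockerVolume and maps them onto the startup modes described above (TPM-Only, TPM and PIN, TPM and Startup Key, Startup Key Only, unlock password, certificate), so an administrator can confirm which mode a machine actually uses and whether a recovery password exists. The protector type names come from the BitLocker module (Windows 8 / Server 2012 and later); the mapping to the article's mode names is this script's own assumption.

```powershell
# Added example: report the effective BitLocker startup mode per volume.
# Run from an elevated prompt on Windows 8 / Server 2012 or later.
function Get-BitLockerStartupMode {
    [CmdletBinding()]
    param()

    $tpm = $null
    try { $tpm = Get-Tpm -ErrorAction Stop } catch { }   # Get-Tpm fails on hardware without a TPM

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values as exposed by the BitLocker module
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # Map unlock protectors to the modes in the text; the first match wins.
        # Note: ExternalKey is used both for a startup key and for a recovery-key file,
        # so it is only treated as "Startup Key Only" when no TPM protector is present.
        $mode = switch ($true) {
            { $types -contains 'TpmAndPinAndStartupKey' } { 'TPM, PIN and Startup Key'; break }
            { $types -contains 'TpmAndPin' }              { 'TPM and PIN'; break }
            { $types -contains 'TpmAndStartupKey' }       { 'TPM and Startup Key'; break }
            { $types -contains 'TpmNetworkKey' }          { 'TPM with Network Unlock'; break }
            { $types -contains 'Tpm' }                    { 'TPM-Only'; break }
            { $types -contains 'Password' }               { 'Unlock password (no TPM)'; break }
            { $types -contains 'ExternalKey' }            { 'Startup Key Only'; break }
            { $types -contains 'PublicKey' }              { 'Certificate / smart card'; break }
            default                                        { 'None (recovery protectors only)' }
        }

        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeType          = $vol.VolumeType
            ProtectionStatus    = $vol.ProtectionStatus
            EncryptionMethod    = $vol.EncryptionMethod
            TpmPresent          = if ($tpm) { $tpm.TpmPresent } else { $false }
            StartupMode         = $mode
            HasRecoveryPassword = ($types -contains 'RecoveryPassword')
            Protectors          = ($types -join ', ')
        }
    }
}

Get-BitLockerStartupMode | Format-Table -AutoSize
```

A volume whose StartupMode is "None" but whose ProtectionStatus is On will drop into Recovery mode at every boot, which is the failure case worth catching before rolling a machine out.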

It’s also important to point out that standard users can reset the BitLocker PIN and password on operating system drives, fixed data drives, and removable data drives. This is an important change in Windows 8 because administrator privileges were required to perform these tasks in Windows 7. If you don’t want standard users to be able to perform these tasks, enable the Disallow Standard Users From Changing The PIN Or Password policy. This Computer Configuration policy is found under Windows Components\BitLocker Drive Encryption\Operating System Drives.

Several important changes have been made to BitLocker Drive Encryption since the technology was first implemented on Windows Vista. For Windows 7 and later, you can do the following:

  • Encrypt FAT volumes as well as NTFS volumes. Previously, you could only encrypt NTFS volumes. When you encrypt FAT volumes, you have the option of specifying whether encrypted volumes can be unlocked and viewed on computers running Windows Vista or later. This option is configured through Group Policy and is enabled when you turn on BitLocker. In the Administrative Templates policies for Computer Configuration under Windows Components\BitLocker Drive Encryption, there are separate policies for earlier versions of Windows that allow FAT-formatted fixed drives and FAT-formatted removable drives to be unlocked and viewed.

  • Allow a data-recovery agent to be used with BitLocker Drive Encryption. This option is configured through Group Policy. The data-recovery agent allows an encrypted volume to be unlocked and recovered by using a recovery agent’s personal certificate or a 48-digit recovery password. You can optionally save the recovery information in Active Directory. In the Administrative Templates policies for Computer Configuration, there are separate policies for operating system volumes, other fixed drives, and removable drives.

  • Deny write access to removable data drives not protected with BitLocker. This option is configured through Group Policy. If you enable this option, users have read-only access to unencrypted removable data drives and read/write access to encrypted removable data drives.

In a domain, domain administrators are the default data-recovery agents. A homegroup or workgroup has no default data-recovery agent, but you can designate one. Any user you want to designate as a data-recovery agent needs a personal encryption certificate. You can generate a certificate by using the Cipher utility and then use the certificate to assign the data-recovery agent in Local Security Policy under Public Key Policies\BitLocker Drive Encryption.

Windows Vista and Windows 7 support AES encryption with a diffuser. Windows 8 moves away from this to support standard AES with 128-bit encryption by default or 256-bit encryption (if you enable the Choose Drive Encryption Method And Cipher Strength policy to set the cipher strength to 256-bit encryption). The cipher strength must be set prior to turning on BitLocker. Changing the cipher strength has no effect if the drive is already encrypted or encryption is in progress.
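Because the cipher strength policy only takes effect when encryption is turned on, a drive encrypted before the policy changed silently keeps its old method. This added example (not from the original article) compares the policy setting with the method each encrypted volume actually reports. The registry location and numeric codes (HKLM\SOFTWARE\Policies\Microsoft\FVE, EncryptionMethod: 1/2 = AES 128/256 with diffuser, 3/4 = AES 128/256) are this example's assumptions about how the Choose Drive Encryption Method And Cipher Strength policy is stored; confirm them against your ADMX templates.

```powershell
# Added example: flag volumes whose actual cipher differs from the configured policy.
function Compare-BitLockerCipherPolicy {
    [CmdletBinding()]
    param()

    # Assumed policy storage for "Choose Drive Encryption Method And Cipher Strength"
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $codes = @{ 1 = 'Aes128Diffuser'; 2 = 'Aes256Diffuser'; 3 = 'Aes128'; 4 = 'Aes256' }

    $policyCode = (Get-ItemProperty -Path $policyPath -Name EncryptionMethod `
                   -ErrorAction SilentlyContinue).EncryptionMethod

    if ($null -eq $policyCode) {
        $policyMethod = 'Aes128'                       # Windows 8 default when the policy is not set
        $source = 'default (policy not configured)'
    } elseif ($codes.ContainsKey([int]$policyCode)) {
        $policyMethod = $codes[[int]$policyCode]
        $source = 'Group Policy'
    } else {
        $policyMethod = "Unknown($policyCode)"
        $source = 'Group Policy'
    }

    # Skip volumes that are not encrypted; they have no method to compare.
    foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }) {
        $actual = $vol.EncryptionMethod.ToString()
        [pscustomobject]@{
            MountPoint   = $vol.MountPoint
            VolumeStatus = $vol.VolumeStatus
            PolicyMethod = $policyMethod
            PolicySource = $source
            ActualMethod = $actual
            Matches      = ($actual -eq $policyMethod)
        }
    }
}

Compare-BitLockerCipherPolicy | Format-Table -AutoSize
```

A volume with Matches = False must be decrypted and re-encrypted to pick up the new cipher strength; changing the policy alone does nothing for it.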
