Security Advisor

Bit by Bit

Encrypt an entire system partition with Microsoft's BitLocker for Windows Vista.

When Windows 2000 hit the streets six years ago, it kept your data confidential with something called the Encrypting File System (EFS). This worked well, but created almost as many problems as it solved.

You can't use EFS to encrypt many of your system files, for example. This leaves some data unprotected, including paging and hibernation files. Also, recovering EFS-encrypted data can be difficult if not impossible when the profile for the user who originally encrypted the files is lost or inactive. These limitations led many companies to disable EFS altogether.

BitLocker should make file encryption easier and more effective. One of the new security features coming in the Enterprise and Ultimate editions of Vista, BitLocker lets you encrypt your entire system partition. This prevents unauthorized hard drive access without locking you out of your own data. With the release of Vista only a few months away, now is the time to evaluate whether or not this is the right tool for you.

BitLocker Tips

BitLocker can be dangerous, so plan carefully before using it for encryption. Make sure you've planned your recovery strategies, including procedures to help remote users who lose access to data on their laptop.

  • Disable BitLocker until you're ready. Use Group Policy to disable BitLocker until you've planned and practiced your recovery strategy.
  • Store recovery keys centrally. Use Group Policy to store recovery keys in Active Directory so administrators can get to them to quickly restore access to data in an emergency.
  • Buy compatible computers. If you're buying new laptop computers now, make sure they have a TPM chip that complies with version 1.2.
  • Learn about BitLocker now. Microsoft has created many documents to define and describe BitLocker, including detailed deployment guides. You can access this information here.
    -- J.W.

Laptop computers are the most obvious candidate for an encryption system like BitLocker. Every day, hundreds of laptops are lost in taxicabs. The recent theft of a laptop containing the personal data of more than 26 million people from a Department of Veterans Affairs employee made national news. The cost of replacing the hardware pales in comparison to the havoc wreaked by leaked information.

BitLocker applies strong encryption to your computer's entire system drive. You won't have to worry who might access data on a lost or stolen laptop. BitLocker is also helpful for desktop computers or servers. (Longhorn, the next version of Windows Server, will also include BitLocker.) After all, desktop computers and servers are also susceptible to data theft. File system permission rules won't prevent unauthorized data access if someone starts the computer with a different operating system.

BitLocker also has a feature to help companies needing to decommission computers, like leased computers up for return. Normally, you'd have to erase all data from the hard disk before returning the computer. With BitLocker, you can skip this tedious step. Simply leave the drive as is, because no one will be able to read the data. A better practice, however, is to use BitLocker's secure deletion capability. This quickly removes all data from the drive.

What You'll Need
BitLocker uses a startup key to encrypt data, and Microsoft enforces some stringent hardware requirements to protect the key. BitLocker encryption keys are typically stored on a Trusted Platform Module (TPM) chip. A TPM chip functions like a smartcard built into the motherboard.

It's essentially a small computer that stores private keys and performs some basic encryption tasks. A TPM blocks any attempt to retrieve this key or other confidential information. Access to TPM functions is controlled by a PIN or biometric authentication.

The TPM will prevent any access after a pre-determined number of unsuccessful attempts. BitLocker requires the TPM chip be permanently attached to the computer -- normally to the motherboard -- and that it meets at least version 1.2 of the TPM specification.

Many laptop computers (and a few desktop models) have this chip, but older models may not or they may have an outdated TPM. Make sure your computer meets Microsoft's current TPM requirements.

Fortunately, you're not completely out of luck if you don't have a current TPM chip. You'll be able to use a USB storage device to hold your encryption keys (although the current beta does not yet support this). If you choose this option, your computer's BIOS must be able to access USB devices before the operating system has started up. Of course, using a USB stick means you have to remember to bring it along when you travel. You also must take care to store it into a safe place. A TPM is more convenient because it's always in the computer.

Encryption Essentials
Encrypting your system drive is fairly straightforward. You may have to create a separate partition of at least 1.5GB. BitLocker needs that space to hold some startup files and have a temporary space for setup. Once the encryption process starts, plan on going out for dinner or watching a movie. It can take more than an hour.

Once the drive is encrypted, you can restart your computer. If everything proceeded as planned, you'll be prompted for a PIN or USB stick before Vista starts. This will unlock the startup key used to decrypt the data on the system partition.

After this, you won't even notice BitLocker is there until the next time you restart your computer. There will be a very small impact on system performance, but it's unlikely you'll even notice any slowdown.

BitLocker Bits

There are numerous overviews, deployment guides and technical references about BitLocker on the Microsoft Web site:

  • An executive overview gives a thorough rundown on how BitLocker works and how it can help secure drives on lost or stolen devices.
  • A step-by-step guide walks you through the drive encryption process using BitLocker.
  • Technical overviews explain how it fits within the Trusted Platform Model.
  • A list of client host requirements explain what you need to run BitLocker.

Recovery Options
If things go wrong with BitLocker, there's a risk you may lose access to all data on your hard drive. Microsoft provides several safeguards to protect against this, but it's up to you to put them in place.

First, BitLocker creates a recovery key when you encrypt the drive. You have a number of options for storing this key, whether on a separate USB stick or simply by writing it down. If you use Active Directory, you can also configure a policy that automatically copies the key into Active Directory.

If BitLocker can't decrypt the drive because it can't access the TPM (if something happens like you install the drive in a different computer or lose the USB key), you can enter the recovery key and things should be back to normal. Just make sure you don't store the recovery key with your laptop, or you'll effectively lose any protection that BitLocker provides.

Because of the potential recovery and support issues, you should learn how to handle any recovery scenarios before using BitLocker. For example, you may have to help a user on a business trip who is having a panic attack because he lost his USB stick or another who can't get at his presentation after having the motherboard on his laptop replaced.

Don't Ditch EFS Just Yet
BitLocker is easier to use and more comprehensive than EFS. It transparently encrypts all files on your system disk, including the swap and hibernation files. And you won't have to configure files or directories for encryption.

However, as BitLocker only encrypts data on the system disk, you still have to use EFS to protect any files stored on a different partition. Also, BitLocker might not be practical if you share a computer with other users. Imagine having to share the PIN for the TPM with multiple users or handing a USB device back and forth.

BitLocker doesn't protect any files while the computer is running, whereas EFS can prevent unauthorized access to specific files, while still permitting access to other files for normal operations. You can think of BitLocker as protection for when someone steals your computer, and EFS as protection against unauthorized access to specific files while your computer is running.

The security benefits of BitLocker are obvious. However, there will also be many cases of people inadvertently locking themselves out from their data because they made a tactical error that prevents BitLocker from decrypting their data. Plan your recovery strategies first so you won't become a victim of your own security.

comments powered by Disqus

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.