Bit by Bit
Encrypt an entire system partition with Microsoft's BitLocker for Windows Vista.
- By Joern Wettern
When Windows 2000 hit the streets six years ago, it kept your data confidential
with something called the Encrypting File System (EFS). This worked well, but
created almost as many problems as it solved.
You can't use EFS to encrypt many of your system files, for example. This leaves some data unprotected, including paging and hibernation files. Also, recovering EFS-encrypted data can be difficult if not impossible when the profile for the user who originally encrypted the files is lost or inactive. These limitations led many companies to disable EFS altogether.
BitLocker should make file encryption easier and more effective. One of the new security features coming in the Enterprise and Ultimate editions of Vista,
BitLocker lets you encrypt your entire system partition. This prevents unauthorized hard drive access without locking you out of your own data. With the release of Vista only a few months away, now is the time to evaluate whether or not this is the right tool for you.
BitLocker can be dangerous, so plan carefully
before using it for encryption. Make sure you've planned
your recovery strategies, including procedures to help remote
users who lose access to data on their laptop.
- Disable BitLocker until you're ready. Use
Group Policy to disable BitLocker until you've planned
and practiced your recovery strategy.
- Store recovery keys centrally. Use Group Policy
to store recovery keys in Active Directory so administrators
can get to them to quickly restore access to data in an
- Buy compatible computers. If you're buying
new laptop computers now, make sure they have a TPM chip
that complies with version 1.2.
- Learn about BitLocker now. Microsoft has created
many documents to define and describe BitLocker, including
detailed deployment guides. You can access this information
Laptop computers are the most obvious candidate for an encryption system like
BitLocker. Every day, hundreds of laptops are lost in taxicabs. The recent theft
of a laptop containing the personal data of more than 26 million people from
a Department of Veterans Affairs employee made national news. The cost of replacing
the hardware pales in comparison to the havoc wreaked by leaked information.
BitLocker applies strong encryption to your computer's entire system drive. You won't have to worry who might access data on a lost or stolen laptop. BitLocker is also helpful for desktop computers or servers. (Longhorn, the next version of Windows Server, will also include BitLocker.) After all, desktop computers and servers are also susceptible to data theft. File system permission rules won't prevent unauthorized data access if someone starts the computer with a different operating system.
BitLocker also has a feature to help companies needing to decommission computers,
like leased computers up for return. Normally, you'd have to erase all data
from the hard disk before returning the computer. With BitLocker, you can skip
this tedious step. Simply leave the drive as is, because no one will be able
to read the data. A better practice, however, is to use BitLocker's secure deletion
capability. This quickly removes all data from the drive.
What You'll Need
BitLocker uses a startup key to encrypt data, and Microsoft enforces some stringent
hardware requirements to protect the key. BitLocker encryption keys are typically
stored on a Trusted Platform Module (TPM) chip. A TPM chip functions like a
smartcard built into the motherboard.
It's essentially a small computer that stores private keys and performs some basic encryption tasks. A TPM blocks any attempt to retrieve this key or other confidential information. Access to TPM functions is controlled by a PIN or biometric authentication.
The TPM will prevent any access after a pre-determined number of unsuccessful attempts. BitLocker requires the TPM chip be permanently attached to the computer -- normally to the motherboard -- and that it meets at least version 1.2 of the TPM specification.
Many laptop computers (and a few desktop models) have this chip, but older models may not or they may have an outdated TPM. Make sure your computer meets Microsoft's current TPM requirements.
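The TPM requirements described above can be verified before a rollout rather than discovered at encryption time. The PowerShell below is an added example, not code from the article or from Microsoft: it queries the Win32_Tpm WMI class (exposed by Windows Vista and later when a TPM and its driver are present) and reports whether the chip meets a minimum specification version and is enabled and activated in firmware. The function name Test-TpmReadyForBitLocker is an assumption of this example; the WMI namespace and property names are Microsoft's. Run it from an elevated session.

```powershell
# Added example (not from the article): pre-deployment TPM readiness check.
# Assumes the Win32_Tpm WMI class in root\cimv2\Security\MicrosoftTpm, which
# Windows Vista and later expose when a TPM chip and its driver are present,
# and PowerShell 3 or later for [pscustomobject].
function Test-TpmReadyForBitLocker {
    param([version]$MinimumSpec = [version]'1.2')

    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [pscustomobject]@{
            Ready       = $false
            SpecVersion = $null
            Owned       = $false
            Reason      = 'No TPM reported by the OS (no chip, disabled in BIOS, or no driver)'
        }
    }

    # SpecVersion is a string such as "1.2, 2, 3": spec version, spec level, errata.
    # Only the first field is compared against the minimum BitLocker requires.
    $specVersion = [version](($tpm.SpecVersion -split ',')[0].Trim())

    $problems = @()
    if ($specVersion -lt $MinimumSpec) {
        $problems += "TPM spec $specVersion is older than required $MinimumSpec"
    }
    if (-not $tpm.IsEnabled_InitialValue)   { $problems += 'TPM is not enabled in firmware' }
    if (-not $tpm.IsActivated_InitialValue) { $problems += 'TPM is not activated' }
    # Ownership is taken during BitLocker setup, so it is reported but not required here.

    $reason = if ($problems.Count -gt 0) { $problems -join '; ' } else { 'OK' }
    [pscustomobject]@{
        Ready       = ($problems.Count -eq 0)
        SpecVersion = $specVersion
        Owned       = [bool]$tpm.IsOwned_InitialValue
        Reason      = $reason
    }
}

# Usage: run on each candidate machine and collect the results centrally.
Test-TpmReadyForBitLocker
```

Because the check reads firmware-reported initial values, a chip that is present but disabled in the BIOS shows up as a specific reason rather than as "no TPM", which tells the technician whether a BIOS change or a hardware purchase is needed.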
Fortunately, you're not completely out of luck if you don't have a current
TPM chip. You'll be able to use a USB storage device to hold your encryption
keys (although the current beta does not yet support this). If you choose this
option, your computer's BIOS must be able to access USB devices before the operating
system has started up. Of course, using a USB stick means you have to remember
to bring it along when you travel. You also must take care to store it in
a safe place. A TPM is more convenient because it's always in the computer.
Encrypting your system drive is fairly straightforward. You may have
to create a separate partition of at least 1.5GB. BitLocker needs that space
to hold some startup files and have a temporary space for setup. Once the encryption
process starts, plan on going out for dinner or watching a movie. It can take
more than an hour.
Once the drive is encrypted, you can restart your computer. If everything proceeded as planned, you'll be prompted for a PIN or USB stick before Vista starts. This will unlock the startup key used to decrypt the data on the system partition.
After this, you won't even notice BitLocker is there until the next time you
restart your computer. There will be a very small impact on system performance,
but it's unlikely you'll even notice any slowdown.
There are numerous overviews, deployment guides
and technical references about BitLocker on the Microsoft
- An executive overview gives a thorough rundown on how
BitLocker works and how it can help secure drives on lost
or stolen devices.
- A step-by-step guide walks you through the drive encryption
process using BitLocker.
- Technical overviews explain how it fits within the Trusted
- A list of client host requirements explains what you need
to run BitLocker.
If things go wrong with BitLocker, there's a risk you may lose access
to all data on your hard drive. Microsoft provides several safeguards to protect
against this, but it's up to you to put them in place.
First, BitLocker creates a recovery key when you encrypt the drive. You have a number of options for storing this key, whether on a separate USB stick or simply by writing it down. If you use Active Directory, you can also configure a policy that automatically copies the key into Active Directory.
If BitLocker can't decrypt the drive because it can't access the TPM (for example, if you install the drive in a different computer or lose the USB key), you can enter the recovery key and things should be back to normal. Just make sure you don't store the recovery key with your laptop, or you'll effectively lose any protection that BitLocker provides.
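The encryption walkthrough above and the recovery-key advice in this section fit together as one procedure: create and escrow the recovery key first, then turn on encryption. The script below is an added example, not code from the article or from Microsoft, and it uses the BitLocker PowerShell module that ships with Windows 8 / Server 2012 and later rather than the Vista beta the article describes. It assumes an elevated session on a domain-joined machine whose Group Policy permits both a TPM+PIN protector and backup of recovery information to Active Directory; the parameter names $MountPoint and $Pin are this example's own.

```powershell
# Added example (not from the article): enable BitLocker on the OS volume with
# TPM + PIN, after first creating and escrowing a recovery password in AD DS.
# Assumes the BitLocker module (Windows 8 / Server 2012 and later), an elevated
# session, a domain-joined machine, and policy allowing TPM+PIN and AD DS backup.
param(
    [string]$MountPoint = $env:SystemDrive,
    # Supply with: -Pin (Read-Host -AsSecureString 'BitLocker startup PIN')
    [Parameter(Mandatory)][securestring]$Pin
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    throw "$MountPoint is already $($vol.VolumeStatus); refusing to change protectors blindly."
}

# 1. Recovery first: create the 48-digit recovery password protector.
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

# 2. Escrow it under the computer object in AD DS (msFVE-RecoveryInformation) before
#    any data is encrypted. -ErrorAction Stop aborts the script if escrow fails, so a
#    drive is never encrypted while its recovery key exists only on this machine.
foreach ($p in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop
}

# 3. Now turn on encryption, unlocked at boot by the TPM plus the user's PIN.
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 -TpmAndPinProtector -Pin $Pin

# 4. Report what protects the volume. Only protector IDs are printed, never the
#    recovery password itself, so this output is safe to keep in a deployment log.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage,
        @{ n = 'Protectors'
           e = { ($_.KeyProtector | ForEach-Object { "$($_.KeyProtectorType):$($_.KeyProtectorId)" }) -join ', ' } }
```

The ordering is the point: the article's warning about locking yourself out is addressed by refusing to start encryption until Backup-BitLockerKeyProtector has succeeded, and the final report lets a help-desk script later match a user's recovery prompt (which shows the protector ID) to the escrowed entry without ever handling the 48-digit password in the clear.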
Because of the potential recovery and support issues, you should learn how
to handle any recovery scenarios before using BitLocker. For example, you may
have to help a user on a business trip who is having a panic attack because
he lost his USB stick or another who can't get at his presentation after having
the motherboard on his laptop replaced.
Don't Ditch EFS Just Yet
BitLocker is easier to use and more comprehensive than EFS. It transparently
encrypts all files on your system disk, including the swap and hibernation files.
And you won't have to configure files or directories for encryption.
However, as BitLocker only encrypts data on the system disk, you still have to use EFS to protect any files stored on a different partition. Also, BitLocker might not be practical if you share a computer with other users. Imagine having to share the PIN for the TPM with multiple users or handing a USB device back and forth.
BitLocker doesn't protect any files while the computer is running, whereas EFS can prevent unauthorized access to specific files, while still permitting access to other files for normal operations. You can think of BitLocker as protection for when someone steals your computer, and EFS as protection against unauthorized access to specific files while your computer is running.
The security benefits of BitLocker are obvious. However, there will also be
many cases of people inadvertently locking themselves out from their data because
they made a tactical error that prevents BitLocker from decrypting their data.
Plan your recovery strategies first so you won't become a victim of your own
Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping
companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.