Windows BitLocker Drive Encryption offers protection
Wednesday, December 13, 2006 10:02 AM
Scott Lowe discusses a new encryption feature that is available with Windows Vista--BitLocker Drive Encryption. Does it really offer more data protection options for mobile users?
There is a critical need to secure your company's data, particularly when you might have sensitive data being transported around the country on a user's laptop. There are a number of options you can consider when it comes to securing that data.
First, you can try to find a way to avoid having users transport sensitive data, but this is not always feasible. Second, you can encrypt sensitive data using Windows XP's built-in EFS encryption, but this method still has some holes. (Most importantly, EFS doesn’t protect the entire volume; it protects only those files and folders specifically encrypted with EFS and cannot protect system files, or files located in the system root.) Third, you can look to a third-party vendor that provides full-disk encryption.
One other option is that you can upgrade your mobile users to Windows Vista. Windows Vista has a new feature that aims to help organizations keep their private data in the right hands--Windows BitLocker Drive Encryption.
BitLocker provides full-volume encryption that protects the volume while it is "off-line," that is, while the operating system is not running. What this means is that once you have implemented BitLocker, the data on the volume stays encrypted even if a potential hacker gets physical access to the system.
Further, organizations using BitLocker should--in theory--have less to worry about if a laptop, or even just its physical hard drive, is lost or stolen. The disk will remain encrypted and protected.
The technical particulars
BitLocker uses either 128- or 256-bit AES (Advanced Encryption Standard) encryption; the level of encryption is up to you and is configurable using Group Policies. BitLocker works best when used on a system with a Trusted Platform Module (TPM) 1.2. A TPM is actually another chip that sits on a computer’s motherboard and is responsible for the generation of cryptographic keys, which are vital to a successful encryption project. According to Microsoft and other independent testers, the use of BitLocker Drive Encryption comes with a negligible system performance penalty.
There are some caveats, though. BitLocker protects only the operating system volume of a computer. If you deploy laptops with a single volume, this isn’t a problem; but on systems with multiple volumes or multiple drives, BitLocker alone cannot protect all of the data. In these circumstances, Microsoft continues to recommend the use of EFS for non-OS volumes. When used in conjunction with BitLocker, EFS is also more effective since the root secrets of EFS are housed on the OS volume. So, once BitLocker is enabled for the OS volume, these EFS root secrets themselves are then protected by BitLocker and much less susceptible to tampering. Further, you get around one serious EFS limitation--the inability to encrypt files in the system root. Now, these files will be protected by BitLocker and the rest of your system protected with EFS.
There are also a number of areas in which BitLocker does not provide protection, including:
Tampering by system administrators: By default, these people frequently have carte blanche access to data. Encryption is not designed to keep those out who have been granted access to data.
Attacks by other authenticated users: If an attack is launched against a system and that attack is using appropriate user credentials, BitLocker will freely give up your secrets. In short, BitLocker cannot protect you if your system is compromised as a part of an online attack. The lesson here: multiple layers of defense remain critical. Always run a firewall, antivirus, and antispyware software for the maximum protection of your data assets.
Hardware attacks: A hacker can still attach a dedicated hardware debugger to a system and gain access to the underlying data.
Deployment
I will go over a full deployment sample in my next article. However, you should know that you can deploy BitLocker two different ways--either by using TPM 1.2 or not using TPM 1.2. Using TPM 1.2 offers the highest level of security, but not every system is capable of supporting this. In order to offer protection to those that cannot or will not deploy TPM, Microsoft makes available a non-TPM deployment method. The non-TPM mode supports multiple authentication methods, including the entry of a PIN by the user upon boot, or the insertion of a USB drive that has a startup key stored on the device. In my next article, you’ll see this second method in action.
And now, the bad
BitLocker is supported only on the Enterprise and Ultimate editions of Vista and will also be available under Longhorn Server. Why Microsoft would exclude the other Vista editions, particularly the Business edition, is beyond me. Only the Ultimate edition of Vista can run BitLocker in a standalone way. Further, the Enterprise edition supports BitLocker only when the machine is joined to a domain. Now, this is not as much of a drawback as it would seem at first glance. Since you can store BitLocker recovery keys in Active Directory, this makes sense. You probably don’t want thousands of people out there carrying around their private recovery keys...and losing them, thus making your company’s data irrecoverable.
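The following audit script is an added example and not part of this article or of Microsoft's own tooling. It checks, on one machine, the points made above about the technical particulars, the deployment modes and recovery keys: the AES strength in use, whether a TPM is present, which key protectors (TPM, PIN, USB startup key) guard each volume, and whether a recovery password exists to back up to Active Directory. It assumes the Win32_EncryptableVolume and Win32_Tpm WMI classes that ship with Vista and an elevated PowerShell prompt; it changes nothing.

```powershell
# Added example: read-only BitLocker posture audit via the Vista WMI provider classes.
$fveNs = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$tpmNs = 'root\CIMV2\Security\MicrosoftTpm'

# Lookup tables for the numeric codes the WMI methods return.
$methods = @{ 0 = 'None'; 1 = 'AES-128 + Diffuser'; 2 = 'AES-256 + Diffuser'; 3 = 'AES-128'; 4 = 'AES-256' }
$protectors = @{ 1 = 'TPM'; 2 = 'External key (USB startup key)'; 3 = 'Recovery password';
                 4 = 'TPM + PIN'; 5 = 'TPM + startup key'; 6 = 'TPM + PIN + startup key';
                 7 = 'Certificate'; 8 = 'Passphrase' }

# TPM check: the article recommends a TPM 1.2; without one only the USB/PIN fallback is available.
$tpm = Get-WmiObject -Namespace $tpmNs -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm) {
    Write-Host ("TPM spec {0}: enabled={1} activated={2} owned={3}" -f `
        $tpm.SpecVersion, $tpm.IsEnabled().IsEnabled, $tpm.IsActivated().IsActivated, $tpm.IsOwned().IsOwned)
} else {
    Write-Host 'No TPM reported; BitLocker can only run in non-TPM (startup key or PIN) mode here.'
}

$osDrive = $env:SystemDrive   # e.g. "C:", matches the DriveLetter property format
foreach ($vol in Get-WmiObject -Namespace $fveNs -Class Win32_EncryptableVolume) {
    $prot = $vol.GetProtectionStatus().ProtectionStatus    # 0 = off, 1 = on, 2 = unknown
    $enc  = $vol.GetEncryptionMethod().EncryptionMethod    # code mapped through $methods
    $ids  = $vol.GetKeyProtectors(0).VolumeKeyProtectorID  # 0 = enumerate all protector types
    $types = @()
    foreach ($id in $ids) {
        $types += $protectors[[int]$vol.GetKeyProtectorType($id).KeyProtectorType]
    }
    Write-Host ("{0} protection={1} method={2} protectors={3}" -f `
        $vol.DriveLetter, $prot, $methods[[int]$enc], ($types -join ', '))

    # Findings drawn from the article's caveats.
    if ($vol.DriveLetter -eq $osDrive -and $prot -ne 1) {
        Write-Warning "OS volume $($vol.DriveLetter) is not protected by BitLocker."
    }
    if ($vol.DriveLetter -ne $osDrive -and $prot -ne 1) {
        Write-Warning "$($vol.DriveLetter) is an unprotected non-OS volume; the article recommends EFS there."
    }
    if ($prot -eq 1 -and $types -notcontains 'Recovery password') {
        Write-Warning "$($vol.DriveLetter) has no recovery password to back up to Active Directory."
    }
}
```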
Summary
While it has its limitations, BitLocker is a welcome addition to the family. The tool provides enterprises with additional data protection options that can help organizations keep data safe.