Page 1: BitLocker Drive Encryption: How it Works and How it Compares

BitLocker Drive Encryption: How it Works and How it Compares

Made possible by:

© 2011 Monterey Technology Group Inc.

Page 2: BitLocker Drive Encryption: How it Works and How it Compares

Brought to you by

Speakers
Chris Merritt, Director, Solutions Marketing

http://www.lumension.com/Solutions/Intelligent-Whitelisting.aspx

Page 3: BitLocker Drive Encryption: How it Works and How it Compares

Preview of Key Points

• How BitLocker works
• Implementation steps
• Caveats!

Page 4: BitLocker Drive Encryption: How it Works and How it Compares

How BitLocker Works

BitLocker
• For fixed disks
• Full volume encryption

BitLocker To Go
• For removable disks

Trusted Platform Module (TPM)
• Secure, tamper-resistant key storage
• Takes system measurements and can prevent the system from booting if possible tampering is detected

Page 5: BitLocker Drive Encryption: How it Works and How it Compares

How BitLocker Works

Risks addressed

BitLocker on the system volume
• Protect data stored therein
• Protect the OS from tampering

BitLocker To Go
• Prevent data leakage to removable drives
• Combine with group policies that prevent writing to unprotected removable drives

Page 6: BitLocker Drive Encryption: How it Works and How it Compares

How BitLocker Works

• Entire volume encrypted with an AES symmetric key
• AES key encrypted with:
  • Startup key
  • Recovery key(s)

Page 7: BitLocker Drive Encryption: How it Works and How it Compares

How BitLocker Works

Startup key options
• Stored in the TPM (Trusted Platform Module)
• Stored on a USB drive

Optional additional protection
• PIN

Most common scenarios
• TPM only
• USB drive with PIN

Don’t do this!
• USB drive without PIN

Page 8: BitLocker Drive Encryption: How it Works and How it Compares

How BitLocker Works

Data recovery options

Recovery password (48 digits)
• Can be printed or saved as a text file to a shared folder
• Better: can be backed up to that computer’s account in AD
• Best for remote, phone-based support

Recovery key
• 256-bit key saved to a USB drive
• Many keys can be stored on one USB flash drive, which is then physically secured

Data recovery agent
• Data recovery certificate pushed to all systems via group policy
• Volume encryption key encrypted with the public key of the certificate
• Can be recovered by someone with the private key

Page 9: BitLocker Drive Encryption: How it Works and How it Compares

How BitLocker Works

Data recovery options

Recovery method: Recovery password
  Advantages:
  • Can be backed up to AD DS
  • Does not require IT physical presence
  • 48-digit password can be read over the phone by a help desk attendant
  • Users can print or save recovery passwords to a file, or this functionality can be disabled by Group Policy
  Disadvantages:
  • Not FIPS compliant

Recovery method: Recovery key
  Advantages:
  • FIPS compliant
  Disadvantages:
  • Cannot be backed up to AD DS
  • Users may store USB drives with their computer; if the key to unlock the operating system drive is stored with the computer, the protection is rendered useless
  • USB drives could be lost; if users lose the USB drive with their recovery key, they will not have a recovery method

Recovery method: Data recovery agent
  Advantages:
  • FIPS compliant
  • Automatically applied to drives
  Disadvantages:
  • IT department personnel must be physically present
  • The private key must be used to recover the drive
  • The operating system drive must be installed on another computer running Windows 7 as a data drive

- From TechNet: BitLocker Drive Encryption Design Guide for Windows 7
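Added example (not part of the deck or of Microsoft's tooling): a PowerShell check for the 48-digit recovery password format, useful when a help desk attendant reads the password over the phone (slides 8 and 9) and wants to catch a mis-heard digit before the user retypes it at the recovery screen. The format rule assumed here is the one BitLocker itself enforces: 8 groups of 6 digits, each group a multiple of 11, and each group divided by 11 must fit in 16 bits (so every group is below 720896). The sample passwords are constructed for the demonstration and do not belong to any drive.

```powershell
# Added example: structural check of a BitLocker recovery password.
# Assumed format rule: 8 groups of 6 digits; group % 11 == 0; group / 11 < 65536.
function Test-BitLockerRecoveryPassword {
    param([Parameter(Mandatory = $true)][string]$Password)

    # Accept the password with or without the dashes and spaces the viewer prints.
    $digits = $Password -replace '[-\s]', ''
    if ($digits -notmatch '^\d{48}$') {
        return [pscustomobject]@{ Valid = $false; Reason = 'Expected 48 digits in 8 groups of 6' }
    }

    for ($i = 0; $i -lt 8; $i++) {
        $group = [int]$digits.Substring($i * 6, 6)

        # A single mistyped digit changes the residue mod 11, so this catches most typos.
        if ($group % 11 -ne 0) {
            return [pscustomobject]@{ Valid = $false; Reason = "Group $($i + 1) ($group) is not a multiple of 11: likely a typo" }
        }
        # Each group encodes a 16-bit value, so group / 11 must be below 65536.
        if ([int]($group / 11) -ge 65536) {
            return [pscustomobject]@{ Valid = $false; Reason = "Group $($i + 1) ($group) is out of range" }
        }
    }

    # A well-formed password is not proof that it unlocks any particular drive.
    [pscustomobject]@{ Valid = $true; Reason = 'Format OK' }
}

# Constructed samples (not real recovery passwords): every group is 11 * k with k < 65536.
$wellFormed = '000011-000022-123453-720885-000000-654841-111111-720874'
$mistyped   = '000011-000022-123455-720885-000000-654841-111111-720874'   # third group altered

Test-BitLockerRecoveryPassword -Password $wellFormed
Test-BitLockerRecoveryPassword -Password $mistyped
```

The first call reports Valid = True; the second reports Valid = False because 123455 is not a multiple of 11. The check only validates structure: a password that passes may still belong to a different computer, which is why the recovery password should be looked up by the drive's key ID in AD DS (BitLocker Recovery Password Viewer) rather than guessed.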

Page 10: BitLocker Drive Encryption: How it Works and How it Compares

Implementation Steps

• Prep the AD schema if Win2003
• Configure group policy
• Each PC:
  • Enable the TPM in the BIOS (physical touch?)
  • Activate the TPM
  • Enable BitLocker
• Verify
• Recovery

Page 11: BitLocker Drive Encryption: How it Works and How it Compares

Implementation Steps

Configure group policy
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

User restrictions
• PIN requirements
• Can the user configure BitLocker and/or recover data?

Key backup and data recovery options
• Require successful backup to AD before locking drives

TPM options

Page 12: BitLocker Drive Encryption: How it Works and How it Compares

Implementation Steps

Each PC
• Enable and activate the TPM, take ownership, generate a random owner password

Enable BitLocker
• By script:
  • Manage-bde
  • EnableBitLocker.vbs
• Delivery options:
  • Startup script pushed out by group policy
  • SCOM
  • Et al

Page 13: BitLocker Drive Encryption: How it Works and How it Compares

Implementation Steps

Verify
• Check individual PCs via WMI GetProtectionStatus

Recovery and troubleshooting
• Use BitLocker Recovery Password Viewer for Active Directory (part of RSAT)
• Repair-bde
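Added example (not from the deck, and not the EnableBitLocker.vbs script it mentions): the per-PC steps of slides 10 to 13 as one PowerShell script for the "TPM only" scenario. It checks the TPM state through the Win32_Tpm WMI class, adds a TPM protector and a recovery password with manage-bde, backs the recovery password up to the computer's AD DS account before relying on it, starts encryption, and verifies with the Win32_EncryptableVolume GetProtectionStatus method. Assumptions: it runs elevated in PowerShell 3.0 or later on a domain-joined Windows 7 Enterprise/Ultimate PC whose TPM 1.2 is already enabled and activated in the BIOS, group policy permits AD DS backup, and the drive letter C: is an assumption. The Invoke-ManageBde helper is this example's own.

```powershell
# Added example: enable BitLocker on one PC (TPM only + recovery password), back up to AD DS, verify.
param([string]$Drive = 'C:')   # drive letter is an assumption

$tpmNs = 'root\cimv2\Security\MicrosoftTpm'
$bdeNs = 'root\cimv2\Security\MicrosoftVolumeEncryption'

function Invoke-ManageBde {
    # Helper for this example: run manage-bde and turn a non-zero exit code into a
    # terminating error so a failed step is never mistaken for success.
    param([string[]]$Arguments)
    $out = & manage-bde.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "manage-bde $($Arguments -join ' ') failed:`n$out" }
}

# Step 1: the TPM must be enabled, activated and owned before a TPM protector can be created.
$tpm = Get-WmiObject -Namespace $tpmNs -Class Win32_Tpm
if (-not $tpm)                           { throw 'No TPM visible to Windows; enable it in the BIOS first.' }
if (-not $tpm.IsEnabled().IsEnabled)     { throw 'TPM is disabled in the BIOS.' }
if (-not $tpm.IsActivated().IsActivated) { throw 'TPM is not activated.' }
if (-not $tpm.IsOwned().IsOwned)         { throw 'TPM has no owner; take ownership (tpm.msc) first.' }

$vol = Get-WmiObject -Namespace $bdeNs -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
if (-not $vol) { throw "Volume $Drive not found by the BitLocker WMI provider." }

# Step 2: add protectors only if they are missing.
# Key protector types: 1 = TPM, 3 = numerical (recovery) password.
if (@($vol.GetKeyProtectors(1).VolumeKeyProtectorID).Count -eq 0) {
    Invoke-ManageBde @('-protectors', '-add', $Drive, '-TPM')
}
if (@($vol.GetKeyProtectors(3).VolumeKeyProtectorID).Count -eq 0) {
    Invoke-ManageBde @('-protectors', '-add', $Drive, '-RecoveryPassword')
}

# Step 3: back every recovery password up to the computer object in AD DS.
# Doing this before encryption starts means a drive is never locked without a recoverable key.
$rpIds = @($vol.GetKeyProtectors(3).VolumeKeyProtectorID)
foreach ($id in $rpIds) {
    Invoke-ManageBde @('-protectors', '-adbackup', $Drive, '-id', $id)
}

# Step 4: start encryption if the volume is still fully decrypted (ConversionStatus 0).
# -SkipHardwareTest skips the reboot-time check that the TPM can release the key; drop it
# on hardware that has not been validated before.
if ($vol.GetConversionStatus().ConversionStatus -eq 0) {
    Invoke-ManageBde @('-on', $Drive, '-SkipHardwareTest')
}

# Step 5: verify. ProtectionStatus: 0 = unprotected, 1 = protected, 2 = unknown.
$conv = $vol.GetConversionStatus()
[pscustomobject]@{
    Computer                  = $env:COMPUTERNAME
    Drive                     = $Drive
    ProtectionStatus          = $vol.GetProtectionStatus().ProtectionStatus
    ConversionStatus          = $conv.ConversionStatus     # 1 = fully encrypted, 2 = encryption in progress
    PercentEncrypted          = $conv.EncryptionPercentage
    RecoveryPasswordsBackedUp = $rpIds.Count
}
```

For the "USB drive with PIN" scenario from slide 7, the TPM protector line becomes manage-bde -protectors -add C: -TPMAndPIN (manage-bde prompts for the PIN) and the group policy must allow a PIN. The script is idempotent: re-running it on an already encrypted PC only repeats the AD DS backup and prints the status object, which makes it safe as a group policy startup script.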

Page 14: BitLocker Drive Encryption: How it Works and How it Compares

Caveats

• Win7 Ultimate and Enterprise only
• Read-only access to BitLocker To Go drives on pre-Win7

Things that can mess up the TPM and prevent booting
• Docking stations
• CD-ROMs
• Smart batteries
• Moving the BitLocker-protected drive into a new computer
• Installing a new motherboard with a new TPM
• Turning off, disabling, or clearing the TPM
• Changing any boot configuration settings
• Changing the BIOS, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data

Page 15: BitLocker Drive Encryption: How it Works and How it Compares

BitLocker To Go

Removable storage encryption
• No support for DVDs/CDs

Authentication options
• Password
• Smart card

• Policies can prohibit the use of unencrypted devices but can’t force encryption
• Read-only support for pre-Win7 with the BitLocker To Go Reader

Page 16: BitLocker Drive Encryption: How it Works and How it Compares

Caveats

Hardware
• TPM 1.2

BIOS configuration
• Trusted Computing Group (TCG)-compliant BIOS
• The BIOS must be set to start first from the hard disk, and not the USB or CD drives
• The BIOS must be able to read from a USB flash drive during startup
• Physical touch to enable?

Page 17: BitLocker Drive Encryption: How it Works and How it Compares

Caveats

BitLocker To Go
• Cannot force encryption for removable devices
• Does not protect media such as CDs / DVDs the way it protects UFDs (USB flash drives)

Page 18: BitLocker Drive Encryption: How it Works and How it Compares

Caveats

• No centralized reporting or visibility into usage and status
• Deployment and monitoring
• Safe harbor: lost opportunity to reduce breach notifications and associated costs

2/3 of all breaches reported
• Lost devices or endpoints
• 85% of records
• Encryption would have negated a huge chunk of the costs and the vast majority of cases
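Added example (not from the deck): a minimal answer to the "no centralized reporting" caveat above. The script sweeps a list of PCs over WMI, reads each volume's protection and conversion status from Win32_EncryptableVolume, counts recovery-password protectors (a protected drive with none has no phone-based recovery path), writes a CSV and prints the OS drives that are not protected. Assumptions: the account running it is a local administrator on the targets, WMI/DCOM is reachable through the firewall, and the computer list and output path are placeholders; the defaults query only the local machine so the script runs as-is.

```powershell
# Added example: fleet BitLocker status report over WMI, written to CSV.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),     # e.g. (Get-Content .\pcs.txt), one hostname per line
    [string]$OutFile = '.\bitlocker-status.csv'          # placeholder path
)

$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'

# Numeric codes returned by GetProtectionStatus / GetConversionStatus, mapped to names.
$protectionNames = @{ 0 = 'Unprotected'; 1 = 'Protected'; 2 = 'Unknown' }
$conversionNames = @{ 0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress';
                      3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused' }

$rows = foreach ($pc in $ComputerName) {
    try {
        $vols = Get-WmiObject -ComputerName $pc -Namespace $ns -Class Win32_EncryptableVolume -ErrorAction Stop
        foreach ($v in $vols) {
            $conv = $v.GetConversionStatus()
            # Key protector type 3 = numerical (recovery) password.
            $rpCount = @($v.GetKeyProtectors(3).VolumeKeyProtectorID).Count
            [pscustomobject]@{
                Computer          = $pc
                Drive             = $v.DriveLetter
                Protection        = $protectionNames[[int]$v.GetProtectionStatus().ProtectionStatus]
                Conversion        = $conversionNames[[int]$conv.ConversionStatus]
                PercentEncrypted  = $conv.EncryptionPercentage
                RecoveryPasswords = $rpCount
                Error             = ''
            }
        }
    } catch {
        # Unreachable host, access denied, or no BitLocker WMI provider
        # (for example an edition below Win7 Enterprise/Ultimate). Record it rather than skip it:
        # a PC missing from the report is exactly what an auditor will ask about.
        [pscustomobject]@{
            Computer = $pc; Drive = ''; Protection = ''; Conversion = ''
            PercentEncrypted = ''; RecoveryPasswords = ''; Error = $_.Exception.Message
        }
    }
}

$rows | Export-Csv -Path $OutFile -NoTypeInformation

# Exception list: OS drives that are not protected, plus hosts that could not be queried.
$rows | Where-Object { ($_.Drive -eq 'C:' -and $_.Protection -ne 'Protected') -or $_.Error } |
    Format-Table Computer, Drive, Protection, Conversion, Error -AutoSize
```

Run it from a scheduled task and keep the CSVs: the difference between two runs shows PCs that were encrypted and later fell back to Unprotected (for example after the TPM was cleared), which is the status change the deck's "deployment and monitoring" caveat is about.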

Page 19: BitLocker Drive Encryption: How it Works and How it Compares

Brought to you by

Speakers
Chris Merritt, Director, Solutions Marketing

http://www.lumension.com/Solutions/Intelligent-Whitelisting.aspx