BitLocker Drive Encryption (BDE), or BitLocker, provides full-volume encryption for data stored on Windows clients and servers. BitLocker protects data at rest, that is, when the Windows system is offline (the OS is shut down) and the disk is accessed outside of the running Windows installation, and so helps prevent data breaches such as the theft of confidential data from a lost or stolen laptop.
In the first version of BitLocker, which shipped with Windows Vista, only a single volume, the OS drive, could be protected. Microsoft added support for protecting other volumes, including local data volumes, in Vista SP1 and in Windows Server 2008, whose release to manufacturing (RTM) build already included the SP1 code base. In Windows 7 and Windows Server 2008 R2, Microsoft added BitLocker support for removable data volumes such as USB flash drives and external data drives. Microsoft refers to this feature as BitLocker To Go (BTG).
BitLocker is a great security addition to the Windows OS: because it is built in, organizations can save money that they would otherwise spend on third-party disk encryption software. But organizations are often reluctant to implement new security features, primarily because the features lack a proven track record. New cryptographic solutions also bring a certain fear factor for administrators and operators, because a mistake in key handling can lock an organization out of its own data.
To give you more BitLocker confidence, this article highlights three critical steps that you must pay special attention to if you are considering deploying BitLocker in your Windows environment. BitLocker is available in the Ultimate and Enterprise editions of Vista and Windows 7 and in all Server 2008 and Server 2008 R2 editions, with the exception of the Itanium-based editions.
Choose the Right Unlock Method
The strength of the protection BitLocker offers depends to a large extent on the authentication mechanism it uses for unlocking access to a BitLocker-protected drive. In BitLocker speak, this authentication mechanism is referred to as the unlock method.
Before BitLocker unlocks a drive, it requires the user or the OS to present the credential that authorizes access to that drive. The supported unlock methods are built from something the user knows (a PIN or password), something the user has (a USB startup key or a smart card), the boot-time state of the platform as measured by the TPM, or a combination of these. You select the unlock method when you set up BitLocker.
The available unlock methods differ for OS drives and for fixed or removable data drives. For example, only an OS drive can be protected using a Trusted Platform Module (TPM), a special security chip that is part of most of today’s PC motherboards. On an OS drive, you can choose one of the following unlock methods:
- TPM only
- Startup key only
- TPM + PIN
- TPM + startup key
- TPM + PIN + startup key
The last three of these unlock methods combine the TPM with a second factor and offer the best protection: with TPM only, the drive unlocks without any user interaction whenever the measured boot environment is unchanged, so whoever has physical possession of the machine can boot it to the logon screen. Unlock methods involving a PIN require the user to enter the PIN at system startup. When a startup key is involved, the user must insert a USB drive holding the startup key (a .BEK file) at startup.
On a fixed or removable data drive, you can choose between three unlock methods: a password, a smart card plus its PIN, or automatic unlock. Automatic unlock stores the data drive's key on the OS drive, so it is only available when the OS drive is itself BitLocker-protected, and it is only as strong as the OS drive's unlock method. For data drives, the smart card + PIN unlock method offers the strongest protection.
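The same choices can be made from the command line with manage-bde, the BitLocker tool that ships with Windows 7 and Windows Server 2008 R2. The following is an added example, not code from the original article; the drive letters C:, D: and E: and the certificate thumbprint placeholder are assumptions:

```powershell
# Added example (not from the original article): configuring each unlock
# method with manage-bde from an elevated prompt on Windows 7 / Server 2008 R2.
# Drive letters are assumptions: C: = OS drive, D: = data drive, E: = USB drive.

# 1. OS drive, TPM + PIN. The Group Policy setting "Require additional
#    authentication at startup" must allow a startup PIN. Always add a
#    recovery password too, so a changed boot environment (firmware update,
#    new boot loader) does not lock you out of the drive.
manage-bde -protectors -add C: -TPMAndPIN
manage-bde -protectors -add C: -RecoveryPassword
manage-bde -on C:

# 1b. OS drive on hardware without a TPM: startup key only. Requires the
#     "Allow BitLocker without a compatible TPM" policy option. The .BEK
#     startup key is written to the USB drive E:.
# manage-bde -protectors -add C: -StartupKey E:\
# manage-bde -protectors -add C: -RecoveryPassword
# manage-bde -on C:

# 2. Fixed data drive, password unlock plus a recovery password.
manage-bde -protectors -add D: -Password
manage-bde -protectors -add D: -RecoveryPassword
manage-bde -on D:

# 3. Data drive, smart card unlock. The certificate on the card is
#    selected by thumbprint (the value below is a placeholder).
# manage-bde -protectors -add D: -Certificate -ct 0123456789ABCDEF0123456789ABCDEF01234567

# 4. Automatic unlock of the data drive. Only works when C: is itself
#    BitLocker-protected, because the key for D: is stored on C:.
manage-bde -autounlock -enable D:

# Verify the protectors that are now in place on each volume.
manage-bde -protectors -get C:
manage-bde -protectors -get D:
manage-bde -status
```

The protector is added before encryption is switched on so that the drive never has a window in which it is encrypted but unprotected, and manage-bde -status shows the unlock method per volume, which is the quickest way to audit a fleet for TPM-only OS drives.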
When you use a TPM-based unlock method to protect your OS drive, BitLocker adds an integrity check of the early boot components (such as the BIOS, the master boot record, the boot sector, and the boot manager) on top of data encryption. These components are measured into the TPM's platform configuration registers during boot, and the TPM releases the volume key only if the measurements match those recorded when BitLocker was set up. If they differ, for example after a firmware update or because the boot loader was tampered with, BitLocker does not unlock the drive and enters recovery mode, which is why a recovery password must always be available. On the other hand, using a TPM adds setup and management complexity and overhead. For example, the TPM must be enabled in the BIOS. On most systems, this can only be done after you have defined a BIOS password. The TPM architecture also requires that an owner password be defined before the TPM can be used. The owner password authorizes clearing and disabling the TPM and is typically held by a system administrator.
When you consider deploying BitLocker with a TPM, you must make sure that your computers have a TPM version 1.2 chip and a Trusted Computing Group (TCG)-compliant BIOS that supports the TPM 1.2 or later specifications. To check whether a computer includes an operational TPM that can be used for BitLocker, open the TPM Management snap-in (tpm.msc).
Because many organizations still have older computers that don't have a TPM, and you cannot simply add a TPM to an existing computer, Microsoft included the startup key only unlock method for OS drives. To use this unlock method, you must enable the "Allow BitLocker without a compatible TPM" option of the Group Policy setting "Require additional authentication at startup", make sure that your users have a USB drive, and make sure that the computer BIOS can read USB devices during startup; the BitLocker system check that runs before encryption starts verifies the latter by reading the key back from the USB drive. For more information on how to set up BitLocker without a TPM, read "Using BitLocker Without a Trusted Platform Module".
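The tpm.msc check can be scripted for a fleet with the Win32_Tpm WMI class, which lives in the root\cimv2\Security\MicrosoftTpm namespace. The script below is an added example, not part of the original article; it assumes an elevated PowerShell session on Windows 7 or Windows Server 2008 R2 and sorts the machine into the unlock methods discussed above:

```powershell
# Added example, not from the original article. Scripts the TPM readiness
# check that tpm.msc shows interactively, using the Win32_Tpm WMI class.
# Assumes an elevated PowerShell session (Windows 7 / Server 2008 R2).

$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm

if ($tpm -eq $null) {
    Write-Output 'No TPM detected (none present, or it is disabled in the BIOS).'
    Write-Output 'OS-drive BitLocker on this machine needs the startup key only unlock method.'
    return
}

# SpecVersion is a comma-separated string such as "1.2, 2, 3"; the first
# field is the TCG specification version that BitLocker requires (>= 1.2).
$specVersion = [version](($tpm.SpecVersion -split ',')[0].Trim())

# The *_InitialValue properties reflect TPM state at the moment the WMI
# object was created, which is what we want for a one-shot readiness check.
$enabled   = $tpm.IsEnabled_InitialValue
$activated = $tpm.IsActivated_InitialValue
$owned     = $tpm.IsOwned_InitialValue

Write-Output ('TPM spec version : {0}' -f $specVersion)
Write-Output ('Enabled in BIOS  : {0}' -f $enabled)
Write-Output ('Activated        : {0}' -f $activated)
Write-Output ('Owned            : {0}' -f $owned)

if ($specVersion -lt [version]'1.2') {
    Write-Output 'TPM is older than version 1.2 and cannot be used by BitLocker.'
} elseif (-not ($enabled -and $activated)) {
    Write-Output 'TPM must be enabled and activated in the BIOS before BitLocker can use it.'
} elseif (-not $owned) {
    Write-Output 'TPM is usable but has no owner yet; tpm.msc or the BitLocker wizard will set the owner password.'
} else {
    Write-Output 'TPM is ready for a TPM-based unlock method (prefer TPM + PIN).'
}
```

Run this across the inventory before rollout: machines that report no TPM or a pre-1.2 TPM go into the startup-key group, machines whose TPM is present but not enabled need a BIOS visit (and, on most systems, a BIOS password) before BitLocker can be enabled on them.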
When you plan to unlock your BitLocker-protected data drives with a smart card, you must make sure that your users have BitLocker-compatible certificates loaded on a smart card, that is, certificates whose enhanced key usage includes the BitLocker Drive Encryption object identifier (1.3.6.1.4.1.311.67.1.1 by default; the Group Policy setting "Validate smart card certificate usage rule compliance" can change the identifier that BitLocker accepts). To generate these certificates, you can use a certification authority (CA), create self-signed certificates, or configure an existing EFS certificate for use with BitLocker. When using smart cards, it is also recommended that you have smart card management software in place, for example the smart card management functionality offered by Microsoft Forefront Identity Manager (FIM). When you consider using smart cards, I would advise you to carefully read through the "Using certificates with BitLocker" and "Using smart card with BitLocker" articles on Microsoft TechNet.