Prevent data theft with Windows Vista's Encrypted File System (EFS) and BitLocker

These days, when a stolen notebook can lead to a catastrophic security breach, protecting the data on company computers is absolutely essential. Vista's improved EFS and new BitLocker feature provide a one-two security punch, compensating for each other's weaknesses and offering complementary, multilevel protection.


It seems as though every other month you hear about a major breach of security, with someone losing a computer containing tons of sensitive consumer information. Just within the last year, I've been inundated with "your data was exposed" letters. In mid-2005, one of the country's largest credit card companies exposed 40 million accounts. The company was cut off from Visa and AMEX within weeks, putting it out of business in a flash.

With all the new breach notification laws that are in effect now, or that soon will be, any company that wants to keep its customers must do everything possible to secure its data. The Ponemon Institute conducted research showing that companies lost a significant number of customers by the second data breach and lost all their customers by the third incident.

One of the main components of keeping company data safe is the security of PCs, and especially notebooks, since they can easily be stolen. Windows Vista offers two encryption features, an improved EFS (Encrypting File System) and the new BitLocker, and between them it's possible to cover every part of the disk on a Vista PC. EFS on Windows 2000 and XP provides only partial protection, because the Windows directory, the page file, and deleted temporary files fall outside what EFS can encrypt. For example:

  • Attackers with offline access to the Windows directory can run dictionary attacks against the stored password hashes at lightning speed, and the vast majority of passwords fall within a day. Because the user's EFS private key is itself protected by that password, the encrypted files might as well be wide open once the password is known.
  • The page file can contain clear-text copies of data from encrypted files that was paged out of memory, and it can be read offline.
  • The temporary directory used during the EFS encryption process holds clear-text copies of files that eventually get encrypted. Those copies are deleted, of course, but the raw data remains in the drive's free space for anyone with a disk editor to recover.

EFS works after Windows boots, while BitLocker works before Windows and operates seamlessly beneath the operating system. EFS works at the file system level and encrypts individual files under per-user keys (each file's key is wrapped with the user's EFS certificate, so it fits into a PKI); BitLocker is a low-level mechanism that encrypts an entire volume and has no concept of users or certificates. This means that EFS offers high-level manageability, while BitLocker operates at a low level without those manageability features but can protect the spots EFS can't. Files encrypted by EFS can't practically be decrypted without the user's (or a recovery agent's) private key, although file names and the directory structure are not protected. A Windows partition encrypted by BitLocker is completely scrambled when viewed offline, so you can't even tell what the file names and directory structure are.

BitLocker's weak moment is a computer that was left running or put into standby (sleep), because the volume is already unlocked and its key is sitting in RAM, so the pre-boot key is not needed. The attack is still hard to pull off: powering the machine off would discard the key, so the attacker has to extract it from the memory of the running system. The recommended procedure for users is to either shut down the PC or use the hibernate option, because the hibernation file lives on the encrypted volume and resuming from it requires the BitLocker key again. That key is released either by a TPM module on the motherboard or from a startup key stored on a plain USB flash drive that you can carry on your keychain. Because a stolen notebook includes its TPM, TPM-only mode protects just against attacks on the disk itself; you should combine the TPM with a PIN (TPM+PIN) so the key is not released merely because the machine boots. The USB startup key, on the other hand, has no PIN or password at all, so it's a good idea not to store it with the notebook in the bag.

Since BitLocker in Vista as originally released won't encrypt additional hard drive volumes, whether they're logical partitions on the same physical disk or additional disks (Vista SP1 later added BitLocker support for other fixed volumes), you must use EFS to encrypt those volumes by selecting all the folders and files from the root. EFS, on the other hand, can't be used to encrypt the entire boot partition. It can't touch the operating system files because Windows won't boot if they're EFS-encrypted. This means that EFS and BitLocker are essentially the perfect partners, compensating for each other's weaknesses.

There are exceptions where BitLocker can be used entirely on its own: a computer with only one hard drive and one partition (not counting the special 1.5 GB BitLocker pre-boot partition). For home users who just want to keep things simple and load everything on a single partition on a single hard drive, using only BitLocker is perfectly reasonable. But if there's more than one partition or more than one hard drive, EFS must be used for everything outside the partition Windows is installed on. To learn how to implement BitLocker for Vista Enterprise and Ultimate editions, see "Follow these steps to secure your hard drive with Vista BitLocker."
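The following PowerShell script is an added example, not part of the original article or a Microsoft-supplied tool. It audits the two-layer setup described above on one machine: it queries BitLocker's WMI class (Win32_EncryptableVolume in the root\cimv2\Security\MicrosoftVolumeEncryption namespace) to report which volumes are protected and which key protectors they use, flags an OS volume whose only boot-time protector is the bare TPM (no PIN), and then prints the cipher.exe commands that would EFS-encrypt every fixed NTFS volume BitLocker does not cover and wipe that volume's free space to destroy the deleted clear-text temporary copies. It assumes an elevated PowerShell prompt on a Vista Enterprise or Ultimate machine with BitLocker installed; the function names Get-BitLockerAudit and Get-EfsPlan are the example's own, and the cipher commands are printed for review rather than executed.

```powershell
# Added example (not from the article): audit BitLocker coverage, then plan EFS + free-space wipe
# for every fixed NTFS volume BitLocker leaves unprotected. Run from an elevated prompt.

$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'

# KeyProtectorType values as documented for Win32_EncryptableVolume.GetKeyProtectorType
$protectorNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key (USB startup key)';
    3 = 'Numerical password (recovery)'; 4 = 'TPM+PIN'; 5 = 'TPM+startup key';
    6 = 'TPM+PIN+startup key'; 7 = 'Public key'; 8 = 'Passphrase'
}

function Get-BitLockerAudit {
    $vols = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume
    foreach ($v in $vols) {
        # ProtectionStatus: 0 = protection off, 1 = on, 2 = unknown
        $status = $v.GetProtectionStatus().ProtectionStatus
        # Argument 0 asks for protectors of every type
        $ids = @($v.GetKeyProtectors(0).VolumeKeyProtectorID)
        $types = @()
        foreach ($id in $ids) {
            $t = $v.GetKeyProtectorType($id).KeyProtectorType
            $types += $protectorNames[[int]$t]
        }
        # A stolen notebook takes its TPM with it, so a bare-TPM protector with no PIN is flagged
        $weak = ($status -eq 1) -and ($types -contains 'TPM') -and
                -not ($types -contains 'TPM+PIN' -or $types -contains 'TPM+PIN+startup key')
        $o = "" | Select-Object Drive, Protected, Protectors, TpmWithoutPin
        $o.Drive         = $v.DriveLetter
        $o.Protected     = ($status -eq 1)
        $o.Protectors    = ($types -join ', ')
        $o.TpmWithoutPin = $weak
        $o
    }
}

function Get-EfsPlan {
    # Every fixed NTFS volume that BitLocker is not protecting needs EFS applied from its root.
    $audit = @(Get-BitLockerAudit)
    $fixed = Get-WmiObject Win32_LogicalDisk -Filter "DriveType = 3 AND FileSystem = 'NTFS'"
    foreach ($d in $fixed) {
        $covered = $audit | Where-Object { $_.Drive -eq $d.DeviceID -and $_.Protected }
        if (-not $covered) {
            $root = $d.DeviceID + '\'
            # /E encrypt, /S:dir walk the whole tree, /A include existing files (not just directory flags)
            "cipher.exe /E /S:$root /A"
            # /W overwrites deallocated space so deleted clear-text temp copies cannot be recovered
            "cipher.exe /W:$root"
        }
    }
}

Get-BitLockerAudit | Format-Table Drive, Protected, Protectors, TpmWithoutPin -AutoSize
Get-EfsPlan
```

Read the audit table first: any row with TpmWithoutPin set to True is a BitLocker volume whose key the TPM will hand over to whoever boots the stolen machine, which is the case the TPM+PIN advice above is meant to close. Before running the printed cipher.exe lines, back up the user's EFS certificate and private key (cipher.exe /X does this) and expect the /W pass to take a long time on a large volume, since it fills all free space three times.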

By covering the Windows directory, the page file, and the temporary directory, BitLocker closes the holes that expose EFS. By understanding users and PKI, and in Vista by allowing EFS keys to live on physical smart cards or USB cryptographic modules, EFS offers scalable, enterprise-level manageability. Armed with BitLocker and EFS, PCs and notebooks can be secured against data theft if they're ever stolen.
