Become familiar with Windows BitLocker Drive Encryption

Scott Lowe discusses a new encryption feature that is available with Windows Vista—BitLocker Drive Encryption. Does it really offer more data protection options for mobile users?

I've written before about the critical need to secure your company's data, particularly when sensitive data is being carried around the country on a user's laptop. There are a number of options to consider when it comes to securing that data. First, you can try to find a way to avoid having users transport sensitive data at all, but this is not always feasible. Second, you can encrypt sensitive data using Windows XP's built-in EFS encryption, but this method still has some holes. (Most importantly, EFS doesn't protect the entire volume; it protects only those files and folders specifically encrypted with EFS, and it cannot protect system files or files located in the system root.) Third, you can look to a third-party vendor that provides full-disk encryption.

One other option is to upgrade your mobile users to Windows Vista. Windows Vista has a new feature that aims to help organizations keep their private data in the right hands: Windows BitLocker Drive Encryption. BitLocker provides full-volume encryption that protects the system while it is "off-line." In other words, once you've implemented BitLocker, the data on the volume stays encrypted at rest, so it remains protected even if a potential hacker gets physical access to the system. Further, organizations using BitLocker should, in theory, have less to worry about if even just a physical hard drive is lost or stolen. The disk will remain encrypted and protected.

The technical particulars

BitLocker uses either 128- or 256-bit AES (Advanced Encryption Standard) encryption; the key length is your choice and is configured through Group Policy. BitLocker works best on a system with a Trusted Platform Module (TPM) 1.2. A TPM is a separate chip on the computer's motherboard that generates the cryptographic keys on which the encryption depends. According to Microsoft and other independent testers, BitLocker Drive Encryption carries a negligible system performance penalty.

There are some caveats, though. BitLocker protects only the operating system volume of a computer. If you deploy laptops with a single volume, this isn't a problem; but on systems with multiple volumes or multiple drives, BitLocker alone cannot protect all of the data. In these circumstances, Microsoft continues to recommend EFS for non-OS volumes. EFS also becomes more effective when used in conjunction with BitLocker, because the EFS root secrets are housed on the OS volume: once BitLocker is enabled for that volume, the EFS root secrets are themselves protected by BitLocker and far less susceptible to tampering. Further, you get around one serious EFS limitation, the inability to encrypt files in the system root. Those files are now protected by BitLocker, and the rest of your system is protected with EFS.

There are also a number of areas in which BitLocker does not provide protection, including:

Tampering by system administrators: By default, these people frequently have carte blanche access to data. Encryption is not designed to keep out those who have been granted access to data.

Attacks by other authenticated users: If an attack is launched against a system using appropriate user credentials, BitLocker will freely give up your secrets. In short, BitLocker cannot protect you if your system is compromised as part of an online attack. The lesson here: multiple layers of defense remain critical. Always run a firewall, antivirus, and antispyware software for the maximum protection of your data assets.

Hardware attacks: A hacker can still attach a dedicated hardware debugger to a system and gain access to the underlying data.

I will go over a full deployment sample in my next article. However, you should know that you can deploy BitLocker in two different ways: with a TPM 1.2 or without one. Using TPM 1.2 offers the highest level of security, but not every system is capable of supporting it. To offer protection to those that cannot or will not deploy a TPM, Microsoft makes available a non-TPM deployment method. The non-TPM mode supports multiple authentication methods, including entry of a PIN by the user at boot, or insertion of a USB drive that has a startup key stored on it. In my next article, you'll see this second method in action.

And now, the bad

BitLocker is supported only on the Enterprise and Ultimate editions of Vista and will also be available under Longhorn Server. Why Microsoft would exclude the other Vista editions, particularly the Business edition, is beyond me. Only the Ultimate edition of Vista can run BitLocker in a standalone way. Further, the Enterprise edition supports BitLocker only when the machine is joined to a domain. This is not as much of a drawback as it seems at first glance: since you can store BitLocker recovery keys in Active Directory, the domain requirement makes sense. You probably don't want thousands of people out there carrying around their private recovery keys, and losing them, which would make your company's data irrecoverable.

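As an added example (not from the article), here is a small Python audit that reads the text printed by the manage-bde command-line status tool and flags the gaps described above: an OS volume that is not protected, an encryption method weaker than the key length you set through Group Policy, a data volume that BitLocker is not covering (and so needs EFS), and a volume with no recovery protector to escrow in Active Directory. The sample output is constructed to resemble manage-bde -status and is not a real capture; the required AES key length and the protector names treated as recovery protectors ("Numerical Password", "External Key") are assumptions of the example.

```python
"""Audit BitLocker coverage from `manage-bde -status` text (added example).

The sample below is constructed to resemble the tool's output; it is not a
real capture. Protector names and the policy values are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample modelled on manage-bde -status output (not a real capture).
SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool
Copyright (C) Microsoft Corporation. All rights reserved.

Volume C: [Windows]
[OS Volume]

    Size:                 119.00 GB
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 465.00 GB
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Key Protectors:       None Found
"""

# Protectors that let an administrator recover the volume (assumed names).
RECOVERY_PROTECTORS = {"Numerical Password", "External Key"}

HEADER = re.compile(r"^Volume ([A-Z]): \[(.*)\]\s*$")


@dataclass
class VolumeStatus:
    letter: str
    label: str
    kind: str = ""                 # "OS Volume" or "Data Volume"
    fields: Dict[str, str] = field(default_factory=dict)
    protectors: List[str] = field(default_factory=list)

    @property
    def protection_on(self) -> bool:
        return self.fields.get("Protection Status", "").startswith("Protection On")

    @property
    def aes_bits(self) -> Optional[int]:
        """Key length parsed from 'Encryption Method' (e.g. 'AES 256'); None if not AES."""
        m = re.search(r"AES[ -]?(\d+)", self.fields.get("Encryption Method", ""))
        return int(m.group(1)) if m else None


def parse_status(text: str) -> List[VolumeStatus]:
    """Split the status text into one VolumeStatus per 'Volume X: [label]' block."""
    volumes: List[VolumeStatus] = []
    current: Optional[VolumeStatus] = None
    in_protectors = False
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = VolumeStatus(m.group(1), m.group(2))
            volumes.append(current)
            in_protectors = False
            continue
        if current is None:
            continue                      # banner lines before the first volume
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("[") and stripped.endswith("]") and not current.kind:
            current.kind = stripped[1:-1]  # the "[OS Volume]" / "[Data Volume]" line
            continue
        if in_protectors and line.startswith("        "):
            current.protectors.append(stripped)  # protector entries are indented deeper
            continue
        in_protectors = False
        key, sep, value = stripped.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Key Protectors":
            in_protectors = True
            if value and value != "None Found":
                current.protectors.append(value)
        else:
            current.fields[key] = value
    return volumes


def audit(volumes: List[VolumeStatus], required_aes_bits: int = 256) -> List[str]:
    """Return one finding per gap; an empty list means every volume meets policy."""
    findings: List[str] = []
    for v in volumes:
        name = f"{v.letter}: ({v.kind})"
        if not v.protection_on:
            if v.kind == "OS Volume":
                findings.append(f"{name}: OS volume is not protected by BitLocker")
            else:
                findings.append(f"{name}: data volume is not encrypted; BitLocker covers "
                                "only the OS volume here, so this data needs EFS")
            continue
        bits = v.aes_bits
        if bits is None or bits < required_aes_bits:
            findings.append(f"{name}: encryption method '{v.fields.get('Encryption Method')}' "
                            f"is weaker than the {required_aes_bits}-bit policy")
        if not RECOVERY_PROTECTORS & set(v.protectors):
            findings.append(f"{name}: no recovery protector; escrow a recovery password "
                            "in Active Directory before rollout")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_status(SAMPLE_STATUS), required_aes_bits=256):
        print(finding)
```

On the constructed sample, with a 256-bit policy the audit reports that C: is encrypted with AES 128 (weaker than policy) and that D: is not covered at all; with a 128-bit policy only the D: finding remains. Pointing `parse_status` at the real text from `manage-bde -status` turns this into a quick per-machine compliance check against the Group Policy settings you chose.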
While it has its limitations, BitLocker is a welcome addition to the family. The tool provides enterprises with additional data protection options that can help organizations keep data safe.
