When Microsoft introduced Windows Vista, one of its most anticipated features was its encryption capability, called BitLocker. Many mistakenly refer to BitLocker as whole-disk encryption, but the more accurate description is full-volume encryption.
This distinction is important. A single physical disk can be partitioned into multiple volumes. Whole-disk encryption encrypts all the data on the entire physical disk, while full-volume encryption protects each volume or partition separately. BitLocker might be encrypting the volume designated as the C: drive while the data on other volumes of the same disk remains unencrypted unless those volumes are encrypted too.
BitLocker can protect a volume with a Trusted Platform Module (TPM), with user authentication (a preboot PIN or password), with a USB startup key, or with combinations of these. BitLocker encrypts entire logical volumes, which distinguishes it from Microsoft's Encrypting File System (EFS): EFS encrypts only selected files or folders, ties its keys to individual user accounts and protects data only inside a running Windows session, whereas BitLocker protects everything on the volume, including OS files, the page file and hibernation file, before Windows even starts.
History of BitLocker
The initial version of BitLocker, released in 2007, encrypted only the Windows Vista boot volume. For larger hard drives with multiple volumes, this left a significant amount of data unprotected. With the release of Windows Server 2008 and Windows Vista Service Pack 1, Microsoft expanded the scope of BitLocker so it could encrypt any data volume. Windows 7 broadened the reach of BitLocker further with BitLocker To Go, which encrypts removable media such as USB flash drives. Windows 8 added a PowerShell module for managing BitLocker.
BitLocker stands out from competing commercial disk encryption products as it is built into business versions of the Windows OS. BitLocker is preinstalled on Pro, Enterprise and Education versions of Windows 10 and is free. This enables businesses, both large and small, to utilize the capabilities of BitLocker to address not only security, but also compliance given the safe harbor benefits of encrypted data.
BitLocker's default TPM protector requires a TPM version 1.2 or later, and automatic device encryption on newer Windows 10 hardware additionally expects Unified Extensible Firmware Interface (UEFI) Secure Boot and a device that passes Hardware Security Test Interface (HSTI) validation. Together these ensure the platform starts in a known-good, measured state rather than being secured only after the OS is running.
How does BitLocker work?
BitLocker requires a small unencrypted system partition that holds the boot manager and the other files Windows needs to start before the encrypted OS volume can be unlocked. On Windows Vista, Microsoft shipped the BitLocker Drive Preparation Tool to create that second partition and move the boot files into it, producing the split-load configuration BitLocker relies on; since Windows 7, setup creates the system partition automatically.
Once the drive is partitioned and the volume encrypted, the system follows a fixed sequence at every boot to unlock the volume and decrypt data on demand. As with any encryption scheme, that sequence is about keys.
Data sectors on the volume are encrypted with the full-volume encryption key (FVEK). The FVEK is itself stored on the volume in encrypted form and is never handled by the user. It is encrypted by the volume master key (VMK), and the VMK in turn is protected by one or more key protectors: the TPM, a PIN, a USB startup key or a 48-digit recovery password. Unlocking a volume means using a protector to release the VMK, which decrypts the FVEK, which decrypts the sectors. This indirection is what lets administrators add or remove protectors, or rotate a compromised recovery password, without re-encrypting the data.
By default, BitLocker relies on a TPM chip. The TPM, soldered to the motherboard, records measurements (hashes) of the firmware, boot manager and other early boot components into its platform configuration registers, and BitLocker seals the VMK to those measurements. The TPM releases the key only if the measurements at the next boot match, which gives a hardware-rooted check that the boot chain has not been tampered with.
By itself, the TPM does not prevent an unauthorized user from accessing a BitLocker-encrypted volume. In TPM-only mode, whoever has the machine can simply power it on: as long as the measured boot chain matches, the TPM releases the VMK, BitLocker decrypts the volume and Windows boots to the logon screen, leaving the attacker to defeat only the Windows logon or to recover keys from memory with a cold boot attack. For that reason, an additional authentication factor should be used alongside the TPM. The available options for BitLocker include the following:
- TPM plus a PIN
- TPM plus a USB key
- TPM plus a PIN and a USB key
- USB key-only
The USB key-only option is typically available only when BitLocker is deployed on a system without a TPM. Administrators must explicitly allow it through the Group Policy setting "Require additional authentication at startup" by enabling "Allow BitLocker without a compatible TPM."
The USB key-only and TPM plus PIN and USB key options add cost and administrative overhead to provision and maintain the USB keys. The keys are also easy to lose or misplace, which drives support desk calls to recover access to BitLocker-encrypted systems.
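The following is an added example, not code from the original article or from Microsoft: it configures a Windows 10 Pro/Enterprise host for TPM plus PIN, enables BitLocker on the OS volume and lists the resulting key protectors. It assumes an elevated PowerShell session with the built-in BitLocker and TrustedPlatformModule modules; the drive letter comes from the environment and the PIN is entered interactively. The registry value names under the FVE key mirror the Group Policy setting "Require additional authentication at startup"; in a domain you would set them through a GPO rather than writing the registry, and you should verify the names against the FVE ADMX template in your environment.

```powershell
# Added example (not from the original article): enable BitLocker with a
# TPM + PIN protector on the OS volume. Elevated session assumed.
$OsDrive = $env:SystemDrive          # normally "C:"

# 1. Confirm the TPM is present and ready; the default protector depends on it.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready; fix firmware settings before enabling BitLocker."
}

# 2. Out of the box, Windows allows TPM-only but not TPM+PIN. The policy
#    "Require additional authentication at startup" is backed by these values:
#    for each Use* value, 0 = do not allow, 1 = require, 2 = allow.
#    (Registry writes below are the standalone-host equivalent of a GPO;
#    value names are as the FVE policy template defines them.)
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 1 -Type DWord   # require TPM+PIN
Set-ItemProperty -Path $fve -Name UseTPM             -Value 0 -Type DWord   # forbid TPM-only
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 0 -Type DWord   # no USB-only fallback

# 3. Enable encryption with a TPM+PIN protector. -UsedSpaceOnly encrypts only
#    allocated space (fast on a fresh install); omit it for a drive that has
#    held data before, so deleted-but-unwiped sectors are covered too.
$pin = Read-Host -AsSecureString -Prompt 'Enter the preboot PIN (6 or more digits)'
Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
    -TpmAndPinProtector -Pin $pin -UsedSpaceOnly

# 4. Inspect the result. KeyProtector lists every protector able to release the
#    VMK; the volume is only as strong as the weakest one in that list.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
$vol | Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
```

Enable-BitLocker runs a hardware test on the next reboot before encryption begins, which is the check that catches a TPM or boot-chain problem before any data is locked away; avoid -SkipHardwareTest outside of lab use. Before rolling this out, add a recovery password protector (Add-BitLockerKeyProtector -RecoveryPasswordProtector) and escrow it, because a forgotten PIN with no recovery path means the data is gone.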
How to manage BitLocker keys
One of the most important considerations for enterprises before encrypting data with BitLocker is how to store and manage recovery keys. In the event that users forget a PIN, lose a USB key or are unable to access their BitLocker-encrypted system for any reason, the support desk must have the ability to help them recover their data and gain access to their system.
Users can be issued a USB key containing the BitLocker recovery key to use as a backup when the need arises. For deployments that already use a USB startup key for BitLocker authentication, this would be a second, backup key for use if the primary key is lost or stolen. The drawback is that the backup USB key will most likely be stored with the laptop, so a thief who steals the laptop gets the keys as well.
A better option is to escrow the recovery password in Active Directory Domain Services or, for Azure AD-joined devices, in Azure AD; the same can be scripted with PowerShell. Administrators can configure Group Policy so that recovery passwords are generated and written to AD automatically when BitLocker is enabled, and so that BitLocker refuses to start encrypting until the backup to AD has succeeded.
Extended support for the original enterprise BitLocker management tool, Microsoft BitLocker Administration and Monitoring (MBAM), runs until 2024. Microsoft System Center Configuration Manager (now Microsoft Endpoint Configuration Manager), which has absorbed MBAM's functionality, can manage BitLocker on the computers it images. Commercial endpoint security products from vendors such as McAfee and Symantec also offer native BitLocker management.
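The following is an added example, not code from the original article or from Microsoft: it sets the recovery policy so that encryption cannot start until the recovery password is escrowed, makes sure the OS volume has a numerical recovery password protector, and backs that protector up to Active Directory (or, on Azure AD-joined devices, to Azure AD). It assumes an elevated session on a domain-joined Windows 10 machine whose AD schema has the BitLocker extensions and whose computer account is allowed to write its recovery information. The FVE registry value names mirror the Group Policy setting "Choose how BitLocker-protected operating system drives can be recovered"; set them through a GPO in a domain and verify the names against the FVE ADMX template.

```powershell
# Added example (not from the original article): escrow BitLocker recovery
# passwords in AD DS or Azure AD. Elevated session assumed.
$OsDrive = $env:SystemDrive
$fve     = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# 1. Recovery policy. OSRequireActiveDirectoryBackup=1 makes BitLocker refuse
#    to begin encrypting until the recovery information is safely in AD.
#    OSRecoveryPassword: 0 = do not allow, 1 = allow, 2 = require.
#    OSActiveDirectoryInfoToStore: 1 = passwords and key packages, 2 = passwords only.
#    (Standalone-host equivalent of the GPO; value names per the FVE template.)
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name OSRecovery                     -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name OSRecoveryPassword             -Value 2 -Type DWord
Set-ItemProperty -Path $fve -Name OSRecoveryKey                  -Value 0 -Type DWord  # no key files on USB
Set-ItemProperty -Path $fve -Name OSActiveDirectoryBackup        -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name OSRequireActiveDirectoryBackup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name OSActiveDirectoryInfoToStore   -Value 1 -Type DWord

# 2. Make sure the volume has a 48-digit recovery password protector (the one
#    the support desk reads out over the phone), creating it if absent.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    $vol = Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# 3. Escrow every recovery password protector. In AD DS this creates an
#    msFVE-RecoveryInformation child object under the computer account.
foreach ($p in $rp) {
    Backup-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $p.KeyProtectorId
    # Azure AD-joined device instead? Use the Azure AD variant:
    # BackupToAAD-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $p.KeyProtectorId
}

# 4. Verify from an admin workstation with the RSAT ActiveDirectory module:
#    the password should appear as a child object of the computer account.
# $dn = (Get-ADComputer $env:COMPUTERNAME).DistinguishedName
# Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase $dn `
#     -Properties msFVE-RecoveryPassword | Select-Object Name, msFVE-RecoveryPassword
```

Two operational points follow from the key hierarchy: a recovery password that has been read out to a user should be treated as burned and replaced (Remove-BitLockerKeyProtector, then Add-BitLockerKeyProtector -RecoveryPasswordProtector and a fresh backup), and the escrowed value should never also sit in a text file on the device it unlocks.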
BitLocker security concerns
Microsoft states that BitLocker contains no built-in backdoor for governments to access data. However, there have been flaws in TPM firmware that could have enabled attackers to bypass BitLocker encryption. Once aware of the issues, Microsoft and the TPM vendors shipped TPM firmware updates via Windows Update. Where such a flaw affects the TPM's key generation, the firmware update alone is not enough: the TPM must be cleared and the BitLocker protectors recreated so that fresh keys are generated by the corrected firmware.
In September 2019, Microsoft released an update changing the default BitLocker encryption setting for self-encrypting drives (SEDs). Until then, BitLocker deferred encryption to the drive's own hardware on SEDs that advertised it and did not encrypt the data at the software level, so the protection was only as good as the drive vendor's implementation, and independent research had shown that some of those implementations could be bypassed. The new default uses BitLocker's own software encryption for newly encrypted drives. Volumes that were already hardware-encrypted are not converted by the change; they must be decrypted and re-encrypted to move to software encryption.
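The following is an added example, not code from the original article or from Microsoft: it finds volumes still relying on the drive's hardware encryption, pins the policy so every future encryption uses BitLocker's software AES-XTS regardless of the default, and flags the volumes that need a decrypt/re-encrypt cycle. It assumes an elevated session on Windows 10. The FVE registry value names correspond to the Group Policy settings "Configure use of hardware-based encryption for operating system drives / fixed data drives / removable data drives"; set them by GPO in a domain and verify the names against the FVE ADMX template.

```powershell
# Added example (not from the original article): detect and retire SED
# hardware encryption in favour of BitLocker software encryption.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# 1. Inventory. Get-BitLockerVolume reports EncryptionMethod 'Hardware' when
#    BitLocker handed the work to the drive; software encryption shows the
#    cipher instead (XtsAes128/XtsAes256, or Aes128/Aes256 on older volumes).
$vols = Get-BitLockerVolume
$vols | Select-Object MountPoint, VolumeType, VolumeStatus, EncryptionMethod, ProtectionStatus
$hw = $vols | Where-Object { $_.EncryptionMethod -eq 'Hardware' }

# 2. Policy. Value 0 = "Disabled", which forces software encryption for any
#    drive encrypted from now on. The September 2019 update only changed the
#    default; an explicit policy makes the choice auditable and GPO-enforced.
#    (Value names per the FVE policy template; OS = OS drive, FDV = fixed
#    data drive, RDV = removable data drive.)
New-Item -Path $fve -Force | Out-Null
foreach ($prefix in 'OS', 'FDV', 'RDV') {
    Set-ItemProperty -Path $fve -Name "${prefix}HardwareEncryption" -Value 0 -Type DWord
}

# 3. Existing hardware-encrypted volumes are NOT converted by the policy.
#    Each must be fully decrypted and then re-encrypted; this is slow and
#    user-visible, so schedule it rather than running it on a live laptop.
foreach ($v in $hw) {
    Write-Warning ("{0} relies on drive hardware encryption; decrypt and re-encrypt " +
                   "to move it to software AES-XTS.") -f $v.MountPoint
    # Disable-BitLocker -MountPoint $v.MountPoint
    # ... wait until (Get-BitLockerVolume $v.MountPoint).VolumeStatus -eq 'FullyDecrypted', then:
    # Enable-BitLocker -MountPoint $v.MountPoint -EncryptionMethod XtsAes256 -TpmProtector
}

# 4. Return the offending volumes so the script can feed a compliance report.
$hw | Select-Object MountPoint, VolumeType, EncryptionMethod
```

Re-enabling after decryption runs as a fresh Enable-BitLocker, so any PIN or recovery password protectors must be added again and the new recovery password escrowed; the old one stored in AD no longer unlocks anything and should be cleaned up.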