BitLocker Drive Encryption (BDE), or BitLocker, offers volume-level data encryption for data stored on Windows clients and servers. BitLocker protects the data when the Windows systems are offline (i.e. when the OS is shut down) and can prevent data breaches such as the theft of confidential data on laptop computers.
In the first version of BitLocker that shipped with Windows Vista, only a single volume, the OS drive, could be protected by BitLocker. Microsoft added support for BitLocker protection of different volumes, including local data volumes, in Vista SP1 and in the Windows Server 2008 release that had SP1 built in during the release to manufacturer (RTM). In Windows 7 and Windows Server 2008 R2, Microsoft added BitLocker support for removable data volumes, memory sticks, and external data drives. Microsoft refers to this feature as BitLocker To Go (BTG).
BitLocker is a great security add-on to the Windows OS as it helps organizations save money because they don’t need to invest in special third-party disk encryption software. But organizations are often reluctant to implement new security features, primarily because the features lack a proven track record. Also, new cryptographic solutions bring a certain administrative fear factor to administrators and operators.
To give you more BitLocker confidence, this article will highlight three critical steps that you must pay special attention to if you are considering deploying BitLocker in your Windows environment. BitLocker is available in the Ultimate and Enterprise editions of Vista and Windows 7 and in all Server 2008 and Server 2008 R2 editions with the exception of the Itanium edition.
Choose the Right Unlock Method
The strength of the protection BitLocker offers depends to a large extent on the authentication mechanism it uses for unlocking access to a BitLocker-protected drive. In BitLocker speak, this authentication mechanism is referred to as the unlock method.
Before a BitLocker drive is unlocked, BitLocker authenticates the drive based on identification data that the user or the OS provides and that authorizes BitLocker to unlock access to the drive. BitLocker supports different unlock methods based on user knowledge of a secret, presence of a hardware component, or software keys, or a combination of all three of these. You can select the unlock method when you set up BitLocker.
The available unlock methods differ for OS drives and for fixed or removable data drives. For example, only an OS drive can be protected using a Trusted Platform Module (TPM), a special security chip that is part of most of today’s PC motherboards. On an OS drive, you can choose one of the following unlock methods:
- TPM Only
- startup key only
- TPM + PIN code
- TPM + startup key
- TPM + PIN code + startup key
The last three of these unlock methods offer the best protection. Unlock methods involving a PIN require the user to provide a PIN code at system startup time. When a startup key is involved, at startup time the user must insert a USB token that holds the startup key.
On a fixed or removable data drive, you can choose the following three unlock methods: password, smart card + PIN, or automatic. For data drives, the smart card + PIN unlock method offers the strongest protection.
When you use a TPM-based unlock method to protect your OS drive, BitLocker provides integrity checks for critical system files, in addition to data encryption, at boot-up. On the other hand, using a TPM adds setup and management complexity and overhead. For example, the TPM must be enabled in BIOS. On most systems, this can only be done after you have defined a BIOS password. The TPM architecture also requires that an owner password be defined before the TPM can be used. The owner password allows for the clearing and disabling of a TPM and is typically owned by a system administrator.
When you consider deploying BitLocker with a TPM, you must make sure that your computers have a TPM version 1.2 chip and a BIOS that is compatible with TPM version 1.2 or later specifications. To check whether a computer includes an operational TPM chip that can be used for BitLocker, check the TPM Management snap-in (tpm.msc).
Because many organizations still have older computers that don't have a TPM and you cannot simply add a TPM to a computer, Microsoft included the startup key only unlock method for OS drives. To use this unlock method, you must make sure that your users have a USB drive and that the computer BIOS supports the reading of USB devices during computer startup. For more information on how to set up BitLocker without a TPM, read “Using BitLocker Without a Trusted Platform Module”.
When you plan to unlock your BitLocker-protected data drives with a smart card, you must make sure that your users have BitLocker-compatible certificates loaded on a smart card. To generate these certificates, you can use a certification authority (CA), create self-signed certificates, or configure an existing EFS certificate for use with BitLocker. When using smart cards, it is also recommended that you have a smart-card management software in place. You can for example use the smart card management functionality that is offered by Microsoft ForeFront Identity Manager (FIM). When you consider using smart cards, I would advise you to carefully read through the “Using certificates with BitLocker” and “Using smart card with BitLocker” articles on Microsoft TechNet.
Create a Solid Recovery Strategy
An encryption tool like BitLocker requires a solid recovery strategy, and BitLocker forces you to define a recovery method during setup. This will allow you to regain access to the data on an encrypted drive when the drive cannot be accessed. I.e. when the unlock methods that we discussed in the previous section fail.
On an OS drive, you will need a recovery method when a user forgets the PIN or loses the USB token that holds the startup key, or if the TPM registers integrity changes to the system files. For data drives, you will need a recovery method when a user forgets the password or loses the smart card. Also, if a protected data drive is configured for automatic unlocking, you will need a recovery method if the auto-unlock key stored on the computer is accidently lost, for example after a hard-disk failure or reinstallation.
BitLocker supports three recovery methods: a recovery password, a recovery key, and a data recovery agent (DRA).
A recovery password is a 48-bit numerical password that is generated during BitLocker setup. You can save the recovery password to a file, which you then preferably store on a removable drive. You can also print the password, or it can be automatically saved in Active Directory (AD). If you want to automatically store recovery passwords in AD, you must make sure that all computers can connect to your AD when they enable BitLocker. Storage of BitLocker recovery information in AD is based on an AD schema extension that creates extra attributes to attach BitLocker recovery information to AD computer objects. Server 2008 and Server 2008 R2 Domain Controllers (DCs) include this extension by default. On Windows Server 2003, you must install the BitLocker-specific schema extension.
To facilitate the viewing and retrieving of the BitLocker recovery passwords from AD, Microsoft provides an AD Users and Computers (ADUC) MMC snap-in extension. It adds a BitLocker Recovery tab to the properties of the AD computer object. The tab shows all BitLocker recovery passwords associated with a particular computer object. For Server 2008 R2, the BitLocker Active Directory Recovery Password Viewer tool is an optional feature included in the Remote Server Administration Toolkit (RSAT). For Server 2008, this extension can be downloaded here.
The second recovery method uses a 256-bit recovery key that you can save to a USB token or another location. Similar to a recovery password, a recovery key enables users to regain access to their protected drive without administrator intervention. When using a recovery key, users must insert a USB token or provide a pointer to another key location during recovery.
The third recovery method, based on a data recovery agent (DRA), always requires intervention of a member of the IT department. This method leverages a special certificate that is issued to a dedicated DRA administrator in your organization. The DRA certificate’s thumbprint is distributed to all BitLocker-protected devices using GPO settings to ensure that only the administrator with a matching DRA certificate and private key can recover the information.
Administrators can use GPO settings to configure what recovery methods are required, disallowed, or made optional. For example, administrators can use GPOs to require that the recovery password for the OS drive is stored in AD. And administrators can also use GPO settings to determine whether a recovery password can be saved to a file on disk, printed, or viewed as text.
Select an Easy Deployment Method
In larger IT environments, you can automate BitLocker deployment and configuration using a script that Microsoft provides. The script is named EnableBitLocker.vbs, and it calls on the Windows Management Instrumentation (WMI) providers for BitLocker and TPM administration. You can use the script as is, or you can customize it to better meet your organization’s needs.
To run the script, you can leverage a startup script that is applied using GPO settings or a software distribution tool, such as Microsoft Systems Management Server (SMS) or System Center Configuration Manager (SCCM).The EnableBitLocker.vbs sample WMI deployment script can be downloaded from the BitLocker Deployment Sample Resources page on MSDN.
Prior to deploying BitLocker protection for an OS drive, you may need to check the disk partitioning on the target systems. On an OS drive, BitLocker requires a separate and active system partition. This is an unencrypted partition that contains the files needed to start the OS. In Windows 7, a separate active system partition is created automatically as part of the Windows installation process. On systems that were upgraded from a previous Windows version or on systems that come preconfigured with a single partition, the BitLocker setup wizard will automatically reconfigure the target drive for BitLocker by creating the separate and active system partition.
But you don’t want to use the BitLocker setup wizard for preparing hundreds or even thousands of your systems with a single partition configuration for BitLocker. In those cases, you will want to use the Microsoft WMI script to enable BitLocker. Before you get there, you can also use a special tool called the BitLocker Drive Preparation command-line tool (BdeHdCfg), provided by Microsoft, to prepare the systems’ drives for BitLocker. You can find more information on this tool in the BdeHdCfg Parameter Reference.
For smaller BitLocker deployments, I advise you to use the BitLocker command-line tool Manage-bde.exe to configure BitLocker. This tool is designed to enable BitLocker on one computer at a time and to assist with the administration after BitLocker is enabled. Again, before you use Manage-bde.exe to enable BitLocker on an OS drive, you may need to prepare the hard disk for BitLocker by running the BitLocker Drive Preparation command-line tool.
Get It Done the Right Way
BitLocker is a very powerful security technology that has reached a good level of maturity in Windows 7 and Server 2008 R2. It requires careful planning and a design that pays special attention to selecting the right unlock method, defining a solid recovery strategy, and choosing an easy deployment method. With these three steps in mind, you’re well on your way to BitLocker confidence.