Windows 7 and Server 2008 R2 volume-level data encryption
In Windows Vista and Windows Server 2008 Microsoft introduced BitLocker Drive Encryption (BDE), which offers volume-level data encryption for data stored on Windows clients and servers. BDE protects the data when the systems are offline (when the OS is shut down).
BDE also makes the OS itself more resilient in the face of attacks. When BDE is applied to the system volume, it provides a file integrity checking feature that automatically assesses the status of boot files such as the BIOS, Master Boot Records (MBRs), and the NTFS boot sector when the system boots and before the OS starts. If a hacker has inserted malicious code in one of the boot files or has modified one of them, BDE will detect it and block the OS from starting. This feature is available only on computer systems that have a Trusted Platform Module (TPM) 1.2 chip—a special security chip that is part of most of today’s PC motherboards.
BDE can also offer pre-OS-boot multifactor authentication. Before Windows starts, BDE can prompt users to authenticate by providing a secret key that’s stored on a USB token or by entering a PIN.
Pre-OS-boot authentication protects Windows from attacks that attempt to bypass OS–level access checks and get to the data on a Windows-protected volume by booting from a Linux CD-ROM or floppy disk. For a broader introduction to BDE, see “Vista’s BitLocker Drive Encryption”.
The Vista release of BitLocker included some important shortcomings that hindered its widespread adoption. Let’s look at how these shortcomings are addressed and the resulting BDE features in Windows 7 and Windows Server 2008 R2. (All references to BDE features in Windows 7 in this article also apply to Windows Server 2008 R2.)
Note that BDE isn’t available in all Windows 7 versions. As in Vista, BitLocker is included only in the Windows 7 Enterprise and Ultimate editions—the two versions that target high-end home and business users. However, BitLocker support is included in all Windows Server 2008 R2 editions.
Vista’s BDE Shortcomings vs. Windows 7’s BDE Features
In the Vista BDE release, only a single volume, the system boot volume, can be BDE–protected. In Vista SP1 and Server 2008, Microsoft added support for BDE protection of different volumes—including local data volumes. In Windows 7, Microsoft adds BDE support for removable data drives—memory sticks and external data drives—in a feature that Microsoft refers to as BitLocker To Go (BTG), which I discuss later.
In the Vista BDE release, IT departments wanting to deploy BDE on their organization’s Windows desktops were forced to consider the disk partitioning of their systems during Vista deployment. This is because BDE 1.0 requires an active and dedicated volume. This volume is referred to as the BDE system volume and is labeled as the S drive. On Vista and Server 2008, Microsoft recommends that you reserve at least 1.5GB of disk space for the BDE system volume.
To ease the drive configuration when the OS is already installed, Microsoft released the BitLocker Driver Preparation Tool, which automates BDE system drive preparation. The tool automatically shrinks the C drive, creates a 1.5GB S drive, moves boot files to it, and marks the drive as active.
The tool can be downloaded from the Microsoft download website. In Windows 7, Microsoft integrated this tool in the BDE setup.
To make using BDE easier and to completely get rid of the repartitioning, users of a newly installed Windows 7 system (not an upgrade) will notice that Windows automatically creates the separate active system partition that’s required for BDE. (This partition is also leveraged by the Windows Recovery Environment—WinRE.) Microsoft has also worked with OEMs to ensure that new computer hardware preinstalled with Windows 7 ships with drives that are already correctly partitioned for BDE.
It’s also worth pointing out that in Windows 7, the BDE partition size has been reduced to 400MB when WinRE is enabled and to 200MB without WinRE. Also, the BDE system partition is now hidden to users—it’s no longer allocated to the S drive letter.
Finally, BDE in Vista includes only a limited set of recovery features. These features let users access their data on a BDE–protected volume after a PIN loss, TPM error, or boot file modification. All recovery mechanisms are rooted on a recovery password that can be stored on a USB token, or BDE users can simply write it down or remember it.
Administrators can also use Active Directory (AD) to centrally store the BitLocker recovery information of the machines in their domain. This recovery information is attached to the AD computer account and includes the password for each BitLocker-enabled drive, the TPM owner password (if a TPM is present and used for BitLocker), and information that links the recovery information to its corresponding volume.
Windows 7 includes new Group Policy Object (GPO)–based mechanisms for BDE data recovery, which give organizations more centralized BDE data recovery management capabilities. The new GPO settings let administrators maintain access to all BitLocker-protected data located on computers in their AD domain, even if the AD computer accounts holding BitLocker recovery information are accidentally deleted.
BitLocker to Go
BitLocker To Go (BTG) is Windows 7’s most visible new BitLocker feature. You can use BTG to encrypt data on removable hard disks and USB sticks. These devices often contain confidential information and can easily be lost or stolen.
Just like BDE, BTG by default uses the AES 128-bit with Diffuser algorithm to encrypt the volume. This can be changed to AES 256-bit using a GPO setting.
As opposed to BDE, which works only with NTFS–formatted drives, BTG also works with the exFAT, FAT16, and FAT32 file systems. If you want to protect a device or drive with BTG, it must have at least 64MB of available memory. The ability to encrypt a drive with BTG and to read and write data to it is available only in the Windows 7 Enterprise and Ultimate editions.
From other Windows 7 editions you can unlock a BTG-protected drive and read the data on it. I will discuss this in more detail in the section on the BTG Reader further on.
You can start the BTG encryption process of a removable drive by going to the System and Security Control Panel applet in the BitLocker Drive Encryption item and finding the BitLocker To Go section, which Figure 1 shows, that lists all USB sticks and external hard disks connected to your system that can be secured using BTG.
When you click Turn On BitLocker, Windows starts the BitLocker Drive Encryption wizard. The wizard first initializes the drive, then prompts you for an unlock mechanism.
You can unlock a BTG–encrypted drive by using a password, by using a secret key that’s stored on a smart card, or by using a combination of both. Then the wizard asks you to save or print the 48-digit BTG recovery key. (Note that recovery information can also be stored in AD if you enable this option in the BDE GPO settings.)
Finally, the wizard prompts you with Are you ready to encrypt this drive? Clicking Start Encrypting begins the encryption process. This is a time-consuming process: It might take hours to complete depending on the disk size and computer speed.
The good news is that, just like BDE, BTG decrypts instantly when you access a file on a protected disk or volume. When you insert a BTG–protected memory stick or attach the removable hard disk, Windows 7 prompts you to type your password or insert your smart card.
You can also configure Windows 7 to automatically unlock a BTG–protected drive through the Manage BitLocker option in the drive’s context menu or in the Control Panel. From the Manage BitLocker dialog box, you can also remove or change the BTG unlock password, save or change the recovery key, or add a smart card for unlocking the BTG–protected drive.
When you use BTG to encrypt a removable device, Windows 7 copies a utility called BitLockerToGo.exe to the device. This utility is the BTG Reader, which lets you access the protected data on the device from a Vista or XP system.
When you insert a BTG–protected USB token or attach a BTG–protected disk drive to a Vista or XP system, the BitLocker To Go Reader pops up and prompts you for the unlock password. Unlocking a BTG–protected drive using a smart card isn’t possible when using the BTG Reader from Vista or XP.
After you provide your password, the BTG Reader decrypts all content and displays it in the BTG Reader dialog box that Figure 2 shows. An important restriction is that the BTG Reader permits you only to drag files from the protected media and drop them on another location on the Vista or XP system, for example on the user desktop.
On the desktop, the files and folders are no longer encrypted and protected. Also, you can’t copy objects back to BTG–encrypted drives after you change them. Writing to BTG-protected drives is possible only from a system that runs Windows 7 Ultimate or Enterprise editions or Windows Server 2008 R2.
Microsoft put some clever software engineering behind the BTG Reader: It basically reengineered part of the BitLocker architecture to make it work with FAT volumes (FAT is the file system typically used on USB tokens). Microsoft modified the BitLocker architecture to overlay what it calls a "discovery volume" onto the original physical volume.
In the BTG reader this volume shows up as C_Drive. The discovery volume is automatically created when a FAT drive is encrypted; it contains the BitLocker To Go Reader and a readme file. If you want to see these files and how the encrypted information is really stored on the BTG–protected volume, look at the content of the volume from the command line using the dir /AS command (the AS switch displays hidden system files).
Better Centralized Management
Windows 7 includes an extended set of BitLocker GPO configuration settings. To find them, open gpedit.msc to open the Local Group Policy Editor. They are located in the GPO Administrative Templates\Windows Settings\Windows Components\BitLocker Drive Encryption container. This GPO location now holds three subcontainers for storing the BDE configuration settings for fixed data drives, OS drives and removable data drives.
The new GPO settings can control many different BDE and BTG parameters, including the use of unlock passwords and smart cards on fixed and removable data drives, whether the BTG Reader is installed on removable data drives or not.
An interesting GPO setting is Deny write access to removable drives not protected by BitLocker. This setting lets organizations configure removable drives as Read Only unless they are secured with BTG.
You can use this setting to ensure that sensitive or confidential corporate data is write-protected when an employee inserts a USB token accidentally on the wrong machine.
Windows 7 BDE also includes a new data recovery agent feature that allows centralized recovery of the BDE-protected data in an organization. It can be centrally configured using a Group Policy Object (GPO) setting that can be set from the Computer Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption GPO container.
You can define a BitLocker data recovery agent by right-clicking this container and selecting Add Data Recovery Agent, which starts the Add Recovery Agent Wizard.
The BitLocker data recovery agent GPO setting is used to distribute a data recovery agent’s public key certificate to all BitLocker-enabled Windows machines in the organization’s AD domain. To unlock access to a BitLocker (BDE or BTG)–protected volume, the data recovery agent can use the data recovery private key. This is the private key that’s linked to the recovery agent certificate and is securely stored in the recovery agent’s user profile.
This feature ensures that an organization always can get access to BitLocker-protected data even if the BitLocker recovery information stored in an AD computer account is deleted. The BitLocker data recovery agent feature is inspired by the data recovery agent feature that Microsoft has been providing for the Encrypting File System (EFS) since its release in Windows 2000.
Before you can use BDE data recovery agents, you need to ensure that the following BitLocker GPO settings are configured:
• Enable data recovery and the use of a data recovery agent, which Figure 3 shows. The GPO setting you use to do this depends on the volume type you want to secure with BDE/BTG: your options include Choose how BitLocker-protected operating system drives can be recovered; Choose how BitLocker-protected removable data drives can be recovered; or Choose how BitLocker-protected fixed data drives can be recovered.
• Define a BitLocker identification field in the GPO setting titled Provide the unique identifiers for your organization GPO. This setting associates a unique identifier to a new drive that’s protected with BitLocker. These identifiers are required for the management of data recovery agents on BDE/BTG–protected drives.
In addition to the GPO and GUI management changes I mentioned, Microsoft also extended the capabilities of the manage-bde command-line utility and the Windows Management and Instrumentation (WMI) provider for BitLocker. Both the command-line and WMI management interfaces now offer more complete BDE management options than in previous Windows versions.
A Better BitLocker Experience
The new BitLocker features in Windows 7 and Windows Server 2008 R2 focus on providing a better user and administration experience than in the Vista version.
Microsoft adds some important features that were missing in the Vista release of BitLocker 1.0 and that make it more useful, such as removable drive support and better management and recovery support. If you are considering upgrading to Windows 7, I strongly advise you to leverage BitLocker from day one.