Vista BitLocker Encrypts Windows Volume
May 1, 2006
BitLocker Drive Encryption, one of the truly new features of Windows Vista, reduces the threat of data theft or exposure from lost, stolen, or recycled computers. With supporting hardware, BitLocker and the Encrypting File System can fully encrypt all of the data on the computer and prevent booting of key operating system components if they have been compromised by hackers. But configuring a computer to use BitLocker is complicated, and Microsoft will offer BitLocker only on the Vista Enterprise and Ultimate editions, which could complicate licensing for organizations that want the feature.

The Need for BitLocker

More than 700,000 laptops are stolen in the United States each year, and those thefts often compromise an organization's internal or customer data. Organizations also face problems when they retire computers: a study of disposed or recycled computers found that more than half of the hard drives that were supposedly erased still contained corporate or personally identifiable information.

Previous versions of Windows, such as Windows XP, include the Encrypting File System (EFS), which automatically encrypts files for logged-on users. However, EFS has a weakness: files marked with the System attribute and files in the Windows system directory, including the EFS keys, cannot be encrypted. This means an attacker can access the system files by booting with another OS to read the volume offline and discovering the administrator's log-on password using brute force techniques. If this attack is successful, the attacker can boot Windows normally and get the EFS keys. Furthermore, even if a hacker is not interested in the data on a stolen laptop or lacks the resources to exploit it, the owner must assume that data on a stolen laptop could be exposed, and the organization must take steps to mitigate any damage, whether or not it actually occurs.

In contrast, Windows Vista with BitLocker enabled protects against a variety of attacks, including the following:
In addition, Microsoft claims that to recycle a PC safely, all an administrator has to do is destroy the BitLocker encryption keys; this ensures that no one can decrypt any files, including system files as well as user data, on the drive.

BitLocker Services

BitLocker, which evolved from Microsoft's Next Generation Secure Computing Base (NGSCB), or "Palladium," project, provides its two main security services on computers with a version 1.2 Trusted Platform Module (TPM). The TPM, an optional component that is typically a microcontroller installed on the motherboard of a computer, provides a variety of cryptographic services. When used with a TPM, BitLocker checks the integrity of key Windows files before starting the OS and fully encrypts all of the files on the OS volume (the logical volume on the disk that contains the Windows OS).

Boot file integrity. BitLocker uses the TPM to collect and store measurements from multiple sources, including the computer's ROM and boot-related components, such as the hard drive's Master Boot Record. This creates a unique "fingerprint" for the computer that will not change unless the drive is moved to a different computer or the boot record is tampered with when Windows is not running—for example, if an attacker moves a hard drive to a different system or removes the TPM module. The TPM will provide BitLocker with access to the encryption keys it contains only if the measurements or fingerprint are unchanged. Once the integrity of the boot process is ensured, BitLocker uses the TPM to unlock the key required to mount the encrypted volume and allow the system to boot Windows as normal. Once the system is running, protection becomes the responsibility of Windows—good security practices, such as strong passwords, are still required.

OS volume encryption. BitLocker can encrypt the entire OS volume (in contrast to EFS, which cannot be used to encrypt system files).
The OS volume is the logical volume that contains the Windows OS (including the \Windows directory) and its support files, including the page and hibernation files—all of which can be encrypted by BitLocker. In addition to the OS volume, BitLocker requires a special system volume with a capacity of at least 50MB to hold the Windows boot files, such as bootmgr and ntldr, that are needed to load and start executing Windows. This volume must be a different logical volume from the OS volume, must be formatted for NTFS, must be the active partition, and must not be encrypted. All data on this volume, including any additional user data, is not protected by BitLocker, but the fingerprint stored in the TPM can tell if these files have been modified in any way.

Other data volumes or physical drives in the computer besides the special BitLocker system volume and the OS volume cannot currently be encrypted with BitLocker. However, these drives can be encrypted with EFS, and because the keys for EFS-based encryption are stored on the BitLocker-encrypted OS volume, they cannot be easily compromised by an attack. (For an illustration, see "BitLocker Volumes".)

On computers that do not have a version 1.2 TPM, users can still use full-volume encryption for the OS volume by inserting a USB flash drive containing a startup key each time the computer starts or resumes from hibernation.

Additional Authentication Modes

Along with ensuring OS boot integrity and OS volume encryption, BitLocker can provide an additional level of data protection by requiring either a personal identification number (PIN) or a startup key before a user can access a BitLocker-protected computer. These authentication options are mutually exclusive; users can choose either a PIN or a startup key, but not both.

PIN. A PIN that must be entered by the user provides a second level of authentication—both the TPM and the PIN are needed to start and access the computer.
While a PIN provides an increased level of security, it also makes using the computer more complex: the PIN must be entered each time the computer is started or resumes from hibernation. If the PIN is forgotten or lost, then the BitLocker keys must be recovered using the built-in recovery console and the recovery key previously stored in the Active Directory or another safe location.

Startup key. As with a PIN, a startup key provides a second level of authentication. A startup key is a long string of numeric characters that is unique for each computer and can be stored on a USB flash drive (but not a smartcard), which must be inserted each time the computer starts or resumes from hibernation. The device holding the startup key must be plugged into the computer when it initially starts (the computer's BIOS must be able to detect the device before the OS loads) from power up through startup. However, it should be removed after Windows log-on is completed and stored separately from the computer. This is particularly important when a user is traveling, because if someone does steal the laptop they will not have the necessary startup key. (For a summary of these authentication modes, see "BitLocker With and Without a TPM".)

Recovery

Several scenarios can render BitLocker-protected data inaccessible. For example, if the hard drive is moved to another machine, the motherboard upgraded, boot files changed, or the PIN or startup key lost, protected data will not be accessible. BitLocker provides a recovery key and procedures for recovering the encrypted data. The TPM is not involved in any recovery methods, so recovery is possible even if the TPM malfunctions, disappears, or fails boot component validation. Recovery involves using a 48-digit recovery key, randomly generated during BitLocker setup, to decrypt a copy of the BitLocker keys.
This recovery key can be stored on a USB flash drive, stored in a file, printed, or stored in Active Directory, and administrators can use Group Policy to configure recovery methods.

Restrictions and Limitations

Although BitLocker provides additional security, it has several restrictions and limitations, including when it provides protection, what volumes it can encrypt, and the absolute necessity of recovery keys.

Offline protection. BitLocker protects the computer only when it is offline, that is, when Windows is not running. Therefore, BitLocker complements rather than replaces existing security services and practices. Antivirus and antispyware programs are still required to protect against malicious software. BitLocker cannot protect against a malicious user who has permission to log on to the computer, and the security of Windows Vista still relies on users choosing and maintaining strong passwords. BitLocker also cannot protect against certain hardware attacks, but such attacks require significant expertise and installation of a hardware debugger in the computer.

Only OS volume encrypted. BitLocker currently encrypts only the OS volume; EFS must be used to encrypt other disks or volumes.

Lost recovery key, lost data. In recovery mode, the user needs the recovery key to unlock the encrypted volume. Without the recovery key, the data cannot be decrypted.

Availability and Resources

BitLocker will be available only with Windows Vista Enterprise, which is available only to business customers through an Enterprise Agreement (EA) or with Software Assurance (SA), and with Windows Vista Ultimate, which includes consumer functions (such as the Media Center interface) that corporations might not want. Thus, organizations that are definitely interested in BitLocker must understand their current licensing plan for the Windows desktop OS and adjust it accordingly to ensure they can get this feature.
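The key-release behaviour described above (TPM fingerprint gating, TPM plus PIN, startup key, and the TPM-independent 48-digit recovery key) as an added Python simulation; this is not Microsoft's code, and the chained-hash fingerprint, the XOR key wrap and every function name are assumed stand-ins for the TPM's sealing and BitLocker's AES key protectors.

```python
import hashlib
import hmac
import secrets

def boot_fingerprint(measurements):
    """Chain the boot measurements (ROM, MBR, boot files) into one digest, as a
    TPM register is extended; changing any component changes the result."""
    digest = b"\x00" * 32
    for component in measurements:
        digest = hashlib.sha256(digest + hashlib.sha256(component).digest()).digest()
    return digest

def wrap(kek, vmk):
    """Toy key wrap (stand-in for AES): XOR the 32-byte VMK with a KEK-derived keystream; symmetric."""
    keystream = hashlib.sha256(b"wrap" + kek).digest()
    return bytes(a ^ b for a, b in zip(keystream, vmk))

def enable_bitlocker(vmk, tpm_secret, boot, pin, startup_key):
    """One wrapped copy of the volume master key per protector, plus a check
    value so a release attempt can tell a correct unwrap from garbage (hypothetical layout)."""
    fp = boot_fingerprint(boot)
    recovery_key = "".join(str(secrets.randbelow(10)) for _ in range(48))  # 48 random digits
    return {
        "tpm": wrap(hmac.new(tpm_secret, fp, "sha256").digest(), vmk),
        "tpm_pin": wrap(hmac.new(tpm_secret, fp + pin.encode(), "sha256").digest(), vmk),
        "startup": wrap(startup_key, vmk),
        "recovery": wrap(recovery_key.encode(), vmk),
        "check": hashlib.sha256(b"check" + vmk).digest(),
    }, recovery_key

def _verify(meta, candidate):
    ok = hmac.compare_digest(hashlib.sha256(b"check" + candidate).digest(), meta["check"])
    return candidate if ok else None

def release_with_tpm(meta, tpm_secret, boot_now, pin=None):
    """TPM path: the KEK depends on the fingerprint measured now, so a moved drive,
    a tampered MBR or a wrong PIN yields an unusable key and no VMK."""
    fp = boot_fingerprint(boot_now)
    if pin is None:
        kek = hmac.new(tpm_secret, fp, "sha256").digest()
        return _verify(meta, wrap(kek, meta["tpm"]))
    kek = hmac.new(tpm_secret, fp + pin.encode(), "sha256").digest()
    return _verify(meta, wrap(kek, meta["tpm_pin"]))

def release_with_startup_key(meta, startup_key):
    return _verify(meta, wrap(startup_key, meta["startup"]))

def release_with_recovery_key(meta, recovery_key):
    # Recovery path: no TPM or fingerprint involved, only the 48-digit key.
    return _verify(meta, wrap(recovery_key.encode(), meta["recovery"]))
```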
To use BitLocker to check the integrity of the OS boot components and full volume encryption, the computer must have the following features:
To use BitLocker for full volume encryption in a computer without a TPM, the computer must have the following:
A technical description of BitLocker is available at www.microsoft.com/technet/windowsvista/security/bittech.mspx. Step-by-step instructions for preparing a computer to use BitLocker are located at www.microsoft.com/technet/windowsvista/library/c61f2a12-8ae6-4957-b031-97b4d762cf31.mspx. Information on the TPM and the Trusted Processing Group is available at https://www.trustedcomputinggroup.org/home.