Updated: July 9, 2020 (December 4, 2006)
Analyst Report
BitLocker Securely Encrypts Windows Volume
BitLocker Drive Encryption reduces the threat of data theft or exposure from lost, stolen, or recycled computers. With supporting hardware, BitLocker and the Encrypting File System can fully encrypt all of the data on a computer and prevent the computer from booting if key OS components have been compromised by hackers. But configuring a computer to use BitLocker is complicated, and Microsoft will offer BitLocker only on Vista Enterprise and Vista Ultimate, which could complicate licensing for organizations that want the feature.
The Need for BitLocker
More than 600,000 laptops are lost or stolen in the United States each year, and these losses or thefts often compromise an organization’s internal or customer data. Organizations also face problems when they retire computers: a study of disposed or recycled computers found that more than half of the hard drives that were supposedly erased still contained corporate or personally identifiable information.
Previous versions of Windows, such as Windows XP, include the Encrypting File System (EFS), which automatically encrypts files for logged-on users. However, EFS has a weakness: files marked with the System attribute and files in the Windows system directory, including the EFS keys, cannot be encrypted. This means an attacker can boot the computer with another OS, read the volume offline to access the system files, and discover the administrator’s login password using brute-force techniques. If this attack is successful, the attacker can boot Windows normally and get the EFS keys.