BitLocker Drive Encryption Feature in Windows

Before you start

Objectives: Learn what is BitLocker feature, why it is used and how can it be configured on Windows systems.

Prerequisites: no prerequisites.

Key terms: bitlocker, key, tpm, recovery, drive, chip, computer, usb, set, use, way, windows, boot, files, BitLocker To Go


What is BitLocker

As IT professionals we should take care about additional protection for portable computers. We have to make sure that no one outside our organization can access confidential data on our computers. For this we can take advantage of the data protection features of BitLocker and BitLocker to Go. The main purpose of BitLocker is to protect data while the computer is offline. Offline means that someone takes the hard disk from our computer and installs it in another computer in order to access data on our disk.

BitLocker encrypts the entire Windows operating system volume. This includes operating system files, swap files, hibernation and user files. This way we protect offline access on lost or stolen computers since the attacker won’t be able to access protected files without a special BitLocker encryption key. The encryption key for the volume is stored in a separate safe location also known as the Trusted Platform Module (TPM) chip. The key is released for use only after BitLocker is able to verify the integrity of the boot environment. The TPM is a specialized hardware chip installed in the computer that authenticates the computer hardware instead of the user. The TPM also generates and stores cryptographic keys and stores passwords. The TPM stores the BitLocker key that is used to unlock the disk partitions, and stores information about the system to verify the integrity of the system hardware.
BitLocker checks the integrity of the drive content very early in the boot process. This is done to ensure that the drive is in the original computer and that the contents have not been altered. If any problems are found, BitLocker will leave drive content encrypted and the computer will enter BitLocker recovery mode, without booting into system. This way we prevent attackers to simply move the hard disk to another computer and try to read data from it (being accessed offline).

Prerequisites for BitLocker

BitLocker is not available in all versions and editions of Windows. For example, when it comes to Windows 7 and Windows Vista, BitLocker is available in Enterprise and Ultimate editions. We also have to use the NTFS file system on our drive, and we have to have a second, system partition. The system partition doesn’t have a drive letter so we won’t see in in Windows Explorer, and there is no chance of accessing or writing to it. This partition also has to use NTFS and must be active. System partition holds the boot files. The system partition is automatically created during Windows installation. It doesn’t have a drive letter so we won’t see in in Windows Explorer, and there is no chance of accessing or writing to it. In case we come across a computer that doesn’t have a system partition created, we can use the BitLocker Drive Preparation command line tool to create the system partition. Our computer must be set to boot from the hard drive first, and not a USB or CD drive (this is set up in BIOS). When using BitLocker, operating system volume will be encrypted by default but we can also protect additional volumes by using command line tools. We have to have administrative privileges to configure BitLocker. To fully take advantage of BitLocker, the computer needs to have a TPM of version 1.2 installed. Computers without a TPM 1.2 can still take advantage of BitLocker, but to do so we need to use a USB memory device. The USB memory device will store the startup key, and we will have to insert it every time we turn on the computer. We can also strengthen BitLocker when using a USB device by requiring a PIN to be entered before the computer turns on or resumes.

Have in mind, BitLocker will not protect files once we turn on the computer and log in. Remember that the main purpose of BitLocker is to prevent access to the information on the computer if the hard drive is used in a different computer or environment other than the one originally installed in. BitLocker is different from Encrypting File System (EFS). For example, while the BitLocker encrypts entire volumes, EFS encrypts individual files. BitLocker is not use dependent. Any user who has the PIN or startup key and who can successfully log on can access a BitLocker volume. When EFS is used, only the user who encrypted the file can access the file. Also, EFS protects against offline access as well as online access for unauthorized users.

Implementation

BitLocker can be set up in two ways, and this depends on how we store the key which will be used to unlock the encrypted volumes. One way is dependent on the Trusted Platform Module (TPM) chip, and the other way is set up without the TPM chip. TPM is a special hardware chip inside the computer which must be enabled in the BIOS if we plan to use it. TPM is used to generate and store cryptographic keys. When we use TPM chip together with BitLocker, the key is saved in the TPM chip on the motherboard. To use TPM with BitLocker, our motherboard has to have a TPM version 1.2 chip. Also, BIOS has to support Trusted Computing Group (TCG) specification. We can configure BitLocker with TPM chip in Windows by going to TPM MMC snap-in, or we can configure it by using BitLocker configuration Wizard. During configuration we will have to set up the TPM owner password. Configuring BitLocker with TPM is the recommended way of implementing BitLocker.

When configuring BitLocker with TPM, we can utilize different modes:

  • TPM – only – the least secure method. It doesn’t require additional authentication, like password startup keys or PIN to start the computer. We won’t even know the BitLocker is running unless the startup environment is altered or if we try to use the hard drive on another computer.
  • TPM with startup key – requires the USB device that will store a startup key and must be available when booting the computer. If the USB device is not available the computer will enter the recovery mode.
  • TPM with PIN – requires the user to enter the PIN before the computer boots. If the wrong PIN is entered, the computer will enter the recovery mode.
  • TPM with PIN & startup key – the most secure and recommended option. In this mode user must enter the PIN and have the USB device with the startup key in order for the computer to boot.

If we don’t have a TPM chip, we can save our BitLocker key on the USB flash drive and in that way still use BitLocker feature. However, the disadvantage of this is that we don’t have a boot environment protection. That means that if we take the protected hard drive and a USB memory stick containing the key to another computer, we will be able to boot that hard drive.

In order to use BitLocker without the TPM (using only USB memory device), we have to enable that setting in Group Policy. Of course, our computer must support reading USB devices during startup.

BitLocker Recovery

The last thing we want is to have a BitLocker enabled computer with a missing password or a USB device that stored the startup key. To prevent this from happening, and to be able to recover encrypted data, we can configure a Data Recovery Agent (DRA). DRAs can be used throughout the organization to recover data from BitLocker enabled volumes using a single account. DRAs are configured trough Group Policy settings, which allow us to choose which type of volumes can be recovered using a DRA. These volume types include the operating system, fixed drives, or removable drives. The policy also enables us to configure different password and recovery key for each of the volumes. If we have an Active Directory (AD) environment and our computer is a member of the domain, we can configure the recovery password and keys to be stored in AD.

If we lose the USB flash drive with the key, or if it becomes unreadable, we won’t be able to boot our system any more. Because of that we have to make sure that we have a copy of the recovery key. We should set up the recovery key in advance, so that we have the recovery option in the case we lose the original BitLocker key. The recovery key is automatically generated during BitLocker configuration and works only with the specific system for which it was generated. We should save the recovery key somewhere, and back it up. We can save it to a file, to USB drive, and also print it and store it on some secure location. It is recommended to store the recovery key to multiple secure locations. The recovery key is 48 digits long, and we have to enter those digits when our computer enters the BitLocker recovery mode by using the function keys (F10 for 0 and F1 – F9 for other numbers). We can also supply the key by inserting a USB device with the recovery key, if we have created one.

Recovery mode will appear if the TPM chip is disabled or cleared, if the USB drive with the key is not inserted, if our hard disk has been moved to another computer, or if the files on the volume have been altered. Once we boot into the Windows, we can reset the recovery key and we can also make a copy of the normal BitLocker key.

If we need to make boot environment changes, such as BIOS upgrade, that could trigger the BitLocker recovery mode. In order to avoid this, we can disable BitLocker temporarily while we make those changes, and then enable BitLocker again after changing the boot environment. This way we will avoid triggering the BitLocker recovery mode.

TPM Management

Most BitLocker modes will use the TPM chip to store the encryption and startup keys. To help in managing the TPM chip, we can use the TPM management console. We can use TPM console to store recovery information, clear the TPM content, and to enable or disable TPM. The TPM console is accessible from the BitLocker tool in the Control Panel.

Turning on BitLocker

To enable BitLocker, we can open the BitLocker tool in the Control Panel and turn on BitLocker for volume, fixed disk or removable drive. Have in mind only members of the local Administrators group can enable BitLocker. After we enable BitLocker and choose the mode, we will be asked to do a system check, which can take a while. If we don’t perform a system check, we risk loosing the data on our computer if there is some problem with the system. Once all tests are complete, the encryption process starts in the background. We can pause and resume the encryption process if necessary. The BitLocker will not be active until the encryption process is finished.

BitLocker To Go

Windows 7 introduced a new feature called BitLocker To Go, which allows USB devices and external hard disks to be encrypted using BitLocker. Not all editions of Windows will support BitLocker To Go. For example, for Windows 7 version. only Enterprise and Ultimate editions support BitLocker To Go configuration. Other editions only support reading and writing such BitLocker To Go USB. BitLocker To Go allows a BitLocker enabled removable storage device to be used on other computers as long as we have the right password. It doesn’t require that our computers have a TPM chip. BitLocker To Go requires a password or smart card to unlock an encrypted drive.

There are several Group Policy settings that we can use to configure BitLocker To Go:

  • Control use of BitLocker on removable drives – enables us to configure if users have the ability to apply BitLocker to removable drives, and if they can suspend and decrypt BitLocker on removable drives.
  • Configure use of smart cards on removable drives – enables us to configure if smart cards can or can’t be used to authenticate and gain access to removable drives protected by BitLocker.
  • Deny write access to removable drives not protected by BitLocker – enables us to require the use of BitLocker for write access on removable drives. Users will still be able to read the removable device.
  • Allow access to BitLocker-protected removable data drives from earlier version of Windows – enables us to allow or restrict removable drives that have been formatted with FAT file system and have BitLocker enabled, from being accessed on previous versions of Windows. To allow read access of such drives, we can install the BitLocker To Go Reader program which allows previous versions of Windows (Vista and XP) to read the BitLocker removable drives.
  • Configure use of password for removable data drives – enables us to configure a characteristics of a password (length, complexity, etc.) that is required to unlock a removable drive protected by BitLocker.
  • Choose how BitLocker-protected removable drives can be recovered – enables us to choose how BitLocker enabled drives can be recovered. Trough this setting, we can configure a recovery password and a recovery key, as well as specifying if we want recovery information to be stored in Active Directory.

By default, BitLocker To Go Reader is stored on an un-encrypted part of the BitLocker To Go drive. To access data on a BitLocker To Go drive, we can launch the BitLocker To Go Reader and unlock the drive using the correct password. Smart card authentication is not available when using the BitLocker To Go Reader. To use BitLocker To Go Reader on computers running Windows XP and Windows Vista, the BitLocker To Go drive must be formatted using the exFAT, FAT16, or FAT32 file system. If the BitLocker To Go drive is NTFS formatted, it can only be unlocked on computers running Windows 7.

After the removable drive has been configured to use BitLocker, we can manage it by either using Windows Explorer or the BitLocker Drive Encryption Control Panel option. In addition to GUI management tools, we can also manage BitLocker To Go from the command line using the manage-bde command line tool. The common options for this command line tool are:

  • -status – enables us to see the status of the BitLocker on a drive or removable drive.
  • -on / -off – enables us to turn on or off BitLocker.
  • -pause / -resume – enables us to pause or resume BitLocker encryption process.
  • -lock / -unlock – enables us to prevent access to BitLocker protected data.
  • -changepin – enables us to change the PIN.
  • -changepassword – enables us to change the password.
  • -changekey – enables us to change the startup key.

With the manage-bde command in batch files and automation process to stop and resume the encryption process, or even turn on or off BitLocker based on certain criteria that we can script.