BitLocker: Is It Really Secure?
Expert Reference Series of White Papers
Introduction: What Is It?
BitLocker, whose full name is Windows BitLocker Drive Encryption, is a new technology available in Windows Vista Enterprise and Windows Vista Ultimate, and also in Windows Server 2008. It is one of the new security features for both business and personal users, designed to address the threat of unauthorized access to data as well as illegitimate booting of the operating system. BitLocker addresses a long history of vulnerability: data theft by booting a computer with stolen credentials, by using external attack tools such as bootable operating systems on CD-ROM or USB boot devices, or by transferring a computer's hard drive and reading it in a foreign system. Other concerns are unauthorized access to a stolen laptop or desktop computer, and access to a recycled or decommissioned computer. BitLocker encrypts the volume that runs the operating system, while Windows Server 2008 can additionally encrypt other volumes.
By design, BitLocker encrypts the entire Windows operating system volume on the hard drive, including the operating system files, user data, hibernation file, page file, and temporary files. Any application installed on the system volume benefits from this protection. BitLocker also verifies the integrity of the early boot components and boot configuration data, so that any alteration of the boot process prevents the operating system from starting. It is as valuable for servers as for laptops and desktops, especially machines at remote or branch offices where physical protection is weaker. If a BitLocker-protected machine is physically compromised or stolen, the data on the system disk remains protected. These features matter most to laptop owners and users, who gain the assurance that their information cannot be read. Note that this is protection for data at rest: a machine stolen while running or sleeping still has its keys in memory, which BitLocker does not defend.
What Is Needed
Not all versions of Windows Vista include BitLocker. The only editions that ship with it are the higher-priced Windows Vista Enterprise and Windows Vista Ultimate. Upgrade paths allow owners of other Vista editions to move to Enterprise or Ultimate.
The most secure way to implement BitLocker is on a computer with a cryptographic hardware chip, the Trusted Platform Module (TPM) version 1.2 or later, together with a Trusted Computing Group (TCG) compliant BIOS. The TPM is a hardware component pre-installed on newer computers to protect keys and to ensure that the computer has not been tampered with while it was powered off. It also allows the normal startup process to be locked until the user supplies a personal identification number (PIN).
Mark Mizrahi, Global Knowledge Instructor, MCSE, MCT, CEH
Computers with the TPM hardware pre-installed can be hard to find, probably because manufacturers want to keep costs low. Since the majority of sales are Vista editions that do not support BitLocker, much hardware is built without the TPM and the TCG-compliant BIOS.
Another, less secure, way to use BitLocker on computers without a TPM is to insert a removable USB device, such as a flash drive, that contains a startup key. This implementation does not provide the pre-startup system integrity verification that BitLocker offers when working with TPM hardware.
Optionally, in a domain environment, BitLocker supports remote escrow of recovery information to Active Directory Domain Services (AD DS), and provides a Windows Management Instrumentation (WMI) interface with scripting support for remote administration. BitLocker can also be configured through Group Policy Objects (GPOs).
Combined with the TPM, either a PIN or a startup key gives multi-factor authentication, and in every case the computer will not start, or even resume from hibernation, until the correct PIN or startup key is supplied.
For BitLocker to function, the hard disk needs at least two NTFS-formatted volumes: a system volume of at least 1.5 GB that holds the files that boot the operating system, and a second volume that holds the operating system itself, known as the boot volume. If two volumes are not available, the Windows Vista "diskpart" command-line tool can shrink an existing NTFS volume so that the system volume for BitLocker can be created.
How It Works
BitLocker provides three modes of operation: Transparent Operation Mode, User Authentication Mode, and USB Key Mode. The first two require the TPM (version 1.2 or later) and a TCG-compliant BIOS; the third does not require a TPM.
Transparent operation mode: This mode uses the TPM 1.2 hardware to make BitLocker transparent to the user, who logs on to Windows Vista as normal. The key used for the disk encryption is sealed (encrypted) by the TPM and is released to the OS loader only if the early boot files appear unmodified. The pre-OS components of BitLocker achieve this by implementing a Static Root of Trust for Measurement, a methodology specified by the Trusted Computing Group (http://en.wikipedia.org/wiki/Trusted_Computing_Group).
User authentication mode: This mode requires the user to authenticate to the pre-boot environment before the OS will boot. Two forms are supported: a pre-boot PIN typed by the user, or a Universal Serial Bus (USB) device (http://en.wikipedia.org/wiki/Universal_Serial_Bus) inserted by the user that holds the required startup key. Both forms are added on top of the TPM; using a USB startup key without any TPM is the separate USB key mode described next.
USB key mode: The user must insert a USB device containing a startup key to boot the protected OS. This mode requires that the BIOS on the protected machine can read USB devices in the pre-OS environment.
BitLocker encrypts data using the Advanced Encryption Standard (AES) with 128- or 256-bit keys, plus an optional diffuser. The default setting is AES 128-bit with the Elephant diffuser. AES was chosen in part for its performance; according to Microsoft, BitLocker imposes a single-digit percentage of overhead. The initial encryption runs in the background, and afterwards sectors are decrypted on demand as they are read.
BitLocker uses the TPM to verify the integrity of early boot components and boot configuration data. This helps ensure that the encrypted volume is made accessible only if those components have not been tampered with and the encrypted drive is in the original computer.
BitLocker helps ensure the integrity of the startup process by:
• Providing a method to check that early boot file integrity has been maintained, and to help ensure that there has been no adversarial modification of those files, such as by boot sector viruses or rootkits.
• Enhancing protection to mitigate offline software-based attacks. Any alternative software that might start the system does not have access to the decryption keys for the Windows operating system volume.
• Locking the system when tampered with. If any monitored files have been tampered with, the system does not start. This alerts the user to the tampering, since the system fails to start as usual. If such a lockout occurs, BitLocker offers a simple recovery process.
Authentication modes in the boot sequence
BitLocker supports four authentication modes, depending on the computer's hardware capabilities and the desired level of security:
• BitLocker with a TPM (no additional authentication factors)
• BitLocker with a TPM and a PIN
• BitLocker with a TPM and a USB startup key
• BitLocker without a TPM (USB startup key required)
Each time Windows Vista starts with BitLocker enabled, the boot code performs a sequence of steps based on the volume protectors that have been set. These steps can include system integrity checks and other authentication steps (PIN or USB startup key) that must succeed before the protected volume is unlocked.
For recovery purposes, BitLocker uses a recovery key (stored on a USB device) or a recovery password (a numerical password), as shown in the BitLocker Architecture section below. You create the recovery key or recovery password during BitLocker initialization. Inserting the recovery key or typing the recovery password lets an authorized user regain access to the encrypted volume after an attempted security breach or a system failure.
BitLocker searches for keys in the following sequence:
1. Clear key: System integrity verification has been disabled and the BitLocker volume master key is freely accessible. No authentication is necessary.
2. Recovery key or startup key (if present): If a recovery key or startup key is present, BitLocker uses that key immediately and does not attempt other means of unlocking the volume.
3. Authentication
   a. TPM: The TPM successfully validates the early boot components and unseals the volume master key.
   b. TPM + startup key: The TPM successfully validates the early boot components and a USB flash drive containing the correct startup key has been inserted.
   c. TPM + PIN: The TPM successfully validates the early boot components and the user enters the correct PIN.
4. Recovery
   a. Recovery password: The user must enter the correct recovery password.
   b. Recovery key: If none of the above steps unlocks the drive, the user is prompted to insert the USB flash drive holding the recovery key and restart the computer.
TPM-only scenario
In this scenario, BitLocker is enabled on a computer that has a TPM, but no additional authentication factors have been enabled. The hard disk is partitioned into two volumes:
• The system volume, which contains the files that boot the operating system.
• The Windows Vista operating system volume, known as the boot volume.
As shown in Figure 1, BitLocker encrypts the operating system volume with a full volume encryption key (FVEK). This key is itself encrypted with the volume master key (VMK), which in turn is encrypted (sealed) by the TPM.
Figure 1 Accessing a BitLocker-enabled volume with TPM protection
This scenario can be enabled or disabled by the local administrator through the BitLocker Drive Encryption item in Control Panel in Windows Vista. Turning BitLocker off decrypts the volume and removes all keys; new keys are created when BitLocker is turned on again later.
Enhanced Authentication Scenarios
These scenarios add authentication factors to the basic scenario described above. As shown in Figure 2, using BitLocker on a computer that has a TPM offers two multifactor authentication options:
Figure 2 Accessing a BitLocker-enabled volume with enhanced protection
• The TPM plus a PIN (system integrity check plus something the user knows).
• The TPM plus a startup key stored on a USB flash drive (system integrity check plus something the user has).
The advantage of these scenarios is that not all key material is stored on the local computer.
PIN authentication
In this scenario, the administrator sets a numeric PIN during BitLocker initialization. BitLocker hashes the PIN with SHA-256, and the first 160 bits of the hash are used as authorization data sent to the TPM to seal the volume master key. The volume master key is then protected by both the TPM and the PIN. To unseal it, the user must enter the PIN each time the computer starts or resumes from hibernation. Because a short numeric PIN has little entropy, the strength of this factor rests on the TPM's own lockout (anti-hammering) logic against repeated wrong guesses, not on the hash itself.
Startup key-only scenario (no TPM)
In this scenario, the administrator enables BitLocker on a computer that does not contain a TPM. The user must insert the USB flash drive containing the startup key each time the computer starts or resumes from hibernation.
The startup key for a non-TPM computer must be created during BitLocker initialization, either through the BitLocker setup wizard or through scripting. BitLocker generates the startup key, the user inserts a USB flash drive, and the system stores the startup key on that device.
Using the BitLocker Control Panel item, the user can create a backup copy of the startup key. The startup key is saved unencrypted, as raw binary data in a ".bek" file, so any copy must be guarded like a password. If a startup key is lost, the volume must be recovered with the recovery key or the recovery password, and a new startup key must be generated (which revokes the original). Every other volume that used the lost startup key must go through the same procedure, so that the lost key cannot be used by an unauthorized party.
BitLocker Architecture
BitLocker helps protect the operating system volume of the hard disk from unauthorized access while the computer is offline. To achieve this, BitLocker uses full-volume encryption and the security enhancements offered by the TPM. On computers that have a TPM, BitLocker also supports multifactor authentication.
BitLocker uses the TPM to perform system integrity checks on critical early boot components. The TPM collects and stores measurements of multiple early boot components and boot configuration data in its Platform Configuration Registers (PCRs), creating a system identifier for that computer, much like a fingerprint. If the early boot components are changed or tampered with, such as by changing the BIOS, changing the master boot record (MBR), or moving the hard disk to a different computer, the TPM prevents BitLocker from unlocking the encrypted volume and the computer enters recovery mode. If the TPM verifies system integrity, BitLocker unlocks the protected volume. The operating system then starts, and system protection becomes the responsibility of the user and the operating system. Figure 3 shows how the BitLocker-protected volume is encrypted with a full volume encryption key, which in turn is encrypted with a volume master key. Securing the volume master key is an indirect way of protecting the data on the volume. The extra layer allows the system to be re-keyed easily when keys upstream in the trust chain are lost or compromised: only the small wrapped keys are rewritten, which saves the expense of decrypting and re-encrypting the entire volume.
Figure 3 Relationship between different encryption keys in BitLocker.
Once BitLocker authenticates access to the protected operating system volume, a filter driver in the Windows Vista file system stack encrypts and decrypts disk sectors transparently as data is written to and read from the protected volume. When the computer hibernates, the hibernation file is saved encrypted to the protected volume; when the computer resumes, the encrypted hibernation file is decrypted. After BitLocker has encrypted the protected volume during setup, the impact on day-to-day system performance for encryption and decryption is typically minimal.
If you temporarily disable BitLocker (for example, to update the BIOS), the operating system volume remains encrypted, but the volume master key is additionally encrypted with a "clear key" that is stored unencrypted on the hard disk. The availability of this unencrypted key removes the data protection BitLocker offers. When BitLocker is re-enabled, the clear key is removed from the disk, the volume master key is re-keyed and encrypted again, and BitLocker protection resumes.
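The key relationships described above (Figure 1, Figure 3, the PIN authorization data, and the clear key used in disabled mode) are easier to see in a small working model. The following script is an added example, not code from the white paper or from Microsoft. It uses .NET AES-256-CBC with an HMAC as a stand-in for BitLocker's own authenticated key wrapping and a hash of the "measurements" as a stand-in for the TPM's sealing; the real on-disk structures and the TPM protocol are not reproduced, the UTF-16LE encoding of the PIN is an assumption, and all keys, measurements and sector contents are constructed sample data. It needs Windows PowerShell 5.1 or PowerShell 7.

```powershell
# Added example (not from the paper): simplified model of FVEK -> VMK -> protector.
using namespace System.Security.Cryptography
using namespace System.Text

function New-RandomKey([int]$Length = 32) {
    $key = New-Object byte[] $Length
    [RandomNumberGenerator]::Create().GetBytes($key)
    return ,$key
}

function Protect-Bytes([byte[]]$Key, [byte[]]$Plain) {
    # Encrypt-then-MAC (AES-256-CBC + HMAC-SHA256) stands in for BitLocker's
    # authenticated AES-CCM key wrap: a wrong key is detected, never silently accepted.
    $aes = [Aes]::Create(); $aes.Key = $Key; $aes.GenerateIV()
    $ct   = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    $body = [byte[]]($aes.IV + $ct)
    $tag  = [HMACSHA256]::new($Key).ComputeHash($body)
    return ,([byte[]]($body + $tag))
}

function Unprotect-Bytes([byte[]]$Key, [byte[]]$Blob) {
    $body = [byte[]]$Blob[0..($Blob.Length - 33)]
    $tag  = [byte[]]$Blob[($Blob.Length - 32)..($Blob.Length - 1)]
    $calc = [HMACSHA256]::new($Key).ComputeHash($body)
    $diff = 0
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($calc[$i] -bxor $tag[$i]) }
    if ($diff -ne 0) { throw 'integrity check failed: wrong protector, wrong PIN, or tampered blob' }
    $aes = [Aes]::Create(); $aes.Key = $Key; $aes.IV = [byte[]]$body[0..15]
    return ,([byte[]]$aes.CreateDecryptor().TransformFinalBlock($body, 16, $body.Length - 16))
}

function Get-PinAuthValue([string]$Pin) {
    # Paper: SHA-256 of the PIN, first 160 bits used as TPM authorization data.
    # The UTF-16LE byte encoding of the PIN is an assumption of this model.
    $digest = [SHA256]::Create().ComputeHash([Encoding]::Unicode.GetBytes($Pin))
    return ,([byte[]]$digest[0..19])
}

function Get-TpmSealKey([string]$Measurements, [byte[]]$AuthValue = @()) {
    # Model only: a real TPM compares PCR values and auth data internally and
    # never exports a key; here the wrap key is derived from both so that a
    # changed measurement or a wrong PIN yields a different key.
    $material = [byte[]]([Encoding]::ASCII.GetBytes($Measurements) + $AuthValue)
    return ,([byte[]][SHA256]::Create().ComputeHash($material))
}

function Unlock-Volume([byte[]]$ProtectorKey, [byte[]]$WrappedVmk, [byte[]]$WrappedFvek, [byte[]]$Data) {
    # Walk the chain: protector -> VMK -> FVEK -> sector data.
    $vmk  = Unprotect-Bytes $ProtectorKey $WrappedVmk
    $fvek = Unprotect-Bytes $vmk $WrappedFvek
    return [Encoding]::ASCII.GetString((Unprotect-Bytes $fvek $Data))
}

function Invoke-VmkRotation([byte[]]$OldProtectorKey, [byte[]]$WrappedVmk, [byte[]]$WrappedFvek, [byte[]]$NewProtectorKey) {
    # Re-keying: fresh VMK, re-wrap only the FVEK (tens of bytes). The encrypted
    # volume data is untouched, which is why re-keying is cheap.
    $fvek   = Unprotect-Bytes (Unprotect-Bytes $OldProtectorKey $WrappedVmk) $WrappedFvek
    $newVmk = New-RandomKey
    return @{ WrappedVmk = Protect-Bytes $NewProtectorKey $newVmk; WrappedFvek = Protect-Bytes $newVmk $fvek }
}

# Constructed state for one protected volume.
$FVEK       = New-RandomKey
$VMK        = New-RandomKey
$sector     = [Encoding]::ASCII.GetBytes('constructed sample sector contents')
$dataOnDisk = Protect-Bytes $FVEK $sector       # volume data, encrypted with the FVEK
$fvekOnDisk = Protect-Bytes $VMK  $FVEK         # FVEK, encrypted with the VMK
$goodPcrs   = 'BIOS=abc;MBR=def;BootMgr=ghi'   # stand-in for the PCR measurements

# TPM + PIN protector: VMK sealed to the measurements plus the PIN auth value.
$sealKey     = Get-TpmSealKey $goodPcrs (Get-PinAuthValue '2580')
$vmkByTpmPin = Protect-Bytes $sealKey $VMK

# 1. Normal start: correct measurements and PIN unlock the data.
Unlock-Volume $sealKey $vmkByTpmPin $fvekOnDisk $dataOnDisk

# 2. Tampered boot component (different MBR measurement): unseal fails, recovery would follow.
try { Unlock-Volume (Get-TpmSealKey 'BIOS=abc;MBR=EVIL;BootMgr=ghi' (Get-PinAuthValue '2580')) $vmkByTpmPin $fvekOnDisk $dataOnDisk }
catch { "blocked: $($_.Exception.Message)" }

# 3. Disabled mode: VMK also wrapped under a clear key that sits on disk in plaintext,
#    so anyone holding the disk can unlock without the TPM or the PIN.
$clearKey   = New-RandomKey
$vmkByClear = Protect-Bytes $clearKey $VMK
Unlock-Volume $clearKey $vmkByClear $fvekOnDisk $dataOnDisk

# 4. Re-enable: new VMK sealed to the TPM, clear-key wrap discarded; $dataOnDisk is unchanged.
$rekeyed = Invoke-VmkRotation $clearKey $vmkByClear $fvekOnDisk $sealKey
Unlock-Volume $sealKey $rekeyed.WrappedVmk $rekeyed.WrappedFvek $dataOnDisk
```

Step 3 is the point of the paper's warning about disabled mode: the data is still ciphertext, but the only thing standing between an attacker and the VMK is a key written in the clear next to it. Step 4 shows why re-enabling is cheap: only the two small wrapped-key blobs change.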
IT administrators can configure BitLocker locally through the BitLocker setup wizard, or both locally and remotely through the interfaces exposed by the Win32_EncryptableVolume WMI provider of the Windows Vista operating system. These interfaces include management functionality to begin, pause, and resume encryption of the volume and to configure how the volume is protected.
Architectural Diagram
Figure 4 Overall BitLocker Architecture
Figure 4 shows the overall BitLocker architecture, including its various subcomponents. It displays the user-mode and kernel-mode components of BitLocker, including the TPM, and the way they integrate with the different layers of the operating system.
Computer Updates and Upgrades
Disabling BitLocker Protection
An administrator may want to temporarily disable BitLocker in certain scenarios, such as:
• Restarting the computer for maintenance without requiring user input (for example, a PIN or startup key).
• Updating the BIOS.
• Upgrading critical early boot components without triggering BitLocker recovery, such as:
- Installing a different version of the operating system or another operating system, which might change the master boot record (MBR).
- Repartitioning the disk, which might change the partition table.
- Performing other system tasks that change the boot components validated by the TPM.
• Upgrading the motherboard to replace or remove the TPM without triggering BitLocker recovery.
• Turning off (disabling) or clearing the TPM without triggering BitLocker recovery.
• Moving a BitLocker-protected disk volume to another computer without triggering BitLocker recovery.
These scenarios are collectively referred to as the computer upgrade scenario. BitLocker can be enabled or disabled through the BitLocker item in Control Panel in Windows.
The following steps are necessary to upgrade a BitLocker-enabled computer:
1. Temporarily turn off BitLocker by placing it into disabled mode.
2. Upgrade the system or the BIOS.
3. Turn BitLocker back on.
Forcing BitLocker into disabled mode keeps the volume encrypted, but the volume master key is encrypted with a symmetric key stored unencrypted on the hard disk. The availability of this unencrypted key removes the data protection BitLocker offers, but ensures that subsequent startups succeed without further user input. When BitLocker is re-enabled, the unencrypted key is removed from the disk and protection is turned back on; the volume master key is re-keyed and encrypted again. While BitLocker is disabled, moving the encrypted volume (that is, the physical disk) to another BitLocker-enabled computer requires no additional steps, because the key protecting the volume master key is stored unencrypted on the disk. For the same reason, a disk should spend as little time as possible in disabled mode and should never leave the administrator's control in that state.
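The three-step procedure above, driven through the Win32_EncryptableVolume WMI provider the paper mentions, as an added example (not from the paper or from Microsoft). It assumes an elevated Windows PowerShell prompt (Get-WmiObject is not available in PowerShell 7) and that C: is the BitLocker-protected operating system volume. The method names, return codes and status values are those of the provider; the wrapper functions and labels are this example's own.

```powershell
# Added example (not from the paper): disable / upgrade / re-enable via WMI.
$ns  = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter = 'C:'"
if (-not $vol) { throw 'No BitLocker-capable volume found at C: (assumed OS volume)' }

function Assert-Ok($Result, [string]$What) {
    # Every Win32_EncryptableVolume method returns 0 on success and an HRESULT otherwise.
    if ($Result.ReturnValue -ne 0) { throw ('{0} failed with 0x{1:X8}' -f $What, $Result.ReturnValue) }
}

function Show-VolumeState($Volume, [string]$Label) {
    # ProtectionStatus: 0 = off (unencrypted, or encrypted but a clear key exists),
    #                   1 = on, 2 = unknown (for example, the volume is locked).
    # ConversionStatus: 0 = fully decrypted, 1 = fully encrypted,
    #                   2/3 = encryption/decryption in progress, 4/5 = paused.
    $p = $Volume.GetProtectionStatus(); Assert-Ok $p 'GetProtectionStatus'
    $c = $Volume.GetConversionStatus(); Assert-Ok $c 'GetConversionStatus'
    '{0}: protection={1} conversion={2} ({3}% encrypted)' -f $Label,
        $p.ProtectionStatus, $c.ConversionStatus, $c.EncryptionPercentage
}

Show-VolumeState $vol 'before'

# Step 1: disabled mode. The volume stays fully encrypted (conversion status 1),
# but protection reports 0 because the VMK is now also wrapped with a clear key
# stored in plaintext on the disk. This is the window to keep as short as possible.
Assert-Ok ($vol.DisableKeyProtectors()) 'DisableKeyProtectors'
Show-VolumeState $vol 'after disable'

# Step 2: apply the BIOS update or boot-component change and reboot here. The
# next start succeeds without a PIN or startup key because the clear key is used.

# Step 3: re-enable. The clear key is deleted and the VMK is re-keyed and resealed
# to the TPM against the new measurements, so the change does not trigger recovery.
Assert-Ok ($vol.EnableKeyProtectors()) 'EnableKeyProtectors'
Show-VolumeState $vol 'after enable'
```

The two Show-VolumeState calls around the disable step make the paper's point measurable: conversion status stays at 1 (still encrypted) while protection status drops to 0, and the re-enable step brings it back to 1.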
System Recovery
A number of scenarios can trigger a recovery process, for example:
• Moving the BitLocker-protected drive into a new computer.
• Installing a new motherboard with a new TPM.
• Turning off, disabling, or clearing the TPM.
• Updating the BIOS.
• Upgrading critical early boot components so that system integrity validation fails.
• Forgetting the PIN when PIN authentication has been enabled.
• Losing the USB flash drive containing the startup key when startup key authentication has been enabled.
An administrator can also trigger recovery as an access control mechanism (for example, during computer redeployment). An administrator may decide to lock down an encrypted drive and require that users obtain BitLocker recovery information to unlock it.
If BitLocker enters recovery mode, the data in the encrypted volume can be recovered through a process that requires minimal setup. For detailed information, see the Windows BitLocker Drive Encryption Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkID=53779).
Recovery setup
Using Group Policy, an IT administrator can choose which recovery methods to require, deny, or make optional for users who enable BitLocker. The recovery password can be stored in Active Directory Domain Services (AD DS), and the administrator can make this option mandatory, prohibited, or optional for each user of the computer. Additionally, the recovery data can be stored on a USB flash drive.
Recovery scenarios
In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password. The TPM is not involved in any recovery scenario, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed.
Recovery password
The recovery password is a 48-digit, randomly generated number that can be created during BitLocker setup. If the computer enters recovery mode, the user is prompted to type this password using the function keys (F1 through F10, where F10 stands for 0). The recovery password can be managed and copied after BitLocker is enabled. Using the BitLocker Control Panel item, the recovery password can be printed or saved to a file for future use.
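The 48-digit recovery password is not an arbitrary number: it is written as eight groups of six digits, each group is a multiple of 11 below 720896 (that is, 11 times a 16-bit value, so the eight groups carry a 128-bit key, and the last digit of each group acts as a checksum). A help desk can therefore reject a mistyped password before the user spends another reboot on it. The following script is an added example, not from the paper or from Microsoft; the sample passwords it produces are constructed for illustration in the documented format and are not generated by BitLocker.

```powershell
# Added example (not from the paper): structural check of a 48-digit recovery password.
function ConvertFrom-RecoveryPassword([string]$Password) {
    # Returns the 16 key bytes (each group little-endian) or $null if the password is malformed.
    $groups = ($Password -replace '\s', '') -split '-'
    if ($groups.Count -ne 8) { return $null }
    $key = New-Object System.Collections.Generic.List[byte]
    foreach ($g in $groups) {
        if ($g -notmatch '^\d{6}$') { return $null }
        $n = [int]$g
        # Divisibility by 11 is the per-group checksum; 720896 = 11 * 65536 bounds the 16-bit value.
        if (($n % 11) -ne 0 -or $n -ge 720896) { return $null }
        $word = [int]($n / 11)
        $key.Add([byte]($word % 256))
        $key.Add([byte]([math]::Floor($word / 256)))
    }
    return ,$key.ToArray()
}

function New-SampleRecoveryPassword() {
    # Constructed sample in the documented format: 16 random bytes, each 16-bit word times 11.
    $bytes = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $groups = for ($i = 0; $i -lt 16; $i += 2) {
        $word = $bytes[$i] + 256 * $bytes[$i + 1]
        '{0:D6}' -f ($word * 11)
    }
    return ($groups -join '-')
}

$sample = New-SampleRecoveryPassword
"sample:   $sample"
"valid:    $((ConvertFrom-RecoveryPassword $sample) -ne $null)"       # True

# A single mistyped digit changes the group by a non-multiple of 11, so the checksum catches it.
$last = [int][string]$sample[-1]
$typo = $sample.Substring(0, $sample.Length - 1) + (($last + 1) % 10)
"typo:     $typo"
"valid:    $((ConvertFrom-RecoveryPassword $typo) -ne $null)"         # False

# Wrong shape (seven groups) is rejected before any arithmetic.
"7 groups: $((ConvertFrom-RecoveryPassword ($sample.Substring(0, 48))) -ne $null)"   # False
```

The check only proves that the typed string is a well-formed recovery password; whether it is the one escrowed for this volume is decided by BitLocker when it derives the key and tries to unwrap the volume master key.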
A domain administrator can configure Group Policy to generate recovery passwords automatically and transparently back them up to AD DS as soon as BitLocker is enabled. The domain administrator can also choose to prevent BitLocker from encrypting a drive unless the computer is connected to the network and the AD DS backup of the recovery password succeeds.
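The AD DS escrow described above can also be done explicitly for an existing volume through the same WMI provider, which is useful for machines that were encrypted before the policy was set. The following is an added example, not from the paper or from Microsoft. It assumes an elevated Windows PowerShell prompt on a domain-joined computer whose AD DS schema has been extended for BitLocker, and that C: is the operating system volume; the registry value names it reads are the ones behind the "Turn on BitLocker backup to Active Directory Domain Services" policy, and the friendly name and wrapper function are this example's own.

```powershell
# Added example (not from the paper): create a recovery password protector and escrow it to AD DS.
$ns  = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter = 'C:'"
if (-not $vol) { throw 'No BitLocker-capable volume found at C: (assumed OS volume)' }

function Assert-Ok($Result, [string]$What) {
    if ($Result.ReturnValue -ne 0) { throw ('{0} failed with 0x{1:X8}' -f $What, $Result.ReturnValue) }
}

# Policy check: ActiveDirectoryBackup=1 turns escrow on; RequireActiveDirectoryBackup=1
# blocks enabling BitLocker until the escrow succeeds (the setting the paper describes).
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
'AD DS backup enabled: {0}; required before encrypting: {1}' -f `
    ($pol.ActiveDirectoryBackup -eq 1), ($pol.RequireActiveDirectoryBackup -eq 1)

# Add a numerical password protector. Passing $null for the password lets
# BitLocker generate the 48-digit value; the protector GUID comes back as an out parameter.
$r = $vol.ProtectKeyWithNumericalPassword('Recovery password (escrowed to AD DS)', $null)
Assert-Ok $r 'ProtectKeyWithNumericalPassword'
$id = $r.VolumeKeyProtectorID

# Escrow: writes the password and protector GUID to an msFVE-RecoveryInformation
# object under the computer account in AD DS. Fails (non-zero) if the DC is unreachable.
Assert-Ok ($vol.BackupRecoveryInformationToActiveDirectory($id)) 'BackupRecoveryInformationToActiveDirectory'

# Verify the protector is present (KeyProtectorType 3 = numerical password) and
# retrieve the password once so it can also be printed or saved, as the paper describes.
$list = $vol.GetKeyProtectors(3); Assert-Ok $list 'GetKeyProtectors'
if ($list.VolumeKeyProtectorID -notcontains $id) { throw 'protector not found after creation' }
$pw = $vol.GetKeyProtectorNumericalPassword($id); Assert-Ok $pw 'GetKeyProtectorNumericalPassword'
"Protector $id escrowed to AD DS; recovery password: $($pw.NumericalPassword)"
```

Treat the printed password like the .bek file discussed earlier: once it is in a log or a ticket, that copy can unlock the volume with no TPM, PIN or startup key involved.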
Recovery key
The recovery key can be created and saved to a USB flash drive during BitLocker setup. It can also be managed and copied after BitLocker is enabled. If the computer enters recovery mode, the user is prompted to insert the USB flash drive holding the recovery key.
Summary
Microsoft's BitLocker Drive Encryption technology debuted in Windows Vista as a way to protect the system volume on notebook computers. The idea was that, while the loss or theft of a notebook is expensive in itself, the real expense often came when the data on the drive was exploited by thieves. With full drive encryption, an attacker cannot simply pull out the hard drive and read its data on a different computer.