This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
BitLocker helps protect the operating system volume of the hard disk from unauthorized access while the computer is offline. To achieve this, BitLocker uses full-volume encryption and the security enhancements offered by the TPM. On computers that have a TPM, BitLocker also supports multifactor authentication.
BitLocker uses the TPM to perform system integrity checks on critical early boot components. The TPM collects and stores measurements from multiple early boot components and boot configuration data to create a system identifier for that computer, much like a fingerprint. If the early boot components are changed or tampered with, such as by changing the BIOS, changing the master boot record (MBR), or moving the hard disk to a different computer, the TPM prevents BitLocker from unlocking the encrypted volume and the computer enters recovery mode. If the TPM verifies system integrity, BitLocker unlocks the protected volume. The operating system then starts and system protection becomes the responsibility of the user and the operating system.
Figure 1 shows how the BitLocker-protected volume is encrypted with a full volume encryption key, which in turn is encrypted with a volume master key. Securing the volume master key is an indirect way of protecting data on the volume: the addition of the volume master key allows the system to be re-keyed easily when keys upstream in the trust chain are lost or compromised. This ability to re-key the system saves the expense of decrypting and encrypting the entire volume again.
Once BitLocker authenticates access to the protected operating system volume, a filter driver in the Windows Vista file system stack encrypts and decrypts disk sectors transparently as data is written to and read from the protected volume. When the computer hibernates, the hibernation file is saved encrypted to the protected volume. When the computer resumes from hibernation, the encrypted hibernation file is decrypted. After BitLocker encrypts the protected volume during setup, the impact on day-to-day system performance for encryption and decryption is typically minimal.
If you temporarily disable BitLocker (for example, to update the BIOS), the operating system volume remains encrypted, but the volume master key will be encrypted with a "clear key" stored unencrypted on the hard disk. The availability of this unencrypted key disables the data protection offered by BitLocker. When BitLocker is re-enabled, the clear key is removed from the disk, the volume master key is re-keyed and encrypted again, and BitLocker protection resumes.
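The key hierarchy of Figure 1 and the clear-key state described above, modelled as an added example (this is not code from the page or from BitLocker itself): a toy SHA-256 stream cipher stands in for AES, the protector keys are opaque byte strings standing in for what the TPM unseals, a startup key or a recovery password, and the names Volume, wrap, unwrap and rekey are this example's own. The point it makes runnable is that rotating the volume master key re-wraps only two small blobs while the encrypted sectors stay untouched, and that a compromised old protector no longer reaches the new FVEK.

```python
import hashlib, hmac, secrets

def stream(key, nonce, data):
    """Toy AES stand-in (SHA-256 in counter mode, XORed over data); for this example only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def wrap(kek, key):
    """Encrypt key under kek; the HMAC tag makes a wrong kek detectable on unwrap."""
    nonce = secrets.token_bytes(16)
    body = nonce + stream(kek, nonce, key)
    return body + hmac.new(kek, body, "sha256").digest()[:16]

def unwrap(kek, blob):
    body, tag = blob[:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(kek, body, "sha256").digest()[:16]):
        raise ValueError("protector key does not unwrap this blob")
    return stream(kek, body[:16], body[16:])

class Volume:
    def __init__(self, protectors):
        self.fvek = secrets.token_bytes(32)  # encrypts the sectors and never changes
        self.sectors = {}
        self.rekey(protectors)

    def rekey(self, protectors):
        """New VMK: only the FVEK blob and the protector set are re-wrapped, never the sectors."""
        self.vmk = secrets.token_bytes(32)
        self.wrapped_fvek = wrap(self.vmk, self.fvek)
        self.protectors = {n: wrap(kek, self.vmk) for n, kek in protectors.items()}

    def write(self, n, data):
        self.sectors[n] = stream(self.fvek, n.to_bytes(16, "big"), data)

    def read(self, n, fvek):
        return stream(fvek, n.to_bytes(16, "big"), self.sectors[n])

    def unlock(self, name, kek):
        """Protector key -> VMK -> FVEK; a wrong PIN, startup or recovery key raises ValueError."""
        return unwrap(unwrap(kek, self.protectors[name]), self.wrapped_fvek)

    def disable(self):
        """Temporarily disabled: the VMK is wrapped under a clear key that sits on disk unencrypted."""
        clear_key = secrets.token_bytes(32)
        self.protectors["clear"] = wrap(clear_key, self.vmk)
        return clear_key
```

Anyone who can read the disk while the "clear" protector exists can run unlock with it, which is exactly why the disabled state offers no protection.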
IT administrators can configure BitLocker locally through the BitLocker setup wizard, or both locally and remotely with the interfaces exposed by the Win32_EncryptableVolume WMI provider of the Windows Vista operating system. Interfaces include management functionality to begin, pause, and resume encryption of the volume and to configure how the volume is protected.
A management script (manage-bde.wsf), which is available with Windows Vista and Windows Server 2008, provides IT administrators with a simple command-line interface to manage and check BitLocker status. This script is written based on the available WMI providers, and can be modified to help build custom solutions for different enterprise administrative needs. For more information about the BitLocker Drive Encryption Provider, see http://go.microsoft.com/fwlink/?LinkId=80600.
Figure 2 shows the overall BitLocker architecture, including its various subcomponents. It displays the user mode and the kernel mode components of BitLocker, including the TPM, and the way they integrate with the different layers of the operating system.
Authentication modes in the boot sequence
BitLocker supports different authentication modes, depending on the computer's hardware capabilities and the desired level of security:
BitLocker with a TPM (no additional authentication factors)
BitLocker with a TPM and a PIN
BitLocker with a TPM and a USB startup key
BitLocker without a TPM (USB startup key required)
BitLocker with a TPM, a USB startup key, and a PIN
Each time Windows Vista starts up with BitLocker enabled, the boot code performs a sequence of steps based on the volume protections set. These steps can include system integrity checks and other authentication steps (PIN or USB startup key) that must be verified before the protected volume is unlocked.
For recovery purposes, BitLocker uses a recovery key (stored on a USB device) or a recovery password (numerical password), as shown in Figure 1. You create the recovery key or recovery password during BitLocker initialization. Inserting the recovery key or typing the recovery password enables an authorized user to regain access to the encrypted volume in the event of an attempted security breach or system failure.
BitLocker searches for keys in the following sequence:
Clear key: System integrity verification has been disabled and the BitLocker volume master key is freely accessible. No authentication is necessary.
Recovery key or startup key (if present): If a recovery key or startup key is present, BitLocker will use that key immediately and will not attempt other means of unlocking the volume.
TPM: The TPM successfully validates early boot components to unseal the volume master key.
TPM + startup key: The TPM successfully validates early boot components and a USB flash drive containing the correct startup key has been inserted.
TPM + PIN: The TPM successfully validates early boot components and the user enters the correct PIN.
TPM + PIN + startup key: The TPM successfully validates early boot components, the user enters the correct PIN, and a USB flash drive containing the correct startup key has been inserted.
Recovery password: The user must enter the correct recovery password.
Recovery key: If none of the above steps successfully unlocks the drive, the user is prompted to insert the USB flash drive that holds the recovery key, and then restart the computer.
Foreign volumes are operating system volumes that were BitLocker-enabled on another computer and have been transferred to a different Windows Vista computer. Transferring a foreign volume to another Windows Vista computer is a quick and straightforward procedure to recover BitLocker-protected data from a broken computer. The only authentication operation available on such a volume is recovery, which requires a recovery key or recovery password. For more information about recovery, see System Recovery.
BitLocker Life Cycle
There are four major stages in the BitLocker life cycle, as shown in Figure 3. Those stages include installation, initialization, daily use, and computer decommissioning or recycling.
Installation: BitLocker is installed as part of Windows Vista or added as an option for Windows Server 2008.
Initialization: BitLocker is initialized and enabled.
Daily use: The computer is used in everyday scenarios. BitLocker provides a level of protection based on the authentication option selected during initialization.
Computer decommissioning and recycling: A BitLocker-enabled computer needs to be decommissioned or recycled.
The following sections describe each of these stages. For a detailed architectural diagram, see Figure 2.
For Windows Vista Enterprise and Windows Vista Ultimate, BitLocker is installed automatically as part of the operating system installation. However, BitLocker is not enabled until it is turned on using the BitLocker control panel.
At any time after installation and initial operating system setup, the system administrator can use the Control Panel in Windows Vista to initialize BitLocker. There are two steps in the initialization process:
On computers that have a TPM, initialize the TPM by using the TPM Initialization Wizard, the BitLocker control panel, or by running a script designed to initialize it. The TPM Initialization Wizard is accessible through the TPM Management Console Wizard, which is started from a link in the BitLocker control panel. Opening the BitLocker control panel will automatically start TPM initialization, if necessary. Remote initialization of the TPM is also supported. Although physical presence is generally required to initialize a computer's TPM, if a computer is shipped with the TPM already turned on, then physical presence is not required. The TPM services component of BitLocker includes a management API that allows scripting the initialization procedures, including setting an owner and creating the TPM administration password.
Set up BitLocker. Access the BitLocker setup wizard from the Windows Vista Control Panel, which guides you through setup and presents advanced authentication options.
When a local administrator initializes BitLocker, the administrator should also create a recovery password or a recovery key. Without a recovery key or recovery password, all data on the encrypted drive may be inaccessible and unrecoverable if there is a problem with the operating system volume.
BitLocker and TPM initialization must be performed by a member of the local Administrators group on the computer. A non-administrator user benefits from BitLocker data protection, but cannot enable or disable it.
For detailed information about configuring and deploying BitLocker on Windows Vista, see Windows BitLocker Drive Encryption Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkID=53779).
Once BitLocker has been initialized and the volume encrypted, a user encounters it only during authentication and occasional administrative tasks.
BitLocker supports four different authentication modes, depending on the computer's hardware capabilities and the desired level of security:
BitLocker with a TPM
BitLocker with a TPM and a PIN
BitLocker with a TPM and a USB startup key
BitLocker without a TPM (USB startup key required)
BitLocker-enabled computers that rely solely on a TPM for authentication, with no additional BitLocker authentication factors, can be used just like any other computer. Users start Windows and are prompted for their user name and password, which is a normal logon experience. Unless informed about BitLocker, users are likely unaware that their computers include an extra level of data protection.
If BitLocker is configured for enhanced security, the user is required to enter a PIN or insert a USB startup key in order to start Windows Vista. In this case, the normal startup flow or resume flow is modified to prompt for the additional authentication factor.
For detailed information about BitLocker authentication modes, see Windows BitLocker Drive Encryption Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkID=53779).
In this scenario, BitLocker is enabled on a computer that has a TPM, but no additional authentication factors have been enabled. The hard disk is partitioned with two volumes:
The system volume
The Windows Vista operating system volume
As shown in Figure 4, BitLocker encrypts the operating system volume with a full volume encryption key. This key is itself encrypted with the volume master key, which, in turn, is encrypted by the TPM.
When a local administrator turns on BitLocker, the administrator should also create a recovery password or a recovery key. Without a recovery key or recovery password, all data on the encrypted drive might be inaccessible and unrecoverable if there is a problem with the operating system volume.
This scenario can be enabled or disabled by the local administrator using the Security item in Control Panel in Windows Vista. Turning BitLocker off decrypts the volume and removes all keys. New keys are created once BitLocker is turned back on at a later time.
Enhanced authentication scenarios
These scenarios add additional authentication factors to the basic scenario described previously. As shown in Figure 5, using BitLocker on a computer that has a TPM offers two multifactor authentication options:
The TPM plus a PIN (system integrity check plus something the user knows)
The TPM plus a startup key stored on a USB flash drive (system integrity check plus something the user has)
The advantage of these scenarios is that not all key material is stored on the local computer.
In this scenario, the administrator sets up a numeric PIN during BitLocker initialization. BitLocker hashes the PIN using SHA-256 and the first 160 bits of the hash are used as authorization data sent to the TPM to seal the volume master key. The volume master key is now protected by both the TPM and the PIN. To unseal the volume master key, the user will be required to enter the PIN each time the computer starts up or resumes from hibernation.
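The TPM integrity check described earlier (early boot measurements extended into a PCR, the volume master key sealed to the resulting value) combined with the PIN authorization data just described, as an added example rather than code from the page or from Windows: SimTpm, provision and boot are this example's own names, the boot components and VMK are constructed sample values, and the UTF-16-LE encoding of the PIN is an assumption the page does not state. It also shows the branch in the key search sequence where a failed TPM validation leaves only recovery: a None result is where BitLocker would enter recovery mode.

```python
import hashlib, hmac

class SimTpm:
    """Minimal TPM model for this example: one PCR and sealed blobs held inside the TPM."""
    def __init__(self):
        self.pcr = bytes(32)          # a PCR starts at zero on every power-on
        self.sealed = {}              # handle -> (PCR value at seal time, authdata, secret)

    def extend(self, component):
        """PCR_new = SHA-256(PCR_old || SHA-256(component)): order-dependent and irreversible."""
        self.pcr = hashlib.sha256(self.pcr + hashlib.sha256(component).digest()).digest()

    def seal(self, secret, authdata=b""):
        handle = len(self.sealed)
        self.sealed[handle] = (self.pcr, authdata, secret)
        return handle

    def unseal(self, handle, authdata=b""):
        """Release the secret only if the current PCR equals the sealed value and authdata matches."""
        entry = self.sealed.get(handle)   # a different TPM (disk moved) holds no such blob
        if entry is None or not hmac.compare_digest(entry[0], self.pcr):
            return None
        return entry[2] if hmac.compare_digest(entry[1], authdata) else None

def pin_authdata(pin):
    """SHA-256 of the PIN, first 160 bits, as the page states; UTF-16-LE is an assumption."""
    return hashlib.sha256(pin.encode("utf-16-le")).digest()[:20]

# Constructed sample boot chain and volume master key (not real measurements).
GOOD_BOOT = [b"BIOS v1.0", b"MBR boot code", b"bootmgr"]
VMK = bytes(range(32))

def provision(pin=None):
    """Measure the known-good chain, then seal the VMK (with PIN authdata) to that PCR value."""
    tpm = SimTpm()
    for component in GOOD_BOOT:
        tpm.extend(component)
    auth = pin_authdata(pin) if pin is not None else b""
    return tpm, tpm.seal(VMK, auth)

def boot(tpm, components, handle, pin=None):
    """Power on, replay the measurements, then try to unseal; None is where recovery mode begins."""
    tpm.pcr = bytes(32)
    for component in components:
        tpm.extend(component)
    auth = pin_authdata(pin) if pin is not None else b""
    return tpm.unseal(handle, auth)
```

A changed BIOS or MBR, a reordered chain, a wrong PIN, or a different TPM all produce None from the same sealed blob, which is the behaviour the integrity check is meant to give.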
For server implementations, it might not be desirable to enable PIN authentication where startup speed is a factor or where human intervention in case of a restart is not possible.
Startup key authentication
In this scenario, the administrator creates a startup key during BitLocker initialization. The key is stored on any BIOS-enumerated storage device such as a pluggable USB flash drive, and the user must insert that device in the computer each time the computer starts up or resumes from hibernation. While the USB flash drive holding the startup key must be plugged into the computer from power up through startup, it should be removed after Windows is loaded.
Startup key-only scenario (no TPM)
In this scenario, the administrator enables BitLocker on a computer that does not contain a TPM. The computer user must insert the USB flash drive containing a startup key each time the computer starts or resumes from hibernation.
The security profile of a system using a startup key-only scenario will be different from the security profile of a system using a TPM; the integrity of the early boot components will not be validated on the non-TPM system.
The startup key for a non-TPM computer must be created during BitLocker initialization, either through the BitLocker setup wizard or through scripting. BitLocker generates the startup key, the user inserts a USB flash drive, and the system stores the startup key on that device.
Using the BitLocker Control Panel item, the user can create a backup copy of the startup key. The startup key is saved unencrypted, in a ".bek" file as raw binary data. In the case of a lost startup key, the volume must be recovered by using the recovery key or the recovery password and a new startup key must be generated (this process will revoke the original startup key). All other volumes also using the lost startup key must go through a similar procedure, to ensure that the lost startup key is not used by an unauthorized user.