BitLocker Drive Encryption
From Wikipedia, the free encyclopedia
BitLocker Drive Encryption is a data protection feature integrated into Microsoft's Windows Vista operating system that provides encryption for the entire OS volume. BitLocker is included in the Enterprise and Ultimate editions of Vista.[1]
Overview
BitLocker provides three modes of operation.[2] The first two modes require a cryptographic hardware chip called a Trusted Platform Module (version 1.2 or later) and a compatible BIOS:
- Transparent operation mode: This mode leverages the capabilities of the TPM 1.2 hardware to provide a transparent user experience – the user logs on to Windows Vista as normal. The key used for the disk encryption is sealed (encrypted) by the TPM chip and will only be released to the OS loader code if the early boot files appear to be unmodified. The pre-O/S components of BitLocker achieve this by implementing a Static Root of Trust Measurement – a methodology specified by the Trusted Computing Group.
- User authentication mode: This mode requires that the user provide some authentication to the pre-boot environment in order to be able to boot the O/S. Two authentication modes are supported – a pre-boot PIN entered by the user or a USB device inserted that contains the required startup key.
The final mode does not require a TPM chip:
- USB-Key: The user must insert a USB device that contains a startup key into the computer to be able to boot the protected O/S. Note that this mode requires that the BIOS on the protected machine supports the reading of USB devices in the pre-O/S environment.
In order for BitLocker to operate, the hard disk requires at least two NTFS-formatted volumes: a "system volume" with a minimum size of 1.5GB, and the "boot volume" which contains Windows Vista. Unlike previous versions of Windows, Vista's diskpart command-line tool includes the ability to shrink the size of an NTFS volume so that the system volume for BitLocker can be created.
On client versions of Vista, only the operating system volume can be encrypted with BitLocker. Encrypting File System continues to be the recommended solution for real-time encryption of data on an NTFS partition. At WinHEC 2006, Microsoft demonstrated "Longhorn" Server which contained support for BitLocker protected data volumes in addition to the operating system volume protection.
In domain environments, BitLocker supports key escrow to Active Directory, as well as a WMI interface for remote administration of the feature. An example of how to use the WMI interface is the script manage-bde.wsf, which can be used to set up and manage BitLocker from the command line.
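As an added example (not taken from the article or from Microsoft's manage-bde.wsf), the following Windows PowerShell script audits BitLocker state through the same WMI provider: it reports each volume's protection status and which key protector types are present, and warns when a protected volume has no recovery password protector, since the recovery password is what BitLocker escrows to Active Directory. It assumes an elevated session on a Windows edition that ships the Win32_EncryptableVolume class; the numeric codes are those documented for GetProtectionStatus and GetKeyProtectorType.

```powershell
# Added example: audit BitLocker volumes via the Win32_EncryptableVolume WMI class.
$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# KeyProtectorType values returned by GetKeyProtectorType
$protectorNames = @{
    0 = 'Unknown'
    1 = 'TPM'
    2 = 'External key (USB startup key)'
    3 = 'Numerical password (recovery password)'
    4 = 'TPM and PIN'
    5 = 'TPM and startup key'
    6 = 'TPM, PIN and startup key'
    7 = 'Public key'
    8 = 'Passphrase'
}

foreach ($vol in Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume) {
    # GetProtectionStatus: 0 = unprotected, 1 = protected, 2 = unknown
    $status = [int]$vol.GetProtectionStatus().ProtectionStatus
    $statusName = @('OFF', 'ON', 'UNKNOWN')[$status]
    Write-Host ("{0} {1}: protection {2}" -f $vol.DriveLetter, $vol.DeviceID, $statusName)

    # Passing 0 to GetKeyProtectors requests protectors of every type
    $ids = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID)
    $types = @()
    foreach ($id in $ids) {
        $t = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
        $types += $protectorNames[$t]
        Write-Host ("    protector {0}: {1}" -f $id, $protectorNames[$t])
    }

    # A volume sealed only to the TPM (transparent mode) cannot be unlocked if
    # the measured boot components change, so check that a recovery password
    # exists; that is the protector escrowed to Active Directory in a domain.
    if ($status -eq 1 -and $types -notcontains $protectorNames[3]) {
        Write-Warning ("{0}: protected but has no recovery password protector" -f $vol.DriveLetter)
    }
}
```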
According to Microsoft,[3] BitLocker does not contain a backdoor; there is no way for law enforcement to have guaranteed passage to the data on your drives. This has been one of the main concerns among power users since the announcement of built-in encryption in Vista.
References
- [1] BitLocker Drive Encryption: Executive Overview. Microsoft (2006-04-05). Retrieved on 2006-07-01.
- [2] Windows Vista Beta 2 BitLocker Drive Encryption Step-by-Step Guide. Microsoft TechNet. Microsoft. Retrieved on 2006-04-29.
- [3] Back-door nonsense. System Integrity Team Blog. Microsoft. Retrieved on 2006-06-19.
See also
- Disk encryption
- Full disk encryption
- Disk encryption software
- Features new to Windows Vista
- List of Microsoft Windows components
- Vista IO technologies
External links
- AES-CBC + Elephant diffuser: specification of the encryption algorithm used in BitLocker Drive Encryption