What is BitLocker
Data on a lost or stolen computer can become vulnerable to unauthorized access when a user either runs a software attack tool against it or transfers the computer’s hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing Windows file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled.
BitLocker Drive Encryption performs two functions that provide both offline data protection and system integrity verification:
* Encrypts all data stored on the Windows operating system volume (and configured data volumes). This includes the Windows operating system, hibernation and paging files, applications, and data used by applications.
* Also provides umbrella protection for non-Microsoft applications, which benefit automatically when they are installed on the encrypted volume.
* Is configured by default to use a Trusted Platform Module (TPM) to help ensure the integrity of early startup components (components used in the earlier stages of the startup process), and "locks" any BitLocker-protected volumes so that they remain protected even if the computer is tampered with while the operating system is not running.
System integrity verification
BitLocker uses the TPM to verify the integrity of the startup process by:
* Providing a method to check that early boot file integrity has been maintained, and to help ensure that there has been no adverse modification of those files, such as by boot sector viruses or rootkits.
* Enhancing protection to mitigate offline software-based attacks. Any alternative software that might start the system does not have access to the decryption keys for the Windows operating system volume.
* Locking the system when tampered with. If any monitored files have been tampered with, the system does not start. This alerts the user to the tampering since the system fails to start as usual. In the event that system lockout occurs, BitLocker offers a simple recovery process.
In conjunction with the TPM, BitLocker verifies the integrity of early startup components, which helps prevent additional offline attacks, such as attempts to insert malicious code into those components. This verification is important because the components in the earliest part of the startup process must be available unencrypted so that the computer can start.
Without such verification, an attacker could change the code in those early startup components and then gain access to the computer, even though the data on the disk was encrypted. If the attacker then obtained confidential information such as the BitLocker keys or user passwords, BitLocker and other Windows security protections could be circumvented.
BitLocker in Windows 7
The core functionality in Windows 7 BitLocker has been enhanced to provide a better experience for IT professionals and for end users, from simple enhancements like the ability to right-click a drive to enable BitLocker protection to the automatic creation of the required hidden boot partition.
For customers who deployed Windows Vista, BitLocker required a two partition disk configuration. Repartitioning the operating system (OS) drive to enable BitLocker protection was more cumbersome than it needed to be. This problem has been addressed with two enhancements found in Windows 7. First, by default during Windows 7 setup, users will get a separate active system partition, which is required for BitLocker to work on OS drives. This eliminates a second step that was required in many environments. In addition, you can partition a drive for BitLocker as part of BitLocker setup if you do not already have a separate system partition.
Additionally, BitLocker Drive Encryption technology in Windows 7 is extended from operating system drives and fixed data drives to include removable storage devices such as portable hard drives and USB flash drives. This enables you to take your protected data with you when traveling and use it with any computer that is running Windows 7.
Using BitLocker To Go with removable drives
When a laptop is lost or stolen, the loss of data typically has more impact than the loss of the computer asset. As more people use removable storage devices, they can lose data without losing a PC. BitLocker To Go provides enhanced protection against data theft and exposure by extending BitLocker drive encryption support to removable storage devices such as USB flash drives, and it is manageable through Group Policy.
In Windows 7, users can encrypt their removable media by opening Windows Explorer, right-clicking the drive, and clicking Turn On BitLocker. They will then be asked to choose a method to unlock the drive. These options include:
* Password: a combination of letters, symbols, and numbers that the user enters to unlock the drive.
* Smart card: in most cases, a smart card is issued by your organization, and the user enters a smart card PIN to unlock the drive.
After choosing the unlock methods, users will be asked to print or save their recovery password. This is a 48-digit password that can also be stored in Active Directory Domain Services and used if other unlock methods fail (for example, when a password is forgotten). Finally, users will be asked to confirm their unlock selections and to begin encryption.
When you insert a BitLocker-protected drive into your computer, Windows will automatically detect that the drive is encrypted and prompt you to unlock it.
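The 48-digit recovery password described above has a documented structure that a help desk can check before a user types it into the recovery screen: eight groups of six digits, each group divisible by 11 and below 720896 (so that group ÷ 11 is a 16-bit value and the eight groups encode 128 bits). The validator below is an added example, not part of the original article or of Windows; the format rules come from Microsoft's BitLocker documentation rather than from this page, and the sample passwords are constructed values, not real recovery passwords.

```python
import re

# Format rules for a BitLocker 48-digit numerical recovery password
# (Microsoft's documented format; these constants are not taken from the article):
# eight groups of six digits, each group divisible by 11 and below 720896,
# so that group // 11 fits in 16 bits and the eight groups encode 128 bits.
GROUP_COUNT = 8
GROUP_LEN = 6
GROUP_LIMIT = 720896  # 11 * 2**16


def normalise(text):
    """Strip the hyphens and whitespace a user typically types or prints."""
    return re.sub(r"[\s-]", "", text)


def check_recovery_password(text):
    """Return (ok, problems) for a transcribed recovery password.

    problems lists every format violation found and names the offending
    group, so an operator knows which six-digit block to re-read.
    """
    digits = normalise(text)
    problems = []
    if not digits.isdigit() or len(digits) != GROUP_COUNT * GROUP_LEN:
        problems.append(f"expected {GROUP_COUNT * GROUP_LEN} digits, got {len(digits)} characters")
        return False, problems
    groups = [digits[i:i + GROUP_LEN] for i in range(0, len(digits), GROUP_LEN)]
    for index, group in enumerate(groups, start=1):
        value = int(group)
        if value % 11 != 0:
            problems.append(f"group {index} ({group}) is not divisible by 11")
        if value >= GROUP_LIMIT:
            problems.append(f"group {index} ({group}) is not below {GROUP_LIMIT}")
    return not problems, problems


def recovery_words(text):
    """Decode a valid password into its eight 16-bit values (group // 11)."""
    ok, problems = check_recovery_password(text)
    if not ok:
        raise ValueError("; ".join(problems))
    digits = normalise(text)
    return [int(digits[i:i + GROUP_LEN]) // 11 for i in range(0, len(digits), GROUP_LEN)]


# Constructed sample values (not real recovery passwords).
VALID_SAMPLE = "135795-597531-720885-000011-000000-109989-330000-456643"
BAD_SAMPLE = "135795-597531-720896-000011-000000-123456-330000-456643"

if __name__ == "__main__":
    print(check_recovery_password(VALID_SAMPLE))
    print(check_recovery_password(BAD_SAMPLE))
```

A password that passes this check is not thereby known to be correct for the drive; the check only catches transcription errors before the user enters recovery mode.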
Comparing BitLocker and EFS
The following table compares BitLocker and EFS encryption functionality.
| BitLocker functionality | EFS functionality |
|---|---|
| Encrypts volumes (the entire operating system volume, including Windows system files and the hibernation file) | Encrypts files |
| Does not require user certificates | Requires user certificates |
| Protects the operating system from modification | Does not protect the operating system from modification |
Question: BitLocker provides full volume encryption. What does this mean?
Answer: Full volume encryption means:
1) the entire Windows operating system volume can be encrypted, and
2) fixed data volumes can be encrypted (with the requirement that the OS volume is also encrypted).