Chapter 14. TPM and BitLocker Drive Encryption

Working with trusted platforms

Managing TPM

Introducing BitLocker Drive Encryption

Using hardware encryption, secure boot, and Network Unlock

Deploying BitLocker Drive Encryption

Setting up and managing BitLocker Drive Encryption

Many of the security features built into the Microsoft Windows operating system are designed to protect a computer from attacks by individuals accessing the computer over the network or from the Internet. But what about when individuals have direct physical access to a computer? Then many of the Windows security safeguards don’t apply. For example, if someone can boot a computer—even if it is to another operating system that person has installed—he or she could gain access to any data stored on the computer, perhaps even your organization’s most sensitive data. To protect a computer from individuals who have direct access to it, current Windows and Windows Server operating systems include the Trusted Platform Module Services architecture and BitLocker Drive Encryption. Together, these features help protect a computer from many types of attacks by individuals who have direct access to it.

Working with trusted platforms

Current Windows and Windows Server operating systems include the Encrypting File System (EFS) for encrypting files and folders. Using EFS, users can protect sensitive data so that it can be accessed only by using their public key certificate. Encryption certificates are stored as part of the data in a user’s profile. As long as users have access to their profiles and the encryption keys they contain, they can access their encrypted files.

Although EFS offers excellent protection for your data, it doesn’t necessarily safeguard the computer from attack by someone who has direct physical access. When a computer is lost or stolen, or an attacker can log on to it, EFS might not protect the data because the attacker might be able to gain access to the computer before it boots. He could then access the computer from another operating system and change the computer’s configuration. He might then be able to hack into a logon account on the original operating system so that he can log on as the user, or configure the computer so that he can log on as a local administrator. If he can do this without having to reset the password of the user or the administrator who encrypted the files, the attacker could eventually gain full access to the computer and its encrypted data.

To seal a computer from physical attack and wrap it in an additional layer of protection, current Windows and Windows Server operating systems include the Trusted Platform Module (TPM) Services architecture. TPM Services protect a computer by using a dedicated hardware component called a TPM, a microchip that is usually installed on the motherboard of a computer where it communicates with the rest of the system using a hardware bus. Computers can use a TPM to provide enhanced protection for data, to ensure early validation of the boot file’s integrity, and to guarantee that a disk has not been tampered with while the operating system was offline.

A TPM can create cryptographic keys and encrypt them so that they can be decrypted only by the TPM. This process, referred to as wrapping or binding, protects the key from disclosure. A TPM has a master wrapping key called the Storage Root Key (SRK); it’s stored within the TPM itself to ensure that the private portion of the key is secure.

Computers that have a TPM can create a key that has been not only wrapped but also sealed. The process of sealing the key ensures that the key is tied to specific platform measurements and can be unwrapped only when those platform measurements have the same values they had when the key was created. This is what gives TPM-equipped computers increased resistance to attack.

Because TPM stores private portions of key pairs separately from memory controlled by the operating system, keys can be sealed to the TPM to provide absolute assurances about the state of a system and its trustworthiness. TPM keys are unsealed only when the integrity of the system is intact. Further, because the TPM uses its own internal firmware and logical circuits for processing instructions, it does not rely on the operating system and is not subject to external software vulnerabilities.

The TPM can also be used to seal and unseal data that is generated outside the TPM, and this is where the true power of the TPM lies. In current Windows and Windows Server operating systems, the feature that accesses the TPM and uses it to seal a computer is called BitLocker Drive Encryption. Although BitLocker Drive Encryption can be used in both TPM and non-TPM configurations, the most secure method is to use TPM.

When you use BitLocker Drive Encryption and a TPM to seal the boot manager and boot files of a computer, the boot manager and boot files can be unsealed only if they are unchanged since they were last sealed. This means you can use the TPM to validate a computer’s boot files in the pre-operating system environment. When you seal a hard disk by using a TPM, the hard disk can be unsealed only if the data on the disk is unchanged since it was last sealed. This guarantees that a disk has not been tampered with while the operating system was offline.
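The sealing idea in the preceding paragraphs can be made concrete with a small software model. The PowerShell script below is an added example, not code from this book or from Windows: it simulates a Platform Configuration Register (PCR) that accumulates boot-component measurements, wraps a volume key under a key derived from a stand-in SRK and the expected PCR value, and shows that the key is released only when the measured boot chain is unchanged. The function names (Measure-BootChain, Protect-SealedKey, Unprotect-SealedKey), the SRK bytes and the "measurements" are all constructed for the illustration; a real TPM performs these steps inside the chip, and TPM 1.2 uses SHA-1 PCRs where SHA-256 is used here for simplicity.

```powershell
# Added example (not the book's code): a software model of sealing a key to
# platform measurements. Nothing here talks to a real TPM; the SRK, the volume
# key and the boot-component "measurements" are constructed for the demo.

function Invoke-PcrExtend {
    # Models PCR extension: PCR_new = SHA-256(PCR_old || SHA-256(component)).
    # A PCR cannot be written directly, only extended, so the final value
    # depends on every component measured and on the order of measurement.
    param([byte[]]$Pcr, [string]$Component)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $digest = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Component))
        return [byte[]]$sha.ComputeHash([byte[]]($Pcr + $digest))
    } finally { $sha.Dispose() }
}

function Measure-BootChain {
    # Starts from the all-zero reset value and extends the PCR with each boot
    # component in turn, as firmware and the boot manager would.
    param([string[]]$Components)
    $pcr = New-Object byte[] 32
    foreach ($c in $Components) { $pcr = Invoke-PcrExtend -Pcr $pcr -Component $c }
    return $pcr
}

function Test-BytesEqual {
    param([byte[]]$A, [byte[]]$B)
    if ($null -eq $A -or $null -eq $B) { return $false }
    return [System.BitConverter]::ToString($A) -eq [System.BitConverter]::ToString($B)
}

function Get-WrapKey {
    # Derives the wrapping key from the SRK secret and the expected PCR value, so
    # only a TPM holding that SRK and seeing that PCR can reproduce the wrap.
    param([byte[]]$Srk, [byte[]]$Pcr)
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,$Srk)
    try { return [byte[]]$hmac.ComputeHash($Pcr) } finally { $hmac.Dispose() }
}

function Protect-SealedKey {
    # "Seal": wrap a 32-byte volume key under the PCR-bound wrapping key and
    # record the PCR value (the policy) the key is tied to.
    param([byte[]]$Srk, [byte[]]$ExpectedPcr, [byte[]]$VolumeKey)
    $wrap = Get-WrapKey -Srk $Srk -Pcr $ExpectedPcr
    $blob = [byte[]](0..31 | ForEach-Object { $VolumeKey[$_] -bxor $wrap[$_] })
    return [pscustomobject]@{ PolicyPcr = $ExpectedPcr; Blob = $blob }
}

function Unprotect-SealedKey {
    # "Unseal": release the key only when the current PCR equals the sealed policy.
    # Returning $null is the point at which BitLocker would enter Recovery mode.
    param([byte[]]$Srk, $Sealed, [byte[]]$CurrentPcr)
    if (-not (Test-BytesEqual $CurrentPcr $Sealed.PolicyPcr)) { return $null }
    $wrap = Get-WrapKey -Srk $Srk -Pcr $CurrentPcr
    return [byte[]](0..31 | ForEach-Object { $Sealed.Blob[$_] -bxor $wrap[$_] })
}

# --- Demo with constructed values ---
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$srk = New-Object byte[] 32; $rng.GetBytes($srk)              # stand-in for the Storage Root Key
$volumeKey = New-Object byte[] 32; $rng.GetBytes($volumeKey)  # the key BitLocker needs at boot

$trustedChain = 'firmware 1.0', 'bootmgr 6.3', 'BCD store', 'winload.exe 6.3'
$sealed = Protect-SealedKey -Srk $srk -ExpectedPcr (Measure-BootChain $trustedChain) -VolumeKey $volumeKey

# 1. Unchanged boot chain: the same PCR value is reproduced and the key is released.
$released = Unprotect-SealedKey -Srk $srk -Sealed $sealed -CurrentPcr (Measure-BootChain $trustedChain)
"Unchanged chain -> key released and correct: $(Test-BytesEqual $released $volumeKey)"

# 2. One component modified while the OS was offline: the PCR differs, so nothing is unsealed.
$tamperedChain = 'firmware 1.0', 'bootmgr 6.3 (modified)', 'BCD store', 'winload.exe 6.3'
$denied = Unprotect-SealedKey -Srk $srk -Sealed $sealed -CurrentPcr (Measure-BootChain $tamperedChain)
"Modified chain -> key released: $($null -ne $denied)  (BitLocker would prompt for the recovery key)"
```

The model captures the two properties the text relies on: the PCR value is a function of every measured component in order, so an offline change anywhere in the chain shows up at unseal time, and the wrapping key is derived from a secret that never leaves the (simulated) TPM, so the blob on disk is useless without both the SRK and the matching measurements.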

When you use BitLocker Drive Encryption and do not use a TPM to seal the boot manager and boot files of a computer, the TPM cannot be used to validate a computer’s boot files in the pre-operating system environment. This means there is no way to guarantee the integrity of the boot manager and boot files of a computer.

Managing TPM

A computer must be equipped with a compatible TPM and compatible firmware to take advantage of the TPM. Current Windows and Windows Server operating systems support TPM version 1.2 and require Trusted Computing Group (TCG)–compliant firmware. Firmware that is TCG-compliant supports the Static Root of Trust Measurement as defined by the Trusted Computing Group. In some configurations of TPM and BitLocker Drive Encryption, you also need to make sure the firmware supports reading USB flash drives at startup.

Understanding TPM states and tools

The TPM Services architecture provides the basic features required to configure and deploy TPM-equipped computers. This architecture can be extended with a feature called BitLocker Drive Encryption, which is discussed in “Introducing BitLocker Drive Encryption” later in this chapter.

Before you can use TPM, you must turn the TPM on in firmware and initialize the TPM for first use in software. As part of the initialization process, you set the owner password on the TPM. After it is enabled, you can manage the TPM configuration.

In some cases, computers that have a TPM might ship with it turned off. If so, you must turn the TPM on in firmware. With one of my computers, I needed to do the following:

  1. Start the computer and then press F2 during startup to access the firmware. In the firmware, I opened the Advanced screen and then the Peripheral Configuration screen.

  2. On the Peripheral Configuration screen, Trusted Platform Module was listed as an option. After scrolling down to highlight this option, I pressed Enter to display an options menu. From the menu, I chose Enable and then pressed Enter.

  3. To save the changes to the setting and exit the firmware, I pressed F10. When prompted to confirm that I wanted to exit, I pressed Y, and the computer then rebooted.

Next, you need to initialize and prepare the TPM for first use in software. As part of this process, you take ownership of the TPM, which sets the owner password on the TPM. After the TPM is enabled, you can manage its configuration. Several tools for working with the TPM are available:

  • Trusted Platform Module Management. An MMC console for configuring and managing the TPM. You can access this tool by typing tpm.msc in the Apps Search box and then pressing Enter.

  • Manage The TPM Security Hardware. A wizard for creating the required TPM owner password. You can access this tool by typing tpminit in the Apps Search box and then pressing Enter.

When you are working with Trusted Platform Module Management, you can determine the exact state of the TPM. If you try to start Trusted Platform Module Management without turning the TPM on, you see an error like the one shown in Figure 14-1.

Figure 14-1. An error occurs when you start Trusted Platform Module Management without turning the TPM on.

Similarly, if you try to run Manage The TPM Security Hardware without turning the TPM on, you see an error like the one shown in Figure 14-2.

Figure 14-2. An error occurs when you try to run the Manage The TPM Security Hardware Wizard without turning the TPM on.

Important

To perform TPM management tasks on a local computer, you must be a member of the local computer’s Administrators group or be logged on as the local computer administrator. In addition, access to the Trusted Platform Module Management console can be restricted in Group Policy. If you are unable to open the console, check whether a Group Policy Object (GPO) being processed includes Management Console restrictions. Related policies are found in the Administrative Templates for User Configuration under Windows Components\Microsoft Management Console.

Only when you’ve turned on the TPM in firmware can you access and work with the TPM tools. When you are working with the Trusted Platform Module Management console, shown in Figure 14-3, you should note the TPM status and the TPM manufacturer information. The TPM status indicates the state of the TPM. The TPM manufacturer information shows whether the TPM supports specification version 1.2 or 2.0. Support for TPM version 1.2 or later is required.

Figure 14-3. Use the Trusted Platform Module Management console to initialize and manage the TPM.

Although earlier releases of Windows showed the exact TPM state as listed in Table 14-1, Windows 8.1 and Windows Server 2012 R2 normally show a status of either “The TPM is ready for use” or “The TPM is not ready for use.” If the TPM is ready for use, the TPM is on, and ownership has been taken.

Table 14-1. TPM status indicators and their meaning

  • Status indicator: The TPM is on, and ownership has not been taken.
    Meaning: The TPM is turned on in firmware, but it hasn’t been initialized yet.

  • Status indicator: The TPM is on, and ownership has been taken.
    Meaning: The TPM is turned on in firmware, and it has been initialized.

  • Status indicator: The TPM is off, and ownership has not been taken.
    Meaning: The TPM is turned off in software, and it hasn’t been initialized yet.

Managing TPM owner authorization information

Windows 8.1 and Windows Server 2012 R2 include fundamental changes in the way the TPM is used. One of these changes is the ability to set the level of authorization information stored in the registry as any of the following:

  • Full. The full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob are stored in the registry. This setting allows a TPM to be used without requiring remote or external storage of the TPM owner authorization. Note that TPM-based applications that were designed for earlier versions of Windows or that rely on TPM anti-hammering logic might not support full TPM owner authorization in the registry.

  • Delegated. Only the TPM administrative delegation blob and the TPM user delegation blob are stored in the registry. This level is appropriate for TPM-based applications that rely on TPM anti-hammering logic. When you use this setting, Microsoft recommends storing the TPM owner authorization remotely or externally.

  • None. No TPM owner authorization information is stored in the registry. Use this setting for compatibility with earlier releases of Windows and for applications that require external or remote storage of the TPM owner authorization. When you use this setting, remote or external storage of the TPM owner authorization is required, just as it was in earlier releases of Windows.

You set the level of authorization information stored in the registry by using the Configure The Level Of TPM Owner Authorization Information Available To The Operating System policy. You can find this policy in the Administrative Templates policies for Computer Configuration under System\Trusted Platform Module Services. Keep in mind that if you change the policy setting from Full to Delegated or vice versa, the full TPM owner authorization value is regenerated, and any copies of the original TPM value become invalid. Note also that when this policy is set to Delegated or None, you are prompted for the TPM owner password before you can perform most TPM administration tasks. Figure 14-4 shows an example.

Figure 14-4. Supply the TPM owner password if prompted for one.

With earlier releases of Windows, Microsoft recommended remotely storing the TPM owner authorization in Active Directory for domain-joined computers, which could be accomplished by enabling the Turn On TPM Backup To Active Directory Domain Services policy, extending the schema for the directory, and setting the appropriate access controls.

Enabling backup to Active Directory changes the default way TPM owner information is stored. Specifically, when Turn On TPM Backup To Active Directory Domain Services is enabled and Configure The Level Of TPM Owner Authorization Information Available To The Operating System is disabled or not configured, only the TPM administrative delegation blob and the TPM user delegation blob are stored in the registry. Here, to store the full TPM owner information, you must use the Enabled setting of Full (or disable the Active Directory backup of the TPM owner authorization).

You find the following related policies under System\Trusted Platform Module Services:

  • Ignore The Default List Of Blocked TPM Commands

  • Ignore The Local List Of Blocked TPM Commands

  • Standard User Lockout Duration

  • Standard User Individual Lockout Threshold

  • Standard User Total Lockout Threshold

  • Configure the List of Blocked TPM Commands

These policies control the way command block lists are used and when lockout is triggered after multiple failed authorization attempts. An administrator can fully reset all lockout-related parameters in the Trusted Platform Module Management console. On the Action menu, tap or click Reset TPM Lockout. When the full TPM owner authorization is stored in the registry, you don’t need to provide the TPM owner password. Otherwise, follow the prompts to provide the owner password or select the file containing the TPM owner password.
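The console and wizard described in this section have a PowerShell counterpart in the TrustedPlatformModule module (Get-Tpm, Unblock-Tpm). The script below is an added example, not code from this book or from Microsoft: it reports the local TPM state in the wording of Table 14-1, compares the owner-authorization level the operating system reports with the level set by the Configure The Level Of TPM Owner Authorization Information Available To The Operating System policy, and reports lockout. It assumes Windows 8.1 or Windows Server 2012 R2, an elevated session, and that the policy writes the value OSManagedAuthLevel (0 = None, 2 = Delegated, 4 = Full) under HKLM\SOFTWARE\Policies\Microsoft\TPM; that registry mapping is my understanding of the ADMX template, so verify it against your template before relying on it. Get-TpmHealthReport and Get-TpmAuthPolicyLevel are names chosen for this example.

```powershell
# Added example (not the book's code): summarize TPM readiness, owner-authorization
# level and lockout using Get-Tpm. Requires the TrustedPlatformModule module
# (Windows 8.1 / Server 2012 R2) and an elevated session.

# Registry location the policy writes to and its value mapping: an assumption
# based on the ADMX template; verify before relying on it.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
$AuthLevels = @{ 0 = 'None'; 2 = 'Delegated'; 4 = 'Full' }

function Get-TpmAuthPolicyLevel {
    # Returns the configured level, or 'Not configured' when the policy is absent.
    $item = Get-ItemProperty -Path $PolicyKey -Name OSManagedAuthLevel -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not configured' }
    $v = [int]$item.OSManagedAuthLevel
    if ($AuthLevels.ContainsKey($v)) { return $AuthLevels[$v] }
    return "Unknown ($v)"
}

function Get-TpmHealthReport {
    [CmdletBinding()]
    param()
    try { $tpm = Get-Tpm -ErrorAction Stop }
    catch {
        # Same condition as the error in Figure 14-1: Windows sees no usable TPM.
        return [pscustomobject]@{
            State  = 'No compatible TPM found, or the TPM is turned off in firmware'
            Detail = $_.Exception.Message
        }
    }

    # Table 14-1 wording. TpmReady is true only when the TPM is on and owned and
    # Windows can use it, so "on, not owned" and "owned, no owner auth" both land
    # in the second branch.
    $state = if (-not $tpm.TpmPresent) { 'The TPM is off, and ownership has not been taken.' }
             elseif ($tpm.TpmReady)    { 'The TPM is on, and ownership has been taken.' }
             else                      { 'The TPM is on, and ownership has not been taken.' }

    $osLevel        = "$($tpm.ManagedAuthLevel)"
    $policyLevel    = Get-TpmAuthPolicyLevel
    $ownerAuthLocal = -not [string]::IsNullOrEmpty($tpm.OwnerAuth)
    $findings       = @()

    if ($osLevel -ne 'Full' -and -not $ownerAuthLocal) {
        $findings += "Owner authorization level is '$osLevel': the owner password is not held locally, so keep the .tpm backup file or the AD DS backup available for TPM administration."
    }
    if ($policyLevel -ne 'Not configured' -and $osLevel -ne $policyLevel) {
        $findings += "Policy sets '$policyLevel' but the OS reports '$osLevel'; a change between Full and Delegated regenerates the owner authorization, so refresh backups after the policy applies."
    }
    if ($tpm.LockedOut) {
        $findings += 'TPM is in lockout after failed authorization attempts; an administrator can clear it with Reset TPM Lockout in tpm.msc or with Unblock-Tpm (owner authorization required).'
    }

    [pscustomobject]@{
        State            = $state
        ReadyForUse      = [bool]$tpm.TpmReady
        ManagedAuthLevel = $osLevel
        PolicyAuthLevel  = $policyLevel
        OwnerAuthLocal   = $ownerAuthLocal
        AutoProvisioning = "$($tpm.AutoProvisioning)"
        LockedOut        = [bool]$tpm.LockedOut
        Findings         = $findings
    }
}

Get-TpmHealthReport | Format-List
```

The report deliberately does not call Unblock-Tpm or change any setting; it only tells you which of the console actions in this section (Prepare The TPM, Reset TPM Lockout, supplying the owner password file) you would need next.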

Preparing and initializing a TPM for first use

Initializing a TPM prepares it for use on a computer so that you can use the TPM to secure volumes on the computer’s hard drives. The initialization process involves turning on the TPM and then setting ownership of it. By setting ownership, you are assigning a password that helps ensure that only the authorized TPM owner can access and manage the TPM. The full TPM owner authorization and password are stored in the registry. In an Active Directory domain, you can configure Group Policy to save TPM passwords.

To initialize the TPM and create the owner password, complete the following steps:

  1. Open the Trusted Platform Module Management console. On the Action menu, choose Prepare The TPM to start the Manage The TPM Security Hardware Wizard (tpminit). If a TPM was previously initialized and then cleared, you are prompted to restart the computer and follow on-screen instructions during startup to reset the TPM in firmware.

    Here, when I clicked Restart, I needed to enter firmware by pressing F2 during startup. I then needed to disable TPM, save the changes, and exit firmware. This triggered an automatic reset. After this, I needed to enter firmware by pressing F2 so I could enable the TPM, save changes, and then exit firmware. This triggered another automatic reset. When the operating system loaded, I logged on and then needed to restart the Manage The TPM Security Hardware Wizard.

    Note

    You must have administrator privileges to manage the TPM configuration. In addition, if the Manage The TPM Security Hardware Wizard detects firmware that does not meet Windows requirements or if no TPM is found, you will not be able to continue and should ensure that the TPM has been turned on in firmware. Otherwise, you see the Create The TPM Owner Password page.

  2. When the wizard finishes its initial tasks, you see a prompt similar to the one shown in Figure 14-5. Tap or click Restart to restart the computer.

    Figure 14-5. Restart the computer after the TPM is initialized.

    Typically, hardware designed for Windows 8.1 and Windows Server 2012 R2 can automatically complete the initialization process. On other hardware, you need physical access to the computer to respond to the manufacturer’s firmware confirmation prompt. Figure 14-6 shows an example.

  3. You must press F10 to enable and activate the TPM and allow a user to take ownership of the TPM.

    Figure 14-6. Confirm that you want to enable and activate the TPM and allow a user to take ownership of it.

    When Windows starts and you log on, the Manage The TPM Security Hardware Wizard continues running. Windows takes ownership of the TPM. Setting ownership on the TPM prepares it for use with the operating system. After ownership is set, TPM is ready for use and you see confirmation of this, as shown in Figure 14-7.

  4. Before tapping or clicking Close, save the TPM owner password. Tap or click Remember My TPM Owner Password. In the Save As dialog box, select a location to save the password backup file and then tap or click Save. By default, the password backup file is saved as ComputerName.tpm.

    In the TPM Management console, the status should be listed as “The TPM is ready for use.”

    Figure 14-7. With ownership set, the TPM is ready for use.

Turning an initialized TPM on or off

Computers that have a TPM might ship with the TPM turned on. If you decide not to use it, you should take ownership of the TPM and then turn it off. This ensures that the operating system owns the TPM but the TPM is in an inactive state. If you want to reconfigure or recycle a computer, you should clear the TPM. Clearing the TPM invalidates any stored keys, and data encrypted by these keys can no longer be accessed.

You must have administrator privileges to manage the TPM state. Turn the TPM off by opening the Trusted Platform Module Management console and then tapping or clicking Turn TPM Off on the Action menu.

When the full TPM owner authorization is stored in the registry, you don’t need to provide the TPM owner password. Otherwise, follow the prompts to provide the owner password or select the file containing the TPM owner password.

After you follow the previous procedure to turn off the TPM in software, you can turn it on in software at any time by following the steps in “Preparing and initializing a TPM for first use” earlier in this chapter.

Clearing the TPM

Clearing the TPM erases information stored on the TPM and cancels the related ownership of the TPM. You should clear the TPM when a TPM-equipped computer is to be recycled. Clearing the TPM invalidates any stored keys, and data encrypted by these keys can no longer be accessed.

After clearing the TPM, you should take ownership of it. This writes new information to the TPM. You might then want to turn off the TPM so that it isn’t available for use.

You must have administrator privileges to clear the TPM. Clear the TPM, take ownership, and then turn off the TPM by completing the following steps:

  1. Start the Trusted Platform Module Management console. On the Action menu, tap or click Clear TPM. This starts the Manage The TPM Security Hardware Wizard.

    Important

    When you clear the TPM, the TPM is reset to factory defaults. Because of this, you lose all keys and the data protected by those keys. When the full TPM owner authorization is stored in the registry, you do not need the TPM owner password to clear the TPM.

  2. Read the warning on the Clear The TPM Security Hardware page, shown in Figure 14-8, and then tap or click Restart. Tap or click Cancel to exit without clearing the TPM.

    Figure 14-8. Confirm that you want to clear the TPM by tapping or clicking Restart.

    Typically, hardware designed for Windows 8.1 and Windows Server 2012 R2 can automatically complete the re-initialization process. On other hardware, you need physical access to the computer to respond to the manufacturer’s firmware confirmation prompt. Figure 14-9 shows an example.

  3. Here, you must press F12 to clear, enable, and activate the TPM or press Esc to cancel and continue loading the operating system.

    Figure 14-9. Confirm the configuration change when prompted.

When Windows starts and you log on, the Manage The TPM Security Hardware Wizard continues running. Windows takes ownership of the TPM. Setting ownership on the TPM prepares it for use with the operating system. After ownership is set, the status should be listed as “The TPM is ready for use.”

Changing the TPM owner password

You can change the TPM owner password at any time. Generally, you do this if you suspect that the TPM owner password has been compromised. Your company’s security policy also might require TPM owner password changes in certain situations.

You must have administrator privileges to change the TPM owner password. To change the TPM owner password, complete the following steps:

  1. Start the Trusted Platform Module Management console. On the Action menu, tap or click Change Owner Password. This starts the Manage The TPM Security Hardware Wizard.

  2. When the full TPM owner authorization is stored in the registry, you don’t need to provide the TPM owner password. Otherwise, follow the prompts to provide the owner password or select the file containing the TPM owner password.

  3. On the Create The TPM Owner Password page, shown in Figure 14-10, you can elect to create the password automatically or manually:

    • If you want the wizard to create the password for you, select Automatically Create The Password (Recommended). The new TPM owner password is displayed. Tap or click Change Password.

    • If you want to create the password, select Manually Create The Password. Type and confirm a password of at least eight characters and then tap or click Change Password.

    Figure 14-10. Create a new password.

  4. Before tapping or clicking Close, you might want to save the TPM owner password. Tap or click Remember My TPM Owner Password. In the Save As dialog box, select a location to save the password backup file and then tap or click Save.

Introducing BitLocker Drive Encryption

BitLocker Drive Encryption is designed to protect the data on lost, stolen, or inappropriately decommissioned computers. Without BitLocker Drive Encryption, a user with direct physical access to a computer has many ways to gain full control and then access the computer’s data whether that data was encrypted with EFS or not. For example, a user could use a boot disk to boot the computer and reset the administrator password. A user could also install and then boot to a different operating system and then use this operating system to unlock the other installation.

BitLocker essentials

BitLocker Drive Encryption prevents all access to a computer’s drives except by authorized personnel by wrapping entire drives or only the used portions of volumes in tamper-proof encryption. If a user tries to access a BitLocker-encrypted drive, the encryption prevents the user from viewing or manipulating the data in any way. This dramatically reduces the risk of an unauthorized person gaining access to confidential data by using offline attacks.

Caution

BitLocker Drive Encryption reduces disk throughput. Because of this, you might want to use this technology on an enterprise server only if the server is not in a physically secure location and requires additional protection.

BitLocker Drive Encryption can use a TPM to validate the integrity of a computer’s boot manager and boot files at startup and to guarantee that a computer’s hard disk has not been tampered with while the operating system was offline. BitLocker Drive Encryption also stores measurements of core operating system files in the TPM.

Every time the computer is started, Windows validates the boot files, the operating system files, and any encrypted volumes to ensure that they have not been modified while the computer is offline. If the files have been modified, Windows alerts the user and refuses to release the key required to access Windows. The computer then goes into Recovery mode, prompting the user to provide a recovery key before allowing access to the boot volume. Recovery mode is also used if a BitLocker-encrypted disk drive is transferred to another system.

BitLocker Drive Encryption can be used in both TPM and non-TPM computers. If a computer has a TPM, BitLocker Drive Encryption uses the TPM to provide enhanced protection for your data and to ensure early boot file integrity. These features together help prevent unauthorized viewing and accessing of data by encrypting the entire Windows volume and by safeguarding the boot files from tampering. If a computer doesn’t have a TPM or its TPM isn’t compatible with Windows, BitLocker Drive Encryption can be used to encrypt entire volumes and, in this way, protect the volumes from being tampered with. This configuration, however, doesn’t allow the added security of early boot file integrity validation.

BitLocker modes

On computers with a compatible TPM that is initialized, BitLocker Drive Encryption typically uses one of the following TPM modes:

  • TPM-Only. In this mode, only the TPM is used for validation. When the computer boots, the TPM validates the boot files, the operating system files, and any encrypted volumes. Because the user doesn’t need to provide an additional startup key, this mode is transparent to the user and the user logon experience is unchanged. However, if the TPM is missing or the integrity of files or volumes has changed, BitLocker enters Recovery mode and requires a recovery key or password to regain access to the boot volume.

  • TPM and PIN. In this mode, both the TPM and a user-entered numeric key are used for validation. When the computer boots, the TPM validates the boot files, the operating system files, and any encrypted volumes. The user must enter a PIN when prompted to continue startup. If the user doesn’t have the PIN or is unable to provide the correct PIN, BitLocker enters Recovery mode instead of booting to the operating system. As before, BitLocker also enters Recovery mode if the TPM is missing or the integrity of boot files or encrypted volumes has changed.

  • TPM and Startup Key. In this mode, both the TPM and a startup key are used for validation. When the computer boots, the TPM validates the boot files, the operating system files, and any encrypted volumes. The user must have a USB flash drive with a startup key to log on to the computer. If the user doesn’t have the startup key or is unable to provide the correct startup key, BitLocker enters Recovery mode. As before, BitLocker also enters Recovery mode if the TPM is missing or the integrity of boot files or encrypted volumes has changed.

  • TPM and Smart Card Certificate. In this mode, both the TPM and a smart card certificate are used for validation. When the computer boots, the TPM validates the boot files, the operating system files, and any encrypted volumes. The user must have a smart card with a valid certificate to log on to the computer. If the user doesn’t have a smart card with a valid certificate and can’t provide one, BitLocker enters Recovery mode. As before, BitLocker also enters Recovery mode if the TPM is missing or the integrity of boot files or encrypted volumes has changed.

When working with BitLocker Drive Encryption and a TPM, don’t overlook the importance of Network Unlock. The Network Unlock feature allows the system volume on a computer with a TPM to be automatically unlocked on startup as long as the computer is joined and connected to a domain. When the computer is not joined and connected to a domain, other means of validation can be used, such as a startup PIN.

On computers without a TPM or on computers that have incompatible TPMs, the operating system can be configured to use an unlock password for the system drive. To configure this, you must enable the Configure Use Of Passwords For Operating System Drives policy in the Administrative Templates policies for Computer Configuration under Windows Components\BitLocker Drive Encryption\Operating System Drives. As with logon passwords, the unlock password can be configured with minimum length and complexity requirements. The default minimum password length is eight characters. Complexity requirements can be any of the following:

  • Always validated, using the Require Password Complexity setting

  • Not validated, using the Do Not Allow Password Complexity setting

  • Validated if possible, using the Allow Password Complexity setting

The unlock password is validated when you enable BitLocker Drive Encryption and set the password and whenever a user changes the password. With required complexity, you can only set a password (and enable encryption) when the computer can connect to a domain controller and validate the complexity of the password. With allowed complexity, the computer attempts to validate the complexity of the password when you set it but will allow you to continue and enable encryption if no domain controllers are available.

On computers without a TPM or with an incompatible TPM, BitLocker Drive Encryption can also protect the operating system drive with:

  • Startup Key Only mode. This mode requires a USB flash drive containing a startup key. The user inserts the USB flash drive before turning on the computer, and the key stored on it unlocks the drive.

  • An unlock password, as described above, when the Configure Use Of Passwords For Operating System Drives policy allows it.

Smart card certificates are a protector for fixed and removable data drives rather than for the operating system drive: the pre-boot environment has no smart card support, so a Smart Card Certificate Only mode (in which the user inserts the smart card and enters its PIN to unlock the drive) is available only when you encrypt data drives.

Important

Standard users can reset the BitLocker PIN and password on operating system drives, fixed data drives, and removable data drives. This is an important change for Windows 8, Windows Server 2012, and later versions of Windows. If you don’t want standard users to be able to perform these tasks, enable the Disallow Standard Users From Changing The PIN Or Password policy. This Computer Configuration policy is found under Windows Components\BitLocker Drive Encryption\Operating System Drives.

BitLocker changes

BitLocker Drive Encryption has changed substantially since it was first implemented on Windows Vista and Windows Server 2008. With subsequent releases of Windows, you can:

  • Allow a data-recovery agent to be used with BitLocker Drive Encryption. This option is configured through Group Policy. The data-recovery agent allows an encrypted volume to be unlocked and recovered by using a recovery agent’s personal certificate or a 48-digit recovery password. You can optionally save the recovery information in Active Directory. In the Administrative Templates policies for Computer Configuration, there are separate policies for operating-system volumes, other fixed drives, and removable drives.

  • Deny write access to removable data drives not protected with BitLocker. This option is configured through Group Policy. If you enable this option, users have read-only access to unencrypted removable data drives and read/write access to encrypted removable data drives.

  • Encrypt file allocation table (FAT) volumes as well as NTFS and Resilient File System (ReFS) volumes. When you encrypt FAT volumes, you can specify whether the encrypted volumes can be unlocked and viewed on computers running earlier versions of Windows (by using the BitLocker To Go Reader). This option is configured through Group Policy and takes effect when you turn on BitLocker. In the Administrative Templates policies for Computer Configuration under Windows Components\BitLocker Drive Encryption, separate policies for fixed drives and for removable drives (Allow Access To BitLocker-Protected … Drives From Earlier Versions Of Windows) control whether FAT-formatted drives can be unlocked and viewed on those earlier systems.

In a domain, domain administrators are the default data-recovery agents. A homegroup or workgroup has no default data-recovery agent, but you can designate one. Any user you want to designate as a data-recovery agent needs a personal encryption certificate. You can generate a self-signed certificate by running cipher /r:<filename>, which writes a .cer file (the public certificate) and a .pfx file (the certificate with its private key), and then use the .cer file to assign the data-recovery agent in Local Security Policy under Public Key Policies\BitLocker Drive Encryption. Keep the .pfx file offline and under strict control: anyone who holds it can unlock every volume the agent is assigned to.

Although earlier implementations of BitLocker Drive Encryption used Advanced Encryption Standard (AES) encryption with a diffuser, Windows 8 and Windows Server 2012 and later (including Windows 8.1 and Windows Server 2012 R2) moved away from this approach to standard AES with 128-bit keys by default. If you enable the Choose Drive Encryption Method And Cipher Strength policy, you can set the AES cipher strength to 256-bit encryption. Keep in mind that the cipher strength must be set prior to turning on BitLocker Drive Encryption. Changing the cipher strength has no effect on a drive that is already encrypted or on which encryption is in progress; such a drive must be decrypted and encrypted again to change its cipher.
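As an added example (not from the book), the following Windows PowerShell script audits every BitLocker volume on a computer against a required cipher strength. Because a policy change never touches drives that are already encrypted, the only way to find non-compliant drives is to ask each volume what it is actually using. The script relies on the BitLocker module’s Get-BitLockerVolume cmdlet; the function name and the choice of Aes256 as the requirement are assumptions for this example.

```powershell
# Added example (not from the book): audit BitLocker volumes against a required
# cipher strength. Changing the Choose Drive Encryption Method And Cipher
# Strength policy does not touch drives that are already encrypted, so each
# volume has to be inspected. Run elevated on Windows 8.1 / Windows Server 2012 R2
# or later (BitLocker module).
Import-Module BitLocker

function Get-BitLockerCipherReport {
    [CmdletBinding()]
    param(
        # Encryption method the policy requires; Aes256 is the chapter's example.
        [ValidateSet('Aes128', 'Aes256')]
        [string]$RequiredMethod = 'Aes256'
    )

    foreach ($vol in Get-BitLockerVolume) {
        # EncryptionMethod is None for volumes that were never encrypted and
        # Hardware for encrypted hard drives, which the cipher policy does not cover.
        $method    = [string]$vol.EncryptionMethod
        $encrypted = ($vol.VolumeStatus -ne 'FullyDecrypted')

        [pscustomobject]@{
            MountPoint   = $vol.MountPoint
            VolumeType   = $vol.VolumeType      # OperatingSystem or Data
            VolumeStatus = $vol.VolumeStatus    # FullyEncrypted, EncryptionInProgress, ...
            Method       = $method
            Protectors   = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
            # A drive encrypted with the wrong method must be decrypted and
            # re-encrypted; the policy alone will not fix it.
            Compliant    = (-not $encrypted) -or ($method -eq $RequiredMethod) -or ($method -eq 'Hardware')
        }
    }
}

# Report only the volumes that need attention before the policy is rolled out.
Get-BitLockerCipherReport -RequiredMethod Aes256 |
    Where-Object { -not $_.Compliant } |
    Format-Table -AutoSize
```

Run the report before you change the cipher policy; every volume it lists will keep its current cipher until it is decrypted and encrypted again.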

Using hardware encryption, secure boot, and Network Unlock

BitLocker Drive Encryption has additional enhancements for Windows 8.1 and Windows Server 2012 R2. You can manage most of these enhancements by using the Administrative Templates policies for Computer Configuration under Windows Components\BitLocker Drive Encryption.

Hardware-encrypted drives

Windows 8.1 and Windows Server 2012 R2 (like Windows 8 and Windows Server 2012 before them) support disk drives that encrypt in hardware, referred to as encrypted hard drives. Hardware encryption is faster and moves the processing burden from the computer’s processor to the controller on the drive itself. By default, if a drive supports hardware encryption, Windows 8.1 uses it with BitLocker. To use encrypted hard drives with Windows Server 2012 R2, you must add the Enhanced Storage feature.

When the operating system initializes an encrypted hard drive, it activates a security mode that allows the drive controller to generate a media key for every volume created on the encrypted hard drive. This media key set is used to encrypt every byte of data written to the drive and decrypt every byte of data read from the drive. The key set consists of the following:

  • A data-encryption key. This key encrypts all data on the drive. The key is stored in an encrypted format in a random location on the drive.

  • An authentication key. This key unlocks the drive. Only a hash of the authentication key is stored on the drive; when the key presented at unlock time matches that hash, the drive uses it to decrypt the data-encryption key.

An encrypted drive is locked and inaccessible when it is in a powered-off state. When the drive is powered on (as part of the computer startup), the drive remains locked until the authentication key decrypts the data-encryption key. All data read from or written to the drive passes through the encryption engine. If the data-encryption key needs to be changed or erased, the drive doesn’t need to be re-encrypted. Instead, the encryption engine creates a new authentication key and then re-encrypts the data-encryption key. Afterward, the data-encryption key can be unlocked with the new authentication key, and data can be read from and written to the drive as before.

Before you enable hardware encryption, consider some important caveats. With data drives, the drive must be in an uninitialized state and in a security-inactive state. With system drives, the drive must be in an uninitialized state and in a security-inactive state, and the computer must always boot natively from Unified Extensible Firmware Interface (UEFI). Further, neither data drives nor system drives can be attached to RAID controllers. Although future updates or service packs could change or remove these restrictions, these are the restrictions as of the time I write this.

Important

System drives must boot natively from UEFI 2.3.1 or later and have a defined EFI_STORAGE_SECURITY_COMMAND_PROTOCOL. System drives must also have the Compatibility Support Module (CSM) disabled in UEFI.

Like Windows Server 2012, Windows Server 2012 R2 is designed to be run on computers with UEFI. As discussed in Chapter 3, in the Boot environment essentials section, UEFI doesn’t replace all the functionality in either basic input/output system (BIOS) or Extensible Firmware Interface (EFI) and can, in fact, be wrapped around BIOS or EFI. When a computer has UEFI and is running Windows 8.1, UEFI is the first link in the chain of trust for secure boot. UEFI 2.3.1 and later can run internal integrity checks that verify the firmware’s digital signature before running it. If the firmware’s digital signature has been modified or replaced (for example, by a firmware rootkit), the firmware will not load.

With Secure Boot, the firmware also verifies the digital signature on the Windows boot loader before running it. If a rootkit has modified the boot loader, the signature no longer verifies and the computer is prevented from starting. After Secure Boot, the boot loader verifies the digital signature of the operating system kernel as part of Trusted Boot, and the kernel in turn verifies all remaining boot components, including boot drivers and startup files. Finally, Measured Boot records a hash of each startup component in the TPM’s platform configuration registers and keeps a log of those measurements, so that attestation software running on a remote server can verify the integrity of every startup component.

Optimizing encryption

In Group Policy, you can precisely control whether to permit software-based encryption when hardware encryption is not available and whether to restrict encryption to those algorithms and cipher strengths supported by hardware. To do this, use Group Policy to enable hardware-based encryption for system drives, data drives, or both.

You can enable hardware-based encryption for data drives by using the Configure Use Of Hardware-Based Encryption For Fixed Data Drives policy, shown in Figure 14-11. When the policy is enabled, you must specifically allow software-based encryption when hardware-based encryption isn’t available. You can also restrict the encryption algorithms used to a specific subset. Keep in mind that the encryption algorithm is set when a drive is partitioned and that the Choose Drive Encryption Method And Cipher Strength policy doesn’t apply to hardware-based encryption.

A screen shot of the Configure Use Of Hardware-Based Encryption For Fixed Data Drives. When this policy is enabled, you must specifically allow software-based encryption when hardware-based encryption isn’t available. You can also restrict the encryption algorithms used to a specific subset by selecting the check box of the related option.

Figure 14-11. Enable and configure the use of hardware-based encryption for fixed data drives.

You can enable hardware-based encryption for system drives by using the Configure Use Of Hardware-Based Encryption For Operating System Drives policy, shown in Figure 14-12. As with data drives, when the policy is enabled, you must keep in mind the following:

  • You must specifically allow software-based encryption when hardware-based encryption isn’t available.

  • You can restrict the encryption algorithms used to a specific subset.

  • The Choose Drive Encryption Method And Cipher Strength policy doesn’t apply to hardware-based encryption.

Finally, as necessary, use the Configure Use Of Hardware-Based Encryption For Removable Data Drives policy to control whether software-based encryption is permitted when hardware encryption is not available and whether to restrict encryption to those algorithms and cipher strengths the hardware supports.

A screen shot of the Configure Use Of Hardware-Based Encryption For Operating System Drives dialog box. When enabled, this policy enables you to control whether software-based encryption is permitted when hardware encryption is not available and whether to restrict encryption to those algorithms and cipher strengths the hardware supports.

Figure 14-12. Enable and configure the use of hardware-based encryption for operating system drives.

Setting permitted encryption types

Windows Server enables users to encrypt full volumes or used space only. Encrypting full volumes takes longer, but it is more secure because the entire volume is protected. Encrypting used space protects only the portion of the drive used to store data. By default, either option can be used. To allow only one type or the other, you can enable and configure the related Enforce Drive Encryption Type policy for BitLocker. There are separate Enforce Drive Encryption Type policies for the operating system, fixed data, and removable data drives. Figure 14-13 shows the policy for operating system drives. Here, after you select Enabled to enable the policy, you set the encryption type to either Full Encryption or Used Space Only Encryption.

A screen shot of the Enforce Drive Encryption Type On Operating System Drives dialog box, which you can use to restrict the encryption type to Full Encryption or Used Space Only Encryption. The default setting is Allow User To Choose.

Figure 14-13. Restrict the encryption type if desired.

Important

In high-security environments, you will want to encrypt entire volumes. At the time of this writing, and unless fixed with a future update or service pack, deleted files appear as free space when you encrypt used space only. As a result, until the files are wiped or overwritten, information in the files could be recovered with certain tools.

Preparing BitLocker for startup authentication and secure boot

Windows allows you to pre-provision BitLocker so that you can turn on encryption prior to installation. Windows also can be configured to do the following:

  • Require additional authentication at startup. Enable and configure the Require Additional Authentication At Startup policy to require a startup PIN, a startup key, or both in addition to the TPM. A PIN requires keyboard input before Windows starts, so a platform without a preboot keyboard (such as a tablet) cannot use it unless you also set the Enable Use Of BitLocker Authentication Requiring Preboot Keyboard Input On Slates policy to Enabled, which permits a USB keyboard to be used in the preboot environment.

  • Allow secure boot for integrity validation. Secure boot is used by default to verify boot configuration data (BCD) settings according to the TPM validation profile settings (also referred to as Secure Boot policy). When you use secure boot, the settings of the Use Enhanced Boot Configuration Data Validation Profile policy are ignored (unless you specifically disable secure boot support by setting Allow Secure Boot For Integrity Validation to Disabled).

You set TPM validation profile settings by platform. For BIOS-based firmware, you use the Configure TPM Platform Validation Profile For BIOS-Based Firmware Configurations policy. For UEFI-based firmware, you use the Configure TPM Platform Validation Profile For Native UEFI Firmware Configurations policy. When you enable these policies, you specify exactly which platform configuration registers to validate during boot.

For BIOS-based firmware, Microsoft recommends validating Platform Configuration Registers (PCRs) 0, 2, 4, 8, 9, 10, and 11. For UEFI firmware, Microsoft recommends validating PCRs 0, 2, 4, 7, and 11. In both instances, PCR 11 validation is required for BitLocker protection to be enforced. PCR 7 validation is required to support secure boot with UEFI (and you need to enable this by selecting the related option). Figure 14-14 shows an example platform validation profile configuration.

A screen shot of the Configure TPM Platform Validation Profile For Native UEFI Firmware Configurations dialog box, where you can specify the PCRs to validate for native UEFI firmware.

Figure 14-14. Specify the PCRs to validate.
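As an added example (not from the book), the following script checks the pieces this section describes on a Windows 8.1 or Windows Server 2012 R2 computer: the firmware type, whether Secure Boot is on, whether the TPM is present and ready, and which PCRs the operating system drive’s TPM protector is actually sealed to. It uses the SecureBoot, TrustedPlatformModule, and BitLocker cmdlets together with manage-bde; the function name and the parsing of the manage-bde text output are assumptions for this example.

```powershell
# Added example (not from the book): report whether a computer can use Secure
# Boot-based integrity validation and which PCRs the OS drive is sealed to.
# Run elevated on Windows 8.1 / Windows Server 2012 R2 or later.
Import-Module TrustedPlatformModule
Import-Module BitLocker

function Test-BitLockerPlatformReadiness {
    [CmdletBinding()]
    param([string]$OsDrive = $env:SystemDrive)

    # Windows sets $env:firmware_type to 'UEFI' or 'Legacy'.
    $uefi = ($env:firmware_type -eq 'UEFI')

    # Confirm-SecureBootUEFI throws on legacy BIOS or when the platform has no
    # Secure Boot support, so treat an exception as "not available".
    $secureBoot = $false
    if ($uefi) {
        try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }
    }

    $tpm = Get-Tpm   # TpmPresent / TpmReady

    # manage-bde prints the profile under the TPM protector, for example:
    #   PCR Validation Profile:
    #     0, 2, 4, 7, 11
    #     (Uses Secure Boot for integrity validation)
    # Parsing that text is an assumption about the tool's output format.
    $text = & manage-bde -protectors -get $OsDrive 2>&1 | Out-String
    $pcrs = $null
    if ($text -match 'PCR Validation Profile:\s+([\d, ]+)') {
        $pcrs = $Matches[1].Trim() -split '\s*,\s*' | ForEach-Object { [int]$_ }
    }
    $usesSecureBoot = ($text -match 'Uses Secure Boot for integrity validation')

    # Microsoft's recommended profiles, as given in the chapter.
    $recommended = if ($uefi) { 0, 2, 4, 7, 11 } else { 0, 2, 4, 8, 9, 10, 11 }

    [pscustomobject]@{
        Firmware           = if ($uefi) { 'UEFI' } else { 'BIOS' }
        SecureBootEnabled  = $secureBoot
        TpmPresent         = $tpm.TpmPresent
        TpmReady           = $tpm.TpmReady
        SealedToPcrs       = if ($pcrs) { $pcrs -join ',' } else { "(no TPM protector on $OsDrive)" }
        UsesSecureBoot     = $usesSecureBoot
        # PCR 11 is mandatory for BitLocker; PCR 7 is what binds the drive to
        # the Secure Boot state on UEFI systems.
        Pcr11Included      = ($pcrs -contains 11)
        Pcr7Included       = ($pcrs -contains 7)
        MatchesRecommended = ($pcrs -and -not (Compare-Object $pcrs $recommended))
    }
}

Test-BitLockerPlatformReadiness | Format-List
```

A UEFI machine that reports SecureBootEnabled as True but UsesSecureBoot as False was encrypted before the Allow Secure Boot For Integrity Validation policy applied, or with a profile that omits PCR 7; in either case the TPM protector has to be removed and re-added for the new profile to take effect.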

Using Network Unlock

When you protect a computer with BitLocker, you can require additional authentication at startup. Normally, this means a user is required to have a startup key on a USB flash drive, a startup PIN, or both. The Network Unlock feature provides this additional layer of protection without requiring the startup key, startup PIN, or both by automatically unlocking the operating system drive when a computer is started. It does this as long as the following conditions are met:

  • The BitLocker-protected computer has an enabled TPM.

  • The computer is on a trusted, wired network.

  • The computer is joined to and connected to a domain.

  • A Network Unlock server with an appropriate Network Unlock certificate is available.

Because the computer must be joined to and connected to the domain for Network Unlock to work, user authentication is still required when a computer is not connected to the domain. When connected to the domain, the client computer (whether it’s a Windows desktop or a Windows server) connects to a Network Unlock server to unlock the system drive. You allow Network Unlock to be used by enabling the Allow Network Unlock At Startup policy, as shown in Figure 14-15.

A screen shot of the Allow Network Unlock At Startup dialog box. When enabled, the policy allows a client computer connected to the domain to connect to a Network Unlock server to unlock the system drive.

Figure 14-15. Enable Network Unlock at startup if desired.

The Network Unlock server is a server running the Windows Deployment Services (WDS) role with the BitLocker Network Unlock feature installed; it does not need to be (and normally is not) a domain controller. The server holds the Network Unlock certificate together with its private key, and that certificate is used to derive the Network Unlock keys exchanged with clients.

The public part of the certificate is distributed to clients through Group Policy. To do this, create an X.509 certificate for the server (for example, by requesting it from your certification authority, then viewing and exporting it with Certmgr.msc), and then use the BitLocker Drive Encryption Network Unlock Certificate setting to add the certificate to a GPO applied to the client computers. You can find this Computer Configuration setting under Windows Settings\Security Settings\Public Key Policies.
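As an added example (not from the book), the following script prepares a Network Unlock server: it installs the WDS role and the BitLocker Network Unlock feature, creates a self-signed certificate with the BitLocker Network Unlock enhanced key usage, places it in the store the WDS provider reads, and leaves the public .cer file for the GPO described above. The certificate request is modeled on the self-signed request Microsoft documents for Network Unlock; the subject name, file paths, and the FVE_NKP store name are assumptions for this example and should be checked against current Microsoft documentation before use.

```powershell
# Added example (not from the book): prepare a BitLocker Network Unlock server.
# Run elevated on the server that will host Windows Deployment Services.

# 1. The Network Unlock provider plugs into WDS, so WDS must be installed
#    alongside the BitLocker Network Unlock feature.
Install-WindowsFeature -Name WDS, BitLocker-NetworkUnlock -IncludeManagementTools

# 2. Request a self-signed certificate whose EKU is the BitLocker Network Unlock
#    OID (1.3.6.1.4.1.311.67.1.1). KeyUsage 0xA0 = digital signature plus key
#    encipherment; MachineKeySet keeps the private key in the computer store.
#    Subject name and provider choice are assumptions for this example.
$inf = @'
[NewRequest]
Subject="CN=BitLocker Network Unlock certificate"
Exportable=true
KeyLength=2048
KeySpec=1
KeyUsage=0xA0
MachineKeySet=True
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
ProviderType=12
RequestType=Cert
[Extensions]
2.5.29.37 = "{text}"
_continue_ = "1.3.6.1.4.1.311.67.1.1"
'@
$infPath = Join-Path $env:TEMP 'NetworkUnlock.inf'
$cerPath = Join-Path $env:TEMP 'NetworkUnlock.cer'   # public certificate for the GPO
Set-Content -Path $infPath -Value $inf -Encoding Ascii
& certreq.exe -new $infPath $cerPath                   # lands in Cert:\LocalMachine\My
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# 3. The WDS provider looks for the certificate (with its private key) in the
#    FVE_NKP store of the local computer (store name is an assumption here).
#    Move the certificate there from the personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=BitLocker Network Unlock certificate' } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw 'Network Unlock certificate was not created.' }

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('FVE_NKP', 'LocalMachine')
$store.Open('ReadWrite')      # creates the store on first use
$store.Add($cert)
$store.Close()
Remove-Item -Path $cert.PSPath   # key container stays; only the My-store entry goes

# 4. $cerPath now holds the public certificate. Import it into a GPO applied to
#    the clients under Computer Configuration\Windows Settings\Security Settings\
#    Public Key Policies\BitLocker Drive Encryption Network Unlock Certificate,
#    and enable Allow Network Unlock At Startup in the same GPO.
"Network Unlock certificate thumbprint: $($cert.Thumbprint)"
"Public certificate for the GPO: $cerPath"
```

The private key never leaves the WDS server; clients only ever receive the public certificate through Group Policy, which is why the GPO carrying it must target the clients rather than the server.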

Provisioning BitLocker prior to deployment

Windows allows you to provision BitLocker during operating system deployment, from the Windows Preinstallation Environment (WinPE). The Windows PowerShell Deployment Image Servicing and Management (DISM) module is the easiest way to make sure the BitLocker components are present. Because Enable-WindowsOptionalFeature doesn’t accept wildcards in feature names, first list the exact feature names with the Get-WindowsOptionalFeature cmdlet, as shown in this example:

get-windowsoptionalfeature -online | ft

To install BitLocker and the related management tools completely, use the following command:

enable-windowsoptionalfeature -online -featurename BitLocker, BitLocker-Utilities, BitLocker-NetworkUnlock -all

When servicing a mounted offline image rather than the running system, replace -online with -path and the path to the mounted image directory.
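As an added example (not from the book), the following two functions show the pre-provisioning flow in practice: the first runs in WinPE after the disk is partitioned but before the image is applied, and the second runs in the installed operating system to turn the pre-provisioned volume into a protected one. Drive letters, function names, and the choice of used-space-only encryption are assumptions for this example; the WinPE image must include the WinPE-SecureStartup optional component for manage-bde to be available there.

```powershell
# Added example (not from the book): pre-provision BitLocker from WinPE, then
# finish protection after the operating system is installed.

# --- Phase 1: in WinPE, after partitioning and before applying the image ---
# Pre-provisioning encrypts the still-empty OS volume under a clear key; with
# used-space-only encryption this takes seconds. No protector exists yet, so
# the volume is encrypted but not protected until phase 2 runs.
function Start-BitLockerPreProvision {
    param([string]$OsVolume = 'C:')
    & manage-bde -on $OsVolume -UsedSpaceOnly
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed with exit code $LASTEXITCODE" }
    & manage-bde -status $OsVolume
}

# --- Phase 2: in the installed OS (elevated), for example from a task sequence ---
# Seal the volume key to the TPM, then remove the clear key. Protection is
# reported as Off until the clear key is gone.
function Complete-BitLockerPreProvision {
    param([string]$OsVolume = $env:SystemDrive)
    Import-Module BitLocker

    $vol = Get-BitLockerVolume -MountPoint $OsVolume
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        throw "$OsVolume was not pre-provisioned; use Enable-BitLocker instead."
    }
    if ($vol.ProtectionStatus -eq 'On') {
        return "Protection is already on for $OsVolume"
    }

    # TPM protector: requires an initialized TPM and a policy that allows TPM-only
    # startup. In production add a recovery password as well
    # (Add-BitLockerKeyProtector -RecoveryPasswordProtector) and escrow it.
    Add-BitLockerKeyProtector -MountPoint $OsVolume -TpmProtector | Out-Null

    # Resume-BitLocker is the cmdlet equivalent of manage-bde -protectors -enable:
    # it discards the clear key, so the drive can now be unlocked only by a protector.
    Resume-BitLocker -MountPoint $OsVolume | Out-Null

    Get-BitLockerVolume -MountPoint $OsVolume |
        Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus
}
```

Leaving the clear key in place is the common mistake with pre-provisioning: the status output shows the volume as fully encrypted, yet anyone who boots the disk can read it until Resume-BitLocker (or manage-bde -protectors -enable) has run.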

Deploying BitLocker Drive Encryption

Deploying BitLocker Drive Encryption in an enterprise changes the way both administrators and users work with computers. A computer with BitLocker Drive Encryption normally requires user intervention to boot to the operating system—a user must enter a PIN, insert a USB flash drive containing a startup key, or use a smart card with a valid certificate. Because of this, after you deploy BitLocker Drive Encryption, you can no longer be sure that you can perform remote administration that requires a computer to be restarted without having physical access to the computer—someone must be available to type in the required PIN, insert the USB flash drive with the startup key, or use a smart card with a valid certificate.

To work around this issue, you can configure Network Unlock on your trusted, wired networks. Before you use BitLocker Drive Encryption, you should perform a thorough evaluation of your organization’s computers. You need to develop plans and procedures for the following:

  • Evaluating the various BitLocker authentication methods and applying them as appropriate

  • Determining whether computers support TPM and, thus, whether you must use TPM or non-TPM BitLocker configurations

  • Storing, using, and periodically changing encryption keys, recovery passwords, and other validators used with BitLocker

You also need to develop procedures for the following activities:

  • Working with BitLocker-encrypted drives

  • Supporting BitLocker-encrypted drives

  • Recovering computers with BitLocker-encrypted drives

When developing these procedures, you need to take into account the way BitLocker encryption works and the requirements to have PINs, startup keys, and recovery keys available whenever you work with BitLocker-encrypted computers. After you evaluate your organization’s computers and develop basic plans and procedures, you need to develop a configuration plan for implementing BitLocker Drive Encryption.

BitLocker Drive Encryption requires a specific disk configuration. To turn on BitLocker Drive Encryption on the drive containing the Windows operating system, the drive must have at least two partitions:

  • The first partition is for BitLocker Drive Encryption. This partition, designated as the active partition, holds the files required to start the operating system and is not encrypted.

  • The second is the primary partition for the operating system and your data. This partition is encrypted when you turn on BitLocker.

With implementations of BitLocker prior to Windows 7 and Windows Server 2008, you need to create the partitions in a certain way to ensure compatibility. This is no longer the case. When you install Windows 7 and later or Windows Server 2008 and later, an additional partition is created automatically during setup. By default, the Windows Recovery Environment (Windows RE) uses this additional partition. However, if you enable BitLocker on the system volume, Windows usually moves Windows RE to the system volume and then uses the additional partition for BitLocker.

Using BitLocker on a hard disk is easy. On a computer with a compatible TPM, you must create or make available a BitLocker Drive Encryption partition on your hard drive and then initialize the TPM as discussed under “Preparing and initializing a TPM for first use” earlier in this chapter. On a computer without a compatible TPM, you only need to create or make available a BitLocker Drive Encryption partition on your hard drive.

You can use local Group Policy and Active Directory–based Group Policy to help manage and maintain TPM and BitLocker configurations. Group Policy settings for TPM Services are found in Administrative Templates policies for Computer Configuration under System\Trusted Platform Module Services. Group Policy settings for BitLocker are found in Administrative Templates policies for Computer Configuration under Windows Components\BitLocker Drive Encryption. There are separate subfolders for fixed data drives, operating system drives, and removable data drives.

Policies you might want to configure include the following:

  • Trusted Platform Module Services policies

    • Configure The Level Of TPM Owner Authorization Information Available To The Operating System

    • Configure The List Of Blocked TPM Commands

    • Ignore The Default List Of Blocked TPM Commands

    • Ignore The Local List Of Blocked TPM Commands

    • Standard User Individual Lockout Threshold

    • Standard User Lockout Duration

    • Standard User Total Lockout Threshold

    • Turn On TPM Backup To Active Directory Domain Services

  • BitLocker Drive Encryption policies

    • Choose Default Folder For Recovery Password

    • Choose Drive Encryption Method And Cipher Strength

    • Prevent Memory Overwrite On Restart

    • Provide The Unique Identifiers For Your Organization

    • Validate Smart Card Certificate Usage Rule Compliance

  • Fixed Data Drives policies

    • Allow Access To BitLocker-Protected Fixed Data Drives From Earlier Versions Of Windows

    • Choose How BitLocker-Protected Fixed Drives Can Be Recovered

    • Configure Use Of Hardware-Based Encryption For Fixed Data Drives

    • Configure Use Of Passwords For Fixed Data Drives

    • Configure Use Of Smart Cards On Fixed Data Drives

    • Deny Write Access To Fixed Drives Not Protected By BitLocker

    • Enforce Drive Encryption Type On Fixed Data Drives

  • Operating System Drives policies

    • Allow Enhanced PINs For Startup

    • Allow Network Unlock At Startup

    • Allow Secure Boot For Integrity Validation

    • Choose How BitLocker-Protected Operating System Drives Can Be Recovered

    • Configure Minimum PIN Length For Startup

    • Configure TPM Platform Validation Profile For BIOS-Based Firmware Configurations

    • Configure TPM Platform Validation Profile For Native UEFI Firmware Configurations

    • Configure TPM Platform Validation Profile (Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2)

    • Configure Use Of Hardware-Based Encryption For Operating System Drives

    • Configure Use Of Passwords For Operating System Drives

    • Disallow Standard Users From Changing The PIN Or Password

    • Enable Use Of BitLocker Authentication Requiring Preboot Keyboard Input On Slates

    • Enforce Drive Encryption Type On Operating System Drives

    • Require Additional Authentication At Startup

    • Reset Platform Validation Data After BitLocker Recovery

    • Use Enhanced Boot Configuration Data Validation Profile

  • Removable Data Drives policies

    • Allow Access To BitLocker-Protected Removable Data Drives From Earlier Versions Of Windows

    • Choose How BitLocker-Protected Removable Drives Can Be Recovered

    • Configure Use Of Hardware-Based Encryption For Removable Data Drives

    • Configure Use Of Passwords For Removable Data Drives

    • Configure Use Of Smart Cards On Removable Data Drives

    • Control Use Of BitLocker On Removable Drives

    • Deny Write Access To Removable Drives Not Protected By BitLocker

    • Enforce Drive Encryption Type On Removable Data Drives

Active Directory includes TPM and BitLocker recovery extensions for Computer objects. For a TPM, the extensions define a single property of the Computer object, called ms-TPM-OwnerInformation. When the TPM is initialized or when the owner password is changed, the hash of the TPM owner password can be stored as a value of the ms-TPM-OwnerInformation attribute on the related Computer object. For BitLocker, these extensions define Recovery objects as child objects of Computer objects and are used to store recovery passwords and associate them with specific BitLocker-encrypted volumes.

By default, Windows stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation in the registry. Because of this change, you no longer have to save this information separately to Active Directory for backup and recovery purposes. For more information, see the Managing TPM owner authorization information section earlier in this chapter.

Generally, you want to ensure that BitLocker recovery information is always available if it’s needed. You can configure Group Policy to save recovery information in Active Directory by using the following techniques:

  • With Choose How BitLocker-Protected Fixed Drives Can Be Recovered, enable the policy, accept the default options to allow data-recovery agents, and then save the recovery information in Active Directory.

  • With Choose How BitLocker-Protected Operating System Drives Can Be Recovered, enable the policy, accept the default options to allow data-recovery agents, and then save the recovery information in Active Directory.

  • With Choose How BitLocker-Protected Removable Drives Can Be Recovered, enable the policy, accept the default options to allow data-recovery agents, and then save the recovery information in Active Directory.

Setting up and managing BitLocker Drive Encryption

You can configure and enable BitLocker Drive Encryption on both system volumes and data volumes. When you encrypt the system volume, the computer must be unlocked at startup: by the TPM alone, by the TPM together with a startup PIN, a startup key, or both, or by Network Unlock when the computer is connected to the domain (with one of the other methods as the fallback). To enforce the strictest security possible, require the TPM, a startup PIN, and a startup key together.

In the current implementation of BitLocker, you do not have to encrypt a computer’s system volume prior to encrypting a computer’s data volumes. When you use encrypted data volumes, the operating system mounts BitLocker data volumes as it would any other volume, but it requires either a password or a smart card with a valid certificate to unlock the drive.

The encryption key for a protected data volume is created and stored independently from the system volume and from every other protected data volume. When you enable auto-unlock for a data volume, the key that protects it is stored in an encrypted state on the operating system volume so that the operating system can mount the data volume without prompting. If the operating system enters Recovery mode, the data volumes stay locked until the operating system is out of Recovery mode.

Setting up BitLocker Drive Encryption is a multistep process that involves the following:

  1. Partitioning a computer’s hard disks appropriately and installing the operating system (if you are configuring a new computer). Windows Setup partitions the drives for you automatically. However, the volume where BitLocker data is stored must always be the active, system volume.

  2. Initializing and configuring a computer’s TPM (if applicable).

  3. Turning on the BitLocker Drive Encryption feature (as necessary).

  4. Checking firmware to ensure that the computer is set to start first from the disk containing the active, system partition and the boot partition, not from USB or CD/DVD drives (which is applicable only when you encrypt system volumes).

  5. Turning on and configuring BitLocker Drive Encryption.

After you turn on and configure BitLocker encryption, you can use several techniques to maintain the environment and perform recovery. When you are using a Microsoft account on a non-domain-joined computer, you have an additional save option. You can save the recovery key to the Windows Live SkyDrive. The user’s SkyDrive account then contains a BitLocker folder with a separate file for each saved recovery key.

Configuring and enabling BitLocker Drive Encryption

As discussed previously, BitLocker Drive Encryption can be used in a TPM or non-TPM configuration. Both configurations require some preliminary work before you can turn on and configure BitLocker Drive Encryption.

With Windows Vista, Windows 7, Windows 8, and later editions designed for business, BitLocker Drive Encryption and BitLocker Network Unlock should be installed by default.

With Windows Server 2008 and later, you can install BitLocker Drive Encryption, BitLocker Network Unlock, or both as features by using the Add Roles And Features Wizard. Alternatively, on a server, you can install both features by entering the following command at an elevated Windows PowerShell prompt (Install-WindowsFeature is the current cmdlet name; Add-WindowsFeature remains available as an alias):

install-windowsfeature -name bitlocker, bitlocker-networkunlock -includemanagementtools

With either approach, you need to restart the computer to complete the installation process.

After you install BitLocker, you can determine the readiness status of a computer by accessing the BitLocker Drive Encryption console. In Control Panel, tap or click System And Security and then tap or click BitLocker Drive Encryption. If the system isn’t properly configured yet, you see an error message either when you open BitLocker Drive Encryption or when you try to encrypt a drive.

If you see this message on a computer with a compatible TPM, refer to “Understanding TPM states and tools” earlier in this chapter to learn more about TPM states and enabling TPM in firmware. If you see this message on a computer with an incompatible TPM or no TPM, you need to change the computer’s Group Policy settings so that you can turn on BitLocker Drive Encryption without a TPM.

You can configure policy settings for BitLocker encryption in Local Group Policy or in Active Directory Group Policy. For local policy, you apply the desired settings to the computer’s Local Group Policy Object. For domain policy, you apply the desired settings to a Group Policy Object processed by the computer. While you are working with domain policy, you can also specify requirements for computers with a TPM.

To configure the way BitLocker can be used with or without a TPM, follow these steps:

  1. Open the appropriate Group Policy Object for editing in the Group Policy Management Editor.

  2. Double-tap or double-click the Require Additional Authentication At Startup setting in the Administrative Templates for Computer Configuration under Windows Components\BitLocker Drive Encryption\Operating System Drives.

  3. In the Require Additional Authentication At Startup dialog box, shown in Figure 14-16, define the policy setting by selecting Enabled. Note that there are several versions of this policy and they are operating-system specific. Configure the version or versions of this policy that are appropriate for your working environment and the computers to which the policy will be applied. The options for each related policy are slightly different because the supported TPM features are slightly different for each operating system.

    A screen shot of the Require Additional Authentication At Startup dialog box, where you can choose advanced startup options based on the operating system you are configuring.

    Figure 14-16. Choose the advanced startup options.

  4. Do one of the following:

    • If you want to allow BitLocker to be used without a compatible TPM, select the Allow BitLocker Without A Compatible TPM check box. This changes the policy setting so that you can use BitLocker encryption with a startup key on a computer without a TPM.

    • If you want to require BitLocker to be used with a TPM, clear the Allow BitLocker Without A Compatible TPM check box. This changes the policy setting so that you can use BitLocker encryption on a computer with a TPM by using a startup PIN, a startup key, or both.

  5. For computers with compatible TPMs, several authentication methods can be used at startup to provide added protection for encrypted data. These authentication methods can be not allowed, allowed, or required. The methods available depend on the specific operating-system version of the policy you are working with.

  6. Tap or click OK to save your settings. This policy is enforced the next time Group Policy is applied.

  7. Close the Group Policy Management Editor. To force Group Policy to apply immediately to this computer, tap or click Start, type gpupdate.exe /force in the Search box, and then press Enter.
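An added example, not from the book: after the policy has refreshed, this PowerShell audit (run in an elevated session) reads the registry values that the Require Additional Authentication At Startup setting writes under HKLM\SOFTWARE\Policies\Microsoft\FVE and compares them with the TPM that is actually present, so you can tell in advance whether the “compatible TPM” message will appear.

```powershell
# Added example (not from the book). Reads the policy values written by the
# "Require Additional Authentication At Startup" setting and the TPM state.
# Requires the TrustedPlatformModule module (Windows 8 / Server 2012 and later).

function Get-BitLockerStartupPolicy {
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $p = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue

    # Drop-down values used by the policy for each TPM method:
    # 0 = Do not allow, 1 = Require, 2 = Allow
    $meaning = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }

    function Describe([string]$name) {
        if ($null -eq $p -or $null -eq $p.$name) { return 'Not configured' }
        $v = [int]$p.$name
        if ($meaning.ContainsKey($v)) { $meaning[$v] } else { "Unknown ($v)" }
    }

    [pscustomobject]@{
        PolicyEnabled       = ($null -ne $p -and $p.UseAdvancedStartup -eq 1)
        AllowWithoutTpm     = ($null -ne $p -and $p.EnableBDEWithNoTPM -eq 1)
        TpmOnly             = Describe 'UseTPM'
        TpmAndPin           = Describe 'UseTPMPIN'
        TpmAndStartupKey    = Describe 'UseTPMKey'
        TpmPinAndStartupKey = Describe 'UseTPMKeyPIN'
    }
}

function Test-BitLockerStartupReadiness {
    $policy = Get-BitLockerStartupPolicy
    # Get-Tpm reports whether a TPM exists and is enabled, activated and owned.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $tpmReady = ($null -ne $tpm -and $tpm.TpmPresent -and $tpm.TpmReady)

    $verdict = if ($tpmReady) {
        'A compatible TPM is ready; the operating-system drive can use TPM-based protectors.'
    } elseif ($policy.PolicyEnabled -and $policy.AllowWithoutTpm) {
        'No ready TPM, but policy allows BitLocker without a TPM (startup key or password).'
    } else {
        'No ready TPM and policy does not allow BitLocker without one: expect the ' +
        'compatible TPM message until the TPM is enabled in firmware or policy is changed.'
    }

    $policy |
        Add-Member -NotePropertyName TpmReady -NotePropertyValue $tpmReady -PassThru |
        Add-Member -NotePropertyName Verdict  -NotePropertyValue $verdict  -PassThru
}

Test-BitLockerStartupReadiness | Format-List
```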

Computers that have a startup key or a startup PIN also have a recovery password or certificate. The recovery password or certificate is required in the following circumstances:

  • Changes are made to the system startup information.

  • The encrypted drive must be moved to another computer.

  • The user is unable to provide the appropriate startup key or PIN.

The recovery password or certificate should be managed and stored separately from the startup key or startup PIN. Although users are given the startup key or startup PIN, administrators should be the only ones with the recovery password or certificate. As the administrator, you need the recovery password or certificate to unlock the encrypted data on the volume if BitLocker enters a locked state. Generally, unless you use a common data-recovery agent, the recovery password or certificate is unique to this particular BitLocker encryption. You cannot use it to recover encrypted data from any other BitLocker-encrypted volume—even from other BitLocker-encrypted volumes on the same computer. To increase security, you should store startup keys and recovery data apart from the computer.

When you install BitLocker Drive Encryption and configure policy (if necessary), the BitLocker Drive Encryption console becomes available in Control Panel. When you are configuring BitLocker encryption, the configuration options you have depend on whether the computer has a TPM and on how you configured Group Policy.

Determining whether a computer has BitLocker-encrypted volumes

You can determine whether a computer has BitLocker-encrypted volumes by using Disk Management. In Disk Management, any such encrypted volume is listed as BitLocker Encrypted, as shown in Figure 14-17.


Figure 14-17. Use Disk Management to check for BitLocker-encrypted volumes.

Enabling BitLocker on fixed data drives

Encrypting a fixed data drive protects the data stored on the drive. Any drive formatted with FAT, FAT32, exFAT, NTFS, or ReFS can be encrypted with BitLocker. The length of time it takes to encrypt a drive depends on the amount of data to encrypt, the processing power of the computer, and the level of activity on the computer.

Before you enable BitLocker, you should configure the appropriate Fixed Data Drive policies and settings in Group Policy and then either wait for Group Policy to be refreshed or refresh Group Policy manually. If you don’t do this and you enable BitLocker, you might need to turn off BitLocker and then turn it back on because certain state and management flags are set when you turn on BitLocker.

If you dual-boot a computer or move drives between computers, you can use the Allow Access To BitLocker-Protected Fixed Data Drives From Earlier Versions Of Windows setting in Group Policy to ensure that you have access to the volume on other operating systems and computers. Unlocked drives are read-only. To ensure that you can recover an encrypted volume, you should allow data-recovery agents and store recovery information in Active Directory.
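The same check that Disk Management gives you, plus the recovery-escrow advice above, can be done from PowerShell. This is an added example, not the book’s own procedure: it lists the BitLocker state of every volume, flags volumes that have no numeric recovery password protector, and writes the recovery information to Active Directory. It assumes the BitLocker module (Windows 8 / Server 2012 and later), an elevated session, and, for the escrow step, a domain-joined computer with the Active Directory backup policy enabled.

```powershell
# Added example (not from the book). Inventory BitLocker volumes and escrow
# recovery passwords to Active Directory.

function Get-BitLockerInventory {
    Get-BitLockerVolume | ForEach-Object {
        $recovery = $_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        [pscustomobject]@{
            MountPoint          = $_.MountPoint
            VolumeType          = $_.VolumeType           # OperatingSystem or Data
            VolumeStatus        = $_.VolumeStatus         # FullyEncrypted, EncryptionInProgress, ...
            ProtectionStatus    = $_.ProtectionStatus     # Off while BitLocker is suspended
            PercentEncrypted    = $_.EncryptionPercentage
            Protectors          = ($_.KeyProtector.KeyProtectorType -join ', ')
            HasRecoveryPassword = [bool]$recovery
            RecoveryProtectorId = ($recovery.KeyProtectorId -join ', ')
        }
    }
}

function Backup-BitLockerRecoveryToAD {
    param(
        # Default: every volume that is currently protected.
        [string[]]$MountPoint = (Get-BitLockerVolume |
            Where-Object ProtectionStatus -eq 'On').MountPoint
    )
    foreach ($mp in $MountPoint) {
        $vol = Get-BitLockerVolume -MountPoint $mp
        $ids = ($vol.KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword').KeyProtectorId
        if (-not $ids) {
            Write-Warning ("$mp has no recovery password protector; add one with " +
                "Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector")
            continue
        }
        foreach ($id in $ids) {
            # Stores the recovery password under the computer account in AD
            # (msFVE-RecoveryInformation object).
            Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $id | Out-Null
            Write-Output "$mp protector $id escrowed to Active Directory"
        }
    }
}

Get-BitLockerInventory | Format-Table -AutoSize
Backup-BitLockerRecoveryToAD
```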

You can enable BitLocker encryption on a fixed data drive by following these steps:

  1. Open the BitLocker Drive Encryption console. In Control Panel, tap or click System And Security and then tap or click BitLocker Drive Encryption.

  2. In the BitLocker Drive Encryption console, available drives are listed by category. Under the Fixed Data Drives heading, tap or click Turn On BitLocker for the fixed data drive you want to encrypt. BitLocker verifies that your computer meets its requirements and then initializes the drive. If BitLocker is already enabled on the drive, you have management options instead.

  3. On the Choose How You Want To Unlock This Drive page, shown in Figure 14-18, choose one or more of the following options and then tap or click Next:

    • Use A Password To Unlock The Drive. Select this option if you want the user to be prompted for a password to unlock the drive. Passwords allow a drive to be unlocked in any location and to be shared with other people.

    • Use My Smart Card To Unlock The Drive. Select this option if you want the user to use a smart card and enter the smart card PIN to unlock the drive. Because this feature requires a smart card reader, it is normally used to unlock a drive in the workplace and not for drives that might be used outside the workplace.


    Figure 14-18. Choose an option for unlocking a drive.

    Important

    When you tap or click Next, the wizard generates a recovery key. You can use the key to unlock the drive if BitLocker detects a condition that prevents it from unlocking the drive during boot. Note that you should save the key on removable media or on a network share. You can’t store the key on the encrypted volume or the root directory of a fixed drive.

  4. On the How Do You Want To Back Up Your Recovery Key? page, choose a save location for the recovery key—preferably, a USB flash drive or other removable media.

  5. You can now optionally save the recovery key to another folder, print the recovery key, or both. For each option, tap or click the option and then follow the wizard’s steps to set the location for saving or printing the recovery key. When you finish, tap or click Next.

  6. If it is allowed in Group Policy, you can elect to encrypt used disk space only or the entire drive and then tap or click Next. Encrypting the used disk space only is faster than encrypting an entire volume. It is also the recommended option for newer computers and drives (except in high-security environments).

  7. On the Are You Ready To Encrypt This Drive? page, tap or click Start Encrypting. How long the encryption process takes depends on the amount of data being encrypted and other factors.

  8. Because the encryption process can be paused and resumed, you can shut down the computer before the drive is completely encrypted and the encryption of the drive will resume when you restart the computer. The encryption state is maintained in the event of a power loss as well.

Enabling BitLocker on removable data drives

Encrypting removable data drives protects the data stored on the volume. Any removable data drive formatted with FAT, FAT32, exFAT, NTFS, or ReFS can be encrypted with BitLocker. The length of time it takes to encrypt a drive depends on the size of the drive, the processing power of the computer, and the level of activity on the computer.

Before you enable BitLocker, you should configure the appropriate Removable Data Drives policies and settings in Group Policy and then wait for Group Policy to be refreshed. If you don’t do this and you enable BitLocker, you might need to turn off BitLocker and then turn it back on because certain state and management flags are set when you turn on BitLocker.

To be sure that you can recover an encrypted volume, you should allow data-recovery agents and store recovery information in Active Directory. If you use a flash drive with earlier versions of Windows, you can use the Allow Access To BitLocker-Protected Removable Data Drives From Earlier Versions Of Windows policy to ensure that you have access to the removable data drive on other operating systems and computers. Unlocked drives are read-only.

You can enable BitLocker encryption on a removable data drive by following these steps:

  1. After you connect the removable data drive, open the BitLocker Drive Encryption console. In Control Panel, tap or click System And Security and then tap or click BitLocker Drive Encryption.

  2. In the BitLocker Drive Encryption console, available drives are listed by category. Under the Removable Data Drives heading, tap or click Turn On BitLocker for the removable data drive you want to encrypt. BitLocker verifies that your computer meets its requirements and then initializes the drive. If BitLocker is already enabled on the drive, you have management options instead.

  3. On the Choose How You Want To Unlock This Drive page, choose one or more of the following options and then tap or click Next:

    • Use A Password To Unlock The Drive. Select this option if you want the user to be prompted for a password to unlock the drive. Passwords allow a drive to be unlocked in any location and to be shared with other people.

    • Use My Smart Card To Unlock The Drive. Select this option if you want the user to use a smart card and enter the smart card PIN to unlock the drive. Because this feature requires a smart card reader, it is normally used to unlock a drive in the workplace and not for drives that might be used outside the workplace.

  4. On the How Do You Want To Back Up Your Recovery Key? page, tap or click Save The Recovery Key To A File.

  5. In the Save BitLocker Recovery Key As dialog box, choose a save location and then tap or click Save.

  6. You can now print the recovery key if you want to. When you finish, tap or click Next.

  7. If it is allowed in Group Policy, you can elect to encrypt used disk space only or the entire drive and then tap or click Next. Encrypting the used disk space only is faster than encrypting an entire volume. It is also the recommended option for newer computers and drives (except in high-security environments).

  8. On the Are You Ready To Encrypt This Drive? page, tap or click Start Encrypting. Be sure to pause encryption before removing the drive and then resume the process to complete the encryption. Do not otherwise remove the USB flash drive until the encryption process is complete. How long the encryption process takes depends on the amount of data to encrypt and other factors.

The encryption process does the following:

  • It adds an Autorun.inf file, the BitLocker To Go reader, and a Read Me.txt file to the removable data drive.

  • It creates a virtual volume with the encrypted contents of the drive.

  • It encrypts the virtual volume to protect it. Removable data drive encryption takes approximately 6 to 10 minutes per gigabyte to complete. The encryption process can be paused and resumed as long as you don’t remove the drive.

When you connect an encrypted drive, Windows displays a notification on the secure desktop, as shown in Figure 14-19. If the notification disappears before you can tap or click it, just remove and then reinsert the encrypted drive.


Figure 14-19. Tap or click the notification.

Then unlock the encrypted drive by completing the following steps:

  1. Tap or click the notification to open the BitLocker dialog box. This dialog box also is displayed on the secure desktop.

  2. When you are prompted, enter the password. Optionally, tap or click More Options to expand the dialog box so that you can select Automatically Unlock On This Computer, which saves the password in an encrypted file on the computer’s system volume. Finally, tap or click Unlock to unlock the drive so that you can use it.

  3. If you forget or lose the password for the drive but have the recovery key, tap or click More Options and then tap or click Enter Recovery Key. Enter the 48-digit recovery key and then tap or click Unlock. This key is stored in the XML-formatted recovery key file as plain text.

Enabling BitLocker on operating-system volumes

Before you can encrypt a system volume, you must remove all bootable media from a computer’s CD/DVD drives and from all USB flash drives. You can then enable BitLocker encryption on the system volume by completing the following steps:

  1. Open the BitLocker Drive Encryption console. In Control Panel, tap or click System And Security and then tap or click BitLocker Drive Encryption.

  2. In the BitLocker Drive Encryption console, available drives are listed by category. Under the Operating System Drives heading, tap or click Turn On BitLocker for the operating-system drive you want to encrypt. BitLocker verifies that your computer meets its requirements and then initializes the drive. If BitLocker is already enabled on the drive, you have management options instead.

    Note

    As part of the setup, Windows prepares the required BitLocker partition if necessary. If Windows RE is in this partition, Windows moves Windows RE to the system volume and then uses this additional partition for BitLocker.

    Note also that if the computer doesn’t have a TPM, the Allow BitLocker Without A Compatible TPM option must be enabled for operating-system volumes in the Require Additional Authentication At Startup policy.

  3. As Figure 14-20 shows, you can now configure BitLocker startup preferences. Continue as discussed in the separate procedures that follow. If the computer doesn’t have a TPM, your options will be different. You can create a password to unlock the drive, or you can insert a USB flash drive and store the startup key on the flash drive.


    Figure 14-20. Configure BitLocker startup preferences.

When a computer has a TPM, you can use BitLocker to provide basic integrity checks of the volume without requiring any additional keys. In this configuration, BitLocker protects the system volume by encrypting it. This configuration does the following:

  • Grants access to the volume to users who can log on to the operating system

  • Prevents those who have physical access to the computer from booting to an alternative operating system to gain access to the data on the volume

  • Allows the computer to be used with or without a TPM for additional boot security

  • Does not require a password or a smart card with a PIN

To use BitLocker without any additional keys, follow these steps:

  1. On the Choose How To Unlock Your Drive At Startup page, tap or click Let BitLocker Automatically Unlock My Drive.

  2. On the How Do You Want To Back Up Your Recovery Key page, tap or click Save To A File.

  3. In the Save BitLocker Recovery Key As dialog box, choose the location of your USB flash drive or an appropriate network share and then tap or click Save. Do not use a USB flash drive that is BitLocker-encrypted.

  4. You can now optionally save the recovery key to another location, print the recovery key, or both. Tap or click an option and then follow the wizard’s steps to set the location for saving or printing the recovery key. When you finish, tap or click Next.

  5. If it is allowed in Group Policy, you can elect to encrypt used disk space only or the entire drive and then tap or click Next. Encrypting the used disk space only is faster than encrypting an entire volume. It is also the recommended option for newer computers and drives (except in high-security environments).

  6. On the Encrypt The Drive page, tap or click Start Encrypting. How long the encryption process takes depends on the amount of data to encrypt and other factors.

To enhance security, you can require additional authentication at startup. This configuration does the following:

  • Grants access to the volume only to users who can provide a valid key

  • Prevents those who have physical access to the computer from booting to an alternative operating system to gain access to the data on the volume

  • Allows the computer to be used with or without a TPM for additional boot security

  • Requires a password or a smart card with a PIN

  • Optionally, uses Network Unlock to unlock the volume when the computer is joined to and connected to the domain

A startup key is different from a recovery key. If you create a startup key, this key is required to start the computer. The recovery key is required to unlock the computer if BitLocker enters Recovery mode, which might happen if BitLocker suspects the computer has been tampered with while the computer was offline.

You can enable BitLocker encryption for use with a startup key by following these steps:

  1. Insert a USB flash drive in the computer (if one is not already there). Do not use a USB flash drive that is BitLocker-encrypted.

  2. On the Choose How To Unlock Your Drive At Startup page, tap or click Insert A USB Flash Drive.

  3. On the Back Up Your Startup Key page, tap or click the USB flash drive and then tap or click Save. Next, you need to save the recovery key. Because you should not store the recovery key and the startup key on the same medium, remove the USB flash drive and insert a second USB flash drive.

  4. On the How Do You Want To Back Up Your Recovery Key page, tap or click Save To A File. In the Save BitLocker Recovery Key As dialog box, choose the location of your USB flash drive and then tap or click Save. Do not remove the USB flash drive with the recovery key.

  5. You can now optionally save the recovery key to a network folder, print the recovery key, or both. Tap or click an option and then follow the wizard’s steps to set the location for saving or printing the recovery key. When you finish, tap or click Next.

  6. If it is allowed in Group Policy, you can elect to encrypt used disk space only or the entire drive and then tap or click Next. Encrypting the used disk space only is faster than encrypting an entire volume. It is also the recommended option for newer computers and drives (except in high-security environments).

  7. On the Encrypt The Volume page, confirm that Run BitLocker System Check is selected and then tap or click Continue. Confirm that you want to restart the computer by tapping or clicking Restart Now.

The computer restarts, and BitLocker ensures that the computer is BitLocker-compatible and ready for encryption. If the computer is not ready for encryption, you see an error and need to resolve the error status before you can complete this procedure. If the computer is ready for encryption, the Encryption In Progress status bar appears. You can monitor the status of the disk-volume encryption by pointing to the BitLocker Drive Encryption icon in the notification area. By double-tapping or double-clicking this icon, you can open the Encrypting dialog box and either monitor the encryption process more closely or pause the encryption process. Volume encryption takes approximately one minute per gigabyte to complete.

By completing this procedure, you encrypt the operating-system volume and create a recovery key unique to that volume. The next time you turn on your computer, either the USB flash drive with the startup key must be plugged into a USB port on the computer or the computer must be connected to the domain network and using Network Unlock. If the USB flash drive is required for startup and you do not have the USB flash drive containing your startup key, you need to use Recovery mode and supply the recovery key to gain access to the data.

You can enable BitLocker encryption for use with a startup PIN by following these steps:

  1. On the Choose How To Unlock Your Drive At Startup page, select Enter A PIN.

  2. On the Enter A PIN page, type and confirm the PIN. The PIN can be any number you choose and must be 4 to 20 digits in length. The PIN is stored on the computer.

  3. Insert the USB flash drive on which you want to save the recovery key and then tap or click Set PIN. Do not use a USB flash drive that is BitLocker-encrypted.

    Continue with steps 4 through 7 in the previous procedure.

When the encryption process is complete, you have encrypted the entire volume and created a recovery key unique to this volume. If you created a PIN or a startup key, you are required to use the PIN or startup key to start the computer (or the computer must be connected to the domain network and using Network Unlock). Otherwise, you will see no change to the computer unless the TPM changes, the TPM cannot be accessed, or someone tries to modify the disk while the operating system is offline. In these cases, the computer enters Recovery mode, and you need to enter the recovery key to unlock the computer.

Managing and troubleshooting BitLocker

You can determine whether a system volume, data volume, or inserted removable drive uses BitLocker by tapping or clicking System And Security in Control Panel and then double-tapping or double-clicking BitLocker Drive Encryption. You see the status of BitLocker on each volume, as shown in Figure 14-21.

The BitLocker Drive Encryption service must be started for BitLocker to work properly. Normally, this service is configured for manual startup and runs under the LocalSystem account.

To use smart cards with BitLocker, the Smart Card service must be started. Normally, this service is configured for manual startup and runs under the LocalService account.

After you create a startup key or PIN and a recovery key for a computer, you can create duplicates of the startup key, startup PIN, or recovery key as necessary for backup or replacement purposes, using the options on the BitLocker Drive Encryption page in Control Panel.

With fixed data drives and operating-system drives, another way to access this page is to press and hold or right-click the volume in File Explorer and then tap or click Manage BitLocker. If BitLocker is turned off, Turn On BitLocker appears instead.


Figure 14-21. Review the current status of BitLocker for each volume.

The management options provided depend on the type of volume you are working with and the encryption settings you choose. The available options include the following:

  • Back Up Recovery Key. Allows you to save or print the recovery key. Tap or click this option and then follow the prompts.

  • Change Password. Allows you to change the encryption password. Tap or click this option, enter the old password, and then type and confirm the new password. Tap or click Change Password.

  • Remove Password. Tap or click this option to remove the encryption password requirement for unlocking the drive. You can do this only if another unlocking method is configured first.

  • Add Smart Card. Allows you to add a smart card for unlocking the drive. Tap or click this option and then follow the prompts.

  • Remove Smart Card. Tap or click this option to remove the smart card requirement for unlocking the drive.

  • Change Smart Card. Allows you to change the smart card used to unlock the drive. Tap or click this option and then follow the prompts.

  • Turn On Auto-Unlock. Tap or click this option to turn on automatic unlocking of the drive.

  • Turn Off Auto-Unlock. Tap or click this option to turn off automatic unlocking of the drive.

  • Turn Off BitLocker. Tap or click this option to turn off BitLocker and decrypt the drive.

Recovering data protected by BitLocker Drive Encryption

If you configure BitLocker Drive Encryption and the computer enters Recovery mode, you need to unlock the computer. To unlock the computer by using a recovery key stored on a USB flash drive, follow these steps:

  1. Turn on the computer. If the computer is locked, the computer opens the BitLocker Drive Encryption Recovery console.

  2. When you are prompted, insert the USB flash drive that contains the recovery key and then press Enter.

    The computer unlocks and reboots automatically. You do not need to enter the recovery key manually.

If you saved the recovery key file in a folder on another computer or on removable media, you can use another computer to open and validate the recovery key file. To locate the correct file, find Password ID on the recovery console displayed on the locked computer and write down this number. The file containing the recovery key uses this Password ID as the file name. Open the file and locate the recovery key.
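An added example, not from the book: on the second computer, this PowerShell function searches a folder of saved recovery key files for the Password ID shown on the recovery console, extracts the 48-digit key, and checks its format (each six-digit block of a BitLocker recovery password is a multiple of 11 and below 720896) so that a mistyped or truncated key is caught before you walk it back to the locked computer. The folder, file name and key values below are constructed for the demonstration.

```powershell
# Added example (not from the book). Locate and validate a saved recovery key
# by Password ID.

function Test-BitLockerRecoveryKeyFormat {
    param([Parameter(Mandatory)][string]$Key)
    $blocks = $Key.Trim() -split '-'
    if ($blocks.Count -ne 8) { return $false }
    foreach ($b in $blocks) {
        if ($b -notmatch '^\d{6}$') { return $false }
        $n = [int]$b
        # Each block encodes 16 bits as (value * 11); anything else is a typo.
        if ($n % 11 -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

function Find-BitLockerRecoveryKey {
    param(
        [Parameter(Mandatory)][string]$Folder,
        # Full GUID or just the leading characters shown as Password ID on screen.
        [Parameter(Mandatory)][string]$PasswordId
    )
    $idPrefix = $PasswordId.Trim('{}').ToUpperInvariant()
    Get-ChildItem -Path $Folder -Recurse -File -Filter '*.txt' |
        Where-Object { $_.Name.ToUpperInvariant() -like "*$idPrefix*" } |
        ForEach-Object {
            $text = Get-Content -Path $_.FullName -Raw
            $m = [regex]::Match($text, '\b(\d{6}-){7}\d{6}\b')
            [pscustomobject]@{
                File        = $_.FullName
                RecoveryKey = if ($m.Success) { $m.Value } else { $null }
                FormatValid = $m.Success -and (Test-BitLockerRecoveryKeyFormat $m.Value)
            }
        }
}

# Constructed sample: a recovery key file in the layout the wizard saves,
# with a made-up identifier and a key whose blocks are all multiples of 11.
$sampleDir = Join-Path $env:TEMP 'bitlocker-recovery-sample'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
$sampleId  = '1A2B3C4D-0000-4000-8000-000000000001'
$sampleKey = '111111-222222-333333-444444-555555-666666-707707-000011'
@"
BitLocker Drive Encryption recovery key

Identifier:

        $sampleId

Recovery Key:

        $sampleKey
"@ | Set-Content -Path (Join-Path $sampleDir "BitLocker Recovery Key $sampleId.TXT")

# Search using only the leading characters, as displayed on the recovery console.
Find-BitLockerRecoveryKey -Folder $sampleDir -PasswordId '1A2B3C4D' | Format-List
```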

To unlock the computer by typing the recovery key, follow these steps:

  1. Turn on the computer. If the computer is locked, the computer opens the BitLocker Drive Encryption Recovery console.

  2. Type the recovery key and then press Enter. The computer unlocks and reboots automatically.

A computer can become locked if a user tries to enter the recovery key but is repeatedly unsuccessful. In the recovery console, you can press Esc twice to exit the recovery prompt and turn off the computer. A computer might also become locked if an error related to the TPM occurs or boot data is modified. In this case, the computer halts very early in the boot process, before the operating system starts. At this point, the locked computer might not be able to accept standard keyboard numbers. If that is the case, you must use the function keys to enter the recovery password. Here, the function keys F1–F9 represent the digits 1 through 9, and the F10 function key represents 0.

Disabling or turning off BitLocker Drive Encryption

When you need to make changes to the TPM or make other changes to the system, you might first need to turn off BitLocker encryption temporarily on the system volume. You cannot turn off BitLocker encryption temporarily on data volumes; you can only decrypt data volumes.

To turn off BitLocker encryption temporarily on the system volume, follow these steps:

  1. In Control Panel, tap or click System And Security and then double-tap or double-click BitLocker Drive Encryption.

  2. For the system volume, tap or click Turn Off BitLocker Drive Encryption.

  3. In the What Level Of Decryption Do You Want? dialog box, tap or click Disable BitLocker Drive Encryption.

    By completing this procedure, you temporarily disable BitLocker on the operating-system volume.

To turn off BitLocker Drive Encryption and decrypt a data volume, follow these steps:

  1. In Control Panel, tap or click System And Security and then double-tap or double-click BitLocker Drive Encryption.

  2. For the appropriate volume, tap or click Turn Off BitLocker Drive Encryption.

  3. In the What Level Of Decryption Do You Want? dialog box, tap or click Decrypt The Volume.

To turn off BitLocker Drive Encryption and decrypt a USB flash drive, follow these steps:

  1. In Control Panel, tap or click System And Security and then double-tap or double-click BitLocker Drive Encryption.

  2. For the appropriate volume, tap or click Turn Off BitLocker Drive Encryption.

  3. In the What Level Of Decryption Do You Want? dialog box, tap or click Decrypt The Volume.
