BitLocker Drive Encryption Glossary
This glossary provides an authoritative definition of the words that are used in the Microsoft® BitLocker™ Drive Encryption documentation. Its primary aim is to standardize the language of BitLocker documents to reduce confusion and offer assistance.
This information applies to Windows Vista® and Windows Server® 2008.
The first volume that is accessed when a computer starts up. This volume contains the hardware-specific files that are required to load Windows and includes the computer's boot manager (for loading multiple operating systems). Generally, the system volume can be, but is not required to be, the same volume as the operating system volume. For BitLocker Drive Encryption to function, the system volume must differ from the operating system volume. It also must not be encrypted. The active volume is the partition that initiates the hardware system startup process. In Windows Vista and Windows Server 2008, this partition contains the active boot manager. Any given computer should have only one system volume.
active partition
A partition from which a computer starts up. The active partition must be a primary partition on a basic disk. If you use Windows exclusively, the active partition can be the same as the system volume.
Software or hardware methods that increase the difficulty and cost of a key search attack on a PIN or password. In BitLocker Drive Encryption, the Trusted Platform Module (TPM) is used to prevent hammering.
A combination of one or more of the following elements, identified by a globally unique identifier (GUID): personal identification number (PIN), recovery password, recovery key, USB flash drive key, and Trusted Platform Module (TPM).
BCD
See definition for: Boot Configuration Data (BCD).
binary large object (BLOB)
A discrete packet of binary data that has an exceptionally large size, such as pictures or audio tracks stored as digital data, or any variable or table column that is large enough to hold such values. The designation "binary large object" typically refers to a packet of data that is stored in a database and is treated as a sequence of uninterpreted bytes. For BitLocker Drive Encryption, any cryptographically protected piece of data. For example, the TPM seals the volume master key, and the TPM_Seal operation returns a BLOB that is stored on the hard disk. Similarly, the volume master key can be encrypted by a clear key, by an external key, or by a recovery password, and stored on disk as a BLOB.
BIOS boot order
A list of all potentially bootable devices, in the order in which they are tried. If the first device in the list does not yield a valid boot sector, the BIOS proceeds to the next device in the list.
BitLocker Drive Encryption
A Windows Vista or Windows Server 2008 feature that provides full-volume encryption and integrity checking of boot components.
BitLocker disabled mode
A mode in which the disk volume remains encrypted by BitLocker Drive Encryption, but security is effectively disabled because the volume master key, and through it the full-volume encryption key that encrypts the operating system volume, is accessible by using a clear key. This mode is used to upgrade system hardware or to perform other actions that might otherwise trigger recovery mode.
BitLocker enabled mode
A mode in which BitLocker Drive Encryption is turned on and the data on the volume is encrypted by BitLocker as it is written and decrypted as it is read. When the computer starts, one of the following conditions is required to decrypt the volume master key and access the volume: successful validation of critical early boot components by the Trusted Platform Module (TPM), if a TPM is implemented; successful validation of critical early boot components by the TPM (in conjunction with a startup key or PIN, if configured); input of a recovery password; or insertion of a USB flash drive that contains a recovery key.
BitLocker off mode
A mode in which BitLocker Drive Encryption protection is turned off on a disk volume and the disk volume is not encrypted. This is a disk volume with a standard clear text file format.
BLOB
See definition for: binary large object (BLOB).
Boot Configuration Data (BCD)
A store that contains boot configuration parameters and controls how the operating system is started in Windows Vista or Windows Server 2008. The objects and elements in the store replace Boot.ini in Windows XP and Windows Server 2003.
See definition for: partition.
boot sector
The first 512 bytes of sector 0 of a partitioned data storage device.
brute force attack
See definition for: key search attack.
clear key
The key that is stored unencrypted on the disk volume. This key is used to access the volume master key freely and, in turn, to access the full-volume encryption key when BitLocker Drive Encryption protection is disabled but the disk volume remains encrypted. See definition for: BitLocker disabled mode.
A mathematical function that is used for encryption and decryption. Most cryptographic algorithms are based on a substitution cipher, a transposition cipher, or a combination.
decrypt
To convert encrypted content back into its original form.
diffusion
The property of a cryptographic algorithm that ensures that a change in a few input bits leads to changes in many of the output bits. Diffusion is an option in BitLocker Drive Encryption and is enabled by default to help prevent attacks on encrypted data.
The forced recovery of a BitLocker-protected volume through the removal of all the key binary large objects (BLOBs) that could have decrypted the disk.
EFS
See definition for: Encrypting File System (EFS).
encrypt
To disguise content programmatically in order to hide its substance.
Encrypting File System (EFS)
A Microsoft file-based encryption technology that enables users to encrypt files and folders on NTFS volumes. EFS helps protect the confidentiality of data by ensuring that only authorized users can decrypt the encrypted files or folders.
external key
A file that contains information to access cryptographically locked data and that is stored away from the system, such as on a USB flash drive.
external key file
A file that contains the external key and that is stored on an external media device. The name and contents of the file are internal to Microsoft and can change from version to version.
full volume encryption key
The algorithm-specific key that is used to encrypt (and, optionally, to diffuse) data on disk sectors. Currently, this key can be either a 128-bit or a 256-bit Advanced Encryption Standard (AES) key. The default encryption algorithm that BitLocker Drive Encryption uses is AES 128-bit with diffuser.
global system key
A Windows key that is used to derive other keys to help guard global system secrets. The system secrets refer to any user or system data that is private or hidden for security purposes. Also known as SYSKEY.
globally unique identifier (GUID)
A 16-byte value generated from the unique identifier on a device, the current date and time, and a sequence number. It is used to identify a particular device, component, user, or session. BitLocker Drive Encryption uses a GUID to identify system components, including key protectors, uniquely.
GUID
See definition for: globally unique identifier (GUID).
hammering
A key search attack in which an unauthorized user guesses at a PIN or password many times.
hibernation
A power-saving mode that allows a quicker resumption of operation than fully turning the computer off and then back on. When a user activates hibernation mode, all current applications that are running in memory are saved to disk, and the computer is turned off. After the user presses a button or clicks the mouse to resume full operation, the applications are read from disk and appear in the same state as before the user activated hibernation mode.
hibernation file
A file created during hibernation that contains the contents of memory and the central processing unit (CPU) registers. BitLocker Drive Encryption encrypts the hibernation file and blocks unauthorized access to its contents.
integrity check
A task that the Trusted Platform Module (TPM) performs by confirming that the SHA-1 hash computed for each system component that runs during boot matches the values that were stored in platform configuration registers (PCRs) at the time BitLocker Drive Encryption was turned on. If the state of the early boot components differs from the static root of trust measurement, BitLocker boots to recovery mode until the authorized user enters the recovery password.
key protector
A BLOB (binary large object) that is used to restrict access to a BitLocker-protected disk. Examples of key protectors in BitLocker Drive Encryption include Trusted Platform Module (TPM) + personal identification number (PIN), startup key, recovery password, and recovery key.
key search attack
An attack to find a secret password or a symmetric encryption key by trying all possible passwords or keys until the correct password or key is discovered. Also called a brute force attack.
logical drive
A subsection of a hard drive that is defined by software. The boot sector of each logical drive contains only a partition table. Only the first two entries in this partition table are used; the other two are empty. The first entry holds the definitions for the logical drive in the following sectors. The first sector to which the entry points contains the specific boot sector of the file system that was used in this logical drive. The second entry in the logical drive partition table holds the parameters for the subsequent logical drive. The second entry of the last logical drive is also empty. Logical drives cannot be used to boot the computer, because the boot sectors of logical drives do not contain boot data.
MAC
See definition for: Message Authentication Code (MAC).
Master Boot Record (MBR)
A record that might be located in the boot sector of a disk drive. It allows the disk to be partitioned. It contains the partition table and code that parses this table during the boot process. The MBR is also referred to as partition 0 on a disk. A disk does not need an MBR. The NTFS boot sector, for example, can be written directly into the boot sector of a disk. Such a disk is always handled as a whole and cannot be partitioned.
MBR
See definition for: Master Boot Record (MBR).
Message Authentication Code (MAC)
A keyed hashing algorithm that uses a symmetric session key to help ensure that a block of data has retained its integrity from the time it was sent until the time it was received. When using this type of algorithm, the receiving application must also possess the session key to recompute the hash value, so that it can verify that the base data has not changed.
operating system volume
A volume that contains an operating system (for example, Windows Vista) that can be loaded by a boot manager. The operating system volume must be a simple volume, and must contain all operating system files. A given system can have multiple operating system volumes. The operating system on this volume can be started only if it has an entry in the Boot Configuration Data (BCD).
owner password
A password that the user sets when the Trusted Platform Module (TPM) is enabled. An owner password is required to turn the TPM on or off, and to use certain TPM functions.
Related terms: Trusted Platform Module (TPM)
partition
A sequence of contiguous sectors on a physical disk that holds a file system. The start sector and length are specified in a partition table.
A partition that does not directly contain a file system. It allows the definitions of multiple logical drives within the sectors that are assigned to the extended partition. The extended partition does not have a boot sector. Instead, sector 0 of an extended partition has the definition of the first logical drive.
A contiguous set of sectors on a disk that are defined in the partition table in the Master Boot Record (MBR). The system can be booted from this partition. The first sector of this partition contains the specific boot sector of the file system that is used in this partition.
partition table
On a hard disk, the data structure that stores the offset (location) and size of each primary partition on the disk. On MBR disks, the partition table is located in the master boot record. On GPT disks, the partition table is located in the GUID partition entry array.
PCR
See definition for: platform configuration register (PCR).
personal identification number (PIN)
A user-specified secret value that must be entered each time a computer starts (or resumes from hibernation). You can choose to add PIN protection to a Trusted Platform Module (TPM)-based configuration. The PIN can have between 4 and 20 digits and is stored internally as a 256-bit hash of the entered Unicode characters. This value is never displayed back to the user in any form or for any reason. The PIN is used to provide another factor of protection in conjunction with TPM authentication.
PIN
See definition for: personal identification number (PIN).
platform configuration register (PCR)
A register of a Trusted Platform Module (TPM). This register is sufficiently large to contain a hash (currently only SHA-1). A register can normally only be extended, which means that its content is a running hash of all values that are loaded to it.
recovery password
A numerical password that consists of 48 digits divided into 8 groups. Each group of 6 digits is reduced modulo 11 (a numerical calculation) before being compressed into 16 corresponding bits of passphrase data. A copy of the passphrase data is stored on disk, encrypted by the volume master key, so an administrator can retrieve the recovery password after Windows has loaded. The recovery password must be entered by using the function keys on the keyboard.
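As an added illustration (not code from the glossary or from Microsoft), the following Python checker applies the format rules just described to a constructed sample password: each 6-digit group is reduced modulo 11 and compressed into a 16-bit word, so a group that is not a multiple of 11, or whose quotient exceeds 16 bits, indicates a mistyped password before any key material is touched. The little-endian order of the packed words is an assumption of this example.

```python
import re
import struct

GROUPS = 8
DIGITS_PER_GROUP = 6

# Constructed sample (not a real key): every 6-digit group is a multiple of 11
# and its quotient fits in 16 bits, so the password passes the format checks.
SAMPLE_PASSWORD = "000011-000022-000033-000044-000055-000066-000077-000088"


def parse_groups(text):
    """Split a recovery password into eight 6-digit groups.
    Separators ('-' or whitespace) are tolerated; anything else is rejected."""
    digits = re.sub(r"[\s-]", "", text)
    if not digits.isdigit() or len(digits) != GROUPS * DIGITS_PER_GROUP:
        raise ValueError("recovery password must be 48 decimal digits")
    return [int(digits[i:i + DIGITS_PER_GROUP])
            for i in range(0, len(digits), DIGITS_PER_GROUP)]


def group_to_word(group):
    """Apply the modulo-11 reduction to one group and compress it to 16 bits.
    A group that is not a multiple of 11 fails the check (a mistyped digit);
    a quotient above 0xFFFF cannot be represented in 16 bits and is rejected."""
    if group % 11 != 0:
        raise ValueError(f"group {group:06d} fails the modulo-11 check")
    word = group // 11
    if word > 0xFFFF:
        raise ValueError(f"group {group:06d} does not fit in 16 bits")
    return word


def pack_recovery_password(text):
    """Return the 16 bytes of passphrase data for a 48-digit recovery password.
    Assumption of this example: the eight 16-bit words are stored little-endian."""
    words = [group_to_word(group) for group in parse_groups(text)]
    return struct.pack("<8H", *words)


def is_valid_recovery_password(text):
    """True if the password satisfies the length, modulo-11 and 16-bit rules."""
    try:
        pack_recovery_password(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(pack_recovery_password(SAMPLE_PASSWORD).hex())
    # A single mistyped digit breaks the modulo-11 check for that group.
    print(is_valid_recovery_password(SAMPLE_PASSWORD.replace("000011", "000012")))
```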
recovery password file
A BitLocker Drive Encryption file that uses the naming convention: <GUID>.bek (including the BitLocker .fve file name extension), which contains the recovery key that is required to unseal the volume.
recovery key
A key that is used for recovering data that is encrypted on a BitLocker volume. This key is cryptographically equivalent to a startup key. If available, the recovery key decrypts the volume master key, which in turn decrypts the full-volume encryption key. The recovery key is stored on a USB flash drive. To use the recovery key, a user inserts the USB flash drive and then restarts the computer.
recovery mode, locked mode
A mode in which BitLocker Drive Encryption prevents users from logging on to the computer, either because the system components have changed, or because it needs an authentication key. In this circumstance, the user enters the recovery password and investigates why BitLocker triggered recovery mode.
seal
The process that BitLocker Drive Encryption uses to encrypt the volume master key and to create a binary large object (BLOB).
SHA-1
A cryptographically strong hash algorithm that creates a 160-bit hash.
The unused area outside of the boot sector in sector 0 of a partitioned data storage device.
startup key
A key that is stored on a USB flash drive that must be inserted each time the computer starts. The startup key is used to provide another factor of protection in conjunction with Trusted Platform Module (TPM) authentication. This is stored by the computer as an external key. A startup key is required to start a computer that has BitLocker Drive Encryption enabled but does not have a TPM.
SYSKEY
See definition for: global system key.
system (active) volume
The first volume that is accessed when a computer starts up. This volume contains the hardware-specific files that are required to load Windows and includes the computer’s boot manager (for loading multiple operating systems). The system volume generally is, but is not required to be, the same volume as the operating system volume. However, for BitLocker Drive Encryption to function, the system volume must differ from the operating system volume and also must not be encrypted. This is the partition that initiates the hardware system startup process. In Windows Vista and Windows Server 2008, this partition contains the active boot manager. Any given computer should have only one system volume.
TCG
See definition for: Trusted Computing Group (TCG).
TPM
See definition for: Trusted Platform Module (TPM).
Trusted Computing Group (TCG)
The organization that sets standards for Trusted Platform Module (TPM) use and interface (http://go.microsoft.com/fwlink/?LinkID=67440).
Trusted Platform Module (TPM)
Security hardware that provides a hardware-based root of trust and that can be leveraged to provide a variety of cryptographic services, such as early-boot component checking. BitLocker Drive Encryption uses a TPM version 1.2 together with a Trusted Computing Group (TCG)-compatible BIOS to validate the integrity of critical early boot components and to provide a transparent startup experience.
unseal
For BitLocker Drive Encryption, the process that the Trusted Platform Module (TPM) uses to decrypt data in a sealed binary large object (BLOB) to reveal the original secret. This BLOB can be unsealed only when the platform configuration registers (PCRs) in the TPM are identical to the PCRs in the BLOB. If any of the PCR values are different, the TPM refuses to unseal the data and instead returns an error.
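The PCR, integrity check and unseal entries above describe one mechanism; the following Python simulation (added here, not Microsoft's code) shows it end to end: a register is only ever extended, so its value is a running SHA-1 hash of the measured boot components in order, and a sealed BLOB is released only when every recorded PCR matches the current value. The boot component strings and the PCR index are constructed placeholders, and the seal/unseal functions stand in for the TPM's internal operations.

```python
import hashlib

PCR_SIZE = 20  # one SHA-1 digest (160 bits) per register


def pcr_extend(pcr, measurement):
    """Extend a register: new PCR = SHA-1(old PCR || SHA-1(measurement)).
    A PCR can only be extended, never written, so its value is a running hash
    of every component measured into it, in the order they were measured."""
    digest = hashlib.sha1(measurement).digest()
    return hashlib.sha1(pcr + digest).digest()


def measure_boot(components):
    """Measure a boot chain into a fresh (all-zero) PCR and return its value."""
    pcr = bytes(PCR_SIZE)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def seal(secret, pcr_values):
    """Simulated TPM_Seal: bind the secret to the PCR values present now.
    A real TPM encrypts the secret under a key that never leaves the chip;
    this simulation keeps it in the clear and shows only the unseal decision."""
    return {"policy": dict(pcr_values), "secret": secret}


def unseal(blob, current_pcrs):
    """Simulated unseal: release the secret only if every PCR recorded in the
    blob is identical to the current register value; otherwise refuse."""
    for index, expected in blob["policy"].items():
        if current_pcrs.get(index) != expected:
            raise PermissionError(f"PCR[{index}] differs: TPM refuses to unseal")
    return blob["secret"]


# Constructed boot chains (placeholder byte strings, not real boot code).
GOOD_BOOT = [b"MBR image v1", b"boot sector v1", b"boot manager v1"]
TAMPERED_BOOT = [b"MBR image v1", b"boot sector v2", b"boot manager v1"]
PCR_INDEX = 4  # register index chosen for this example


def demo():
    """Seal a placeholder VMK at enable time, then try two later boots."""
    vmk = b"volume master key placeholder (constructed)"
    blob = seal(vmk, {PCR_INDEX: measure_boot(GOOD_BOOT)})
    unchanged_boot_ok = unseal(blob, {PCR_INDEX: measure_boot(GOOD_BOOT)}) == vmk
    try:
        unseal(blob, {PCR_INDEX: measure_boot(TAMPERED_BOOT)})
        tampered_boot_refused = False
    except PermissionError:
        tampered_boot_refused = True  # BitLocker would enter recovery mode here
    return unchanged_boot_ok, tampered_boot_refused
```

Because the running hash is order-sensitive, measuring the same components in a different order also yields a different PCR value and a refused unseal.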
volume
An area of storage on a hard disk. A volume is formatted by using a file system, such as NTFS, and has a drive letter assigned to it. For BitLocker Drive Encryption, the system volume and the operating system volume must be simple volumes. Data volumes can be of a more complex type.
volume master key
An Advanced Encryption Standard (AES) 256-bit key that is used to encrypt the full-volume encryption key. There is only one volume master key per volume.