Best-Practice Recommendations for Using BitLocker
Published: May 14, 2010
Author: Dan Griffin - Microsoft MVP, Enterprise/Developer/Consumer Security
Do a Bing search for "stolen hard drive" and you'll get a reminder of how at-risk your data is, and how visible and embarrassing the loss or theft of sensitive data can be, especially if the event is covered by the press. The loss of corporate data can also cause damage to your brand and confer an advantage to your competitors if trade secrets are revealed.
In many cases, encryption of customer data is required by law. For example, the PCI Data Security Standard for the credit card industry and the Health Insurance Portability and Accountability Act (HIPAA) for the healthcare industry both require encryption of certain end user data (for example, personally identifiable information, or PII, credit card numbers, and patient records). Corporate risk officers should also be aware that regulations like the California data breach notification law require disclosure only if the lost data is not encrypted.
With BitLocker you can help protect your company from these threats. In this article, I'll discuss:
How BitLocker Works
BitLocker Drive Encryption (BitLocker for short) encrypts an entire disk volume. Under the hood, the encrypted volume is protected by the volume master key, which is, in turn, encrypted by an administrator-selected key protector. (I won't go into all of the keys and how encryption works, so please read the BitLocker Technical Overview for more information.)
Note that, while the volume master key must be available in order for the encrypted drive to be used, the security of the encryption is only as strong as the protection that you apply to the volume master key. To put it another way, the volume master key must be encrypted in such a way that good guys can decrypt it but bad guys can't. Meeting this interesting challenge is the purpose of key protectors, which I discuss next.
There are several key protectors that an administrator can select, and a well-planned deployment will use specific combinations of key protectors depending on whether the host is mobile (a laptop) or stationary (a server).
From a security perspective, the most important key protectors are the ones that make use of the Trusted Platform Module (TPM). The TPM is a tamper-resistant chip embedded in the motherboard of most modern enterprise-class PCs. (The qualifiers in the previous sentence are inevitably a source of complexity for a BitLocker deployment. For example, what policies should you set for older PCs that don't have a TPM? This is still a hard problem to solve, and requires custom scripting. For additional references, see the Policy Enforcement and Compliance Reporting sections below.)
The TPM is critical for BitLocker since it allows the volume master key to be bound to a specific PC. If data theft is the goal, removal of a hard drive (for example, from a server room) is the most common way to accomplish it; the attacker can then attach the drive to another PC and copy the data. However, if the encrypted volumes on the drive are using a TPM as the key protector, the attacker can't decrypt the volumes without having physical access to the original PC. If the original PC is still in the server room, the good guys win: there's no way for the attacker to compromise the data without a brute-force attack.
Not all machines are difficult to steal, though. Laptops are increasingly popular in the workplace, and sensitive data is often stored on them. To ensure that the bad guys don’t get the data on the encrypted drive, it's important to use the TPM plus a boot PIN. The boot PIN must be entered each time that the system boots. (Yes, your users will complain, but the extra security is worth it.)
This key protector combination reduces the threat of Direct Memory Access (DMA) attacks. The Microsoft BitLocker team wrote a good blog post on DMA and other related attacks, which I highly recommend that you read. To summarize the attack, some PC peripherals allow DMA for performance reasons, but this configuration could allow an attacker to use a DMA device to read the contents of the PC memory without having to log in. If those memory contents happen to include sensitive information, then BitLocker has effectively been bypassed. However, with a boot PIN, an attacker who doesn't know the PIN cannot even boot the machine in the first place.
Still, it's important to recognize that, if a laptop is already booted when it's stolen, or if the target is a running server, DMA attacks are still a threat. To mitigate this threat, as described in the blog post mentioned above, DMA-capable devices (including 1394 and PCI bus-attached) can be disabled.
From a data recovery perspective, the most important key protector is the Numeric Password, which allows the volume master key to be archived in Active Directory. There are two situations that can necessitate key recovery: a forgotten boot PIN and a change in hardware.
First, as any system administrator knows, it is inevitable that a user will forget the boot PIN. And while BitLocker allows a recovery key to be saved to a USB token, it can certainly be lost as well. Therefore, since the data doesn't do you much good if you can't decrypt it, centrally managed archival of recovery keys is important for preventing data loss.
Second, using the strong protection afforded by the TPM is a tradeoff. While the TPM does a great job of detecting the types of hardware changes that might indicate that it was removed or is under attack, those same features make it sensitive to some hardware changes that are otherwise benign. A change to the boot device on the host PC is an example. This is another scenario in which Active Directory-based recovery key storage can save you.
Configuring Mobile Assets for BitLocker
There are two classes of mobile assets that you should consider when planning your data protection scheme. The first class is portable USB keys and drives. I recommend that you protect those using BitLocker To Go, which is available in the Enterprise and Ultimate editions of Windows 7 and Windows Server 2008 R2.
The second class of mobile assets is laptops. I recommend that you use the following BitLocker configuration on your organization's laptops:
Configuring Non-Mobile Assets for BitLocker
The recommended BitLocker configuration for servers and workstations is similar to that of laptops. The difference is that you generally don't want to require a boot PIN for these non-mobile assets. A boot PIN can still be used if you desire, but the tradeoff is that every time the machine reboots, someone must be present at the console to type in the PIN. For servers, that’s generally an unacceptable tradeoff. Therefore I recommend the following BitLocker configuration for servers and workstations:
The full reference on BitLocker Group Policy settings can be found here. The primary shortcoming to be aware of when rolling out BitLocker is that there's currently no way to enforce the drive encryption process, which means that you'll need to write a script for encrypting the drive. When writing a script, you can use either the BitLocker WMI provider or the manage-bde command-line tool.
Similar to policy enforcement, compliance reporting is an important aspect of a BitLocker deployment, but is unfortunately not directly supported out-of-the-box, which means that you’ll have to write scripts to get compliance reporting working properly. When writing your script, consider using a logon script to check the BitLocker status and then write the results to a file share or Web service.
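One way to write the compliance check described above, using the BitLocker WMI provider from PowerShell (an added example, not the author's script). The share path and the -RequirePin switch are assumptions, and the script inspects only the operating system volume.

```powershell
# Added example: reports the OS volume's BitLocker state to a file share.
# Run elevated (e.g. as a startup script); standard users cannot query the provider.
param(
    [string]$ReportShare = '\\fileserver.example\bitlocker$',  # hypothetical share
    [switch]$RequirePin                                        # pass on laptops
)

$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$TPM = 1; $NumericPassword = 3; $TpmAndPin = 4   # KeyProtectorType values

function Test-Protector($Volume, [int]$Type) {
    $r = $Volume.GetKeyProtectors($Type)
    # An empty or missing ID list means no protector of this type exists.
    return ($r.ReturnValue -eq 0 -and [bool]$r.VolumeKeyProtectorID)
}

$row = New-Object PSObject -Property @{
    Computer = $env:COMPUTERNAME; Checked = (Get-Date -Format s)
    Encrypted = $false; ProtectionOn = $false; TpmBound = $false
    RecoveryPassword = $false; Compliant = $false; Note = ''
}

try {
    $vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -ErrorAction Stop |
        Where-Object { $_.DriveLetter -eq $env:SystemDrive }
    if (-not $vol) { throw "No encryptable volume found for $env:SystemDrive" }

    $row.Encrypted    = ($vol.GetConversionStatus().ConversionStatus -eq 1)  # 1 = fully encrypted
    $row.ProtectionOn = ($vol.GetProtectionStatus().ProtectionStatus -eq 1)  # 1 = protection on
    $hasPin           = Test-Protector $vol $TpmAndPin
    # Laptops must use TPM+PIN; servers and workstations may use TPM alone.
    $row.TpmBound     = if ($RequirePin) { $hasPin } else { $hasPin -or (Test-Protector $vol $TPM) }
    $row.RecoveryPassword = Test-Protector $vol $NumericPassword
    $row.Compliant = $row.Encrypted -and $row.ProtectionOn -and $row.TpmBound -and $row.RecoveryPassword
}
catch {
    # Namespace missing (edition without BitLocker) or access denied: report it, don't hide it.
    $row.Note = $_.Exception.Message
}

$row | Select-Object Computer, Checked, Encrypted, ProtectionOn, TpmBound, RecoveryPassword, Compliant, Note |
    Export-Csv -Path (Join-Path $ReportShare "$($env:COMPUTERNAME).csv") -NoTypeInformation
```

A numerical password protector on the volume shows only that a recovery password exists, not that it was archived to Active Directory, so check the archive separately.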
About the Author
Dan Griffin is the founder of JW Secure, Inc., a Microsoft Gold Certified Partner and provider of custom development services to software companies with security-related products, and Restorify, LLC, a disaster preparedness solution for managed service providers running line of business servers in Hyper-V.