BitLocker™ Drive Encryption and Disk Sanitation
By Russ Humphries, Senior Product Manager, Windows Vista Security
What happens to the data on a hard disk when a PC reaches its end of life?
This is a very important question for many organizations and is a growing concern among security experts and corporate executives. The data stored on the PC asset is often significantly more valuable to a corporation than the asset itself, and the loss, theft, or unwanted disclosure of that data can be very damaging.
Recent government regulations have emerged that focus on data protection and privacy. This legislation has a strong impact on organizational PC asset decommissioning policies. Some of the more important U.S. regulations include the following:
Health Information Portability and Accountability Act
Personal Information Protection and Electronic Documents Act
California Senate Bill 1386
SEC Rule 17a
These laws are complex and difficult to interpret, and there are serious consequences for the unregulated disclosure of the data that each law or policy covers. Some of the regulations call for stiff fines and the potential for custodial sentences for offending executives.
"Letters, resumes, spreadsheets, phone numbers, and e-mail addresses were all found on storage hardware bought and analyzed by forensics firm Disklabs." [1]
Disk Sanitation Methods
So how are organizations dealing with the problems of more securely decommissioning a PC asset and, specifically, with the sanitation of hard disks? Two common methods are physical destruction and the overwriting of data on the disk.
Physical destruction involves treating the disk so that it cannot be easily read. Methods include acid-washes, strong magnetizing, and drilling holes through the disk. This method is very secure, but the disk cannot be recycled or used again and the method is costly.
Overwriting is changing some or all of the bits to something different. Commercial programs exist to overwrite existing data and free space with pseudo-random bits. However, it has been claimed that an individual can recover “deleted” data by detecting the magnetic traces of the original bits. The more times a disk is overwritten, the harder it is to recover the data. The Department of Defense recommends overwriting a disk at least seven times. Of course, this is time-consuming and, again, expensive.
Leasing is another method that some companies consider for PC asset management. They use the asset return process as a disposal strategy. However, an organization is still responsible and liable for the data residing on the returned equipment.
BitLocker Drive Encryption Offers an Alternative
BitLocker Drive Encryption is a data protection feature available in Windows Vista Enterprise and Windows Vista Ultimate for client computers and in Windows Server “Longhorn.”
BitLocker helps prevent a thief who boots another operating system or runs a software hacking tool from breaking Windows Vista file and system protections or performing offline viewing of the files stored on the protected drive. It does this by encrypting the entire contents of the protected volume. With BitLocker, all user and system files are encrypted, including the swap and hibernation files. A key is required to access the encrypted contents of the disk.
BitLocker uses the Advanced Encryption Standard (AES), with 128-bit and 256-bit key lengths, as its encryption algorithm. It also offers an optional additional algorithm, called Elephant, that strengthens the security properties of the encrypted data on the disk. Using this option is a recommended practice.
So what has this to do with disk sanitation?
If BitLocker deletes the keys required to access the encrypted data on the disk, the cipher-text still on the disk should be inaccessible except to someone with access to the previously escrowed recovery key. BitLocker has several escrow options, including the option of escrowing a recovery key in the Active Directory service.
BitLocker provides Windows Management Instrumentation (WMI) calls as well as a command-line application that an administrator can use to delete the key material noted above -- thus helping to quickly and efficiently sanitize the disk. This method of disk sanitation requires administrative access and should be approached with caution. One example of the steps required using the command-line tool is given below.
The command-line tool is called Manage-bde.
The command listed below places the machine into a “recovery mode,” in which the material required to access the disk is removed from the disk but the recovery blobs still remain. On the next reboot, the BitLocker recovery console will be displayed and the user prompted to provide the recovery password. The protected volume is inaccessible unless the recovery key is supplied.
Manage-bde -forcerecovery C:
This same command can be used on a remote machine by utilizing the -ComputerName (or -cn) parameter.
Manage-bde -ComputerName OldPayrollPC -forcerecovery C:
The Format command has been modified in Windows Vista so that it is BitLocker-aware. If a PC that is protected by BitLocker is formatted, then Format also specifically destroys the key data -- providing a much more secure data deletion method.
There are also WMI methods that allow for similar functionality for developers. For example:
DeleteKeyProtector Method of the Win32_EncryptableVolume Class
The DeleteKeyProtector method deletes a given key protector for the volume.
For further details on using WMI, please see the BitLocker WMI documentation.
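As an added example (not code from the original article or from Microsoft), the following PowerShell script performs the same key removal described above for Manage-bde -forcerecovery, but through the Win32_EncryptableVolume WMI class, and only after it has confirmed that a recovery password protector exists and has been backed up to Active Directory. The computer name and drive letter are placeholder parameters; the script assumes it is run with administrative rights against a domain-joined Windows Vista or later machine that has BitLocker enabled on the target volume.

```powershell
# Added example: force a BitLocker volume into recovery mode through WMI by
# deleting every key protector except the numerical recovery password.
# $ComputerName and $DriveLetter are placeholders supplied by the caller.
param(
    [string]$ComputerName = ".",
    [string]$DriveLetter  = "C:"
)

$ns  = "root\CIMV2\Security\MicrosoftVolumeEncryption"
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume `
        -ComputerName $ComputerName -Filter "DriveLetter='$DriveLetter'"
if (-not $vol) { throw "No BitLocker volume found for $DriveLetter on $ComputerName" }

# ProtectionStatus: 0 = off, 1 = on, 2 = unknown. Deleting keys only
# sanitizes a volume whose contents are actually encrypted.
if ($vol.GetProtectionStatus().ProtectionStatus -ne 1) {
    throw "Volume $DriveLetter is not protected by BitLocker; key deletion would not sanitize it"
}

# Key protector type 3 = numerical (recovery) password. This protector must
# survive, and it must be escrowed before anything else is removed.
$recovery = $vol.GetKeyProtectors(3).VolumeKeyProtectorID
if (-not $recovery) { throw "No recovery password protector on $DriveLetter; refusing to remove keys" }

foreach ($id in $recovery) {
    # Requires the BitLocker AD schema extensions and backup policy to be in place.
    $rc = $vol.BackupRecoveryInformationToActiveDirectory($id).ReturnValue
    if ($rc -ne 0) { throw ("AD backup of recovery protector {0} failed: 0x{1:X8}" -f $id, $rc) }
}

# Delete every protector that is NOT a recovery password (TPM, TPM+PIN,
# startup key, ...). With only the recovery protector left, the next boot
# stops at the BitLocker recovery console, as with Manage-bde -forcerecovery.
# GetKeyProtectors(0) returns protectors of every type.
foreach ($id in $vol.GetKeyProtectors(0).VolumeKeyProtectorID) {
    $type = $vol.GetKeyProtectorType($id).KeyProtectorType
    if ($type -eq 3) { continue }
    $rc = $vol.DeleteKeyProtector($id).ReturnValue
    if ($rc -ne 0) { throw ("DeleteKeyProtector {0} (type {1}) failed: 0x{2:X8}" -f $id, $type, $rc) }
    Write-Host "Removed key protector $id (type $type) from $DriveLetter on $ComputerName"
}
```

Once the TPM and startup-key protectors are gone, the only way back into the volume is the escrowed recovery password, so the AD backup check is the step that separates sanitation from accidental data loss.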
This document does not provide legal advice or guidance on meeting legal requirements about data protection or the proper disposal of sensitive information. Indeed, readers should discuss their own unique needs with legal counsel before proceeding with such compliance efforts. However, decision makers are encouraged to use information provided in this paper to consider and implement appropriate solutions that help meet their enterprise’s assurance requirements.
[1] Source: BBC News article http://news.bbc.co.uk/1/hi/technology/4229550.stm