Windows BitLocker Drive Encryption Frequently Asked Questions

Applies To: Windows Vista

Windows® BitLocker™ Drive Encryption is a data protection feature available in Windows Vista® Enterprise and Windows Vista® Ultimate and in Windows Server® 2008.

Overview and Requirements

  • What is BitLocker? How does it work?

  • Does BitLocker support multifactor authentication?

  • What are the BitLocker hardware and software requirements?

  • Why are two partitions required? Why does the system partition have to be so large?

  • Which TPMs does BitLocker support?

  • How can I tell whether my computer has a TPM 1.2?

  • Can I use BitLocker on a computer without a TPM 1.2?

  • How do I obtain BIOS support for the TPM on my computer?

Upgrading

  • What versions of Windows Vista include BitLocker? Can I use BitLocker on a Windows XP–based computer?

  • How do I upgrade my Windows XP–based computer to Windows Vista with the necessary disk configuration for BitLocker?

  • What is the difference between disabling and decrypting when I turn off BitLocker?

  • Do I have to decrypt my encrypted volume to download and install system updates and upgrades?

Deployment and Administration

  • Can BitLocker deployment be automated in an enterprise environment?

  • Will BitLocker encrypt more than just the operating system volume?

  • What is the performance impact when BitLocker is enabled on a Windows Vista–based computer?

  • Approximately how long will initial encryption take when BitLocker is enabled?

  • What happens if the computer is turned off during encryption or decryption?

  • Why does it appear that most of the free space in my volume is taken when BitLocker is converting?

  • Does BitLocker encrypt and decrypt the entire volume all at once when reading and writing data?

  • How can I prevent users on a network from storing data in an unencrypted volume?

  • What system changes would cause the integrity check on my computer to fail?

  • Can I swap hard disks on the same computer if BitLocker is enabled?

  • Can I access my BitLocker-encrypted volume if I insert the hard disk into a different computer?

  • Can I dual boot Windows Vista and another operating system on a BitLocker-enabled computer?

Key Management

  • What is the difference between a TPM password, recovery password, recovery key, PIN, and a startup key?

  • How can the recovery password be stored?

  • If I lose my recovery information, will the data encrypted by BitLocker be unrecoverable?

  • Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled?

  • Can the USB flash drive that is used as the startup key also be used to store the recovery key?

  • Can I save the startup key on multiple USB flash drives?

  • Can I save multiple (different) startup keys on the same USB flash drive?

  • Can I generate multiple (different) startup keys for the same computer?

  • Can I generate multiple PIN combinations?

  • What encryption keys are used in BitLocker? How do they work together?

  • Where are the encryption keys stored?

  • Why do I have to use the function keys to enter the PIN or the 48-character recovery password?

  • How does BitLocker help prevent an attacker from discovering the PIN?

  • How can I evaluate a TPM's dictionary attack mitigation mechanism?

  • Can PIN length and complexity be managed with Group Policy?

  • How are the PIN and TPM used to derive the volume master key?

Active Directory Domain Services

Important

For detailed instructions about how to configure Active Directory Domain Services (AD DS) for BitLocker, see https://go.microsoft.com/fwlink/?LinkId=67438.

  • Does BitLocker require schema extension to store recovery information in AD DS?

  • What type of information is stored in AD DS?

  • How is the recovery information secured while in transit from the client to AD DS?

  • Is the BitLocker recovery information stored in AD DS in plain text?

  • What if BitLocker is enabled on a computer before the computer has joined the domain?

  • If I change the BitLocker recovery password on my computer and store the password in AD DS, will it overwrite the old recovery password stored in AD DS?

Security

  • What form of encryption does BitLocker use? Is it configurable?

  • What is the diffuser?

  • What is the most secure way to configure BitLocker?

  • What are the implications of using the sleep or hibernate power management options?

  • What are the advantages of using a TPM?

  • Is Microsoft pursuing any security certification for BitLocker?

Other Questions

  • Can I use EFS with BitLocker?

  • Can I run a kernel debugger with BitLocker?

  • How does BitLocker handle memory dumps?

  • Can BitLocker support smart cards for pre-boot authentication?

  • Can I use a non-Microsoft TPM driver?

  • Can I write applications directly to the TPM Base Services?

  • How can I determine the manufacturer of my TPM?

  • Can other tools that manage or modify the master boot record work with BitLocker?

  • Will BitLocker work with computers that use EFI-based system firmware?

Overview and Requirements

What is BitLocker? How does it work?

Windows BitLocker Drive Encryption is a data protection feature available in Windows Vista Enterprise and Windows Vista Ultimate for client computers and in Windows Server 2008. BitLocker provides enhanced protection against data theft or exposure on computers that are lost or stolen, and more secure data deletion when BitLocker-protected computers are decommissioned.

Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software attack tool against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access on lost or stolen computers by combining two major data-protection procedures:

  • Encrypting the entire Windows operating system volume on the hard disk. BitLocker encrypts all user files and system files in the operating system volume, including the swap and hibernation files.

  • Encrypting multiple fixed volumes. Once the operating system volume has been encrypted, BitLocker can encrypt other volumes. This feature requires a computer running Windows Vista Enterprise with Service Pack 1 (SP1), Windows Vista Ultimate with SP1, or Windows Server 2008.

  • Checking the integrity of early boot components and boot configuration data. On computers that have a Trusted Platform Module (TPM) version 1.2, BitLocker uses the enhanced security capabilities of the TPM to help ensure that your data is accessible only if the computer's boot components appear unaltered and the encrypted disk is located in the original computer.

BitLocker is tightly integrated into Windows Vista and provides enterprises with enhanced data protection that is easy to manage and configure. For example, BitLocker can use an existing Active Directory Domain Services (AD DS) infrastructure to remotely store BitLocker recovery keys. BitLocker also provides a recovery console that enables data retrieval for computers that are not members of the domain or computers that are unable to connect the domain (for example, computers in the field).

Does BitLocker support multifactor authentication?

If you enable BitLocker on a computer that has a TPM version 1.2, you can add additional factors of authentication to the TPM protection. BitLocker offers the option to lock the normal boot process until the user supplies a personal identification number (PIN) or inserts a USB device (such as a flash drive) that contains a BitLocker startup key or, if you are running Windows Vista with SP1 or Windows Server 2008, both the PIN and the USB device can be required. These additional security measures provide multifactor authentication and helps ensure that the computer will not start or resume from hibernation until the correct authentication method is presented.

What are the BitLocker hardware and software requirements?

To take advantage of all BitLocker features, your computer must meet the hardware and software requirements listed in the table below.

BitLocker hardware and software requirements

Requirement Description

Hardware configuration

Computer must meet the minimum requirements for Windows Vista. For more information about Windows Vista requirements, see https://go.microsoft.com/fwlink/?LinkId=83233.

Operating system

Windows Vista Ultimate or Windows Vista Enterprise. Both include BitLocker Drive Encryption.

Hardware Trusted Platform Module (TPM)*

TPM version 1.2

BIOS configuration

  • Trusted Computing Group (TCG)-compliant BIOS.

  • BIOS must be set to start first from the hard disk, and not the USB or CD drives.

  • BIOS must be able to read from a USB flash drive during startup.

File system

Two NTFS disk partitions, one for the system volume and one for the operating system volume. The system volume partition must be at least 1.5 gigabytes (GB) and set as the active partition.

*A TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification.

Why are two partitions required? Why does the system volume have to be so large?

Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must happen outside of the encrypted operating system volume. This configuration helps to protect the operating system and the information in the encrypted volume. The unencrypted system volume should be at least 1.5 GB, which allows enough space for boot files, the Windows Pre-Execution environment (WinPE), and other files that may be specific to setup or upgrade programs. Computer manufacturers and enterprise customers can also store system tools or other recovery tools in this volume.

Which TPMs does BitLocker support?

BitLocker supports Trusted Platform Module (TPM) version 1.2. BitLocker does not support older TPMs. Version 1.2 TPMs provide increased standardization, security enhancement, and improved functionality over previous versions. Windows Vista was designed with these TPM improvements in mind.

How can I tell whether my computer has a TPM version 1.2?

In the BitLocker control panel, click the Turn On BitLocker link. If you receive the following error message, then either your computer does not have a TPM version 1.2 or the BIOS is not compatible with BitLocker or with the TPM:

A TPM was not found. A TPM is required to turn on BitLocker. If your computer has a TPM, the contact the computer manufacturer for BitLocker-compatible BIOS.

If you receive this error message, contact the computer manufacturer to verify that the computer has a TPM version 1.2, or to get a BIOS update.

Some computers might have TPMs that do not appear in the Windows Vista TPM Microsoft Management Console snap-in (tpm.msc). If you think that your computer has a TPM version 1.2 and you receive this error, contact the computer manufacturer to get a BIOS update. In addition, some manufacturers provide a BIOS setting that hides the TPM by default, and other manufacturers do not make the TPM available unless it is enabled in the BIOS. If you believe that your TPM is hidden in the BIOS, consult the manufacturer's documentation for instructions that detail how to display or enable the TPM.

Can I use BitLocker on a computer without a TPM version 1.2?

Yes, you can enable BitLocker on a computer without a TPM version 1.2, provided that the BIOS has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected volume until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide.

To help determine whether a computer can read from a USB device during the boot process, use the BitLocker System Check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements.

To enable BitLocker on a computer without a TPM, use Group Policy to enable the advanced BitLocker user interface. With the advanced options enabled, the non-TPM settings appear in the BitLocker setup wizard. For instructions about using Group Policy to enable the advanced user options, see https://go.microsoft.com/fwlink/?LinkId=83223.

How do I obtain BIOS support for the TPM on my computer?

Contact the computer manufacturer directly to request a Trusted Computing Group (TCG)-compliant BIOS. Ask the following questions when requesting a BIOS:

  1. Does the computer have a Windows Vista-ready BIOS? Does it pass Windows Vista logo tests?

  2. Is the BIOS Trusted Computing Group (TCG)-compliant?

  3. Does the BIOS have a secure update mechanism to help prevent a malicious BIOS from being installed on the computer?

Upgrading

What versions of Windows Vista include BitLocker? Can I use BitLocker on a Windows XP–based computer?

BitLocker is available in Windows Vista Ultimate and Windows Vista Enterprise. BitLocker is not available in Windows XP.

How do I upgrade my Windows XP–based computer to Windows Vista with the necessary disk configuration for BitLocker?

You must first install Windows Vista Ultimate or Windows Vista Enterprise and then run the BitLocker Drive Preparation Tool. This tool automatically configures your disk partition layout for BitLocker. For more information about the BitLocker Drive Preparation Tool, see https://go.microsoft.com/fwlink/?LinkId=83261.

What is the difference between disabling and decrypting when I turn off BitLocker?

Decrypt completely removes BitLocker protection and fully decrypts the volume.

Disable keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk volume. By storing this key unencrypted, the disable option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire volume. Once the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, and the clear key is erased.

Do I have to decrypt my encrypted volume to download and install system updates and upgrades?

Any system upgrades, including those from Windows Anytime Upgrades, require volume decryption prior to installation. Various non-Microsoft updates require that you disable BitLocker prior to installing them. Updates from Microsoft Update do not require volume decryption or that you disable BitLocker.

Please refer to the table below to determine whether you must disable BitLocker or decrypt your volume before you perform an upgrade or update installation.

Action Type of Update

Decrypt

System upgrades (including Windows Anytime Upgrades)

Disable

Non-Microsoft software updates, such as:

  • Computer manufacturer firmware updates

  • Trusted Platform Module (TPM) firmware updates

  • Non-Microsoft application updates that modify boot components

Once you have installed the upgrade or update, you can re-enable BitLocker. Upon re-enabling, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the update. If these types of upgrades or updates are applied without decrypting or disabling BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.

Deployment and Administration

Can BitLocker deployment be automated in an enterprise environment?

Yes, you can automate the deployment and configuration of BitLocker with scripts that make use of the Windows Management Instrumentation (WMI) providers for BitLocker and TPM administration. How you choose to implement the scripts depends on your environment. You can also use the BitLocker command-line tool, manage-bde.wsf, to locally or remotely configure BitLocker. For additional information about writing scripts that make use of the BitLocker WMI providers, see https://go.microsoft.com/fwlink/?LinkId=80600.

Will BitLocker encrypt more than just the operating system volume?

BitLocker provides a user interface for the encryption of the entire operating system volume, including Windows system files and the hibernation file. You can optionally use Encrypting File System (EFS) in Windows Vista to protect other volumes. The EFS keys are stored by default in the operating system volume. Therefore, if BitLocker is enabled for the operating system volume, all data that is protected by EFS is also indirectly protected by BitLocker. Additionally, advanced users can encrypt local data volumes using a command-line interface (manage-bde.wsf). In Windows Vista with SP1, after you have encrypted your operating system volume, you can then choose to encrypt additional data volumes through the user interface as an alternative to using the command-line interface.

What is the performance impact when BitLocker is enabled on a Windows Vista–based computer?

Generally it imposes a single-digit percentage performance overhead.

Approximately how long will initial encryption take when BitLocker is enabled?

BitLocker encryption proceeds at the rate of about 500 MB per minute in most cases. Encryption occurs in the background while you continue to work, and the system remains usable.

What happens if the computer is turned off during encryption or decryption?

The BitLocker encryption and decryption processes can be interrupted by turning the computer off, and it will resume where it left off the next time Windows starts. This is true even if the power is suddenly unavailable.

Why does it appear that most of the free space in my volume is taken when BitLocker is converting?

BitLocker cannot ignore free space when the volume is being encrypted because unallocated disk space commonly contains data remnants that users believe has been deleted. However, it is not efficient to encrypt free space on a volume. To solve this problem, BitLocker first creates a large placeholder file that takes most of the available disk space, and then deletes disk sectors that belong to the placeholder file. During this process, BitLocker leaves 6 GB of available space for short-term system needs. All other space, including the 6 GB of free space not occupied by the placeholder file, is encrypted. When encryption of the volume is paused or completed, the placeholder file is deleted and the amount of available free space reverts to normal.

For additional information about this process, see https://go.microsoft.com/fwlink/?LinkId=83240.

Does BitLocker encrypt and decrypt the entire volume all at once when reading and writing data?

No, BitLocker does not encrypt and decrypt the entire volume when reading and writing data. The encrypted sectors in the BitLocker-protected volume are decrypted only as they are requested from system read operations. Blocks that are written to the volume are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-enabled volume.

How can I prevent users on a network from storing data in an unencrypted volume?

If you are concerned that your users might inadvertently store data in the unencrypted volume, use access control lists (ACLs) and Group Policy to configure access control for the volume or hide the drive letter.

For additional information about how to hide drive letters, see https://go.microsoft.com/fwlink/?LinkId=83219.

What system changes would cause the integrity check on my computer to fail?

The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected volume:

  • Moving the BitLocker-protected drive into a new computer.

  • Installing a new motherboard with a new TPM.

  • Turning off, disabling, or clearing the TPM.

  • Changing the BIOS, master boot record (MBR), boot sector, boot manager, or other early boot components or boot configuration data.

This functionality is by design; BitLocker perceives unauthorized modification of any of the early boot components as a potential attack and will place the system into recovery mode. Authorized administrators can update boot components without entering recovery mode by disabling BitLocker beforehand.

Can I swap hard disks on the same computer if BitLocker is enabled?

Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-enabled on the same computer.

Can I access my BitLocker-encrypted volume if I insert the hard disk into a different computer?

If the other computer is running Windows Vista Ultimate or Windows Vista Enterprise, the encrypted hard disk can be unlocked from the BitLocker Control Panel item on the alternate computer.

Note

This is a quick and straightforward way to recover information from a broken computer that has a BitLocker-protected volume on the hard disk.

When you unlock the BitLocker-enabled hard disk on the alternate computer, the only authentication operation available will be recovery. The hard disk will appear in the BitLocker Control Panel item with an option to unlock the volume using the recovery password or recovery key.

Can I dual-boot Windows Vista and another operating system on a BitLocker-enabled computer?

Yes, it is possible to dual boot a BitLocker-enabled instance of Windows Vista Ultimate or Windows Vista Enterprise with another operating system. For additional information about how to create and configure a dual-boot system, see https://go.microsoft.com/fwlink/?LinkId=83222.

Key Management

What is the difference between a TPM password, recovery password, recovery key, PIN, and a startup key?

There are multiple keys that can be generated and used by BitLocker. Some keys are required and some are optional protectors you can choose to use depending on the level of security you require.

TPM owner password

Prior to enabling BitLocker on a computer with a TPM version 1.2, you must initialize the TPM. The initialization process generates a TPM owner password, which is a password set on the TPM. To change the state of the TPM, for enabling or disabling, you can use the TPM owner password. For more information about TPM management, see https://go.microsoft.com/fwlink/?LinkId=83223.

Recovery password and recovery key

When you set up BitLocker, you must create a recovery password. In the event that your computer enters a recovery state, you need this recovery information (either a recovery password or recovery key) to unlock the encrypted data on the volume. You can save the recovery password in one of these formats:

  • As a numerical password consisting of 48 digits divided into 8 groups. During recovery, you need to type this password into the BitLocker recovery console by using the function keys on your keyboard.

  • As a recovery key stored as a file on a USB flash drive, in a format that can be read directly by the BitLocker recovery console. During recovery, you need to insert this USB device.

PIN

For a higher level of security with the TPM, you can configure BitLocker with a personal identification number (PIN). The PIN is a user-created value that must be entered each time the computer starts or resumes from hibernation. The PIN can consist of 4 to 20 digits, and is stored internally as a 256-bit hash of the entered Unicode characters. This value is never displayed back to the user in any form or for any reason. The PIN is used to provide another factor of authentication in conjunction with TPM authentication.

Startup key

Configuring a startup key is another method to enable a higher level of security with the TPM. The startup key is a key stored on a USB flash drive, and the USB flash drive must be inserted every time the computer starts. The startup key is used to provide another factor of authentication in conjunction with TPM authentication.

Important

You must have a startup key to use BitLocker on a non-TPM computer.

For additional information about BitLocker keys, see https://go.microsoft.com/fwlink/?LinkId=83225.

How can the recovery password be stored?

The recovery password can be saved to a folder, saved to one or more USB devices, or printed. A domain administrator can additionally configure Group Policy to automatically generate recovery passwords and transparently store them to Active Directory Domain Services (AD DS). For more information about how to store recovery information in AD DS, see https://go.microsoft.com/fwlink/?LinkId=67438.

Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled?

Yes. You can use manage-bde.wsf command-line tool to do this. For example, if BitLocker is enabled with TPM authentication only and you want to add PIN authentication, use the following command:

cscript %systemroot%\system32\manage-bde.wsf –protectors –add %systemdrive% -tpmandpin <4-20 digit numeric PIN>

You can use the following command to view a list of available parameters for manage-bde.wsf:

cscript %systemroot%\system32\manage-bde.wsf -?

If I lose my recovery information, will the BitLocker-protected data be unrecoverable?

BitLocker is designed to make the encrypted volume unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted volume. Therefore, we highly recommend that you store the recovery information in AD DS or in another safe location.

However, this is a valuable feature when a computer is decommissioned, sold, or redeployed. The computer can be placed into a recovery state so that only the recovery information holder can access the encrypted volume's contents.

Can the USB flash drive that is used as the startup key also be used to store the recovery key?

While this is technically possible, it is not a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains your startup key is lost or stolen, you also lose access to your recovery key. In addition, inserting this key would cause your computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check.

Can I save the startup key on multiple USB flash drives?

Yes, you can save a computer's startup key on multiple USB flash drives.

Can I save multiple (different) startup keys on the same USB flash drive?

Yes, you can save BitLocker startup keys for different computers on the same USB flash drive.

Can I generate multiple (different) startup keys for the same computer?

You can generate different startup keys for the same computer through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check.

Can I generate multiple PIN combinations?

It is technically possible to generate multiple PINs, but it is neither supported nor recommended.

What encryption keys are used in BitLocker? How do they work together?

Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on your authentication (that is, key protectors or TPM) and recovery scenarios. The following table details how the volume master key may be encrypted.

Volume master key encryption methods

Encryption method Description

TPM storage root key + startup key

  • RSA encryption of an internal key that is combined with the startup key

  • Volume master key is encrypted with a 128-bit or 256-bit Advanced Encryption Standard (AES) key

TPM storage root key + PIN

Volume master key is encrypted with RSA

TPM-only storage root key

Volume master key is encrypted with RSA

Startup key only

Volume master key is encrypted with AES

Recovery key

Volume master key is encrypted with AES

Recovery password + salt

  • Derived key is stretched using a computationally expensive algorithm.

  • Volume master key is encrypted with AES

Clear key

Volume master key is encrypted with AES key; AES key is stored unencrypted and unprotected when BitLocker is disabled

Where are the encryption keys stored?

The full volume encryption key is encrypted by the volume master key and stored in the encrypted volume. The volume master key is encrypted by the appropriate key protector and stored in the encrypted volume. The clear key that is used to encrypt the volume master key is also stored in the encrypted volume, along with encrypted volume master key.

The following table details where the BitLocker encryption keys are stored and which key is used to encrypt another key.

BitLocker key storage locations and encryption data

Key Encrypted with Stored to

Full volume encryption key

Volume master key

Encrypted volume

Volume master key

The key protectors, including the clear key

Encrypted volume

Clear key

Not encrypted

Encrypted volume

This storage process ensures that the volume master key is never stored unencrypted, and is protected unless you disable BitLocker. The keys are also saved to two additional locations on the volume for redundancy. The keys can be read and processed by the Boot Manager.

Why do I have to use the function keys to enter the PIN or the 48-character recovery password?

The F1 through F10 keys are universally mapped scancodes available in the pre-operating-system environment on all computers and in all languages. The numeric keys 0 through 9 are not usable in the pre-operating system environment on all keyboards.

How does BitLocker help prevent an attacker from discovering the PIN?

It is possible that a PIN can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker have physical access to the computer.

The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact your TPM's manufacturer to determine how your computer's TPM mitigates PIN brute force attacks.

Once you have determined your TPM's manufacturer, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset.

How can I evaluate a TPM's dictionary attack mitigation mechanism?

The following questions can assist you when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism:

  • How many failed authorization attempts can occur before lockout?

  • What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters?

  • What actions can cause the failure count and lockout duration to be decreased or reset?

Can PIN length and complexity be managed with Group Policy?

You cannot use Group Policy to enforce BitLocker PIN rules. However, you can use Group Policy to require or disallow a PIN from being created by using the BitLocker setup wizard. For more information about security Group Policy settings, see the Windows Vista Security Guide at https://go.microsoft.com/fwlink/?LinkId=82582.

How are the PIN and TPM used to derive the volume master key?

BitLocker hashes the user-specified PIN using SHA-256 and the first 160 bits of the hash are used as authorization data sent to the TPM to seal the volume master key. The volume master key is now protected by both the TPM and the PIN. To unseal the volume master key, you are required to enter the PIN each time the computer restarts or resumes from hibernation.

Active Directory Domain Services

Important

For detailed instructions about how to configure Active Directory Domain Services (AD DS) for BitLocker, see https://go.microsoft.com/fwlink/?LinkId=67438.

Does BitLocker require schema extension to store recovery information in AD DS?

This depends on the operating system and AD DS implementation.

Windows Server 2003 with Service Pack 1 (SP1)

In AD DS under Windows Server 2003 with SP1, the schema must be extended to support storing BitLocker and TPM recovery and password information.

Windows Server 2008

In AD DS under Windows Server 2008, the schema already includes the required attributes, beginning with the Beta 3 release.

What type of information is stored in AD DS?

Three primary pieces of information are stored in AD DS. The following table details this information.

Primary information stored in AD DS

Stored information Description

Hash of the TPM owner password

The password hash can be stored only if the TPM is owned and the ownership was taken by using components of Windows Vista, such as the BitLocker Setup Wizard or the TPM MMC.

BitLocker recovery password

Allows you to unlock and access the volume in the event of a recovery incident.

BitLocker key package

Helps to repair damage to the hard disk that would otherwise prevent standard recovery. Recovery of the key package requires the BitLocker Repair Tool. For more information about this tool, see https://go.microsoft.com/fwlink/?LinkId=82584.

How is the recovery information encrypted while in transit from the client to AD DS?

Authentication flags are set to encrypt transmission of recovery information from a Windows Vista client to AD DS. BitLocker sets the authentication flags ADS_SECURE_AUTHENTICATION, ADS_USE_SEALING, and ADS_USE_SIGNING. For additional information about these flags, see https://go.microsoft.com/fwlink/?LinkId=102659.

Is the BitLocker recovery information stored in AD DS in plain text?

Yes, in the current version of BitLocker, the recovery information is stored unencrypted in AD DS, but the entries have access control lists (ACLs) that limit access to only domain administrators.

If an attacker gains full access to AD DS, all computers in the domain, including BitLocker-protected computers, can be compromised. For more information about securing access to AD DS, see https://go.microsoft.com/fwlink/?LinkId=83266.

What if BitLocker is enabled on a computer before the computer has joined the domain?

If BitLocker is enabled on a computer before Group Policy has been applied to enforce backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied.

The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process.

Important

Joining a computer to the domain should be the first step for new computers within an enterprise. Once joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy).

If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password?

No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each computer. To identify the latest password, check the date on the object.

Security

What form of encryption does BitLocker use? Is it configurable?

BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with configurable key lengths of 128 or 256 bits, as well as an optional diffuser. The default encryption setting is AES 128 + diffuser, but the options are configurable by using Group Policy. For additional information about the BitLocker encryption method, see https://go.microsoft.com/fwlink/?LinkId=80598.

What is the diffuser?

The diffuser is designed to mitigate a possible class of attacks that involve changing encrypted information to introduce a security vulnerability into the system. With the diffuser, small changes to the encrypted cipher text of a sector affect the entire sector when the data is decrypted. This behavior makes targeted attacks much more difficult to perform. For additional information about the BitLocker encryption method, see https://go.microsoft.com/fwlink/?LinkId=80598.

What is the most secure way to configure BitLocker?

The most secure way to configure BitLocker is on a computer with a TPM version 1.2 and a TCG-compliant BIOS implementation, plus either a startup key or a PIN. These methods provide additional authentication by requiring either an additional physical key (a USB flash drive with a computer-readable key written to it) or a PIN that was set by the user.

What are the implications of using the sleep or hibernate power management options?

BitLocker in its basic configuration (with a TPM but without advanced authentication) provides additional security for the sleep or hibernate mode. However, BitLocker provides greater security when it is configured to use an advanced authentication mode (TPM+PIN, TPM+USB, or USB) with the hibernate mode. This method is more secure because returning from hibernation requires BitLocker authentication.

What are the advantages of a TPM?

Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually are not as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming.

Note

Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks.

Is Microsoft pursuing any security certification for BitLocker?

All of the versions of BitLocker that have been included with the operating system have obtained the Federal Information Processing Standard (FIPS) 140-2 certification, and have been Common Criteria certified EAL4+.

Other Questions

Can I use EFS with BitLocker?

Yes, you can use Encrypting File System (EFS) to encrypt files in a BitLocker-protected volume. BitLocker helps protect the entire operating system volume against offline attacks, whereas EFS can provide additional user-based file level encryption for security separation between multiple users of the same computer. You can also use EFS in Windows Vista to encrypt files in other volumes that are not encrypted by BitLocker. The root secrets of EFS are stored by default on the operating system volume; therefore, if BitLocker is enabled for the operating system volume, data that is encrypted by EFS in other volumes is also indirectly protected by BitLocker.

Can I run a kernel debugger with BitLocker?

Yes; however, the debugger should be turned on before enabling BitLocker. Turning on the debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing the computer to start properly. If you need to turn debugging on or off when using BitLocker, be sure to disable BitLocker first to avoid putting your computer into recovery mode.

How does BitLocker handle memory dumps?

Windows Vista has a modified storage driver stack to ensure that memory dumps are encrypted when BitLocker is enabled.

Can BitLocker support smart cards for pre-boot authentication?

BitLocker currently does not support smart cards for pre-boot authentication. There is no single industry standard for smart card support in the BIOS, and most computers either do not implement BIOS support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them very difficult. Microsoft is evaluating options for supporting smart cards as part of pre-boot authentication.

Can I use a non-Microsoft TPM driver?

Microsoft does not support non-Microsoft TPM drivers and strongly recommends against using them. Microsoft cannot guarantee the security or stability of the system if a non-Microsoft TPM driver is used.

Can I write applications directly to the TPM Base Services?

The TPM Base Services (TBS) supplies a very low-level application programming interface (API) that provides an interface for intermediate software, such as Trusted Computing Group Software Stack (TSS) implementations designed to communicate directly with a TPM. Software vendors that want to use TPM functionality within their applications should use a TSS or other application-level API and not use the TPM Base Services directly. Some TSS vendors have versions of their software layer that have been written to use the TBS.

How can I determine the manufacturer of my TPM?

To determine your TPM manufacturer, use the following procedure.

To determine the TPM manufacturer

  1. Click Start, and type tpm.msc in the Start Search box.

  2. The TPM manufacturer is listed in the main pane, under TPM Manufacturer Information.

Note

The Manufacturer Name field in the TPM Manufacturer Information listing is information provided by the TPM and is often an abbreviation (such as ATML for Atmel, BRCM for Broadcomm, or IFX for Infineon).

Can other tools that manage or modify the master boot record work with BitLocker?

We do not recommend this for a number of security, reliability, and product support reasons. Changes to the master boot record (MBR) could change the security environment and prevent the computer from starting normally, as well as complicate any efforts to recover from a corrupted MBR. Changes made to the MBR by anything other than Windows Vista might force the computer into recovery mode.

Will BitLocker work on computers that use EFI-based system firmware?

Support for computers that use Extended Firmware Interface (EFI)-based system firmware is planned for Windows Server 2008, but it is not currently supported in Windows Vista. Few EFI-capable client computers are currently being manufactured; therefore, Microsoft concentrated its initial efforts on the conventional BIOS support used by most systems today. As more EFI hardware becomes available, Microsoft might reevaluate EFI support.