BitLocker Drive Encryption Overview

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Vista

BitLocker Drive Encryption is a data protection feature available Windows Server 2008 R2 and in some editions of Windows 7. Having BitLocker integrated with the operating system addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.

Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled.

BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline.

On computers that do not have a TPM version 1.2, you can still use BitLocker to encrypt the Windows operating system drive. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation, and it does not provide the pre-startup system integrity verification offered by BitLocker with a TPM.

In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device, such as a USB flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented.

System integrity verification

BitLocker can use a TPM to verify the integrity of early boot components and boot configuration data. This helps ensure that BitLocker makes the encrypted drive accessible only if those components have not been tampered with and the encrypted drive is located in the original computer.

BitLocker helps ensure the integrity of the startup process by taking the following actions:

  • Provide a method to check that early boot file integrity has been maintained, and help ensure that there has been no adversarial modification of those files, such as with boot sector viruses or rootkits.

  • Enhance protection to mitigate offline software-based attacks. Any alternative software that might start the system does not have access to the decryption keys for the Windows operating system drive.

  • Lock the system when it is tampered with. If any monitored files have been tampered with, the system does not start. This alerts the user to the tampering, because the system fails to start as usual. In the event that system lockout occurs, BitLocker offers a simple recovery process.

Hardware, firmware, and software requirements

To use BitLocker, a computer must satisfy certain requirements:

  • For BitLocker to use the system integrity check provided by a TPM, the computer must have a TPM version 1.2. If your computer does not have a TPM, enabling BitLocker will require you to save a startup key on a removable device such as a USB flash drive.

  • A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS. The BIOS establishes a chain of trust for pre-operating system startup and must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM does not require a TCG-compliant BIOS.

  • The system BIOS (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment. For more information about USB, see the USB Mass Storage Bulk-Only and the Mass Storage UFI Command specifications on the USB Web site (https://go.microsoft.com/fwlink/?LinkId=83120).

  • The hard disk must be partitioned with at least two drives:

    • The operating system drive (or boot drive) contains the operating system and its support files; it must be formatted with the NTFS file system.

    • The system drive contains the files that are needed to load Windows after the BIOS has prepared the system hardware. BitLocker is not enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the NTFS file system. The system drive should be at least 1.5 gigabytes (GBs).

Installation and initialization

BitLocker is installed automatically as part of the operating system installation. However, BitLocker is not enabled until it is turned on by using the BitLocker setup wizard, which can be accessed from either the Control Panel or by right-clicking the drive in Windows Explorer.

At any time after installation and initial operating system setup, the system administrator can use the BitLocker setup wizard to initialize BitLocker. There are two steps in the initialization process:

  1. On computers that have a TPM, initialize the TPM by using the TPM Initialization Wizard, the BitLocker Drive Encryption item in Control Panel, or by running a script designed to initialize it.

  2. Set up BitLocker. Access the BitLocker setup wizard from the Control Panel, which guides you through setup and presents advanced authentication options.

When a local administrator initializes BitLocker, the administrator should also create a recovery password or a recovery key. Without a recovery key or recovery password, all data on the encrypted drive may be inaccessible and unrecoverable if there is a problem with the BitLocker-protected drive.

Note

BitLocker and TPM initialization must be performed by a member of the local Administrators group on the computer.

For detailed information about configuring and deploying BitLocker, see the Windows BitLocker Drive Encryption Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkID=140225).

Enterprise implementation

BitLocker can use an enterprise's existing Active Directory Domain Services (AD DS) infrastructure to remotely store recovery keys. BitLocker provides a wizard for setup and management, as well as extensibility and manageability through a Windows Management Instrumentation (WMI) interface with scripting support. BitLocker also has a recovery console integrated into the early boot process to enable the user or helpdesk personnel to regain access to a locked computer.

For more information about writing scripts for BitLocker, see Win32_EncryptableVolume (https://go.microsoft.com/fwlink/?LinkId=85983).

Computer decommissioning and recycling

Many personal computers today are reused by people other than the computer's initial owner or user. In enterprise scenarios, computers may be redeployed to other departments, or they might be recycled as part of a standard computer hardware refresh cycle.

On unencrypted drives, data may remain readable even after the drive has been formatted. Enterprises often make use of multiple overwrites or physical destruction to reduce the risk of exposing data on decommissioned drives.

BitLocker can help create a simple, cost-effective decommissioning process. By leaving data encrypted by BitLocker and then removing the keys, an enterprise can permanently reduce the risk of exposing this data. It becomes nearly impossible to access BitLocker-encrypted data after removing all BitLocker keys because this would require cracking 128-bit or 256-bit AES encryption.

BitLocker security considerations

BitLocker cannot protect a computer against all possible attacks. For example, if malicious users, or programs such as viruses or rootkits, have access to the computer before it is lost or stolen, they might be able to introduce weaknesses through which they can later access encrypted data. And BitLocker protection can be compromised if the USB startup key is left in the computer, or if the PIN or Windows logon password are not kept secret.

The TPM-only authentication mode is easiest to deploy, manage, and use. It might also be more appropriate for computers that are unattended or must restart while unattended. However, the TPM-only mode offers the least amount of data protection. If parts of your organization have data that is considered highly sensitive on mobile computers, consider deploying BitLocker with multifactor authentication on those computers.

For more information about BitLocker security considerations, see Data Encryption Toolkit for Mobile PCs (https://go.microsoft.com/fwlink/?LinkId=85982).

Implementing BitLocker on servers

For servers in a shared or potentially non-secure environment, such as a branch office location, BitLocker can be used to encrypt the operating system drive and additional data drives on the same server.

By default, BitLocker is not installed with Windows Server 2008 R2. Add BitLocker from the Windows Server 2008 R2 Server Manager page. You must restart after installing BitLocker on a server. Using WMI, you can enable BitLocker remotely.

BitLocker is supported on Extensible Firmware Interface (EFI) servers that use a 64-bit processor architecture.

Note

BitLocker does not support cluster configurations.

Key management

After the drive has been encrypted and protected with BitLocker, local and domain administrators can use the Manage BitLocker page in the BitLocker Drive Encryption item in Control Panel to change the password to unlock the drive, remove the password from the drive, add a smart card to unlock the drive, save or print the recovery key again, automatically unlock the drive, duplicate keys, and reset the PIN.

Note

The types of keys that can be used on a computer can be controlled by using Group Policy. For more information about using Group Policy with BitLocker, see the BitLocker Deployment Guide (https://go.microsoft.com/fwlink/?LinkID=140286).

Disabling BitLocker protection temporarily

An administrator may want to temporarily disable BitLocker in certain scenarios, such as:

  • Restarting the computer for maintenance without requiring user input (for example, a PIN or startup key).

  • Updating the BIOS.

  • Installing a hardware component that has optional read-only memory (option ROM).

  • Upgrading critical early boot components without triggering BitLocker recovery. For example:

    • Installing a different version of the operating system or another operating system, which might change the master boot record (MBR).

    • Repartitioning the disk, which might change the partition table.

    • Performing other system tasks that change the boot components validated by the TPM.

  • Upgrading the motherboard to replace or remove the TPM without triggering BitLocker recovery.

  • Turning off (disabling) or clearing the TPM without triggering BitLocker recovery.

  • Moving a BitLocker-protected drive to another computer without triggering BitLocker recovery.

These scenarios are collectively referred to as the computer upgrade scenario. BitLocker can be enabled or disabled through the BitLocker Drive Encryption item in Control Panel.

The following steps are necessary to upgrade a BitLocker-protected computer:

  1. Temporarily turn off BitLocker by placing it into disabled mode.

  2. Upgrade the system or the BIOS.

  3. Turn BitLocker back on.

Forcing BitLocker into disabled mode will keep the drive encrypted, but the drive master key will be encrypted with a symmetric key stored unencrypted on the hard disk. The availability of this unencrypted key disables the data protection offered by BitLocker but ensures that subsequent computer startups succeed without further user input. When BitLocker is enabled again, the unencrypted key is removed from the disk and BitLocker protection is turned back on. Additionally, the drive master key is keyed and encrypted again.

Moving the encrypted drive (that is, the physical disk) to another BitLocker-protected computer does not require any additional steps because the key protecting the drive master key is stored unencrypted on the disk.

Warning

Exposing the drive master key even for a brief period is a security risk, because it is possible that an attacker might have accessed the drive master key and full drive encryption key when these keys were exposed by the unencrypted key.

For detailed information about disabling BitLocker, see Windows BitLocker Drive Encryption Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkID=140225).

System recovery

A number of scenarios can trigger a recovery process, for example:

  • Moving the BitLocker-protected drive into a new computer.

  • Installing a new motherboard with a new TPM.

  • Turning off, disabling, or clearing the TPM.

  • Updating the BIOS.

  • Updating option ROM.

  • Upgrading critical early boot components that cause system integrity validation to fail.

  • Forgetting the PIN when PIN authentication has been enabled.

  • Losing the USB flash drive containing the startup key when startup key authentication has been enabled.

An administrator can also trigger recovery as an access control mechanism (for example, during computer redeployment). An administrator may decide to lock an encrypted drive and require that users obtain BitLocker recovery information to unlock the drive.

Recovery setup

Using Group Policy, an IT administrator can choose which recovery methods to require, deny, or make optional for users who enable BitLocker. The recovery password can be stored in AD DS, and the administrator can make this option mandatory, prohibited, or optional for each user of the computer. Additionally, the recovery data can be stored on a USB flash drive.

Recovery password

The recovery password is a 48-digit, randomly generated number that can be created during BitLocker setup. If the computer enters recovery mode, the user will be prompted to type this password by using the function keys (F0 through F9). The recovery password can be managed and copied after BitLocker is enabled. Using the Manage BitLocker page in the BitLocker Drive Encryption item in Control Panel, the recovery password can be printed or saved to a file for future use.

A domain administrator can configure Group Policy to generate recovery passwords automatically and back them up to AD DS as soon as BitLocker is enabled. The domain administrator can also choose to prevent BitLocker from encrypting a drive unless the computer is connected to the network and AD DS backup of the recovery password is successful.

Recovery key

The recovery key can be created and saved to a USB flash drive during BitLocker setup; it can also be managed and copied after BitLocker is enabled. If the computer enters recovery mode, the user will be prompted to insert the recovery key into the computer.