Chapter 2: BitLocker Drive Encryption

Published: April 04, 2007

Microsoft® BitLocker™ Drive Encryption is an integral new security feature in the Enterprise and Ultimate versions of the Windows Vista™ operating system that provides considerable offline data and operating system protection for your computer.

BitLocker is a full-volume encryption technology that helps ensure that data stored on a computer running Windows Vista is not revealed if the computer is tampered with when the installed operating system is offline. It is designed for systems that have a compatible Trusted Platform Module (TPM) microchip and BIOS. If these components are present, BitLocker uses them to provide enhanced protection for your data and to help assure early boot component integrity. This functionality helps protect your data from theft or unauthorized viewing by encrypting the entire volume.

The TPM is usually installed on the motherboard of a computer, and it uses a hardware bus to communicate with the rest of the computer. Computers that incorporate a TPM have the ability to create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process, often called wrapping or binding a key, can help protect the key from disclosure. Each TPM has a master wrapping key, called the storage root key (SRK), which is stored within the TPM itself. The private portion of a key pair created in a TPM is never exposed to any other component, software, process, or person.

BitLocker provides two primary capabilities:

  • It provides per-computer encryption by encrypting the contents of the operating system volume. An attacker who removes the volume will not be able to read it unless they also obtain the keys, which in turn requires attacking the recovery infrastructure or the TPM on the original computer.
  • It provides full-volume encryption by encrypting the entire contents of protected volumes, including the files used by Windows Vista, the boot sector, and slack space formerly allocated to files in use. An attacker is therefore prevented from recovering useful information by analyzing any portion of the disk without recovering the key.

Recovery mechanisms exist for authorized users who encounter legitimate conditions that require recovery. For example, if the TPM fails validation because of a necessary upgrade, because the motherboard that contains the TPM is replaced, or because the hard disk drive that contains the operating system volume is moved to another computer, the system enters recovery mode and the user must use a recovery key that is stored on a USB device or in the Active Directory® directory service to regain access to the volume.

The recovery process is the same for all BitLocker scenarios. If the recovery key is physically separated from the computer (and therefore not lost with the computer) and the attack is not an insider attack by someone like a domain administrator, attacks against the recovery key would be very difficult.

After BitLocker authenticates access to a protected operating system volume, the BitLocker file system filter driver uses a full-volume encryption key (FVEK) to transparently encrypt and decrypt disk sectors as data is written to and read from the protected volume. When the computer hibernates, an encrypted hibernation file is saved to the protected volume. Pending access authentication, this saved file is decrypted when the computer resumes from hibernation.

BitLocker supports several different options, depending on the hardware capability of the computing device and the desired level of security. These options include:

  • BitLocker with TPM
  • BitLocker with Universal Serial Bus (USB) device
  • BitLocker with TPM and personal identification number (PIN)
  • BitLocker with TPM and USB

BitLocker Option: BitLocker with TPM

BitLocker with TPM requires a computer with TPM version 1.2 hardware. This option is transparent to the user because the boot process is not altered in any way and additional passwords or hardware are not needed.

TPM-only authentication mode will provide the most transparent user experience for organizations that need a baseline level of data protection to meet security policies. TPM-only mode is easiest to deploy, manage, and use. Also, TPM-only may be more appropriate for computers that are unattended or must reboot while unattended.

However, TPM-only mode offers the least amount of data protection. This mode protects against some attacks that modify early boot components, but the level of protection can be affected by potential weaknesses in hardware or in the early boot components. BitLocker’s multifactor authentication modes can mitigate many of these attacks.

If some parts of your organization have data on mobile computers that is considered extremely sensitive, consider the best practice of deploying BitLocker with multifactor authentication on those computers. Requiring users to enter a PIN or insert a USB startup key significantly reduces the ease of attack on sensitive data.

The following figure shows the logical flow of the decryption process in this option.


Figure 2.1. BitLocker decryption process with TPM

The steps in the illustrated sequence are as follows:

  1. The BIOS starts and initializes the TPM. Trusted/measured components interact with the TPM to store component measurements in the TPM's Platform Configuration Registers (PCRs).
  2. If the PCR values match the expected values, the TPM uses the storage root key (SRK) to decrypt the volume master key (VMK).
  3. The encrypted FVEK is read from the volume and the decrypted VMK is used to decrypt it.
  4. Disk sectors are decrypted with the FVEK as they are accessed.
  5. Plaintext data is provided to applications and processes.

Securing the VMK is an indirect way to protect data on the disk volume. The addition of the VMK allows the system to rekey easily when keys that are upstream in the trust chain are lost or compromised, because decrypting and re-encrypting the entire disk volume would be expensive.

As described in the preceding process, BitLocker prevents the volume from being decrypted and the operating system from being loaded if it detects changes to the Master Boot Record (MBR) Code, the NTFS Boot Sector, the NTFS Boot Block, the Boot Manager, and other critical components.
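The key chain and boot-integrity check described above can be modeled in a few lines. This is an added example, not Microsoft code or BitLocker's real format: `ToyTPM`, `wrap`/`unwrap`, the component byte strings and the single PCR are assumptions, and an HMAC-SHA256 keystream with a MAC tag stands in for the real ciphers.

```python
import hashlib
import hmac
import os

# Added teaching model. ToyTPM, wrap/unwrap and the component names are
# hypothetical; HMAC-SHA256 stands in for BitLocker's and the TPM's real ciphers.


class IntegrityError(Exception):
    """Wrapped blob failed authentication: wrong key or modified blob."""


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        block = b"enc" + nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(key, plaintext):
    """Encrypt-then-MAC `plaintext` under `key` (stand-in key wrap)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise IntegrityError("unwrap failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class ToyTPM:
    def __init__(self):
        self._srk = os.urandom(32)  # SRK is generated in and never leaves the TPM
        self.pcr = bytes(20)        # one PCR, all zeros at power-on

    def reset(self):
        self.pcr = bytes(20)

    def extend(self, component):
        # TPM 1.2 extend: PCR = SHA-1(PCR || SHA-1(component))
        self.pcr = hashlib.sha1(self.pcr + hashlib.sha1(component).digest()).digest()

    def _seal_key(self):
        # Simplification: the current PCR value is mixed into the wrapping key.
        return hmac.new(self._srk, b"seal" + self.pcr, hashlib.sha256).digest()

    def seal(self, secret):
        return wrap(self._seal_key(), secret)

    def unseal(self, blob):
        return unwrap(self._seal_key(), blob)


def measured_boot(tpm, components):
    tpm.reset()
    for component in components:
        tpm.extend(component)


def provision(tpm, components):
    """Returns (sealed VMK, FVEK wrapped by VMK, FVEK) for a known-good boot chain."""
    measured_boot(tpm, components)
    vmk, fvek = os.urandom(32), os.urandom(32)
    return tpm.seal(vmk), wrap(vmk, fvek), fvek


def unlock(tpm, components, sealed_vmk, wrapped_fvek):
    measured_boot(tpm, components)    # step 1: measurements go into the PCR
    vmk = tpm.unseal(sealed_vmk)      # step 2: succeeds only if the PCR matches
    return unwrap(vmk, wrapped_fvek)  # step 3: VMK decrypts the FVEK


def rekey_vmk(tpm, components, sealed_vmk, wrapped_fvek):
    """Replace the VMK; the FVEK, and so every encrypted sector, is unchanged."""
    fvek = unlock(tpm, components, sealed_vmk, wrapped_fvek)
    new_vmk = os.urandom(32)
    return tpm.seal(new_vmk), wrap(new_vmk, fvek)


# Constructed sample boot chain (byte strings are placeholders, not real images).
GOOD_BOOT = [b"MBR code", b"NTFS boot sector", b"NTFS boot block", b"Boot Manager"]
TAMPERED_BOOT = [b"MBR code (modified)"] + GOOD_BOOT[1:]

if __name__ == "__main__":
    tpm = ToyTPM()
    sealed, wrapped, fvek = provision(tpm, GOOD_BOOT)
    print("clean boot unlocks:", unlock(tpm, GOOD_BOOT, sealed, wrapped) == fvek)
    try:
        unlock(tpm, TAMPERED_BOOT, sealed, wrapped)
    except IntegrityError:
        print("modified MBR: unseal refused")
```

Rekeying with `rekey_vmk` produces two new small blobs while the FVEK stays the same, which is why no sector has to be re-encrypted.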

Mitigated Risks: BitLocker with TPM

The BitLocker with TPM option mitigates the following risks to data:

  • Key discovery through offline attack. The VMK is encrypted using the SRK, a key that is held within the TPM hardware. The VMK is then used to encrypt the FVEK. To decrypt the data on the encrypted volume, the attacker would need to mount a brute-force attack to determine the value of the FVEK.

    Note: By default, BitLocker uses the Advanced Encryption Standard AES-128 algorithm plus the 128-bit strength of the Elephant diffuser. (For more details about the role of the diffuser in adding security to BitLocker, see the BitLocker Drive Encryption AES-CBC + Elephant diffuser white paper.) You can optionally configure BitLocker to use AES-256 plus the 256-bit version of Elephant, plain AES-128, or plain AES-256. See the Windows Vista documentation for more details about how to select these cipher strengths for BitLocker.

  • Offline attacks against the operating system. Offline attacks against the operating system are mitigated by the fact that an attacker has to either successfully recover the SRK from the TPM and then use it to decrypt the VMK, or conduct a brute-force attack on the FVEK. In addition, BitLocker configured with its diffuser technology (enabled by default) mitigates precisely focused attacks of this nature, because small modifications to ciphertext will propagate over a larger area.
  • Plaintext data leaks through hibernation file. A main goal of BitLocker is to protect data on the operating system volume of the hard disk drive when the computer is turned off or in hibernation mode. When BitLocker is enabled, the hibernation file is encrypted.
  • Plaintext data leaks through system paging file. When BitLocker is enabled, the system paging file is encrypted.
  • User error. Because BitLocker is a full-volume encryption technology, it encrypts all files stored in the Windows Vista operating system volume. This functionality helps prevent mistakes by users who make incorrect decisions about whether or not to apply encryption.

Residual Risks and Mitigations: BitLocker with TPM

The BitLocker with TPM option does not mitigate the following risks without additional controls and policy:

  • Computer left in hibernation. The state of the laptop computer and BitLocker encryption keys are not changed when the laptop enters hibernation. This risk can be mitigated by enabling the Prompt for password when computer resumes from sleep setting.
  • Computer left in sleep (standby) mode. As with hibernation, the state of the laptop computer and BitLocker encryption keys are not changed when the laptop enters sleep mode. When it resumes from sleep mode, the FVEK remains accessible to the computer. This risk can be mitigated by enabling the Prompt for password when computer resumes from sleep setting.
  • Computer left logged on and desktop unlocked. After the computer is booted and the VMK is unsealed, unencrypted data can be accessed by anyone with access to the keyboard. The most useful mitigation for this risk is security awareness training for users who might have sensitive information on their computers.
  • Discover local/domain password. Because the TPM is permanently attached to the user's computer, it is not considered a second credential for authentication or access to the encrypted files. If a user's password is compromised, the encryption solution is also compromised. This risk can be mitigated by training users to create good passwords and not share them with anyone or write them in an obvious location. Strong network password policies can effectively prevent a successful dictionary attack on a password by an attacker who uses widely available tools.
  • Insider can read encrypted data. BitLocker with TPM does not require any credentials other than a valid user account password to access all encrypted data on the computer. Therefore, any user account that can log on to the computer can access some or all of the BitLocker-encrypted files as if BitLocker was not enabled. The most useful mitigation for this risk is to require an additional authentication factor to use the computer (which is possible with some other BitLocker options) or to tightly control the policy for each computer with regard to who is allowed to log on. In addition, proper deployment of EFS can significantly mitigate this risk.
  • Online attacks against the operating system. Online attacks against the operating system are not mitigated by this option. If an attacker can unseal the volume and cause a normal boot, the operating system might be susceptible to a variety of attacks, including escalation of privilege and remote code execution attacks.
  • Platform attacks. A computer configured with BitLocker in its basic mode (TPM-only) will boot and load the operating system up to the Microsoft Windows® user-credential interface (the Winlogon service) without requiring any additional BitLocker authentication elements. To load the operating system from the encrypted volume, the computer must gain privileged access to the decryption keys. It does this in a secure manner because it operates within a Trusted Computing Base (TCB) that it validates using a TPM. Any attack against the platform, such as direct memory access (DMA) across the PCI bus, might lead to disclosure of key material.
  • Required authentication factor left with computer. The TPM provides an additional layer of security, because without it a sealed volume cannot be decrypted. This functionality protects against attacks that move the encrypted volume from one computer to another. However, because the TPM cannot be removed from the computer, it is necessarily always present and does not provide the same strength as a completely independent authentication factor. The TPM provides no protection if an attacker discovers additional authenticators, such as the user's computer account password (for BitLocker with TPM only), the user's USB token, or the user's BitLocker PIN.

BitLocker Option: BitLocker with USB Device

BitLocker provides support for full-volume encryption on computers that do not have a TPM version 1.2 chip. Although the additional protection that the TPM provides is not present with this option, many organizations that require a basic encryption solution may find the BitLocker with USB device option satisfactory when combined with policies such as strong user account passwords and the Prompt for password when computer resumes from sleep or hibernate setting.

Because there is no TPM in this option, there is no seal/unseal operation on the VMK. Instead, the VMK is encrypted and decrypted through traditional software mechanisms that use a symmetric key that is present on the USB device. After the USB device is inserted in the computer, BitLocker retrieves the key and decrypts the VMK. The VMK is then used to decrypt the FVEK, as shown in the following figure.

Figure 2.2. BitLocker decryption process with USB device

The steps in the illustrated sequence are as follows:

  1. The operating system starts and prompts the user to insert a USB device that contains the USB key.
  2. The VMK is decrypted with the key on the USB device.
  3. The encrypted FVEK is read from the volume and the decrypted VMK is used to decrypt it.
  4. Disk sectors are decrypted with the FVEK as they are accessed.
  5. Plaintext data is provided to applications and processes.

Mitigated Risks: BitLocker with USB Device

The BitLocker with USB device option mitigates the following risks to data:

  • Computer left in hibernation. After hibernation, BitLocker will require reauthentication with the USB device.
  • Discover local/domain password. BitLocker with a USB device requires an authentication factor other than a valid computer account password to access encrypted data on the computer.
  • Insider can read encrypted data. Same as the previous risk mitigation explanation.
  • Key discovery through offline attack. The VMK is encrypted using a key on the USB device. If the USB device is not available, the attacker would need to mount a brute-force attack to determine the value of the FVEK.
  • Offline attacks against the operating system. The VMK is encrypted using a key on the USB device. If the USB device is not available, the attacker would need to successfully manipulate thousands of sectors that contain operating system modules (equivalent to a brute-force attack) to determine the value of the FVEK. In addition, BitLocker configured with its diffuser technology (enabled by default) mitigates precisely focused attacks of this nature, because small modifications to ciphertext will propagate over a larger area.
  • Plaintext data leaks through hibernation file. A main goal of BitLocker is to protect data on the operating system volume of the hard disk drive when the computer is turned off or in hibernation mode. When BitLocker is enabled, the hibernation file is encrypted.
  • Plaintext data leaks through system paging file. When BitLocker is enabled, the system paging file is encrypted.
  • User error. Because BitLocker is a full-volume encryption technology, it encrypts all files stored in the Windows Vista operating system volume. This functionality helps prevent mistakes by users who make incorrect decisions about whether or not to apply encryption.

Residual Risks and Mitigations: BitLocker with USB Device

The BitLocker with USB device option does not mitigate the following risks without additional controls and policy:

  • Computer left in sleep (standby) mode. The state of the laptop computer and BitLocker encryption keys are not changed when the laptop enters sleep mode. When it resumes from sleep mode, the FVEK remains accessible to the computer. This risk can be mitigated by enabling the Prompt for password when computer resumes from sleep setting.
  • Computer left logged on and desktop unlocked. After the computer is booted and the VMK is unsealed, unencrypted data can be accessed by anyone with access to the keyboard. The most useful mitigation for this risk is security awareness training for users who might have sensitive information on their computers.
  • Online attacks against the operating system. Online attacks against the operating system are not mitigated by this option. If an attacker can cause a normal boot by providing the USB device at boot time, the operating system might be susceptible to a variety of attacks, including escalation of privilege and remote code execution attacks.
  • Platform attacks. A computer configured with BitLocker and a USB device will boot and load the operating system up to the Windows user-credential interface (Winlogon) by using the key contained on the USB device. Any attack against the platform, such as DMA across the PCI bus or via IEEE 1394 interfaces, might lead to disclosure of key material.
  • Required authentication factor left with computer. The USB device is a single physical authentication factor, and the encryption solution depends on it. It is possible that untrained or careless users could store the USB device in the bag with the mobile PC, which would make the device available to a thief. The risk of users losing the computer and the USB device at the same time can be mitigated by using a risk mitigation approach that requires a second non-physical authentication factor such as a personal identification number (PIN) or password.

BitLocker Option: BitLocker with TPM and PIN

A computer with a TPM version 1.2 chip and a BIOS that supports BitLocker can be configured to require two factors to decrypt data that was encrypted with BitLocker. The first factor is the TPM and the second factor is a PIN.

Note: For security-conscious organizations, Microsoft recommends use of BitLocker with TPM and PIN as the preferred option because there is no external token to lose or attack.

Adding a PIN requirement to a BitLocker-enabled computer significantly enhances the security of the BitLocker technology at the cost of usability and manageability. In this option, the user is prompted for two passwords to use their computer, one for BitLocker (at boot time) and one for the computer or domain at logon. The two passwords should and probably will be different, because the PIN is restricted to numeric characters entered through the function keys and most domain password policies would reject an all-numeric password.

Although the PIN provides additional security, it can be attacked by very patient or motivated attackers. BitLocker processes the PIN before localized keyboard support is available, and therefore only the function keys (F0 - F9) can be used. This functionality limits the entropy of the key and makes brute-force attacks possible, although not particularly quick. Fortunately, the TPM PIN mechanism is designed to be resistant to dictionary attacks. The details vary from vendor to vendor, but each adds a geometrically increasing delay before allowing a new number to be entered after an incorrect PIN is entered. The effect of this delay is to slow down a possible brute-force attack, which makes the attack ineffective. This input delay is known as anti-hammering protection. Users can help mitigate possible brute-force attacks against the PIN by choosing relatively strong PINs with seven digits and at least four unique values. More information about choosing strong PINs can be found on the MSDN System Integrity Team Blog.
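The PIN guidance and the anti-hammering delay can be expressed as a small model. This is an added example, not TPM vendor code: the class and function names, the 1-second starting delay, the doubling factor and the one-day cap are assumptions, since the page notes that the details vary by vendor. The seven-digit guidance is treated here as a minimum length.

```python
import hmac
from dataclasses import dataclass


def pin_meets_guidance(pin, min_digits=7, min_unique=4):
    """Check a PIN against the guidance above: numeric, seven digits,
    at least four unique values."""
    return (pin.isascii() and pin.isdigit()
            and len(pin) >= min_digits and len(set(pin)) >= min_unique)


@dataclass
class AntiHammer:
    """Model of a lockout that grows geometrically with each wrong PIN.
    All timing parameters are assumed values, not taken from any TPM."""
    correct_pin: str
    base_delay: float = 1.0      # seconds after the first wrong PIN (assumed)
    factor: float = 2.0          # growth per consecutive failure (assumed)
    max_delay: float = 86400.0   # cap on a single delay (assumed)
    failures: int = 0
    locked_until: float = 0.0

    def attempt(self, pin, now):
        """Return 'locked', 'ok' or 'wrong' for a PIN entered at time `now`."""
        if now < self.locked_until:
            return "locked"              # input refused; the guess is not evaluated
        if hmac.compare_digest(pin.encode(), self.correct_pin.encode()):
            self.failures = 0
            return "ok"
        delay = min(self.base_delay * self.factor ** self.failures, self.max_delay)
        self.failures += 1
        self.locked_until = now + delay
        return "wrong"


def enforced_delay(guesses, base_delay=1.0, factor=2.0, max_delay=86400.0):
    """Total lockout time in seconds accumulated by `guesses` consecutive
    wrong PINs under the same assumed schedule as AntiHammer."""
    total, delay, n = 0.0, base_delay, 0
    while n < guesses and delay < max_delay:
        total += delay
        delay = min(delay * factor, max_delay)
        n += 1
    # Every remaining guess costs the capped delay.
    return total + (guesses - n) * max_delay


if __name__ == "__main__":
    for candidate in ("1111111", "1112223", "4815162"):   # constructed samples
        print(candidate, "meets guidance:", pin_meets_guidance(candidate))
    # Half of the 7-digit space, expressed in years of enforced waiting.
    years = enforced_delay(10**7 // 2) / (365 * 86400)
    print("enforced delay for 5,000,000 wrong guesses: about %.0f years" % years)
```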

The current version of BitLocker does not provide direct support for backing up the PIN. Because the user has two passwords to remember, it is even more important to create a BitLocker recovery key that can be used if the user forgets their BitLocker PIN.

The following figure shows the logical flow of the decryption process in the BitLocker with TPM and PIN option.


Figure 2.3. BitLocker decryption process with TPM and PIN

The steps in the illustrated sequence are as follows:

  1. The BIOS starts and initializes the TPM. Trusted/measured components interact with the TPM to store component measurements in the TPM’s Platform Configuration Registers (PCRs). The user is prompted for a PIN.
  2. The VMK is decrypted by the TPM using the SRK if the PCR values match the expected values and the PIN is correct.
  3. The encrypted FVEK is read from the volume and the decrypted VMK is used to decrypt it.
  4. Disk sectors are decrypted with the FVEK as they are accessed.
  5. Plaintext data is provided to applications and processes.

An interesting difference between this option and the basic BitLocker with TPM option is that the PIN is combined with the TPM key to unseal the VMK. After the unseal operation is successfully performed, BitLocker performs as it does in the basic option.

Mitigated Risks: BitLocker with TPM and PIN

The BitLocker with TPM and PIN option mitigates the following risks to data:

  • Computer left in hibernation. BitLocker with TPM and PIN mitigates this risk because the user is prompted to provide the PIN when the laptop resumes from hibernation mode.
  • Discover local/domain password. A major advantage of the BitLocker with TPM and PIN option is that the solution introduces another factor, or credential, that is required to boot the computer or resume from hibernation mode. This benefit is significant for those users who are at risk for either social engineering attacks or because they have poor password habits, such as using their Windows password on untrusted computers.
  • Insider can read encrypted data. A user who has an authorized domain account must log on to the computer, which requires it to be booted. A user with an authorized domain account who does not have the additional authentication factor will not be able to boot the computer to log on. No data can be accessed from the laptop by any user who does not know the PIN, even a domain user who might otherwise be allowed to log on to the computer because of domain policy.
  • Key discovery through offline attack. The VMK is encrypted using a key within the TPM hardware that is combined with a PIN. If the PIN is not known, the attacker would need to mount a brute-force attack to determine the value of the FVEK.
  • Offline attacks against the operating system. The VMK is encrypted using a key within the TPM hardware that is combined with a PIN. If the PIN is not known, the attacker would need to mount a brute-force offline attack to determine the value of the FVEK and use it to decrypt the volume to attack the operating system files.
  • Plaintext data leaks through hibernation file. A main goal of BitLocker is to protect data on the operating system volume of the hard disk when the computer is turned off or in hibernation mode. When BitLocker is enabled, the hibernation file is encrypted.
  • Plaintext data leaks through system paging file. When BitLocker is enabled, the system paging file is encrypted.
  • Required authentication factor left with computer. The PIN is a second non-physical authentication factor that cannot be lost with the computer unless it is written somewhere, such as on a piece of paper.
  • User error. Because BitLocker is a full-volume encryption technology, it encrypts all files stored on the Windows Vista operating system volume. This functionality helps prevent mistakes by users who make incorrect decisions about whether or not to apply encryption.

Residual Risks and Mitigations: BitLocker with TPM and PIN

The BitLocker with TPM and PIN option does not mitigate the following risks without additional controls and policy:

  • Computer left in sleep (standby) mode. The state of the laptop computer and BitLocker encryption keys are not changed when the laptop enters sleep mode. When it resumes from sleep mode, the FVEK remains accessible to the computer. This risk can be mitigated by enabling the Prompt for password when computer resumes from sleep setting.
  • Computer left logged on and desktop unlocked. After the computer is booted and the VMK is unsealed, unencrypted data can be accessed by anyone with access to the keyboard. The most useful mitigation for this risk is security awareness training for users who might have sensitive information on their computers.
  • Online attacks against the operating system. Online attacks against the operating system are not mitigated by this option.
  • Platform attacks. A computer configured with BitLocker, a TPM, and a user PIN will boot and load the operating system up to the Windows user-credential interface (Winlogon) after the user PIN is entered. Until the user enters the PIN, platform attacks cannot recover the key material. After the PIN is entered, such attacks might lead to disclosure of key material.

BitLocker Option: BitLocker with TPM and USB Device

In the previous option, BitLocker was configured to use a PIN as a second factor of authentication with the TPM. It is also possible to use a USB device as an alternative to the PIN. In this option, the user is prompted to insert the USB device at boot time or when resuming from hibernation mode.

The following figure shows the logical flow of the decryption process in the BitLocker with TPM and USB option.


Figure 2.4. BitLocker decryption process with TPM and USB device

The steps in the illustrated sequence are as follows:

  1. The BIOS starts and initializes the TPM. Trusted/measured components interact with the TPM to store component measurements in the TPM’s Platform Configuration Registers (PCRs).
  2. The user is prompted for the USB device that contains the BitLocker key.
  3. An intermediate key is decrypted by the TPM using the SRK if the PCR values match the expected values. This intermediate key is combined with the key on the USB device to produce another intermediate key that is used to decrypt the VMK.
  4. The encrypted FVEK is read from the volume and the decrypted VMK is used to decrypt it.
  5. Disk sectors are decrypted with the FVEK as they are accessed.
  6. Plaintext data is provided to applications and processes.

This option is different from the basic BitLocker with TPM or BitLocker with TPM and PIN options, because key material stored on the USB is combined with the TPM key to decrypt the VMK. After the unseal operation is successfully completed, BitLocker operates the same as in the basic option.

Mitigated Risks: BitLocker with TPM and USB Device

The BitLocker with TPM and USB device option mitigates the following risks to data:

  • Computer left in hibernation. After hibernation, BitLocker will require reauthentication with the USB device.
  • Discover local/domain password. Like the previous option, the main advantage of the BitLocker with TPM and USB option is that the solution introduces another factor, or credential, that is required to boot the computer or resume from hibernation mode.
  • Insider can read encrypted data. Because this option adds an authentication factor, it reduces the risk that an unauthorized user with a valid account will be able to boot the computer, log on, and read encrypted data.
  • Key discovery through offline attack. If the USB device is not present, the attacker would need to mount a brute-force attack against the key kept on the USB device to determine the value of the FVEK.
  • Offline attacks against the operating system. If the USB device is not present, the attacker would need to mount a brute-force attack against the key kept on the USB device to successfully attack the operating system.
  • Plaintext data leaks through hibernation file. A main goal of BitLocker is to protect data on the operating system volume of the hard disk when the computer is turned off or in hibernation mode. When BitLocker is enabled, the hibernation file is encrypted.
  • Plaintext data leaks through system paging file. On Windows Vista, the pagefile is encrypted using a temporary symmetric key that is generated at boot time but is never written to disk. After the system is shut down this key is discarded, so recovering data from the pagefile would require a brute-force attack to find the symmetric key that was used to encrypt the pagefile.
  • User error. Because BitLocker is a full-volume encryption technology, it encrypts all files stored in the Windows Vista operating system volume. This functionality helps prevent mistakes by users who make incorrect decisions about whether or not to apply encryption.

Residual Risks and Mitigations: BitLocker with TPM and USB Device

The BitLocker with TPM and USB device option does not mitigate the following risks without additional controls and policy:

  • Computer left in sleep (standby) mode. The state of the laptop computer and BitLocker encryption keys are not changed when the laptop enters sleep mode. When it resumes from sleep mode, the FVEK remains accessible to the computer. This risk can be mitigated by enabling the Prompt for password when computer resumes from sleep setting.
  • Computer left logged on and desktop unlocked. After the computer is booted and the VMK is decrypted, unencrypted data can be accessed by anyone with access to the keyboard. The most useful mitigation for this risk is security awareness training for users who may have sensitive information on their computers.
  • Online attacks against the operating system. An attacker who can cause a normal boot by providing the USB device as part of the boot process can mount a variety of attacks, including escalation of privilege attacks and attacks that can be remotely exploited.
  • Platform attacks. A computer configured with BitLocker, a TPM, and a USB device will boot and load the operating system up to the Windows user-credential interface (Winlogon). Platform attacks might lead to disclosure of key material.
  • Required authentication factor left with computer. The USB device is a single physical authentication factor, and the encryption solution depends on it. The risk of users losing the computer and the USB device at the same time can be mitigated by requiring a second non-physical authentication factor such as a PIN or password.

BitLocker Risk Analysis Summary

The following table lists data risks and indicates whether the different BitLocker options mitigate each risk. Risks that are mitigated for specific options are marked with the letter Y. Hyphens (-) indicate risks for which the specific option provides little or no mitigation.

Table 2.1. BitLocker Risk Mitigations


More Information

This accelerator is part of a larger series of tools and guidance from Solution Accelerators.
