
3. On the Choose How You Want To Unlock This Drive page, select one or more protection methods:
• Use A Password To Unlock This Drive. Users will be prompted for a password before they can access the contents of the drive.
• Use My Smart Card To Unlock The Drive. Users will be prompted to insert a smart card before they can access the contents of the drive. You can use this option with removable drives; however, you will not be able to access the drive using Windows Vista or Windows XP because smart cards cannot be used with the BitLocker To Go Reader.
• Automatically Unlock This Drive On This Computer. Windows will automatically unlock non-removable data drives without prompting the user. Selecting this option requires that the operating system drive be protected by BitLocker, because the data drive's key is stored on it. If you move the drive to a different computer, you will be prompted for credentials.
4. On the How Do You Want To Store Your Recovery Key page, choose the method to save the recovery key. Click Next.
5. On the Are You Ready To Encrypt This Drive page, click Start Encrypting.

How to Manage BitLocker Keys on a Local Computer
To manage keys on a local computer, follow these steps:
1. Open Control Panel and click System And Security. Under BitLocker Drive Encryption, click Manage BitLocker.
2. In the BitLocker Drive Encryption window, click Manage BitLocker next to the volume you want to manage.

Using this tool, you can save the recovery key to a USB flash drive or a file, or you can print the recovery key.

How to Manage BitLocker from the Command Line
To manage BitLocker from an elevated command prompt or from a remote computer, use the Manage-bde.exe tool. The following example demonstrates how to view the status of every volume that BitLocker can protect.

manage-bde -status

BitLocker Drive Encryption: Configuration Tool
Copyright (C) Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [] [OS Volume]

    Size:                 74.37 GB
    BitLocker Version:
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        TPM
        Numerical Password

BitLocker Drive Encryption Chapter 16 653

Run the following command to enable BitLocker on the C drive, save the recovery key (an external key .BEK file) to the Y drive, and generate a random 48-digit recovery password.

manage-bde -on C: -RecoveryKey Y: -RecoveryPassword

BitLocker Drive Encryption: Configuration Tool version 6.1.7100
Copyright (C) Microsoft Corporation. All rights reserved.

Volume C: [] [OS Volume]
Key Protectors Added:

    Saved to directory Y:\

    External Key:
      ID: {7B7E1BD1-E579-4F6A-8B9C-AEB626FE08CC}
      External Key File Name:
        7B7E1BD1-E579-4F6A-8B9C-AEB626FE08CC.BEK

    Numerical Password:
      ID: {75A76E33-740E-41C4-BD41-48BDB08FE755}
      Password:
        460559-421212-096877-553201-389444-471801-362252-086284

    TPM:
      ID: {E6164F0E-8F85-4649-B6BD-77090D49DE0E}

ACTIONS REQUIRED:

    1. Save this numerical recovery password in a secure location away from
    your computer:

        460559-421212-096877-553201-389444-471801-362252-086284

    To prevent data loss, save this password immediately. This password helps
    ensure that you can unlock the encrypted volume.

    2. Insert a USB flash drive with an external key file into the computer.

    3. Restart the computer to run a hardware test.
    (Type "shutdown /?" for command line instructions.)

    4. Type "manage-bde -status" to check if the hardware test succeeded.

NOTE: Encryption will begin after the hardware test succeeds.

After you run the command, restart the computer with the USB flash drive that holds the external key file connected so that BitLocker can complete the hardware test. After the computer restarts, BitLocker will begin encrypting the disk. Run the following command to disable BitLocker on the C drive and decrypt it.

manage-bde -off C:

BitLocker Drive Encryption: Configuration Tool
Copyright (C) Microsoft Corporation. All rights reserved.

Decryption is now in progress.

You can also use the Manage-bde.exe tool to specify a startup key and a recovery key, which allows a single key to be used on multiple computers. This is useful if a single user has multiple computers, such as a user with both a Tablet PC and a desktop computer. It can also be useful in lab environments, where several users might share several different computers. Note, however, that a single compromised startup key or recovery key exposes every computer that shares it, and all of them must be rekeyed. For detailed information about using Manage-bde.exe, run manage-bde.exe -? from a command prompt.
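The following PowerShell script is an added example; it is not code from the book or from Microsoft. It reads the same fields that the manage-bde -status output above prints (conversion status, encryption method, protection status, lock status and key protectors) directly from the Win32_EncryptableVolume WMI provider that Manage-bde.exe itself uses, so a fleet check does not have to scrape localized console output. It flags the states a practitioner cares about: a volume that is not fully encrypted, protection that is suspended (the volume master key sits on disk under a clear key), an operating system volume with no TPM-based protector, and one with no numerical recovery password to back up. The function name Get-BitLockerAudit and the baseline it enforces (AES 256, methods 2 and 4, rather than the 128-bit default) are assumptions of this example. Run it from an elevated PowerShell prompt; the syntax is PowerShell 2.0 as shipped with Windows 7.

```powershell
# Added example (not from the book): audit BitLocker state through the
# Win32_EncryptableVolume WMI class. Run elevated. Windows 7 / PowerShell 2.0 syntax.
$Namespace = 'root\cimv2\Security\MicrosoftVolumeEncryption'

# Enumerations from the Win32_EncryptableVolume method documentation.
$ConversionName = @{ 0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress'
                     3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused' }
$MethodName     = @{ 0 = 'None'; 1 = 'AES 128 with Diffuser'; 2 = 'AES 256 with Diffuser'
                     3 = 'AES 128'; 4 = 'AES 256' }
$ProtectorName  = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'External Key'; 3 = 'Numerical Password'
                     4 = 'TPM And PIN'; 5 = 'TPM And Startup Key'
                     6 = 'TPM And PIN And Startup Key'; 7 = 'Public Key'; 8 = 'Passphrase' }
$TpmBased       = 1, 4, 5, 6      # protector types that seal the volume master key to the TPM

function Get-BitLockerAudit {
    # Assumed baseline: AES 256 with or without Diffuser. The book's default is AES 128 with Diffuser.
    param([int[]]$AllowedMethods = @(2, 4))

    foreach ($vol in Get-WmiObject -Namespace $Namespace -Class Win32_EncryptableVolume) {
        $conv  = $vol.GetConversionStatus()                           # ConversionStatus, EncryptionPercentage
        $meth  = [int]$vol.GetEncryptionMethod().EncryptionMethod
        $prot  = [int]$vol.GetProtectionStatus().ProtectionStatus     # 0 off, 1 on, 2 unknown
        $lock  = [int]$vol.GetLockStatus().LockStatus                 # 0 unlocked, 1 locked
        $ids   = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID | Where-Object { $_ })   # type 0 = all
        $types = @($ids | ForEach-Object { [int]$vol.GetKeyProtectorType($_).KeyProtectorType })
        $isOs  = ($vol.DriveLetter -eq $env:SystemDrive)

        $findings = @()
        if ([int]$conv.ConversionStatus -ne 1) {
            $findings += "not fully encrypted: $($ConversionName[[int]$conv.ConversionStatus]) ($($conv.EncryptionPercentage)%)"
        }
        if ($ids.Count -gt 0 -and $prot -eq 0) {
            # Protectors exist but protection is off: BitLocker was suspended, so the
            # volume master key is stored on the disk encrypted only with a clear key.
            $findings += 'protection suspended (clear key on disk)'
        }
        if ($meth -ne 0 -and $AllowedMethods -notcontains $meth) {
            $findings += "cipher $($MethodName[$meth]) is below baseline"
        }
        if ($isOs -and $ids.Count -gt 0) {
            if (-not ($types | Where-Object { $TpmBased -contains $_ })) {
                $findings += 'OS volume has no TPM-based protector (startup key only, or non-TPM computer)'
            }
            if ($types -notcontains 3) {
                $findings += 'no numerical recovery password; nothing to back up to AD DS'
            }
        }

        New-Object PSObject -Property @{
            Drive         = $vol.DriveLetter
            OSVolume      = $isOs
            Conversion    = $ConversionName[[int]$conv.ConversionStatus]
            Percent       = $conv.EncryptionPercentage
            Method        = $MethodName[$meth]
            ProtectionOn  = ($prot -eq 1)
            Locked        = ($lock -eq 1)
            KeyProtectors = ($types | ForEach-Object { $ProtectorName[$_] }) -join ', '
            Findings      = $findings -join '; '
        }
    }
}

Get-BitLockerAudit | Format-Table Drive, Conversion, Method, ProtectionOn, KeyProtectors, Findings -AutoSize
```

Because the function emits objects rather than text, the same call can be piped to Export-Csv or run against many machines with Invoke-Command, and an empty Findings column is the pass condition. Integer casts on the WMI uint32 results matter: the hash tables are keyed by Int32, and a UInt32 lookup would silently return nothing.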

How to Recover Data Protected by BitLocker
When you use BitLocker, the encrypted volumes will be locked if the encryption key is not available, causing BitLocker to enter recovery mode. Likely causes for the encryption key's unavailability include:

• Modification of one of the boot files.

• The BIOS is modified and the TPM is disabled.

• The TPM is cleared.

• An attempt is made to boot without the TPM, PIN, or USB key being available.

• The BitLocker-encrypted disk is moved to a new computer.

After the drive is locked, you can boot only to recovery mode, as shown in Figure 16-19. In recovery mode, you enter the recovery password using the function keys on your keyboard (just as you do when entering the PIN), pressing F1 for the digit 1, F2 for the digit 2, and so forth, with F10 being the digit 0. You must use function keys because localized keyboard support is not yet available at this phase of startup.

Figure 16-19 Recovery mode prompts you for a 48-digit recovery password.

If you have the recovery key on a USB flash drive, you can insert the recovery key and press Esc to restart the computer. The recovery key will be read automatically during startup. If you cancel recovery, the Windows Boot Manager will provide instructions for using Startup Repair to fix a startup problem automatically. Do not follow these instructions, because Startup Repair cannot access the encrypted volume. Instead, restart the computer and enter the recovery key.

More Info: Additionally, you can use the BitLocker Repair Tool, Repair-bde.exe, to recover data from an encrypted volume whose BitLocker metadata is damaged. Repair-bde still needs the volume's recovery password or recovery key file; it repairs the volume, it does not bypass the encryption. If a BitLocker failure prevents Windows 7 from starting, you can run Repair-bde from the Windows Recovery Environment (Windows RE) command prompt. For more information about Repair-bde, run repair-bde /? at a command prompt. For more information about troubleshooting startup problems, including using Repair-bde, refer to Chapter 29.

How to Disable or Remove BitLocker Drive Encryption
Because BitLocker intercepts the boot process and looks for changes to any of the early boot files, it can cause problems in the following nonattack scenarios:

• Upgrading or replacing the motherboard or TPM

• Installing a new operating system that changes the MBR or the Boot Manager

• Moving a BitLocker-encrypted disk to another TPM-enabled computer

• Repartitioning the hard disk

• Updating the BIOS

• Installing a third-party update outside the operating system (such as hardware firmware updates)


To avoid entering BitLocker recovery mode, you can temporarily disable (suspend) BitLocker, which allows you to change the TPM and upgrade the operating system. While BitLocker is suspended, the volume master key is stored on the disk encrypted only with a clear key, so anyone who obtains the disk can read the data; re-enable protection as soon as the maintenance is finished. When you re-enable BitLocker, the same keys are used. You can also choose to decrypt the BitLocker-protected volume, which completely removes BitLocker protection. After decrypting, you can re-enable BitLocker only by repeating the process to create new keys and re-encrypt the volume. To suspend or decrypt BitLocker, follow these steps:
1. Log on to the computer as an administrator.
2. From Control Panel, open BitLocker Drive Encryption.
3. To temporarily disable BitLocker by using a clear key, click Suspend Protection and then click Yes. To disable BitLocker permanently, click Turn Off BitLocker and then click Decrypt Drive.

How to Decommission a BitLocker Drive Permanently
Compromises in confidentiality can occur when computers or hard disks are decommissioned. For example, a computer that reaches the end of its usefulness at an organization might be discarded, sold, or donated to charity. The person who receives the computer might extract confidential files from the computer's hard disk. Even if the disk has been formatted, data can often be extracted.

BitLocker reduces the risks of decommissioning drives. For example, if you use a startup key or startup PIN, the contents of the volume are inaccessible without this additional information or the drive's saved recovery information. You can decommission a drive more securely by removing all key blobs from the disk. Once the BitLocker key protectors are deleted from the volume, nothing on the disk can unwrap the volume master key, and an attacker is left to break the cipher itself, a task that is extremely unlikely to be accomplished within anyone's lifetime. As a cleanup task, you should also discard all saved recovery information, such as recovery information saved to AD DS, recovery key files on USB flash drives, and printed recovery passwords.

To remove all key blobs on a secondary drive (data volume), you can format that drive from Windows or the Windows RE. Note that this format operation will not work on a drive that is currently in use. For example, you cannot use it to more securely decommission the drive used to run Windows.

To remove all key blobs on a running drive, you can create a script that performs the following tasks:
1. Calls the Win32_EncryptableVolume.GetKeyProtectors method to retrieve all key protectors (KeyProtectorType 0).
2. Creates a not-to-be-used recovery password blob (discarding the actual recovery password) by using Win32_EncryptableVolume.ProtectKeyWithNumericalPassword and a randomly generated password sequence. This is required because Win32_EncryptableVolume.DeleteKeyProtector will not remove the last remaining key protector from a protected volume.
3. Uses Win32_EncryptableVolume.DeleteKeyProtector to remove all of the usable key protectors associated with the identifiers retrieved in step 1.
4. Clears the TPM by calling the Win32_TPM.Clear method.

For more information about developing a script or application to perform secure decommissioning on a BitLocker-encrypted drive, refer to the Win32_EncryptableVolume WMI provider class documentation at http://msdn.microsoft.com/en-us/library/aa376483.aspx and the Win32_TPM WMI provider class documentation at http://msdn.microsoft.com/en-us/library/aa376484.aspx.
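The script below is an added example that implements the four steps just listed against the Win32_EncryptableVolume and Win32_Tpm WMI classes; it is not code from the book or from Microsoft. It is destructive: once the usable protectors are deleted and the TPM is cleared, the volume cannot be unlocked again, and an operating system volume treated this way stops booting at the next restart. Without -Force it only reports the protectors it would delete. The function name Invoke-BitLockerDecommission is this example's own, and the owner-authorization handling of Win32_Tpm.Clear is an assumption: the method is called without an OwnerAuth value, and the firmware may require physical-presence confirmation at the next boot. Run it from an elevated PowerShell prompt; the syntax is PowerShell 2.0 as shipped with Windows 7.

```powershell
# Added example (not from the book): remove every usable BitLocker key protector from a
# volume and clear the TPM. Run elevated. Windows 7 / PowerShell 2.0 syntax.
$VolNs = 'root\cimv2\Security\MicrosoftVolumeEncryption'
$TpmNs = 'root\cimv2\Security\MicrosoftTpm'

function Invoke-BitLockerDecommission {
    param(
        [Parameter(Mandatory = $true)][string]$DriveLetter,   # e.g. 'C:'
        [switch]$ClearTpm,                                    # also perform step 4
        [switch]$Force                                        # without it, report only
    )

    $vol = Get-WmiObject -Namespace $VolNs -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "No BitLocker-capable volume $DriveLetter" }
    # A suspended volume keeps its master key under a clear key, so deleting protectors
    # would not make the data unreadable; require protection to be on.
    if ([int]$vol.GetProtectionStatus().ProtectionStatus -ne 1) {
        throw "Protection is not on for $DriveLetter (volume is decrypted or suspended); resume protection first"
    }

    # Step 1: enumerate every protector currently on the volume (KeyProtectorType 0 = all).
    $usable = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID | Where-Object { $_ })
    Write-Host "Usable key protectors on ${DriveLetter}: $($usable -join ', ')"
    if (-not $Force) { Write-Host 'Dry run only; re-run with -Force to delete them.'; return }

    # Step 2: add a sacrificial numerical-password protector. DeleteKeyProtector refuses to
    # remove the last protector of a protected volume (FVE_E_KEY_REQUIRED), so one must remain.
    # Passing $null for NumericalPassword makes the provider generate a random 48-digit password,
    # which is never retrieved (GetKeyProtectorNumericalPassword is deliberately not called).
    $r = $vol.ProtectKeyWithNumericalPassword('decommission', $null)
    if ($r.ReturnValue -ne 0) { throw ('ProtectKeyWithNumericalPassword failed: 0x{0:X8}' -f $r.ReturnValue) }
    $sacrificialId = $r.VolumeKeyProtectorID

    # Step 3: delete every protector gathered in step 1 (TPM, startup key, real recovery password...).
    foreach ($id in $usable) {
        $d = $vol.DeleteKeyProtector($id)
        if ($d.ReturnValue -ne 0) { throw ('DeleteKeyProtector {0} failed: 0x{1:X8}' -f $id, $d.ReturnValue) }
        Write-Host "Deleted protector $id"
    }
    Write-Host "Only the discarded protector $sacrificialId remains; the volume master key is now unrecoverable."

    # Step 4: clear the TPM so no sealed copy of the key survives in the platform.
    if ($ClearTpm) {
        $tpm = Get-WmiObject -Namespace $TpmNs -Class Win32_Tpm
        if ($tpm) {
            $c = $tpm.Clear($null)   # assumption: no OwnerAuth supplied; may need physical presence at next boot
            if ($c.ReturnValue -ne 0) { throw ('Win32_Tpm.Clear failed: 0x{0:X8}' -f $c.ReturnValue) }
            Write-Host 'TPM clear requested.'
        }
    }
    # Remaining cleanup is outside the script: delete saved recovery information (AD DS, files, printouts).
}

# Invoke-BitLockerDecommission -DriveLetter 'D:'                    # report only
# Invoke-BitLockerDecommission -DriveLetter 'D:' -Force -ClearTpm   # destructive
```

Step 2 runs before step 3 on purpose: if the order were reversed, the last DeleteKeyProtector call would fail and a usable protector would survive on the disk. Checking ReturnValue after every WMI call is what turns that failure into a stop rather than a silently incomplete decommission.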

How to Prepare AD DS for BitLocker
BitLocker is also integrated into AD DS. In fact, although you can use BitLocker without AD DS, enterprises really shouldn't: key recovery and data recovery agents are an extremely important part of using BitLocker. AD DS is a reliable and efficient way to store recovery keys so that you can restore encrypted data if a key is lost, and you must use AD DS to configure data recovery agents. If your AD DS is at the Windows Server 2008 or later functional level, you do not need to prepare AD DS for BitLocker. If your AD DS is at a functional level of Windows Server 2003 or earlier, however, you will need to update the schema to support BitLocker. For detailed instructions on how to configure AD DS to back up BitLocker and TPM recovery information, read "Configuring Active Directory to Back Up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information" at http://go.microsoft.com/fwlink/?LinkId=78953. For information about retrieving recovery passwords from AD DS, read "How to Use the BitLocker Recovery Password Viewer For Active Directory Users And Computers Tool to View Recovery Passwords for Windows Vista" at http://support.microsoft.com/?kbid=928202.

How to Configure a Data Recovery Agent
Earlier versions of Windows supported storing BitLocker recovery keys in AD DS. This works well, but each BitLocker-protected volume has a unique recovery key. In enterprises, this can consume a large amount of space in AD DS. By using a data recovery agent instead of storing recovery keys in AD DS, you can store a single certificate in AD DS and use it to recover any BitLocker-protected volume. To configure a data recovery agent, follow these steps:
1. Publish the future data recovery agent's certificate to AD DS. Alternatively, export the certificate to a .cer file and have it available.
2. Open a Group Policy object that targets the Windows 7 computers using the Group Policy Object Editor and then select Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
3. Right-click BitLocker Drive Encryption, click Add Data Recovery Agent to start the Add Recovery Agent Wizard, and then click Next.
4. On the Select Recovery Agents page, click Browse Directory (if the certificate is stored in AD DS) or Browse Folders (if you have saved the .cer file locally). Select a .cer file to use as a data recovery agent. After the file is selected, it will be imported and will appear in the Recovery Agents list in the wizard. You can specify multiple data recovery agents. After you specify all of the data recovery agents that you want to use, click Next.
5. The Completing The Add Recovery Agent page of the wizard displays a list of the data recovery agents that will be added to the Group Policy object. Click Finish to confirm the data recovery agents and close the wizard.

The next time Group Policy is applied to the targeted Windows 7 computers, the data recovery agent certificate will be applied to the drive. BitLocker applies data recovery agents only to drives that carry the organization's identification field, so the Provide The Unique Identifiers For Your Organization policy (described in Table 16-2) must also be configured. At that point, you will be able to recover any BitLocker-protected drive using the private key of the certificate configured as the data recovery agent. Because of this, you must carefully protect the data recovery agent certificate and its private key.

How to Manage BitLocker with Group Policy BitLocker has several Group Policy settings located in Computer Configuration\Policies \Administrative Templates\Windows Components\BitLocker Drive Encryption that you can use to manage the available features . Table 16-2 lists these policies, which are written to the registry on targeted computers under the following registry key:

HKLM\Software\Policies\Microsoft\FVE

Table 16-2 Group Policy Settings for BitLocker Drive Encryption

Store BitLocker Recovery Information In Active Directory Domain Services (Windows Server 2008 And Windows Vista): Enabling this policy silently backs up BitLocker recovery information to AD DS. For computers running Windows 7 and Windows Server 2008 R2, enable the Fixed Data Drives\Choose How BitLocker-Protected Fixed Drives Can Be Recovered, Operating System Drives\Choose How BitLocker-Protected Operating System Drives Can Be Recovered, or Removable Data Drives\Choose How BitLocker-Protected Removable Drives Can Be Recovered policies instead.

Choose Default Folder For Recovery Password: Enabling this policy and configuring a default path for it sets the default folder to display when the user is saving recovery information for BitLocker. The user will have the ability to override the default.

Choose How Users Can Recover BitLocker-Protected Drives (Windows Server 2008 And Windows Vista): Enabling this policy allows you to control which recovery mechanisms the user can choose. Disabling the recovery password will disable saving to a folder or printing the key because these actions require the 48-digit recovery password. Disabling the 256-bit recovery key will disable saving to a USB key. If you disable both options, you must enable AD DS backup or a policy error will occur. For computers running Windows 7 and Windows Server 2008 R2, enable the Fixed Data Drives\Choose How BitLocker-Protected Fixed Drives Can Be Recovered, Operating System Drives\Choose How BitLocker-Protected Operating System Drives Can Be Recovered, or Removable Data Drives\Choose How BitLocker-Protected Removable Drives Can Be Recovered policies instead.

Choose Drive Encryption Method And Cipher Strength: Enabling this policy allows configuration of the encryption method used by BitLocker Drive Encryption. The default if this policy is not enabled is 128-bit AES with Diffuser. Other choices that can be configured are 256-bit AES with Diffuser, 128-bit AES, and 256-bit AES. The setting applies only to volumes encrypted after it takes effect; already-encrypted volumes keep their method.

Prevent Memory Overwrite On Restart: Enabling this policy prevents Windows from overwriting memory on restarts. This potentially exposes BitLocker secrets that remain in RAM but can improve restart performance.

Provide The Unique Identifiers For Your Organization: Enable this policy if you want to prevent users from mounting BitLocker-protected drives that might be from outside organizations. The identification field it sets is also required on a drive before a data recovery agent is applied to it.

Validate Smart Card Certificate Usage Rule Compliance: Enable this policy only if you want to restrict users to smart cards that have an object identifier (OID) that you specify.

Operating System Drives\Require Additional Authentication At Startup, or Operating System Drives\Require Additional Authentication At Startup (Windows Server 2008 And Windows Vista): Enabling this policy allows configuring additional startup options and allows enabling of BitLocker on a non-TPM-compatible computer (startup key only). On TPM-compatible computers, a secondary authentication can be required at startup: a USB startup key or a startup PIN. The Windows Vista version of the policy allows one or the other but not both; the Windows 7 version can also allow or require a startup key and PIN together, which is configured with Manage-bde.exe rather than the Control Panel wizard.

Allow Enhanced PINs For Startup: Enhanced PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. By default, enhanced PINs are disabled.

Operating System Drives\Configure Minimum PIN Length For Startup: Enables you to require a minimum PIN length.

Operating System Drives\Choose How BitLocker-Protected Operating System Drives Can Be Recovered: Enabling this policy allows you to control which recovery mechanisms the user can choose and whether recovery information is stored in AD DS. Disabling the recovery password will disable saving to a folder or printing the key because these actions require the 48-digit recovery password. Disabling the 256-bit recovery key will disable saving to a USB key.

Operating System Drives\Configure TPM Platform Validation Profile: Enabling this policy allows detailed configuration of the PCR indices that the volume master key is sealed against. Each index aligns with Windows features that run during startup.

Fixed Data Drives\Configure Use Of Smart Cards On Fixed Data Drives: Enables or requires smart cards for BitLocker to protect non-operating system volumes.

Fixed Data Drives\Deny Write Access To Fixed Drives Not Protected By BitLocker: Requires drives to be BitLocker-protected before users can save files to them.

Fixed Data Drives\Allow Access To BitLocker-Protected Fixed Data Drives From Earlier Versions Of Windows: Allows you to prevent the BitLocker To Go Reader from being copied to fixed data drives, preventing users of earlier versions of Windows (including Windows Server 2008, Windows Vista, and Windows XP SP2 or SP3) from entering a password to access the drive.

Fixed Data Drives\Configure Use Of Passwords For Fixed Drives: Requires passwords to access BitLocker-protected fixed drives and configures password complexity.

Fixed Data Drives\Choose How BitLocker-Protected Fixed Drives Can Be Recovered: Enabling this policy allows you to control which recovery mechanisms the user can choose and whether recovery information is stored in AD DS. Disabling the recovery password will disable saving to a folder or printing the key because these actions require the 48-digit recovery password. Disabling the 256-bit recovery key will disable saving to a USB key.

For information about BitLocker To Go policies (which are configured in the Removable Data Drives node), refer to the section titled “BitLocker To Go” earlier in this chapter .


The Costs of BitLocker Most security features require a tradeoff . The benefit to any security feature is that it reduces risk and thus reduces the cost associated with a security compromise . Most security features also have a cost—purchase price, increased maintenance, or decreased user productivity . The benefit of using BitLocker is reduced risk of loss of data confidentiality in the event of a stolen hard disk . Like most security features, BitLocker has costs (aside from any software or hardware costs):

• If a PIN or external key is required, the startup experience is not transparent to the user. If the user forgets the PIN or loses the startup key, the user must wait for a Support Center representative to read out the recovery password before the computer can start.

• In the event of hard disk failure or data corruption, recovering data from the disk can be more difficult, because every recovery path still needs the recovery password or recovery key.

More Info: You should implement BitLocker in your organization only if the reduced security risks outweigh these costs. For more information about cost/benefit analysis, read the Security Risk Management Guide at http://technet.microsoft.com/en-us/library/cc163143.aspx.

Encrypting File System

BitLocker is not a replacement for the Encrypting File System (EFS) introduced in Windows 2000, but a supplement to it that ensures that the operating system itself is protected from attack. Best practices for protecting sensitive computers and data combine the two features to provide a high level of assurance of the confidentiality of data on the system.

EFS continues to be an important data-protection tool in Windows 7. EFS allows the encryption of individual folders and files (including the whole tree under a folder) and can support multiple users using the same computer, each with protected data. Additionally, EFS allows multiple users to have secure access to sensitive data while protecting the data against unauthorized viewing or modification. EFS cannot be used to encrypt system files, however, and it should be combined with BitLocker to encrypt the system drive where sensitive data must be protected. EFS is susceptible to offline attack using the , but when you combine EFS with BitLocker to encrypt the system volume, this attack vector is closed.

EFS uses symmetric key encryption along with public key technology to protect files and folders. Each user of EFS is issued a digital certificate with a public and private key pair. EFS uses the keys to encrypt and decrypt the files transparently for the logged-on user. Authorized users work with encrypted files and folders just as they do with unencrypted files and folders. Unauthorized users receive an Access Denied message in response to any attempt to open, copy, move, or rename the encrypted file or folder.
