BitLocker/Active Directory Encryption Procedure
Department: Information Security Office
Version: 1.0
Last Revised: 09/26/2011
Purpose
To provide a step-by-step procedure for encrypting installed laptop hard drives using BitLocker in ASU's Active Directory environment.
Scope
Laptops running Windows 7, Windows Server 2008 R2, or newer that are used to handle or store sensitive data at ASU.
System requirements:
o TPM 1.2-compliant chip
o TCG-compliant BIOS
o Windows 7 Enterprise or Ultimate, or Windows Server 2008 R2
o Joined to an ASU Active Directory domain
Note: Domain connection is required to store BitLocker recovery keys and TPM owner information, not for operation of an encrypted laptop. The laptop does not have to remain connected to the AD domain after the encryption procedure; however, it is recommended to keep the laptop connected until the process has completed.
Audience
Technical support staff responsible for end user equipment
Procedure Preparation
1. Required: Verify that the laptop meets the requirements listed above.
2. Strongly recommended: Back up the laptop's hard drive.
3. Required: Update the laptop to the current BIOS firmware (typically available from the computer manufacturer's support/drivers download site).
4. Recommended: Have a USB drive or other removable media on hand.
Activate the TPM Chip
The TPM chip must be activated before beginning the encryption process. On most systems, this is done at the BIOS level. The instructions below apply to most Dell laptops; other systems may not be identical, but should be very similar.
1. Boot the system into BIOS setup.
2. Choose "Security" from the BIOS menu.
3. Set "TPM Activation" to "Activate."
4. Set "TPM Security" to "On."
5. Save the settings, exit, and reboot.
Apply Active Directory Storage Settings
Configure the laptop to enable and require storage of the BitLocker recovery key and TPM owner information in Active Directory. This can be done using any of the following methods:
1. Link the ASURITE Group Policy object EnableBitLockerKeyStorage to the system (or, preferably, to the OU that contains it).
2. Create your own GPO using the EnableBitLockerKeyStorage GPO's settings as a base, and apply it to the system or its containing OU.
3. Apply the EnableBitLockerKeyStorage GPO's settings to the laptop manually.
The EnableBitLockerKeyStorage GPO's settings and a brief step-by-step guide to creating a Group Policy object are included as appendices to this document.
When this task is complete, reboot the system to apply the settings.
Enable BitLocker
With the Active Directory storage settings applied and the system rebooted, turn on BitLocker for the operating system drive:
1. In the Control Panel, under the System and Security category, choose BitLocker Drive Encryption.
2. Under BitLocker Drive Encryption - Hard Disk Drives, next to the C: drive, click Turn On BitLocker.
3. Check the box to Run BitLocker System Check.
4. Click to Restart when prompted.
BitLocker will initialize the TPM chip and/or partition the disk as required, then begin drive encryption. Because the GPO omits recovery options from the setup wizard, no recovery password is displayed or saved locally; it is written only to Active Directory, and the GPO prevents encryption from starting if that write fails. Encryption can be paused, and the system can be used while it proceeds in the background.
Note: During the encryption process the disk will temporarily appear to be full, because BitLocker overwrites free space as part of the conversion. Once complete, BitLocker does not noticeably affect free disk space.
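The following PowerShell script is an added example, not part of the ASU procedure: it performs the Preparation and TPM checks above, turns on BitLocker for the C: drive with the same protectors the Control Panel wizard creates (TPM plus a 48-digit recovery password), and then forces and verifies the Active Directory escrow. It assumes Windows 7 or Server 2008 R2 with manage-bde.exe, an elevated prompt, and that the storage settings were applied and the laptop rebooted; the wizard's "Run BitLocker System Check" has no command-line equivalent, so the TPM checks stand in for it.

```powershell
# Added example (not ASU's code). Assumes C: is the OS drive and manage-bde.exe is present.
$ErrorActionPreference = 'Stop'
$Drive = 'C:'

function Test-Prerequisites {
    # Scope section: BitLocker-capable edition, domain-joined, TPM present/enabled/activated.
    $os = Get-WmiObject Win32_OperatingSystem
    $cs = Get-WmiObject Win32_ComputerSystem
    if ($os.Caption -notmatch 'Enterprise|Ultimate|Server') {
        throw "This edition does not include BitLocker: $($os.Caption)"
    }
    if (-not $cs.PartOfDomain) {
        throw 'Not domain-joined: recovery information cannot be escrowed to AD.'
    }
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
    if ($tpm -eq $null) { throw 'No TPM reported by Windows (BIOS: is "TPM Security" set to On?).' }
    if (-not $tpm.IsEnabled().IsEnabled) { throw 'TPM present but not enabled in BIOS.' }
    if (-not $tpm.IsActivated().IsActivated) { throw 'TPM enabled but not activated (BIOS: "TPM Activation").' }
    if (-not $tpm.IsOwned().IsOwned) {
        # Initialize the TPM as the wizard would. Under the GPO the owner information is escrowed
        # to AD first, and "Require TPM backup" makes this step fail if that escrow fails.
        $bytes = New-Object byte[] 16
        (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
        $ownerPw = [Convert]::ToBase64String($bytes)
        & manage-bde -tpm -takeownership $ownerPw | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'TPM ownership failed; check AD escrow of TPM owner information.' }
    }
    Write-Host ("Prerequisites OK: {0}; domain {1}; TPM spec {2}" -f $os.Caption, $cs.Domain, $tpm.SpecVersion)
}

function Get-BdeVolume {
    Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
}

function Enable-BitLockerWithEscrow {
    # Command-line equivalent of Turn On BitLocker: TPM protector for normal boot, numerical
    # (48-digit) recovery password as the escrowed recovery method. If the disk has no separate
    # system partition, run bdehdcfg.exe first; Windows 7 setup normally creates one.
    & manage-bde -protectors -add $Drive -tpm | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Adding the TPM protector failed.' }
    & manage-bde -protectors -add $Drive -RecoveryPassword | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Adding the recovery password protector failed.' }
    & manage-bde -on $Drive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed; inspect 'manage-bde -status $Drive'." }
}

function Confirm-RecoveryEscrow {
    # The GPO refuses to start encryption until the backup succeeds; an explicit backup of each
    # numerical-password protector makes the result visible and repeatable for the technician.
    $vol = Get-BdeVolume
    $rp = $vol.GetKeyProtectors(3)   # 3 = numerical password
    if ($rp.ReturnValue -ne 0 -or @($rp.VolumeKeyProtectorID).Count -eq 0) {
        throw 'No numerical password protector on the volume; recovery would be impossible.'
    }
    foreach ($id in @($rp.VolumeKeyProtectorID)) {
        $r = $vol.BackupRecoveryInformationToActiveDirectory($id)
        if ($r.ReturnValue -ne 0) {
            throw ("AD backup of protector {0} failed, HRESULT 0x{1:X8}" -f $id, $r.ReturnValue)
        }
        Write-Host "Escrowed to AD: recovery password ID $id"   # the password itself is never printed
    }
    $st = $vol.GetConversionStatus()
    Write-Host ("Conversion status {0}, {1}% encrypted; protection status {2}" -f `
        $st.ConversionStatus, $st.EncryptionPercentage, $vol.ProtectionStatus)
}

Test-Prerequisites
Enable-BitLockerWithEscrow
Confirm-RecoveryEscrow
```

Encryption continues in the background after the script returns; ProtectionStatus changes to 1 only once the conversion is complete.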
Transfer of Ownership
On personnel termination or transfer of the laptop to a new user:
1. Use the BitLocker Drive Encryption control panel to turn off BitLocker, choosing Decrypt Drive (not Suspend Protection). Wait for decryption to finish; this can take as long as the original encryption did.
2. Use the Enable BitLocker procedure above to re-enable BitLocker. This generates and escrows a new BitLocker recovery key, and the drive is re-encrypted under a new volume key, so the previous user's recovery password no longer unlocks it.
Note: The recovery information objects from earlier enablements remain under the computer object in Active Directory; they are not removed automatically.
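The script below is an added example (not from the original document) of the transfer steps from the command line: decrypt rather than suspend, wait for the conversion to finish, re-enable with the same protectors, and prove that a new recovery password exists and is escrowed. It assumes C:, manage-bde.exe, and an elevated prompt on Windows 7 or Server 2008 R2.

```powershell
# Added example (not ASU's code): transfer-of-ownership rotation for the OS drive.
$ErrorActionPreference = 'Stop'
$Drive = 'C:'
$vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
    -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"

function Get-RecoveryPasswordIds {
    $r = $vol.GetKeyProtectors(3)   # 3 = numerical password protectors
    if ($r.ReturnValue -ne 0) { throw 'GetKeyProtectors failed' }
    @($r.VolumeKeyProtectorID)
}

function Wait-Conversion([int]$ExpectedState, [string]$What) {
    # ConversionStatus: 0 FullyDecrypted, 1 FullyEncrypted, 2 EncryptionInProgress,
    # 3 DecryptionInProgress, 4 EncryptionPaused, 5 DecryptionPaused. Polls every 30 s;
    # full decryption or encryption of a laptop disk can take hours.
    do {
        Start-Sleep -Seconds 30
        $st = $vol.GetConversionStatus()
        Write-Host ("{0}: status {1}, {2}% encrypted" -f $What, $st.ConversionStatus, $st.EncryptionPercentage)
        if ($st.ConversionStatus -eq 4 -or $st.ConversionStatus -eq 5) {
            throw "$What is paused; resume with 'manage-bde -resume $Drive' and re-run."
        }
    } while ($st.ConversionStatus -ne $ExpectedState)
}

$old = Get-RecoveryPasswordIds
Write-Host "Recovery password ID(s) before transfer: $old"

# Step 1: decrypt. 'manage-bde -off' is the equivalent of Turn Off BitLocker > Decrypt Drive;
# suspending protection would keep the old keys and the old recovery password.
& manage-bde -off $Drive | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'manage-bde -off failed' }
Wait-Conversion 0 'Decryption'

# Step 2: re-enable with the protectors the Enable BitLocker procedure produces.
& manage-bde -protectors -add $Drive -tpm | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Adding the TPM protector failed' }
& manage-bde -protectors -add $Drive -RecoveryPassword | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Adding the recovery password protector failed' }
& manage-bde -on $Drive | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'manage-bde -on failed' }

# Rotation check: every protector must be new, and every new one must be in AD.
$new = Get-RecoveryPasswordIds
if ($new.Count -eq 0) { throw 'No recovery password protector after re-enable' }
foreach ($id in $new) {
    if ($old -contains $id) { throw "Recovery password $id survived the transfer; rotation failed" }
    $r = $vol.BackupRecoveryInformationToActiveDirectory($id)
    if ($r.ReturnValue -ne 0) { throw ("AD escrow of {0} failed, HRESULT 0x{1:X8}" -f $id, $r.ReturnValue) }
}
Write-Host "New recovery password ID(s) escrowed: $new"
Wait-Conversion 1 'Encryption'
```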
Data Recovery/Key Retrieval
To recover data from a disk encrypted with BitLocker, follow the instructions online at http://support.microsoft.com/kb/928202
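As an added example (not part of the procedure or of KB928202), the script below reads the escrowed objects directly with System.DirectoryServices, which is useful when the Recovery Password Viewer snap-in from that article is not installed. The computer name and password-ID prefix are constructed placeholders; the script assumes the caller has been delegated read access to msFVE-RecoveryInformation objects, which ordinary domain users do not have.

```powershell
# Added example (not ASU's code): look up BitLocker recovery passwords escrowed in AD.
# Works on any domain-joined machine with the [ADSI] accelerator; no RSAT needed.
$ErrorActionPreference = 'Stop'

function Get-DomainRoot {
    $rootDse = [ADSI]'LDAP://RootDSE'
    [ADSI]('LDAP://' + $rootDse.defaultNamingContext)
}

function Convert-RecoveryEntry($result) {
    # Shape one msFVE-RecoveryInformation search result into a readable record.
    # msFVE-RecoveryGuid is stored as a 16-byte octet string; the 48-digit password is a string.
    $p = $result.Properties
    $guid = New-Object Guid (,[byte[]]$p['msfve-recoveryguid'][0])
    New-Object PSObject -Property @{
        ComputerDN       = [string]$result.GetDirectoryEntry().Parent.distinguishedName
        Created          = $p['whencreated'][0]
        PasswordId       = $guid.ToString().ToUpper()
        RecoveryPassword = $p['msfve-recoverypassword'][0]   # sensitive: handle like a credential
    }
}

function Get-BitLockerRecoveryForComputer([string]$ComputerName) {
    # Recovery objects are children of the computer object, one per escrowed recovery password,
    # so old entries from earlier enablements show up alongside the current one (check Created).
    $s = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList (Get-DomainRoot)
    $s.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
    $computer = $s.FindOne()
    if ($computer -eq $null) { throw "Computer account $ComputerName not found" }
    $k = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $computer.GetDirectoryEntry()
    $k.SearchScope = 'OneLevel'
    $k.Filter = '(objectClass=msFVE-RecoveryInformation)'
    foreach ($r in $k.FindAll()) { Convert-RecoveryEntry $r }
}

function Find-BitLockerRecoveryById([string]$PasswordIdPrefix) {
    # The recovery screen on the laptop shows the first 8 hex characters of the password ID.
    # The object's CN embeds the full GUID in braces, so a wildcard CN match finds it domain-wide
    # even when the caller does not know which computer the drive came from.
    $s = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList (Get-DomainRoot)
    $s.SearchScope = 'Subtree'
    $s.Filter = "(&(objectClass=msFVE-RecoveryInformation)(cn=*{$PasswordIdPrefix*))"
    foreach ($r in $s.FindAll()) { Convert-RecoveryEntry $r }
}

# Constructed sample inputs; replace with the real computer name or the ID from the recovery screen.
Get-BitLockerRecoveryForComputer 'ASU-LAPTOP-01' | Sort-Object Created -Descending | Format-List
Find-BitLockerRecoveryById '3A9F0C11' | Format-List
```

When several entries exist for one computer, the most recently created one belongs to the current encryption; match its PasswordId against the ID displayed on the recovery screen before reading out the password.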
Appendix: Creating and/or Applying a Group Policy Object
Preparation
Download and install MS Remote Server Administration Tools.
Download: http://www.microsoft.com/download/en/details.aspx?id=7887 Documentation: http://technet.microsoft.com/en-us/library/ee449467(WS.10).aspx
Step 1 Start the Group Policy Editor.
Run mmc.exe and add the following snap-ins, selecting your target domain when prompted:
o Active Directory Users and Computers
o Group Policy Management
(Note: You can add any other snap-ins you like and save the result as your own management console. Answer "yes" when asked whether to save the console on closing, and give it a filename. Next time, open the file in MMC to save a few clicks.)
Step 2 Find your OU.
Expand the Group Policy Management snap-in. Expand the Forest, then Domains, then your target domain. Your top-level OU should be visible now (e.g., M.IT). Keep expanding if you are managing a sub-OU (e.g., M.IT.ACIT). Right-click your OU and choose the appropriate option:
o Link an Existing GPO... (step 3a)
o Create a GPO in this domain, and Link it here... (step 3b)
Step 3a Link an existing GPO.
Select the template from the list of Group Policy objects and click OK. It will appear under your OU name. Double-click it to view more information.
Don't expect to have permission to change the template settings; changes would affect everyone else who links the same template. If you need different settings, either override the template with another GPO of your own or create your own template instead of linking the existing one.
Step 3b Create a GPO and Link it.
Give your template a name. You can choose an existing template as a starting point. The Group Policy Management Editor should open in a new window. Choose the settings you want to apply, then save the template and exit.
Appendix: EnableBitLockerKeyStorage GPO Settings
Computer Configuration (Enabled)

Policies / Administrative Templates
Policy definitions (ADMX files) retrieved from the local machine.

System/Trusted Platform Module Services
    Policy: Turn on TPM backup to Active Directory Domain Services
        Require TPM backup to AD DS: Enabled
        If selected, the TPM owner password cannot be set or changed if the backup fails (recommended default).
        If not selected, the TPM owner password can be set or changed even if the backup fails. The backup is not automatically retried.

Windows Components/BitLocker Drive Encryption
    Policy: Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)
        Require BitLocker backup to AD DS: Enabled
        If selected, BitLocker cannot be turned on if the backup fails (recommended default).
        If not selected, BitLocker can be turned on even if the backup fails. The backup is not automatically retried.
        Select BitLocker recovery information to store: Recovery passwords and key packages
        A recovery password is a 48-digit number that unlocks access to a BitLocker-protected drive. A key package contains a drive's BitLocker encryption key secured by one or more recovery passwords. Key packages may help perform specialized recovery when the disk is damaged or corrupted.

Windows Components/BitLocker Drive Encryption/Fixed Data Drives
    Policy: Choose how BitLocker-protected fixed drives can be recovered
        Allow data recovery agent: Enabled
        Configure user storage of BitLocker recovery information:
            Allow 48-digit recovery password
            Allow 256-bit recovery key
        Omit recovery options from the BitLocker setup wizard: Enabled
        Save BitLocker recovery information to AD DS for fixed data drives: Enabled
        Configure storage of BitLocker recovery information to AD DS: Backup recovery passwords and key packages
        Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives: Enabled

Windows Components/BitLocker Drive Encryption/Operating System Drives
    Policy: Choose how BitLocker-protected operating system drives can be recovered
        Allow data recovery agent: Enabled
        Configure user storage of BitLocker recovery information:
            Allow 48-digit recovery password
            Allow 256-bit recovery key
        Omit recovery options from the BitLocker setup wizard: Enabled
        Save BitLocker recovery information to AD DS for operating system drives: Enabled
        Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
        Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: Enabled

User Configuration (Enabled)
No settings defined.
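For the third method under "Apply Active Directory Storage Settings" (applying the settings by hand), the following PowerShell script is an added example, not part of the ASU document: it writes the registry values that correspond to the settings listed above and then reports any that differ, so the same function can later be used to audit a laptop for drift. The value names are my reading of the TPM.admx and VolumeEncryption.admx templates, so confirm them with gpresult against a machine where the GPO is linked before relying on them; run elevated and reboot afterwards so the BitLocker service re-reads policy.

```powershell
# Added example (not ASU's code): manual equivalent of the EnableBitLockerKeyStorage GPO.
# Value names assumed from TPM.admx / VolumeEncryption.admx; verify with gpresult /h.
$ErrorActionPreference = 'Stop'

$Policy = @{
    'HKLM:\SOFTWARE\Policies\Microsoft\TPM' = @{
        ActiveDirectoryBackup        = 1   # Turn on TPM backup to Active Directory Domain Services
        RequireActiveDirectoryBackup = 1   # Require TPM backup to AD DS
    }
    'HKLM:\SOFTWARE\Policies\Microsoft\FVE' = @{
        # Store BitLocker recovery information in AD DS (Windows Server 2008 and Windows Vista)
        ActiveDirectoryBackup          = 1
        RequireActiveDirectoryBackup   = 1   # Require BitLocker backup to AD DS
        ActiveDirectoryInfoToStore     = 1   # 1 = recovery passwords and key packages, 2 = passwords only
        # Choose how BitLocker-protected operating system drives can be recovered
        OSRecovery                     = 1
        OSManageDRA                    = 1   # Allow data recovery agent
        OSRecoveryPassword             = 2   # 2 = allow 48-digit recovery password (1 = require, 0 = do not allow)
        OSRecoveryKey                  = 2   # 2 = allow 256-bit recovery key
        OSHideRecoveryPage             = 1   # Omit recovery options from the BitLocker setup wizard
        OSActiveDirectoryBackup        = 1   # Save BitLocker recovery information to AD DS for OS drives
        OSActiveDirectoryInfoToStore   = 1   # store recovery passwords and key packages
        OSRequireActiveDirectoryBackup = 1   # Do not enable BitLocker until information is stored to AD DS
        # Choose how BitLocker-protected fixed drives can be recovered (same layout, FDV prefix)
        FDVRecovery = 1; FDVManageDRA = 1; FDVRecoveryPassword = 2; FDVRecoveryKey = 2
        FDVHideRecoveryPage = 1; FDVActiveDirectoryBackup = 1; FDVActiveDirectoryInfoToStore = 1
        FDVRequireActiveDirectoryBackup = 1
    }
}

function Set-PolicyValues {
    # Keys under HKLM\SOFTWARE\Policies are owned by Group Policy: a GPO linked to this computer
    # will overwrite these values at the next refresh, which is the desired behaviour.
    foreach ($key in $Policy.Keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $Policy[$key].Keys) {
            Set-ItemProperty -Path $key -Name $name -Value ([int]$Policy[$key][$name]) -Type DWord
        }
    }
}

function Test-PolicyValues {
    # Returns one line per setting that is missing or differs from the GPO; empty means compliant.
    $drift = @()
    foreach ($key in $Policy.Keys) {
        foreach ($name in $Policy[$key].Keys) {
            $actual = $null
            if (Test-Path $key) { $actual = (Get-ItemProperty -Path $key).$name }
            if ($actual -ne $Policy[$key][$name]) {
                $drift += ("{0}\{1}: expected {2}, found {3}" -f $key, $name, $Policy[$key][$name], $actual)
            }
        }
    }
    $drift
}

Set-PolicyValues
$drift = Test-PolicyValues
if ($drift) { $drift | Write-Warning; throw 'Policy values did not apply' }
Write-Host 'EnableBitLockerKeyStorage settings applied locally; reboot before enabling BitLocker.'
```

Running only Test-PolicyValues on a laptop that should have the GPO linked is a quick way to confirm the link actually reached it before starting the encryption procedure.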