Windows BitLocker

Table of Contents

Windows BitLocker ........ 2
Windows BitLocker Overview ........ 3
Windows BitLocker Usage ........ 5
Windows BitLocker Advantages ........ 8
Windows BitLocker Disadvantages ........ 10
Windows BitLocker Configuration - 1 ........ 16
Windows BitLocker Configuration - Turn On ........ 17
Windows BitLocker Configuration - Turn Off ........ 18
Notices ........ 19

Page 1 of 19

Windows BitLocker
79

**079 Another locker is Windows BitLocker. This is the one we talked about that has encryption associated with it.

Windows BitLocker Overview

BitLocker provides hard drive encryption.
• Windows system drive
• Fixed data drives (internal hard drives)
BitLocker ToGo is used for removable hard drives.
• External hard drives
• USB drives
If a TPM (Trusted Platform Module) is on the system, BitLocker will store the cryptographic keys in the TPM.
80

**080 Hard drive encryption. The Windows system drive is going to be encrypted with BitLocker. Any internal drives I have on this computer system are going to be encrypted with BitLocker. BitLocker itself does not work with these devices-- any external drives or USB devices. If I want to have encryption on these devices, there is a version-- it's called BitLocker ToGo-- that I can employ that will support that capability. When we think about encryption, encryption requires keys. If we have a Trusted Platform Module on the computer system, BitLocker will use that Trusted Platform Module to store those cryptographic keys. So those keys-- if you think about it, the danger is this: If I have a hard drive and I'm going to encrypt that entire hard drive, and the keys are stored on that hard drive, then once I do the encryption, I will never have access to the keys to be able to decrypt it. So we want the keys stored somewhere else, and that's why we use the Trusted Platform Module-- a chip on the machine, for example, that is going to allow us to have those keys to decrypt it. Right? So, I have BitLocker for internal system drives and then BitLocker ToGo for external drives.

Windows BitLocker Usage

BitLocker requires two partitions.
• System partition to contain files needed to start the system
• An OS partition for Windows and all other files that will be encrypted
Files are automatically encrypted as they are added to the drive.
Microsoft provides a step-by-step guide to BitLocker.
Ref: http://technet.microsoft.com/en-us/library/cc732725%28v=ws.10%29.aspx
81

**081 Yes?

Student: So the obvious question is, if a machine doesn't have TPM, where does it store its keys?

Mark Williams: Then you're going to have to have a-- well, it would store it on a different partition on the drive, or you could even have a different drive that you would store it on. Maybe you would want to store your keys on a removable device. All right?

Student: I see. Thank you.

Mark Williams: You'd have to choose. And that's one of the things to keep in mind. When we're installing BitLocker externally, it does require two partitions, and that's partly-- partly the reason is if I don't have a TPM, that second partition is going to be for the keys, and that second partition would also be for the basic files that are needed to get it going. If I encrypt every single thing, then obviously it won't work at all. So we have two partitions. Which, that implies-- if I have to have multiple partitions-- that implies I'm going to have to BitLocker when I first build the machine, right? Doing it later on is going to be much more cumbersome. Yeah?

Student: You can store it in Active Directory, but you have to extend the schema. So.

Mark Williams: Active Directory on the domain controller?

Student: Yeah. But apparently you have to extend the schema a little bit. There's a little bit of work involved.

Mark Williams: A little bit of work.

Student: Yeah.

Mark Williams: Yeah, I can't imagine doing any of this without a little bit of work.

Student: Right.

Mark Williams: All right. One of the nice things about BitLocker is once you do encrypt the drive, if I create a new file, I add a new file, I modify the file, that newly created, newly added, newly modified file is automatically going to get encrypted on the drive. All right? The cool thing is, it is not-- well, I say the cool thing. Initially it's not a real simple task to enable BitLocker. But the cool thing is Microsoft does provide a very good guide that you can follow that gets you through the steps. All right?

Windows BitLocker Advantages

BitLocker helps to stop the hackers from accessing the system files that they rely on to get to your passwords.
Data cannot be accessed even if the drive is placed in another system.
BitLocker can be turned off at any time.
82

**082 Why do we want to do it? Like I said, if that government agency that sent me that letter telling me that my data was on a stolen laptop, had they told me that the laptop was encrypted, I would not have had any troubles with that issue. Right? But they didn't do that. One of my partners one time, she was in a hotel. She had her laptop stolen from the hotel. And we weren't worried about it, because we knew that she does use full hard disk encryption, so all the customer data, all the client data that we had on that laptop-- it's not a big deal. Yeah, they have the hardware, they have a machine, but there's no way, without the proper key, that they're going to be able to get access to that actual customer data. And that's the big benefit. Once I turn on BitLocker, it is flexible in the fact I can turn it off if I want. I can even turn it off for short periods of time if I wanted to do that. I personally can't think of a real good reason why I would want to-- after enabling BitLocker-- turn it off, other than maybe there's a performance issue or performance reason that I might want to turn it off for a period of time. You have a reason?

Student: Updating BIOS.

Mark Williams: Updating BIOS? Okay.

Student: They don't see that as a hardware change. So you just suspend it, do it, bring it back, and it's fine.

Mark Williams: All right, very good. That's a good point. I hadn't thought of that. So updating BIOS. All right.

Windows BitLocker Disadvantages

Data is only encrypted on the BitLocker drive.
• Move the data, say send the file in an email, the encryption is lost.
BitLocker may cause performance issues.
83

**083 Disadvantages. The data is only protected while it's on that BitLocker drive. If I take that data off of that BitLocker drive and move it somewhere else-- say send it to you in an email-- the encryption does not go with it. And so that's a potential danger. And just the mere fact that we're doing any kind of encryption and decryption just to use files and data, it's probably going to be a performance hit. How about servers and databases? Would you guys use BitLocker in a database environment? I don't think I would.

Student: I've used Microsoft as a product for SQL Server. Transparent data encryption. And it only took about a 3 percent hit.

Mark Williams: A 30 percent hit?

Student: Three percent hit.

Mark Williams: Oh, I was going to say, only a 30 percent hit? That's pretty bad. But 3 percent.

Student: Utilization when I the database. It wasn't bad. I mean, it was a pretty decent Dell server.

Mark Williams: All right. It did take a hit. You have to really take a look at what kind of equipment you're running it on. Right? And also look at the application-- the utility, I should say. How often is the data going to be accessed and by how many people-- that all is going to have a bearing on, "Should I turn on this encryption on this very busy server on this very busy database or not?" A lot of people would say that the encryption-- the performance hit that we take is just too great. But 3 percent, that's not too bad at all.

Student: That's not bad. The one caveat was it needed the enterprise version of SQL, which was more money. And the plus side of it was there's certain laws saying if your data is encrypted and it gets compromised, then you have leeway as to whether you need to do notification or not. It just depends.

Mark Williams: Yes?

Student: The thing is there's quite a nice alternative, self-encrypting drives, which is relatively low cost, and really easy to manage, and you complete a separate-- the data-at-rest encryption from your CPU. And it's platform-transparent. So that's much easier to deal with.

Mark Williams: That is an alternative, absolutely.

Student: Who makes it?

Student: Quite a few.