BitLocker Deployment Considerations within the Enterprise
By Ken Foster

Index

What is BitLocker?
Why should I use it?
How does BitLocker Work?
Why is TPM Important?
What are my Deployment Options?
Preparing for Key Storage and Recovery
Configuring BitLocker via Group Policy
- BitLocker Recovery Key backup to Active Directory
- Saving a text file of the Recovery Key to a Network Location
- Force FIPS 140-2 Compliant Algorithm use only
- Setting the Encryption Method and Strength
- Securing BitLocker Secrets at Restart
- Configure TPM platform validation profile
Using Command Line procedures to Manage BitLocker
- Forcing BitLocker encryption with TPM support
- Recovering the key from Active Directory
Using the BitLocker Recovery Password Viewer (MMC Snap-in)
Using the BitLocker Repair Tool to recover data

What is BitLocker?

BitLocker is a proprietary whole-disk encryption technology available in the Windows Vista Ultimate and Enterprise editions. It is designed to provide whole-disk encryption so that any data on the drive is worthless without proper access. Drive-interrogation boot disks may still be able to read the disk, but they will see only ciphertext, which makes the data useless. BitLocker works in two modes, stand-alone and enterprise; this article primarily covers enterprise mode. In stand-alone mode the key is stored on off-line media in the form of a USB device, and back-up copies of the recovery key are normally stored on a hard drive or printed as a means of recovery. In enterprise mode the Active Directory schema is extended and the recovery key is stored there, accessible to EFS recovery agents. BitLocker holds FIPS 140-2 Level 2 certification and is approved for Department of Defense use.
The product will live on and be extended in Windows 7 as 'BitLocker To Go', which will support removable media in addition to whole-disk encryption for all internal drives.

Why should I use it?

Whole-disk encryption inhibits, and potentially prevents, the theft of information from a protected device by unauthorized users. Depending on the industry, various regulatory requirements may dictate specific standards for the protection of client, corporate, and intellectual-property data, and whole-disk encryption provides a level of safety and compliance with respect to those standards. The use of encryption also satisfies the 'due diligence' requirements by which most corporate officers and government officials are bound. Encrypting sensitive data provides peace of mind to the customers directly affected by a loss and lowers the response costs of a data breach. While it has been suggested that BitLocker can save time by eliminating the need to shred drives at end of life, I do not know anyone who is actively using this method of data destruction.

How does BitLocker Work?

BitLocker uses a combination of hardware and software to protect the disk from unauthorized viewing. On the hardware side, BitLocker uses the Trusted Platform Module (TPM), if one is available, to verify pre-boot system integrity and to store the decryption key the operating system uses to access the encrypted data. On the software side, BitLocker encrypts the device with a 128-bit Advanced Encryption Standard (AES) key. If additional security is required, as in Department of Defense and other secure environments, BitLocker can be set to use a 256-bit key via a series of switches at the time of encryption. To give you some perspective, it would take 149 trillion years to crack a 128-bit AES key with 2001 technology (the year AES was released).
For relative comparison, the universe is believed to be less than 20 billion years old.

Why is TPM Important?

Though BitLocker can be used with or without a TPM, using one provides an extra layer of security and is considered the most secure way to use BitLocker in Windows Vista. The TPM is a microchip installed on the computer's motherboard that communicates with the rest of the system over a hardware bus and provides basic security-related cryptographic services. Computers that incorporate a TPM create two types of encryption keys, wrapping and sealing. The wrapping key (the private key) is referred to as the Storage Root Key (SRK) and is stored within the TPM itself; once created by the TPM, it is never exposed to any other component, software, process, or person. The second key type is the sealing key. When a sealing key is first created, the TPM records a snapshot of configuration values and file hashes, and the key is only "unsealed" when the current system values match the snapshot values. Through this sealed-key integrity process, BitLocker can detect attacks against the integrity of the Windows operating system or an attempted hardware alteration such as remounting the drive in a different machine.

What are my Deployment Options?

BitLocker supports four configurations, depending on the hardware capability of the system and the desired level of security. They are listed here from least secure to most secure, which is coincidentally also the order of least to most intrusive for the user.

- BitLocker with a Universal Serial Bus (USB) device. For computers without TPM support this is the only option. The sealing key is stored on the USB device, and to boot you must have the USB device or provide the recovery key. Using a USB device as the boot dongle places the system at some risk, since one of the two components can potentially be altered externally.
- BitLocker with TPM and USB. This uses the TPM chip and also requires a USB dongle for further verification. It suits installations where you want a two-man rule for system logon: one user holds the physical USB dongle and the other the device.
- BitLocker with TPM. This option is the most transparent to the user and uses the TPM without the risk of exposing an external device.
- BitLocker with TPM and personal identification number (PIN). This is the most secure configuration. As with BitLocker with TPM and USB, you can create a two-man rule if you wish by separating the PIN from the physical device, with the added benefit that there is no external device to risk compromise.

Preparing for Key Storage and Recovery

If you are not integrating your BitLocker recovery keys into an Active Directory domain, the following will not apply.
For those of you not following this practice (because you are not domain members or are a home user), best of luck should something go wrong! At a minimum, always retain three copies of your recovery key, secured to a level equal to twice the value of the data you are protecting should it be compromised. For those of you on an Active Directory 2003 / 2008 domain, the following information provides detailed instructions for the storage and recovery of the keys. The prerequisites for storing BitLocker keys in Active Directory are:

- You will need to extend the schema in Active Directory if your Domain Controllers are not already using the Server 2008 schema extensions.
- BitLocker recovery information is stored in a sub-object of the Computer object in Active Directory. The Computer object therefore serves as the container for one or more BitLocker recovery objects, one for each BitLocker-protected drive on that computer. The name of a BitLocker recovery object has a fixed length of 63 characters and consists of the following information: <Object Creation Date and Time><Recovery GUID>
- If your computer has a TPM chip (Trusted Platform Module), you are also able to store the TPM recovery information in Active Directory. To do so, you need to change the permissions on the Computer class object in Active Directory.

Configuring BitLocker via Group Policy

Group Policy is a powerful tool. For instance, you may decide to force the encryption of all mobile devices (laptops and tablet PCs) in your organization. To do so, you build a group policy and assign it to the appropriate Organizational Unit (OU) container. Once a computer object is placed in the container, the policy is applied at the next policy refresh (which can be forced immediately with 'gpupdate /force' at a command prompt). This clearly falls into the category of 'with the least amount of administrative effort'. To edit Group Policy, log on to a Windows Vista machine with domain credentials that have the rights to modify Group Policies.

1. At the Vista Start | Search prompt, type GPMC.MSC and press Enter.
2. Expand Computer Configuration.
3. Expand Administrative Templates.
4. Expand Windows Components.
5. Expand BitLocker Drive Encryption.

From this location the following options can be configured:

1. BitLocker Recovery Key backup to Active Directory
- Double-click Turn on BitLocker backup to Active Directory Domain Services.
- Select the Enabled radio button.
- Under Select BitLocker recovery information to store, select Recovery passwords and key packages.

If your client computers have a compliant TPM chip, you also want to enable the Group Policy setting that allows your clients to back up TPM recovery information to Active Directory:
- Navigate to Computer Configuration > Administrative Templates > System > Trusted Platform Module Services.
- Double-click Turn on TPM backup to Active Directory Domain Services.
- Select the Enabled radio button.

2. Saving a text file of the Recovery Key to a Network Location (secondary protocol for safety). Note: it must be saved to a secure network location.
- Locate the Control Panel Setup: Configure recovery folder option, set it to Enabled, and specify the network path.

3. Supporting BitLocker on non-TPM systems (if desired)
- Under Control Panel Setup: Enable Advanced Startup Options, check Allow BitLocker without a compatible TPM and configure the further policy options.

4. Force FIPS 140-2 Compliant Algorithm use only
- Locate the Computer Configuration setting System Cryptography: Use FIPS compliant algorithms and enable it.

5. Setting the Encryption Method and Strength
- Locate the Configure encryption method setting and set the desired encryption algorithm.

6. Securing BitLocker Secrets at Restart
- Locate the Prevent memory overwrite on restart option and set it to Disabled. This enforces the removal of BitLocker secrets from memory on restart.

7. Configure TPM platform validation profile
- Set to Enabled, and use the recommended defaults except for PCR 10: Boot Manager. Note: BitLocker gets unhappy if you have that option selected and the computer goes into hibernation; it will usually ask for a recovery password when the system wakes from hibernation, or on reboot.

Using Command Line procedures to Manage BitLocker

Forcing the drive to encrypt from the command line requires the BitLocker command-line utility (manage-bde.wsf).

Forcing BitLocker encryption with TPM support
1. From the Vista Start Menu, locate the Command Prompt shortcut. Right-click the icon and select Run as administrator.
2. Enter the following command (the volume to encrypt follows -on, and -RecoveryPassword generates a numerical recovery password for it):
   cscript manage-bde.wsf -on C: -RecoveryPassword
3. Follow the instructions on the screen to start the encryption process (see Figure 5).

[Figure 5]

Recovering the key from Active Directory

Finally, we verify that the recovery key was stored centrally. While the volume is being encrypted, we can check whether the BitLocker recovery key has been backed up by typing the following command:
   cscript GET-BitLockerRecoveryInfo.VBS
Notice that the recovery key listed in Figure 6 below matches the recovery key created in the previous step and listed in Figure 5.

[Figure 6]

Using the BitLocker Recovery Password Viewer (MMC Snap-in)

The BitLocker Recovery Password Viewer is an extension for the Active Directory Users and Computers (ADUC) MMC snap-in that allows you to locate and view BitLocker recovery passwords stored in Active Directory. It runs on Windows XP, Vista (Ultimate and Enterprise), and Server 2008. After you install this tool, you can examine a computer object's Properties dialog box to view the corresponding BitLocker recovery passwords (if you have the appropriate permissions).
Additionally, you can right-click a domain container and search for a BitLocker recovery password across all the domains in the Active Directory forest. Before you can use the BitLocker Recovery Password Viewer to view BitLocker recovery passwords, the following conditions must be true:
- The domain must be configured to store BitLocker recovery information.
- Windows Vista-based computers must be joined to the domain.
- BitLocker Drive Encryption must have been enabled on the Windows Vista-based computers.
Before you run this tool on the domain for the first time, run the following command from your Windows system folder as an Enterprise Administrator: regsvr32.exe BdeAducExt.dll

Using the BitLocker Repair Tool to recover data

Eventually, all hardware devices fail. The BitLocker Repair Tool can help you access encrypted data if the hard disk has been severely damaged. The tool can reconstruct critical parts of the drive and salvage any recoverable data; a recovery password or recovery key is required to decrypt the data. Use this command-line tool if the following conditions are true:
- You have encrypted the volume using BitLocker Drive Encryption.
- Windows Vista does not start, or you cannot start the BitLocker recovery console.
- You do not have a copy of the data contained on the encrypted volume.
Using a new hard drive (of equal or larger size) and a flash drive, the BitLocker Repair Tool can assist you in recovering the data. The full process is documented in KB article 928201. It is recommended that you prepare the necessary items and have a copy of this article printed and available at your recovery station.
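The Active Directory look-up that the GET-BitLockerRecoveryInfo.VBS step and the Recovery Password Viewer perform, written here as an added PowerShell example that is not part of the original article or of Microsoft's script: it reads the msFVE-RecoveryInformation objects stored under each computer object. The function name, its output fields and the assumption that the caller has been granted read access to those objects are mine.

```powershell
# Added example: query the BitLocker recovery objects that the "Turn on BitLocker backup to
# Active Directory Domain Services" policy creates as children of each computer object.
# Assumes a domain-joined machine and an account allowed to read msFVE-RecoveryInformation
# (Domain Admins, or a delegated recovery group). Uses System.DirectoryServices only.
function Get-BitLockerRecoveryInfo {
    param(
        [string]$ComputerName,   # list every recovery object stored under one computer
        [string]$RecoveryKeyId   # or find the object whose Recovery GUID starts with these hex digits
    )
    if (-not $ComputerName -and -not $RecoveryKeyId) {
        throw 'Specify -ComputerName or -RecoveryKeyId'
    }
    $rootDse    = [ADSI]'LDAP://RootDSE'
    $searchBase = "LDAP://$($rootDse.defaultNamingContext)"

    if ($ComputerName) {
        # Recovery objects live beneath the computer object, so locate the computer first
        $cs = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$searchBase)
        $cs.Filter = "(&(objectClass=computer)(cn=$ComputerName))"
        $computer = $cs.FindOne()
        if (-not $computer) { throw "Computer '$ComputerName' not found in Active Directory" }
        $searchBase = $computer.Path
        $filter = '(objectClass=msFVE-RecoveryInformation)'
    } else {
        # Object name is <creation time>{<Recovery GUID>}; the recovery screen shows the
        # leading hex digits of that GUID as the Password ID, so match on the prefix
        $filter = "(&(objectClass=msFVE-RecoveryInformation)(name=*{$RecoveryKeyId*))"
    }

    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$searchBase)
    $s.Filter = $filter
    $s.SearchScope = 'Subtree'
    [void]$s.PropertiesToLoad.AddRange([string[]]@('name', 'msFVE-RecoveryPassword', 'whenCreated', 'distinguishedName'))

    foreach ($r in $s.FindAll()) {
        $dn = [string]$r.Properties['distinguishedname'][0]
        # The recovery object's parent in the DN is the computer it belongs to
        $parentCn = ($dn -split ',', 2)[1] -replace '^CN=([^,]+),.*$', '$1'
        New-Object PSObject -Property @{
            Computer         = $parentCn
            RecoveryObject   = [string]$r.Properties['name'][0]
            Created          = $r.Properties['whencreated'][0]
            RecoveryPassword = [string]$r.Properties['msfve-recoverypassword'][0]
        }
    }
}

# Confirm that this machine's key was escrowed before trusting the encryption job
Get-BitLockerRecoveryInfo -ComputerName $env:COMPUTERNAME | Format-List
```

An empty result for a machine whose encryption has finished means the policy did not take effect or the backup failed, which is exactly the case the author warns about when recommending that key escrow be verified while the volume is still encrypting.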