Inside Windows 7 Security: BitLocker Drive Encryption

Windows 7 is the next generation of operating system due from Microsoft and it is still set for a planned release for early 2010 which would be three years after the release of Windows Vista.

[NOTES FROM THE FIELD] Microsoft has now released their Release Candidate for Windows 7; I wrote a brief article Windows 7 Release Candidate (Build 7100) – Early Details on this already and indications are that Microsoft will have Windows 7 available for the 2009 holiday shopping season. Stay tuned…

This article series is an overview of BitLocker and Encrypting File System (EFS) in Windows 7. My first article in this series covered a high level review of the Encrypting File System and in this article, I’ll review some of the information with respect to Bitlocker on Windows 7.

What is BitLocker?

BitLocker Drive Encryption is available on some versions of Windows Vista, Windows Server 2008 R2 and in some editions of Windows 7.

Using BitLocker Drive Encryption is one of the best ways to protect portable systems such as laptops from loss of data and information when the laptops themselves are lost or stolen. Additionally, the use of BitLocker on desktop systems is also a good consideration when you consider how much information can be lost from recycled desktop systems that have not undergone a proper hard drive wipe routine before being sold off.

BitLocker leverages the Trusted Platform Module (TPM) version 1.2 hardware component installed in many of the newer laptop systems sold today. Additionally, many motherboard hardware vendors are now incorporating the Trusted Platform Module as part of their releases.

It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline.

[NOTES FROM THE FIELD] BitLocker can still be used on some systems to encrypt the Windows operating system drive even when the Trusted Platform Module (TPM) version 1.2 is not present. In that situation the end user needs to insert a USB startup key to boot the computer or to bring a system out of hibernation.

Additionally, systems that do not have TPM available cannot leverage the pre-startup system integrity verification offered by BitLocker with a TPM.

System requirements for BitLocker Drive Encryption

There are system requirements in order to leverage BitLocker. The quick rundown on these requirements are:

  • In order for BitLocker to use the system integrity check provided by the Trusted Platform Module it must have a TPM running version 1.2 otherwise BitLocker will require you to save a startup key on a removable device such as a USB flash drive.
  • Systems with a TPM must also have the Trusted Computing Group compliant BIOS which allows for the required chain of trust for the initialization process before the operating system loads. Systems without a TPM do not require a TCG-compliant BIOS.
  • The system BIOS for TPM and non-TPM systems must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment.
  • You need to have a primary partition that is at least 1.5 gigabytes (GBs) in size and it needs to be marked as the active partition. This is used by bootmgr to boot the system. The boot files are also found on this partition as well.
  • You’ll need at least one other primary partition to be used for the operating system and for data storage.

BitLocker System Integrity Check

BitLocker uses TPM to validate the integrity of a system by performing a check of the boot components and boot configuration data. This security measure is done to verify that the system is still in the checked state it is expected to be in.

If the system appears to have been changed in some manner BitLocker leaves the system locked before the operating system is loaded to prevent access to the information that is encrypted.

The potential changes could be anything from installed Trojans or root kits that have made their way onto an affected system to a malicious user attempting to boot to the computer or laptop from an alternate operating system with the intention of gaining unauthorized access to the data on the system.

According to the information supplied by Microsoft and other resources, there are a number of scenarios where the user or an administrator would need to recover the system / unlock a hard drive because the security has denied access; these include (but are not limited to):

  • Attempting to access a hard drive with BitLocker enabled in a different system
  • This would include attaching it via external Firewire / USB ports to another system
  • Changing / replacing motherboard with a new TPM.
  • Changing the status of the TPM (turning it off, temporarily disabling, and / or clearing the TPM
  • Updating the system BIOS and or any of the other ROM on the motherboard.
  • Intentional or unintentional changes to the initialization routine / boot components that cause system integrity validation to fail.
  • Entering the wrong PIN information when PIN authentication has been enabled.
  • Loss of (or damage to) the USB flash drive that has the information for the startup key when startup key authentication has been enabled.

Temporarily Disabling BitLocker

There are a few situations where you might need to temporarily disable BitLocker Drive Encryption to perform changes or maintenance to a system. Doing this will allow you to incorporate the changes to the system as part of an authorized change and that would keep the system from going into a state at start up that might require it to be recovered.

Some examples of these scenarios where you may need to temporarily disable BitLocker:

  • Updating the BIOS on the motherboard or other ROM that might be present.
  • This includes installing a hardware component that has its own ROM available.
  • Making other major system changes on the hardware side (replacing motherboard, adding devices that affect system initialization, etc)
  • Making intentional changes to the initialization routine / boot components
  • Installing a different version of the operating system
  • Changing the system startup to allow for dual booting
  • Making desired / required changes to the master boot record (MBR).
  • Changing the disk partitions when these changes affect the partition table.
  • Moving a BitLocker-protected drive to another computer

That’s a wrap for my overview of of BitLocker for Windows 7 – I hope you found it a good investment of your time.

Next up, I’ll be reviewing some of the high level information on the BitLocker To Go functionality which extends BitLocker data protection to USB storage devices allowing them to be secured.

I am always looking forward to any feedback you have on this or any of the articles I have written so feel free to drop in some comments or contact me directly.

Additionally, I would welcome any suggestions topics of interest that you would like to see and based on demand and column space I’ll do what I can to deliver them to you.

Best of luck in your studies.