
BitLocker™ Drive Encryption A look under the covers Steve Lamb Technical Security Advisor, Microsoft UK




1 BitLocker™ Drive Encryption A look under the covers Steve Lamb Technical Security Advisor, Microsoft UK http://blogs.technet.com/steve_lamb Stephen.lamb@microsoft.com

2 Agenda Is EFS Dead? A quick review What threats does it mitigate? What threats ARE NOT mitigated Enhancements @ Vista SP1 To Gain Access We Need Deployment Considerations Resources

3 Is EFS Dead?

4 A Quick Review: BitLocker

5 What threats does it mitigate? Data @ rest Over-riding Access Controls

6 What threats ARE NOT mitigated? Stupid User! Stupid Admin! Removable Media Weak Passwords

7 Enhancements @ SP1 Multi-volume support Key Rolling

8 What Is A Trusted Platform Module ? TPM 1.2 spec: www.trustedcomputinggroup.org

9 Secure the pre-boot environment Measure EVERYTHING

10 What do we measure?

11 To gain access we need Full Volume Encryption Key Volume Master Key Multiple places to store it

12 Volume Master Key – option 1: TPM -> Access

13 Volume Master Key – option 2: TPM + PIN -> Access

14 Volume Master Key – option 3: TPM + Startup Key -> Access

15 Volume Master Key – option 4: Recovery Key (Startup Key) -> Access

16 Volume Master Key – option 5: Recovery Password -> Access

17 BitLocker Encryption
Hello, World! (Plaintext) -> Full-Volume Encryption Key (FVEK) -> Derive Sector Key -> Diffuser (“Elephant”) -> AES -> Uryyb, Jbeyq! (Encrypted Sector)

18 Keys and Protectors (“Authenticators”)
Key chain: DATA (1) -> FVEK (2) -> VMK (3) -> protectors (4): TPM, TPM+USB, TPM+PIN, USB Key (Recovery or Non-TPM), Recovery Password (48 digits: 123456- 789012- 345678- ...)
Where’s the Encryption Key?
1. Data is encrypted with the FVEK.
2. The FVEK is encrypted with the VMK and then stored in the volume metadata.
3. The VMK is encrypted by one or more key protectors, then stored in the volume metadata.
4. The Trusted Platform Module will not decrypt the VMK if the system integrity check fails.
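Slides 17 and 18 describe a chain of wrapped keys, with the TPM refusing to release the VMK when the boot measurements change. The following Python model, added here and not Microsoft's code, shows that chain end to end: data under the FVEK, the FVEK under the VMK, and the VMK under two independent protectors (a simulated PCR-sealed TPM and a recovery password). BitLocker's real AES-CCM wrapping, the Elephant diffuser, the PCR layout and the recovery-password derivation are all replaced by constructed stand-ins (SHA-256 keystream plus HMAC tag, SimTpm, pcr_extend, recovery_key, BOOT_CHAIN, RECOVERY_PASSWORD) so it runs on the standard library alone; only the structure is faithful to the slides.

```python
import hashlib, hmac, os
def _keystream(key, label, n):
    return b"".join(hashlib.sha256(key + label + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))[:n]
def wrap(key, label, data):  # constructed stand-in for AES-CCM wrapping: keystream XOR + HMAC tag
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, label, len(data))))
    return ct + hmac.new(key, label + ct, hashlib.sha256).digest()
def unwrap(key, label, blob):  # returns None when the tag fails, i.e. a wrong protector secret
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, label + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, label, len(ct))))

def pcr_extend(measurements):  # simulated TPM PCR: hash and extend every boot component in order
    pcr = b"\x00" * 20
    for m in measurements:
        pcr = hashlib.sha1(pcr + hashlib.sha1(m).digest()).digest()
    return pcr
class SimTpm:  # seals data to a PCR value; the storage root key never leaves the object
    def __init__(self):
        self._srk = os.urandom(32)
    def seal(self, data, pcr):
        return pcr, wrap(self._srk, pcr, data)
    def unseal(self, sealed, current_pcr):
        expected_pcr, blob = sealed  # integrity check: the VMK is not released if the PCR differs
        return unwrap(self._srk, expected_pcr, blob) if current_pcr == expected_pcr else None

def recovery_key(password):  # constructed KDF for the 48-digit password, not BitLocker's real one
    return hashlib.sha256(b"recovery:" + password.replace("-", "").encode()).digest()

def create_volume(tpm, data, boot_measurements, recovery_password):
    # Data under the FVEK, FVEK under the VMK, VMK under two protectors, all kept in metadata.
    fvek, vmk = os.urandom(32), os.urandom(32)
    return {"data": wrap(fvek, b"sector0", data),
            "fvek": wrap(vmk, b"fvek", fvek),
            "tpm_protector": tpm.seal(vmk, pcr_extend(boot_measurements)),
            "recovery_protector": wrap(recovery_key(recovery_password), b"vmk", vmk)}

def unlock(tpm, volume, boot_measurements=None, recovery_password=None):
    # Recover the VMK through whichever protector is offered, then the FVEK, then the data.
    if boot_measurements is not None:
        vmk = tpm.unseal(volume["tpm_protector"], pcr_extend(boot_measurements))
    else:
        vmk = unwrap(recovery_key(recovery_password), b"vmk", volume["recovery_protector"])
    if vmk is None:
        return None
    return unwrap(unwrap(vmk, b"fvek", volume["fvek"]), b"sector0", volume["data"])

BOOT_CHAIN = [b"bios-v1", b"mbr", b"bootmgr"]  # constructed measurements
RECOVERY_PASSWORD = "123456-789012-345678-123456-789012-345678-123456-789012"  # constructed
```

A modified boot component changes the PCR and the simulated TPM returns nothing, while the recovery password still unwraps the same VMK, which is why the recovery protector must be guarded as carefully as the TPM path.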

19 Disk Configuration
Partitioning guidelines:

Disk Configuration | Partition 1 | Partition 2 | Partition 3
WinRE and BitLocker on separate partitions | BitLocker, Type 0x7, 1.5GB (Active) | Windows RE, Type 0x27, 1GB | Windows Vista, Type 0x7
Windows RE and BitLocker on same partition | Windows RE/BitLocker, Type 0x7, 1.5GB (Active) | Windows Vista, Type 0x7 | Not needed

20 You can measure the BIOS too

21 Deployment Considerations

22 Understanding the Options with the Windows Vista Security Guide
The Windows Vista Security Guide provides customers with best practices and automated tools to help them quickly and easily deploy Windows Vista, and provides tested guidance to balance their needs for security and functionality.
Solution Accelerators: Act faster. Go further.
Tested guidance by Windows Vista security experts
Preconfigured, customizable security settings
Unique GPO Accelerator tool deploys security configurations in minutes vs. hours

23 Please fill in your Evaluation Form

24 Resources
Data Encryption Toolkit for Mobile PCs
BitLocker Drive Encryption Technical Overview
Keys to Protecting Data with BitLocker Drive Encryption
Developing Credential Providers for Windows Vista
Create Custom Login Experiences With Credential Providers For Windows Vista

25 Resources
Visit TechNet in the ATE Pavilion and get a FREE 60-day subscription to TechNet Plus!
Technical Communities, Webcasts, Blogs, Chats & User Groups: http://www.microsoft.com/communities/default.mspx
Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx
Microsoft Developer Network (MSDN) & TechNet: http://microsoft.com/msdn and http://microsoft.com/technet
Trial Software and Virtual Labs: http://www.microsoft.com/technet/downloads/trials/default.mspx

26 © 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

