Presentation is loading. Please wait.

Presentation is loading. Please wait.

BitLocker™ Drive Encryption A look under the covers Steve Lamb Technical Security Advisor, Microsoft UK

Similar presentations


Presentation on theme: "BitLocker™ Drive Encryption A look under the covers Steve Lamb Technical Security Advisor, Microsoft UK"— Presentation transcript:

1 BitLocker™ Drive Encryption A look under the covers Steve Lamb Technical Security Advisor, Microsoft UK

2 Agenda Is EFS Dead? A quick review What threats does it mitigate? What threats ARE NOT mitigated Vista SP1 To Gain Access We Need Deployment Considerations Resources

3 Is EFS Dead? ?

4 A Quick Review BitLocker BitLocker

5 What threats does it mitigate? rest Over-riding Access Controls

6 What threats ARE NOT mitigated? Stupid User! Stupid Admin! Removable Media Weak Passwords

7 SP1 Multi-volume support Key Rolling

8 What Is A Trusted Platform Module ? TPM 1.2 spec:

9 Secure the pre-boot environment Measure EVERYTHING

10 What do we measure?

11 To gain access we need Full Volume Encryption Key Volume Master Key Multiple places to store it

12 Volume Master Key – option 1 TPMAccess

13 Volume Master Key – option 2 TPMPINAccess

14 Volume Master Key – option 3 TPM Startup Key Access

15 Volume Master Key – option 4 Recovery Key Startup Key Access

16 Volume Master Key – option 5 Recovery Password Access

17 BitLocker Encryption Hello, World! (Plaintext) Full-Volume Encryption Key (FVEK) Derive Sector Key Diffuser (“Elephant”) AES Uryyb, Jbeyq! (Encrypted Sector)

18 Keys and Protectors (“Authenticators”) DATA 1 FVEK 2 VMK 3 TPM 4 TPM+USB TPM+PIN USB Key (Recovery or Non-TPM) Recovery Password (48 Digits) Where’s the Encryption Key? 1.Data is encrypted with the FVEK 2.The FVEK is encrypted with the VMK and then stored in the volume metadata. 3.The VMK is encrypted by one or more key protectors, then stored in the volume metadata. 4.The Trusted Platform Module will not decrypt the VMK if the system integrity check fails.

19 Disk Configuration Partitioning guidelines: Disk ConfigurationPartition 1Partition 2Partitions 3 WinRE and BitLocker on separate partitions BitLocker Type 0x7 1.5GB (Active) Windows RE Type 0x27 1GB Windows Vista Type 0x7 Windows RE and BitLocker on same partition Windows RE/BitLocker Type 0x7 1.5GB (Active) Windows Vista Type 0x7 Not needed

20 You can measure the BIOS too

21 Deployment Considerations

22 Windows Vista Security Guide provides customers with best practices and automated tools to help them quickly and easily deploy Windows Vista, and provides tested guidance to balance their needs for security and functionality SOLUTIONACCELERATORS Act faster. Go further. Tested guidance by Windows Vista Security Experts Preconfigured, customizable security settings Unique GPO Accelerator tool deploys security configurations in minutes vs. hours Understanding the Options with the Windows Vista Security Guide

23 Please fill in your Evaluation Form

24 Resources Data Encryption Toolkit for Mobile PCs Bitlocker Drive Encryption Technical Overview Keys to Protecting Data with Bitlocker Drive Encryption Developing Credential Providers for Windows Vista Create Custom Login Experiences With Credential Providers For Windows Vista Create Custom Login Experiences With Credential Providers For Windows Vista

25 Resources Visit TechNet in the ATE Pavilion and get a FREE 60-day subscription to TechNet Plus! Technical Communities, Webcasts, Blogs, Chats & User Groups Microsoft Learning and Certification Microsoft Developer Network (MSDN) & TechNet Trial Software and Virtual Labs

26 © 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.


Download ppt "BitLocker™ Drive Encryption A look under the covers Steve Lamb Technical Security Advisor, Microsoft UK"

Similar presentations


Ads by Google