4 BitLocker™ Drive Encryption BitLocker Drive Encryption fully encrypts the entire Windows Vista volume.Enhanced in Windows Vista SP1 and Windows Server 2008 to provide multi-volume/drive protection!Designed specifically to prevent the unauthorized disclosure of data when it is at rest.Provides data protection on your Windows client systems, even when the system is in unauthorized hands.Designed to utilize a v1.2 Trusted Platform Module (TPM) for secure key storage and boot environment authenticationBitLocker
5 What Is A Trusted Platform Module (TPM)? Smartcard-like module on the motherboardProtects secretsTPM is made up of a set of entry points called PCR’s. Holds Platform Measurements (hashes).Performs cryptographic functionsRSA, SHA-1, RNGCreates, stores and manages keysProvides a unique Endorsement Key (EK)Provides a unique Storage Root Key (SRK)Anchors chain of trust for keys and credentialsProtects itself against attacksTPM is made up of a set of entry points called PCR’s. These PCR’s are used to store information that builds what is called the Core Root of Trust Measurement.EK is a key applied by the manufacturer, VAR, or OEM. Infineon TPM’s are manufactured with an EK in place. Broadcom TPM’s do not ship with an EK in place. This service can be provided by your OEM or VAR but this is dependant on the PC manufacturer. If your machine do not have EK’s you can create one using the TPM WMI provider however this is not the recommended method. The EK that is placed on the TPM should be managed by and organization that can guarantee it uniqueness and that is was applied in a secure environment.TPM has built in protection for dictionary attacks using anti-hammering technology.TPM 1.2 spec:
6 BitLocker™ Partition Layout Disk partition requirements for BitLocker are unique make sure you consider this from the beginning of your deployment design.Two partitions are required.System Partition (Primary, NTFS, Active, 1.5Gb, Type 7)Why so large? – The minimum partition size recommendation was made for the following reasons:BitLocker requires 50mb of spaceWinRE requires 550mb of spaceServicing requires 900mb of spaceOS Partition (Primary, NTFS, Type 7, Any size)
7 Encryption Key Storage OS Volume Contains:Encrypted OSEncrypted Page FileEncrypted Temp FilesEncrypted DataEncrypted Hibernation FileWhere’s the Encryption Key?SRK (Storage Root Key) contained in TPMSRK encrypts FVEK (Full Volume Encryption Key) protected by TPM/PIN/USB Storage DeviceFVEK stored (encrypted by SRK) on hard drive in the OS VolumeSystem Volume Contains:(All Unencrypted)MBRBoot managerBoot UtilitiesSRKYou would have your Master Boot Record or MBR, you would have a small system partition that would be approximately 1500MB and would hold your boot utilities. This partition is unencrypted.This unencrypted code works with the TPM to determine if the system is in order and to obtain the initial decryption key. If any part of the code is compromised (for example by introduction of malicious code) the TPM ensures that the volume decryption key is never revealed.And lastly you have an encrypted OS volume that holds an encrypted OS, and encrypted page, temp and hibernation files, and any other data in the volume. This entire volume is encrypted with full volume encryption. 2FVEK13
8 BitLocker ProtectorsBitLocker™ offers a spectrum of protection allowing an organization to customize according to its requirements.*******This slide shows the 4 levels of protection that BitLocker provides. The concepts of “What it is”, “What you know”, and “What you have”TPM onlyTPM plus PINUSB onlyTPM plus USB
9 BitLocker™ Drive Encryption Architecture Static Root of Trust Measurement of boot components When a PC is reset, PCR 0 through 15 on the TPM are reset and execution is transferred to a trusted portion of firmware. This trusted portion of firmware in combination with the hardware is known as the Core Root of Trust Measurement (CRTM). This portion of firmware can only be reflashed through a very secure mechanism.The CRTM measures the next stage of firmware into PCR before executing it. This is typically the portion of firmware used for testing and configuring critical hardware such as memory. As the boot proceeds, more code is measured and written into PCR and the data is measured and written into PCR. Code is always measured before it is executed. After a measurement is written to a PCR, its value is permanently changed. The new PCR value is the concatenation hash of the previous contents and the new measurement. This can be described as SHA-1or PCR[x] || data. As long as each portion of code ensures that any new code is measured before execution, then the chain of trust is maintained.The firmware measures option ROMs into PCR. Option ROMs may measure more code into PCR and data into PCR. Finally the firmware measures the code portion of the MBR into PCR and the partition table into PCR.The MBR takes over this process by determining the active boot partition, loading the first sector of the boot partition into memory, and measuring the first 512 bytes of that sector into PCR. The MBR then transfers the execution to this boot sector.The boot sector of the active partition loads and measures the remaining boot code into PCR before transferring the execution to it.After the boot code has found and loaded BOOTMGR, it measures BOOTMGR into PCR before transferring the execution to it. In the EFI boot case, the BOOTMGR is instead measured directly into PCR and PCR. PCR and PCR are not used.The BOOTMGR checks the integrity of any boot applications loaded with respect to any Secure Startup partitions and ensures that the necessary integrity is kept to access a Secure Startup partition after BOOTMGR has gained access to the partition. If the Root of Trust Measurement before this point is invalid, then no Secure Startup partitions are accessible.BOOTMGR transfers control to the operating system loader for the specified partition that checks the integrity of all windows components before transferring control to the operating system. The operating system then checks integrity of all executables loaded up to, including, and after an authenticated logon.
10 BitLocker™ Recovery Scenarios Lost/Forgotten Key ProtectorsLost USB key, user forgets PINUpgrade to Core FilesPlanned change to pre-OS files (BIOS upgrade, etc…)Broken HardwareHard drive moved to a new systemDeliberate AttackModified or missing pre-OS files (Hacked BIOS, MBR, etc…)The important this to remember is that recovery can occur “in the field” allowing users to continue operating Windows normal.Lost keys and PIN’s can be either recreated through the BitLocker GUI, using manage-bde, or the WMI provider.Broken hardware you can move the disk drive to another machine and recover the data.Deliberate attacks can happen for many reasons review the BitLocker error codes to determine problem. May be necessary to rebuild machine to ensure integrity. Some customers plan to replace the machine in the event a deliberate attack occurs.
11 BitLocker™ Recovery Options BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management.· Recovery passwordA 48-digit recovery password used to recover a BitLocker-protected volume. Users enter this password to unlock a volume when BitLocker enters recovery mode.· Key package dataWith this key package and the recovery password, you will be able decrypt portions of a BitLocker-protected volume if the disk is severely damaged. Each key package will only work with the volume it was created on, which can be identified by the corresponding volume ID.· TPM owner password hashWhen ownership of the TPM is taken a hash of the ownership password can be taken and stored in AD DS. This information can then be used to reset ownership of the TPM.The important this to remember is that recovery can occur “in the field” allowing users to continue operating Windows normal.Lost keys and PIN’s can be either recreated through the BitLocker GUI, using manage-bde, or the WMI provider.Broken hardware you can move the disk drive to another machine and recover the data.Deliberate attacks can happen for many reasons review the BitLocker error codes to determine problem. May be necessary to rebuild machine to ensure integrity. Some customers plan to replace the machine in the event a deliberate attack occurs.
12 Platform Threats & Mitigations BIOS ModificationTHREAT --- Lost Core Root of Trust for MeasurementMITIGATION --- Secure CRTM UpdateMITIGATION --- Provide extra protection with PIN or USBPhysical MemoryTHREAT --- Key exposure in physical memoryMITIGATION --- Memory Overwrite on ResetDictionary Attack Against PINTHREAT --- Key exposureMITIGATION --- Anti-hammering countermeasuresEnd UsersTHREAT --- Unsafe practices (PIN nearby, USB in laptop case)MITIGATION --- User education, corporate security policyThis slide portrays some of the more common threats to the BitLocker platform, and how these are mitigated.
14 Prepare to Deploy – Part 1 Define support structure and processes. Who will do What, When, and How?Extend active directory to support escrow of BitLocker recovery information (TPM owner pass, recovery pass).Delegate rights to allow support personnel to recover machines. DA + Confidential Attribute by default.If users are local admin apply other GP to prohibit users from changing BitLocker settings.Use GP to configure power management settings.It’s very important as with all technology projects to plan and prepare what you are going to do.Always extend the AD schema so you are able to same recovery information from clients.
15 Prepare to Deploy – Part 2 Use GP to configure power management settings.Work with the OEM to determine default ship state of TPM.If possible ship with TPM enabled.Choose a deployment tools and methodologies.Enable BitLocker after joining domainDecide what BitLocker protectors will be used.TPM only least user impactTPM+USB or PIN high user impact high support costDecide whether or not to use WinRE in conjunction with BitLocker.
16 Group Policy and BitLocker BitLocker group policy exists for drive encryption and TPM management.Can be configured and the domain level or via local policy.Used to control backup of recovery information to Active Directory.Control user experience in UI and prohibit use of certain protectors.Can be used to set a mandatory encryption method.BitLocker setting are controlled at the computer level not user.GP Deployment ConsiderationsAlways require backup of recovery passwords and TPM owner auth to AD.On BitLocker machines limit the use of sleep and hybrid sleep. Setup power plan in GP to configure prohibit.Limit user access to power management functions to prevent change.Remove sleep options from start menu.Limit user access to BitLocker control panel unless needed to reset PIN’s or create additional protectors.Consider hiding the system partition using GP to keep user from seeing the drive.
17 Deployment ScenariosDeploying Bit Locker ready machines with the following deployment toolsWindows Deployment ServicesSMS 2003 OSDUnattended InstallationImaging with ImageXSystem Center Configuration ManagerBDD 2007/MDT
18 Maintaining a BitLocker Enabled System Disabling BitLocker does not decrypt the disk and encryption still occurs.When disabled a key is written to the disk that is in the clear and is used to access the VMK.Disabling can be automated through WMI and removes two-factor authentication allowing unobstructed reboots.Re-enabling BitLocker re-keys and re-encrypts the VMK. Any two-factor options are restored.MS provided SP’s, patches, and upgrades that update BitLocker or sealed boot components automatically call FVEUpdate so no disabling is needed.BitLocker must be disabled before updating system BIOS.
19 Things to ConsiderOnly recovery passwords not recovery keys are escrowed to AD.Recovery password escrow is only done when password is created cannot be re-escrowed.Managing recovery passwords and keys post deployment requires scripting, manage-bde, or GUI.No single application for post deployment management of machines.PIN’s are only stored on the TPM and not escrowed anywhere for recovery.No status information in WMI that can be queried by inventory tools.
20 Additional Resources Trusted Computing Group (TCG) Windows Hardware & Driver Central (WHDC)BitLocker MSDN Content