BitLocker™ Drive Encryption: A look under the covers
Steve Lamb, Technical Security Advisor, Microsoft UK
Agenda
- Is EFS dead?
- A quick review
- What threats does it mitigate?
- What threats ARE NOT mitigated?
- Vista SP1
- To gain access we need...
- Deployment considerations
- Resources
Is EFS Dead?
A Quick Review: BitLocker
What threats does it mitigate?
- Data at rest (a lost or stolen machine)
- Over-riding access controls (reading the disk offline, bypassing NTFS ACLs)
What threats ARE NOT mitigated?
- Stupid user!
- Stupid admin!
- Removable media
- Weak passwords
Vista SP1
- Multi-volume support
- Key rolling
What is a Trusted Platform Module?
TPM 1.2 spec:
Secure the pre-boot environment: measure EVERYTHING
What do we measure?
To gain access we need:
- Full Volume Encryption Key (FVEK)
- Volume Master Key (VMK)
- Multiple places to store it
Volume Master Key – option 1: TPM → Access
Volume Master Key – option 2: TPM + PIN → Access
Volume Master Key – option 3: TPM + Startup Key → Access
Volume Master Key – option 4: Recovery Key (USB startup key) → Access
Volume Master Key – option 5: Recovery Password → Access
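The TPM-based options above (1 to 3) all depend on the TPM refusing to release the VMK when the measured pre-boot chain has changed. The following is an added example, not code from the slides or from Microsoft: a toy model of TPM 1.2 PCR extend and seal/unseal in Python. The PCR indices, the component names, the VMK value and the way the PIN is combined with the sealed secret are all constructed assumptions for illustration; the real BitLocker PCR profile is set by policy, and real sealing happens inside the TPM under its storage root key.

```python
import hashlib
import hmac

# Added example, not from the slides: a toy model of TPM 1.2 PCR extend and
# seal/unseal, showing why a TPM-protected Volume Master Key (VMK) is released
# only when the measured pre-boot chain is unchanged. PCR indices, component
# names, the VMK and the PIN combination are constructed for illustration.

PCR_COUNT = 24
PCR_LEN = 20                       # TPM 1.2 PCRs hold a SHA-1 digest


def extend(old, measurement):
    """TPM 1.2 PCR extend: new = SHA-1(old || SHA-1(measurement))."""
    return hashlib.sha1(old + hashlib.sha1(measurement).digest()).digest()


class ToyTPM:
    def __init__(self):
        self.pcrs = [bytes(PCR_LEN)] * PCR_COUNT   # every PCR is zero at power-on

    def measure(self, index, component):
        self.pcrs[index] = extend(self.pcrs[index], component)

    def composite(self, selection):
        """Digest over the selected PCRs; a sealed blob is bound to this value."""
        h = hashlib.sha1()
        for i in sorted(selection):
            h.update(self.pcrs[i])
        return h.digest()

    def seal(self, secret, selection):
        # Toy: record the policy digest and keep the secret alongside it.
        # A real TPM encrypts the secret so it never leaves the chip in clear.
        return {"selection": tuple(sorted(selection)),
                "policy": self.composite(selection),
                "secret": secret}

    def unseal(self, blob):
        """Release the secret only if the current PCR state matches the policy."""
        if not hmac.compare_digest(self.composite(blob["selection"]), blob["policy"]):
            return None
        return blob["secret"]


# Constructed boot chain: (PCR index, bytes of the component being measured).
TRUSTED_CHAIN = [
    (0, b"BIOS image v1.0"),
    (4, b"MBR boot code"),
    (8, b"NTFS boot sector"),
    (10, b"bootmgr"),
    (11, b"BitLocker access control: unlocked"),
]
SELECTION = [index for index, _ in TRUSTED_CHAIN]
VMK = hashlib.sha256(b"constructed volume master key").digest()


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pin_key(pin):
    """Option 2 (TPM + PIN): the PIN contributes a second key component."""
    return hashlib.sha256(b"toy-pin|" + pin.encode()).digest()


def provision(pin=None):
    """Run the trusted boot once and seal the VMK (or VMK xor PIN key) to its PCRs."""
    tpm = ToyTPM()
    for index, component in TRUSTED_CHAIN:
        tpm.measure(index, component)
    secret = VMK if pin is None else xor_bytes(VMK, pin_key(pin))
    return tpm.seal(secret, SELECTION)


def boot_and_unlock(chain, blob, pin=None):
    """Simulate a power-on: re-measure the chain, then ask the TPM for the VMK."""
    tpm = ToyTPM()
    for index, component in chain:
        tpm.measure(index, component)
    secret = tpm.unseal(blob)
    if secret is None:
        return None        # integrity check failed: BitLocker would prompt for recovery
    return secret if pin is None else xor_bytes(secret, pin_key(pin))


def tampered_chain(pcr_index, replacement):
    """Swap one measured component, e.g. MBR boot code replaced by a bootkit."""
    return [(i, replacement if i == pcr_index else c) for i, c in TRUSTED_CHAIN]


if __name__ == "__main__":
    blob = provision()
    print(boot_and_unlock(TRUSTED_CHAIN, blob) == VMK)              # True
    print(boot_and_unlock(tampered_chain(4, b"bootkit"), blob))     # None
```

Two things the model makes visible: any change to a measured component, including a legitimate BIOS update into PCR 0, produces a different composite and sends the machine into recovery; and with TPM + PIN a wrong PIN does not fail at the TPM, it silently yields the wrong VMK, so the metadata must carry its own way of detecting that the unwrap failed.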
BitLocker Encryption
Hello, World! (plaintext) → Full-Volume Encryption Key (FVEK) → derive sector key → diffuser ("Elephant") → AES → Uryyb, Jbeyq! (encrypted sector; the slide's ROT13 stand-in for ciphertext)
Keys and Protectors ("Authenticators")
DATA → (1) FVEK → (2) VMK → (3) key protectors: TPM (4), TPM + USB, TPM + PIN, USB key (recovery or non-TPM), recovery password (48 digits)

Where's the encryption key?
1. Data is encrypted with the FVEK.
2. The FVEK is encrypted with the VMK and then stored in the volume metadata.
3. The VMK is encrypted by one or more key protectors, then stored in the volume metadata.
4. The Trusted Platform Module will not decrypt the VMK if the system integrity check fails.
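The encryption flow on the previous slide and the key hierarchy on this one, as an added example in Python that is not code from the slides or from Microsoft. Data is encrypted per sector with a key derived from the FVEK, the FVEK is wrapped by the VMK, and the VMK is wrapped once per key protector, with only the wrapped keys kept in the volume metadata. The HMAC-SHA256 keystream stands in for AES and there is no Elephant diffuser; stretch() and vmk_check() are simplified stand-ins for BitLocker's own key stretching and validation, and the key values are constructed. The 48-digit recovery password layout (8 groups of 6 digits, each a multiple of 11 whose quotient fits in 16 bits, giving a 128-bit key) is the real format.

```python
import hashlib
import hmac
import os
import struct

# Added example, not from the slides: a toy model of the BitLocker key
# hierarchy. HMAC-SHA256 keystream stands in for AES (no Elephant diffuser);
# stretch() and vmk_check() are simplified stand-ins; keys are constructed.
# The 48-digit recovery password layout is the real one.

SECTOR_SIZE = 512
STRETCH_ROUNDS = 100_000          # toy count; the real scheme iterates far more


def keystream_xor(key, label, data):
    """Toy stream cipher: XOR data with HMAC-SHA256(key, label || counter) blocks.
    Each (key, label) pair is used for exactly one message below; reuse would leak
    the XOR of two plaintexts, which is one reason the real product uses AES."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, label + struct.pack("<Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(d ^ k for d, k in zip(data, stream))


def sector_key(fvek, sector_no):
    """'Derive sector key': bind the FVEK to the sector number, so identical
    plaintext in two sectors does not produce identical ciphertext."""
    return hmac.new(fvek, b"sector|" + struct.pack("<Q", sector_no), hashlib.sha256).digest()


def encrypt_sector(fvek, sector_no, plaintext):
    return keystream_xor(sector_key(fvek, sector_no), b"data", plaintext)


decrypt_sector = encrypt_sector      # an XOR keystream is its own inverse


def recovery_password_from_key(key16):
    """128-bit key -> 48 digits: each little-endian 16-bit word times 11, zero-padded."""
    words = struct.unpack("<8H", key16)
    return "-".join("%06d" % (w * 11) for w in words)


def parse_recovery_password(text):
    """48 digits -> 128-bit key; the multiple-of-11 rule rejects most typos."""
    groups = text.replace(" ", "").split("-")
    if len(groups) != 8 or any(len(g) != 6 or not g.isdigit() for g in groups):
        raise ValueError("expected 8 groups of 6 digits")
    words = []
    for g in groups:
        n = int(g)
        if n % 11 != 0 or n // 11 > 0xFFFF:
            raise ValueError("group %s is not a valid recovery password block" % g)
        words.append(n // 11)
    return struct.pack("<8H", *words)


def is_valid_recovery_password(text):
    try:
        parse_recovery_password(text)
        return True
    except ValueError:
        return False


def stretch(key16, salt):
    """Stand-in for key stretching: iterate SHA-256 over (previous, key, salt)."""
    h = bytes(32)
    for _ in range(STRETCH_ROUNDS):
        h = hashlib.sha256(h + key16 + salt).digest()
    return h


def vmk_check(vmk):
    """Short check value so a wrong protector is detected instead of yielding garbage."""
    return hmac.new(vmk, b"vmk-check", hashlib.sha256).digest()[:8]


def create_volume(recovery_password, usb_key):
    """Generate FVEK and VMK, wrap them under each protector, return metadata only."""
    fvek, vmk, salt = os.urandom(32), os.urandom(32), os.urandom(16)
    rp_kek = stretch(parse_recovery_password(recovery_password), salt)
    return {
        "fvek_wrapped": keystream_xor(vmk, b"fvek", fvek),        # step 2
        "vmk_check": vmk_check(vmk),
        "protectors": {                                           # step 3
            "recovery_password": {"salt": salt, "vmk_wrapped": keystream_xor(rp_kek, b"vmk", vmk)},
            "usb_key": {"vmk_wrapped": keystream_xor(usb_key, b"vmk", vmk)},
        },
    }


def unlock(meta, recovery_password=None, usb_key=None):
    """Recover the VMK through one protector, verify it, then unwrap the FVEK."""
    prot = meta["protectors"]
    if recovery_password is not None:
        kek = stretch(parse_recovery_password(recovery_password), prot["recovery_password"]["salt"])
        vmk = keystream_xor(kek, b"vmk", prot["recovery_password"]["vmk_wrapped"])
    elif usb_key is not None:
        vmk = keystream_xor(usb_key, b"vmk", prot["usb_key"]["vmk_wrapped"])
    else:
        raise ValueError("no key protector supplied")
    if not hmac.compare_digest(vmk_check(vmk), meta["vmk_check"]):
        return None                      # wrong password or key: the VMK did not unwrap
    return keystream_xor(vmk, b"fvek", meta["fvek_wrapped"])
```

The point the metadata layout makes: every protector wraps the same VMK, so adding or removing a protector (a new PIN, a replacement USB key, a rolled recovery password) rewrites one small entry in the metadata and never touches the FVEK or the encrypted data. Re-encrypting the volume is only needed if the FVEK itself is believed compromised.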
Disk Configuration
Partitioning guidelines:

Disk configuration                          | Partition 1                                    | Partition 2                | Partition 3
WinRE and BitLocker on separate partitions  | BitLocker, type 0x7, 1.5GB (active)            | Windows RE, type 0x27, 1GB | Windows Vista, type 0x7
WinRE and BitLocker on same partition       | Windows RE/BitLocker, type 0x7, 1.5GB (active) | Windows Vista, type 0x7    | Not needed
You can measure the BIOS too
Deployment Considerations
Understanding the Options with the Windows Vista Security Guide
The Windows Vista Security Guide provides customers with best practices and automated tools to help them quickly and easily deploy Windows Vista, and provides tested guidance to balance their needs for security and functionality.
- Tested guidance by Windows Vista security experts
- Preconfigured, customizable security settings
- Unique GPO Accelerator tool deploys security configurations in minutes vs. hours
Solution Accelerators: Act faster. Go further.
Resources
- Data Encryption Toolkit for Mobile PCs
- BitLocker Drive Encryption Technical Overview
- Keys to Protecting Data with BitLocker Drive Encryption
- Developing Credential Providers for Windows Vista
- Create Custom Login Experiences With Credential Providers For Windows Vista
Resources
- Visit TechNet in the ATE Pavilion and get a FREE 60-day subscription to TechNet Plus!
- Technical communities, webcasts, blogs, chats and user groups
- Microsoft Learning and Certification
- Microsoft Developer Network (MSDN) and TechNet
- Trial software and virtual labs
© 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.