BitLocker™ Drive Encryption A look under the covers Steve Lamb Technical Security Advisor, Microsoft UK

Agenda Is EFS Dead? A quick review What threats does it mitigate? What threats ARE NOT mitigated Vista SP1 To Gain Access We Need Deployment Considerations Resources

Is EFS Dead? ?

A Quick Review BitLocker BitLocker

What threats does it mitigate? rest Over-riding Access Controls

What threats ARE NOT mitigated? Stupid User! Stupid Admin! Removable Media Weak Passwords

SP1 Multi-volume support Key Rolling

What Is A Trusted Platform Module ? TPM 1.2 spec:

Secure the pre-boot environment Measure EVERYTHING

What do we measure?

To gain access we need Full Volume Encryption Key Volume Master Key Multiple places to store it

Volume Master Key – option 1 TPMAccess

Volume Master Key – option 2 TPMPINAccess

Volume Master Key – option 3 TPM Startup Key Access

Volume Master Key – option 4 Recovery Key Startup Key Access

Volume Master Key – option 5 Recovery Password Access

BitLocker Encryption Hello, World! (Plaintext) Full-Volume Encryption Key (FVEK) Derive Sector Key Diffuser (“Elephant”) AES Uryyb, Jbeyq! (Encrypted Sector)

Keys and Protectors (“Authenticators”) DATA 1 FVEK 2 VMK 3 TPM 4 TPM+USB TPM+PIN USB Key (Recovery or Non-TPM) Recovery Password (48 Digits) Where’s the Encryption Key? 1.Data is encrypted with the FVEK 2.The FVEK is encrypted with the VMK and then stored in the volume metadata. 3.The VMK is encrypted by one or more key protectors, then stored in the volume metadata. 4.The Trusted Platform Module will not decrypt the VMK if the system integrity check fails.

Disk Configuration Partitioning guidelines: Disk ConfigurationPartition 1Partition 2Partitions 3 WinRE and BitLocker on separate partitions BitLocker Type 0x7 1.5GB (Active) Windows RE Type 0x27 1GB Windows Vista Type 0x7 Windows RE and BitLocker on same partition Windows RE/BitLocker Type 0x7 1.5GB (Active) Windows Vista Type 0x7 Not needed

You can measure the BIOS too

Deployment Considerations

Windows Vista Security Guide provides customers with best practices and automated tools to help them quickly and easily deploy Windows Vista, and provides tested guidance to balance their needs for security and functionality SOLUTIONACCELERATORS Act faster. Go further. Tested guidance by Windows Vista Security Experts Preconfigured, customizable security settings Unique GPO Accelerator tool deploys security configurations in minutes vs. hours Understanding the Options with the Windows Vista Security Guide

Please fill in your Evaluation Form

Resources Data Encryption Toolkit for Mobile PCs Bitlocker Drive Encryption Technical Overview Keys to Protecting Data with Bitlocker Drive Encryption Developing Credential Providers for Windows Vista Create Custom Login Experiences With Credential Providers For Windows Vista Create Custom Login Experiences With Credential Providers For Windows Vista

Resources Visit TechNet in the ATE Pavilion and get a FREE 60-day subscription to TechNet Plus! Technical Communities, Webcasts, Blogs, Chats & User Groups Microsoft Learning and Certification Microsoft Developer Network (MSDN) & TechNet Trial Software and Virtual Labs

© 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.