BitLocker Drive Encryption - Fahim
ODM Team
Table of Contents
Context
Limitation
Context
Data protection is an important aspect to take into account when handling information that
belongs to persons of concern (PoCs). In order to be in line with the Division of International
Protection (DIP), which recommends measures to be taken to ensure the confidentiality and
integrity of personal data, we present here a Windows functionality that can play a key
role in securing data: BitLocker Drive Encryption.
Certainly, not all machines and devices we use in our daily work contain sensitive data
regarding PoCs. Servers (fixed and mobile) that host proGres servers and databases, hard
drives that contain database backups, scanned documents of PoCs and any other kind of sensitive
information should be protected to raise the security level of the data they hold.
Through this document, we will explain what this Windows functionality is about and how to
use it.
What is BitLocker?
BitLocker lets you encrypt the hard drive(s) on Windows 7 and Vista Enterprise, Windows
7 and Vista Ultimate, Windows Server 2008 and 2008 R2, and later versions of Windows (8, 8.1,
and 10). BitLocker will not encrypt hard drives on Windows XP, Windows 2000 or Windows
Server 2003.
BitLocker drives can be encrypted with 128-bit or 256-bit encryption keys. This is strong
enough to protect your data in the event the computer is lost or stolen. BitLocker protects your
hard drive from offline attack. Unlike Encrypting File System (EFS), which enables you to
encrypt individual files, BitLocker encrypts the entire drive. You can log on and work with
your files normally, but BitLocker can help block hackers from accessing the system files they
rely on to discover your password, and from accessing your drive by removing it from your
computer and installing it in a different computer in order to harvest your data. BitLocker also
protects your data if a malicious user boots from an alternate operating system.
Against either attack method, BitLocker keeps the hard drive encrypted so that someone with
physical access to the drive cannot read it. If a machine that has been encrypted using
BitLocker crashes and its drive is connected to another machine, BitLocker prompts the user
for the recovery key so that the hard drive can be accessed.
In later versions of Windows, starting from Windows 7 (Professional and Ultimate editions), BitLocker
functionality is extended to removable drives. That functionality is called BitLocker To
Go. BitLocker To Go gives you the ability to encrypt your thumb drives and even USB hard
drives.
When you add new files to a drive that is encrypted with BitLocker, BitLocker encrypts them
automatically. Files remain encrypted only while they are stored in the encrypted drive. Files
copied to another drive or computer are decrypted. If you share files with other users, such as
through a network, these files are encrypted while stored on the encrypted drive, but they can
be accessed normally by authorized users.
If you encrypt the operating system drive, BitLocker checks the computer during startup for
any conditions that could represent a security risk (for example, a change to the BIOS or
changes to any startup files). If a potential security risk is detected, BitLocker will lock the
operating system drive and require a special BitLocker recovery key to unlock it. Make sure
that you create that recovery key when you turn on BitLocker for the first time; otherwise, you
could permanently lose access to your files.
If your computer has a TPM chip, BitLocker uses it to seal the keys that are used to unlock
the encrypted operating system drive. When you start your computer, BitLocker asks the TPM
for the keys to the drive and unlocks it.
If you encrypt data drives (fixed or removable), you can unlock an encrypted drive with a
password or a smart card, or set the drive to automatically unlock when you log on to the
computer. You can turn off BitLocker at any time, either temporarily by suspending it, or
permanently by decrypting the drive.
Limitation
BitLocker does not protect your files individually. After logging on to Windows, you can
work with your files normally. But if you leave your computer unprotected, anyone else who
has access to that machine has the same access to all your data, whether the drive is
encrypted or not.
To encrypt the drive that Windows is installed on (the operating system drive), BitLocker needs
to store its own encryption and decryption keys in a hardware device that is separate from
your hard disk. Hence, you must have one of the following:
• A computer with Trusted Platform Module (TPM), which is a special microchip in many
computers that supports advanced security features. If your computer was manufactured
with TPM version 1.2 or higher, BitLocker will store its key in the TPM.
• A removable USB memory device, such as a USB flash drive. If your computer doesn’t
have TPM version 1.2 or higher, BitLocker will store its key on the flash drive. This option
is only available if your system administrator has set up your computer to allow the use of
a startup key instead of the TPM.
To turn on BitLocker Drive Encryption on the operating system drive, your computer’s hard
disk must:
• Have at least two partitions: a system partition (which contains the files needed to start
your computer and must be at least 200 MB) and an operating system partition (which
contains Windows). The operating system partition will be encrypted and the system
partition will remain unencrypted so your computer can start. If your computer doesn't
have two partitions, BitLocker will create them for you. Both partitions must be formatted
with the NTFS file system.
• Have a BIOS that is compatible with TPM or supports USB devices during computer
startup. If this isn't the case, you will need to update the BIOS before using BitLocker. For
more information on updating your BIOS, see Update the BIOS for BitLocker Drive
Encryption.
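To check the prerequisites and recommendations above on a given machine before the deadline, here is an added audit script (not part of the original document). It assumes Windows 8 / Server 2012 or later, where the BitLocker and TrustedPlatformModule PowerShell modules ship with Windows, an elevated session, and that the registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE are the ones written by the "Require additional authentication at startup" policy.

```powershell
# Added example, not from the original document: audit one machine against the
# BitLocker prerequisites and recommendations described in this document
# (ready TPM, no-TPM policy, every drive protected, recovery key present).
# Assumptions: Windows 8 / Server 2012 or later, elevated PowerShell session.

function Get-BitLockerAudit {
    $findings = @()

    # 1. TPM: BitLocker stores the OS-drive key in the TPM when one (1.2+) is present and ready.
    $tpm = Get-Tpm
    $tpmOk = ($tpm.TpmPresent -and $tpm.TpmReady)
    if (-not $tpmOk) {
        $findings += 'No ready TPM: the OS drive will need a USB startup key.'
    }

    # 2. Policy "Allow BitLocker without a compatible TPM" (set through gpedit.msc).
    #    Assumed value names: UseAdvancedStartup and EnableBDEWithNoTPM under the FVE key.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $noTpmAllowed = ($null -ne $fve) -and ($fve.UseAdvancedStartup -eq 1) -and ($fve.EnableBDEWithNoTPM -eq 1)
    if (-not $tpmOk -and -not $noTpmAllowed) {
        $findings += 'No TPM and the policy allowing a startup key instead of the TPM is not enabled.'
    }

    # 3. Each volume: encryption state, protection state, and which key protectors exist.
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $list  = if ($types.Count -gt 0) { $types -join ', ' } else { 'none' }
        Write-Output "$($vol.MountPoint) ($($vol.VolumeType)): $($vol.VolumeStatus), protection $($vol.ProtectionStatus), method $($vol.EncryptionMethod), protectors: $list"

        if ($vol.ProtectionStatus -ne 'On') {
            $findings += "$($vol.MountPoint) is not protected by BitLocker."
        } elseif ($types -notcontains 'RecoveryPassword') {
            # Without a recovery key, a lockout (BIOS change, lost startup key) means permanent data loss.
            $findings += "$($vol.MountPoint) has no recovery key."
        }
    }
    return $findings
}

$result = @(Get-BitLockerAudit)
if ($result.Count -eq 0) { 'All checks passed.' } else { $result | ForEach-Object { "FINDING: $_" } }
```

On Windows 7 and Server 2008 R2, which lack these cmdlets, the equivalent per-volume status comes from running `manage-bde -status` in an elevated command prompt.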
On data drives
You can use BitLocker to encrypt fixed data drives (such as internal hard drives), and you can
use BitLocker To Go to encrypt removable data drives (such as external hard drives and USB
flash drives). To encrypt a data drive, it must be formatted using either the exFAT, FAT16,
FAT32 or NTFS file system and must have at least 64 MB of available space.
1. You can either right-click on the drive and select Turn on BitLocker, or go to Control
Panel > System and Security > BitLocker Drive Encryption and click on Turn on
BitLocker on the OS drive. Here we see the three steps of the drive encryption.
Click Next.
2. In this step, we prepare the drive. If it does not already exist, BitLocker will create
a new partition on which the system files that allow the machine to start will be installed.
The partition that BitLocker creates won't have a drive letter, so it won't be visible in
the Computer folder. After this step, you will restart the machine. Click Next,
wait until the partition is created, then click Restart Now.
3. Now that our drive has been prepared, the next step is to turn on the TPM security hardware.
Clicking Next will require you to restart the machine, but beforehand, make sure to
remove any external device such as USB flash drives. Click on Restart.
(Figure 4: TPM activation)
4. Now that the first steps have been successfully completed, we proceed with the
drive encryption. Next we are asked to choose one option to save the recovery key we
mentioned before.
Our recommendation: Save the recovery key on a USB flash disk. Use a USB flash disk
dedicated to storing BitLocker recovery keys, holding no other data. This will allow
you to keep it separate from the encrypted drive. The USB flash disk won't need to be encrypted
and will only be used to unlock encrypted drives in case a password is forgotten or any other
kind of incident causes the drive to lock. We can always recover the data in case we lose
the startup key.
After the key is saved on the USB flash disk, click Next. In the next window, make sure that Run
BitLocker System Check is selected before you click on Continue. You will restart the
machine to launch the drive encryption. In this case, make sure to keep the USB flash disk that
contains the recovery key plugged in during the process.
When you try to turn on BitLocker on an OS drive and receive an error message related to the
absence of a compatible TPM, here is the procedure to follow to encrypt the drive.
1. Launch the Local Group Policy Editor and enable the 'Require additional authentication at
startup' option. To do so, press the Windows key + R and type in the Run dialog box: gpedit.msc. In the
editor's navigation pane, go to Computer Configuration > Administrative
Templates > Windows Components > BitLocker Drive Encryption > Operating
System Drives and double-click on Require additional authentication at startup.
Select the Enabled option, make sure that the option Allow BitLocker without a compatible
TPM is checked, then validate.
2. Now we can return to the Computer folder, do a right click on the OS drive and select Turn
On BitLocker.
▪ Use BitLocker without additional keys: this option is less secure because it allows you to
encrypt your drive without any additional key. No PIN is needed, and no startup key either.
▪ Require a PIN at every startup: as stated, you will be asked to choose a PIN that serves
as a password and is required at every system startup.
▪ Require a Startup key at every startup: with this option, you won't need to memorize a
password, since the key is stored on external media such as a USB flash drive. To start up,
the system will require that media to be plugged in so that the key can be
read and the operating system unlocked.
In the next window, select the USB flash drive on which to save the Startup key and click on Save. Next,
choose to save the recovery key on a USB flash drive. Once the recovery key is saved, in the
next window ensure that the Run BitLocker System Check option is selected and click on
Continue. Finally, you will reboot the machine to launch the drive encryption, but make
sure that the USB flash drive that contains the startup and recovery keys is plugged in.
On fixed drives
When you right click on the data drive and select Turn on BitLocker, here is the interface you
get:
Here we have three options to unlock our drive to get the data stored on it:
encrypted drive if this option is selected. You will need a smart card reader installed
or connected to the machine so that the information stored on the card can be read.
▪ Automatically unlock: This option allows your encrypted drive to be automatically
unlocked when you log on to Windows.
Our recommendation: On fixed drives, use a password to protect the data stored on them.
Even after Windows logon, the drive will remain locked until you decide to open it using
your password. It will automatically lock itself again when the machine is turned off.
Next we save the recovery key in a USB flash drive and start the encryption.
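The recommended fixed-drive setup (password protector, recovery key saved on a dedicated USB flash disk) can also be done without the wizard. The script below is an added example, not part of the original document; it assumes Windows 8 / Server 2012 or later (BitLocker PowerShell module), an elevated session, and the two constructed drive letters D: and F:.

```powershell
# Added example, not from the original document: turn on BitLocker on a fixed
# data drive with a password, add the recovery key, and save that key on a
# separate USB flash disk that holds nothing else, as recommended above.
$DataDrive   = 'D:'   # fixed data drive to encrypt (constructed value)
$RecoveryUsb = 'F:'   # dedicated, unencrypted recovery-key USB flash disk (constructed value)

function Protect-DataDrive {
    param([string]$MountPoint, [string]$UsbRoot)

    # The recovery key must be kept away from the encrypted drive, so refuse to start without the USB disk.
    if (-not (Test-Path -Path $UsbRoot)) { throw "Recovery USB $UsbRoot is not plugged in." }

    # Ask for the unlock password interactively so it is never written in a script or command history.
    $pw = Read-Host -AsSecureString -Prompt "Password that will unlock $MountPoint"

    # Password protector with a 256-bit AES key: after Windows logon the drive stays
    # locked until this password is entered, which is the behaviour the recommendation describes.
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $pw -EncryptionMethod Aes256 | Out-Null

    # The recovery password protector is the 48-digit recovery key the wizard offers to save.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1

    # Plain-text file holding the identifier and the key, so the key can be matched to the drive later.
    $file = Join-Path -Path $UsbRoot -ChildPath ("BitLocker Recovery Key {0}.txt" -f $rp.KeyProtectorId.Trim('{}'))
    @(
        'BitLocker Drive Encryption recovery key'
        "Computer: $env:COMPUTERNAME   Drive: $MountPoint   Saved: $(Get-Date -Format 'yyyy-MM-dd')"
        "Identifier: $($rp.KeyProtectorId)"
        "Recovery Key: $($rp.RecoveryPassword)"
    ) | Set-Content -Path $file

    # Verify what is actually on the drive before reporting success.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    return [pscustomobject]@{
        Drive           = $vol.MountPoint
        Status          = $vol.VolumeStatus      # e.g. EncryptionInProgress, then FullyEncrypted
        Protection      = $vol.ProtectionStatus
        Protectors      = ($vol.KeyProtector.KeyProtectorType -join ', ')
        RecoveryKeyFile = $file
    }
}

Protect-DataDrive -MountPoint $DataDrive -UsbRoot $RecoveryUsb
```

For the operating system drive on a machine with a TPM (the wizard's "Turn on BitLocker on the OS drive"), the same flow applies with `Enable-BitLocker -MountPoint 'C:' -TpmProtector` in place of the password protector, followed by the same recovery-key step.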
On external drives
Rather than the three choices offered for fixed drives, here we have two, as shown in the
image below.
And in this case, the recovery key is not stored in USB flash but in a file or printed. And then
you can start the drive encryption.
Given the importance of securing the data, we request you to take action and start
encrypting your computers and drives as soon as possible, and at least before the end of this year
(31 December 2016). Drive encryption only concerns devices on which sensitive
information is stored, such as proGres servers (not necessarily clients), backup drives, and all data
drives that hold PoC-related data.