
BITLOCKER

NAME: ANJALI PRASAD
ROLL NO: 03
PRN: 180105121003
TE BTECH CTIS (SEM 6TH)
SUBMITTED TO: PROF. SHARIQUE SIR
INDEX
❏ BITLOCKER
❏ HISTORY
❏ FEATURES
❏ DEVICE ENCRYPTION
❏ ENCRYPTION MODES
❏ ENABLING BITLOCKER IN WINDOWS SERVER 2012
❏ SECURITY CONCERNS
❏ REFERENCES
BITLOCKER
BitLocker is a full volume encryption feature included with Microsoft Windows versions
starting with Windows Vista. It is designed to protect data by providing encryption for entire
volumes. By default, it uses the AES encryption algorithm in cipher block chaining (CBC) or
XTS mode[1] with a 128-bit or 256-bit key. CBC is not run as a single chain over the whole
disk; it is applied to each individual sector, so any sector can be read or rewritten
independently of the others.
HISTORY
BitLocker originated as a part of Microsoft's Next-Generation Secure Computing Base architecture in
2004 as a feature tentatively codenamed "Cornerstone" and was designed to protect information on
devices, particularly if a device was lost or stolen; another feature, titled "Code Integrity Rooting",
was designed to validate the integrity of Microsoft Windows boot and system files. When used in
conjunction with a compatible Trusted Platform Module (TPM), BitLocker can validate the integrity of
boot and system files before decrypting a protected volume; an unsuccessful validation will prohibit
access to a protected system. BitLocker was briefly called Secure Startup before Windows Vista's
release to manufacturing.
BitLocker is available on:
● Ultimate and Enterprise editions of Windows Vista and Windows 7
● Pro and Enterprise editions of Windows 8 and 8.1
● Pro, Enterprise, and Education editions of Windows 10
● Windows Server 2008 and later
FEATURES
Initially, the graphical BitLocker interface in Windows Vista could only encrypt the operating system volume.
Starting with Windows Vista with Service Pack 1 and Windows Server 2008, volumes other than the
operating system volume could be encrypted using the graphical tool. Still, some aspects of BitLocker
(such as turning autolocking on or off) had to be managed through a command-line tool called
manage-bde.wsf.
The version of BitLocker included in Windows 7 and Windows Server 2008 R2 adds the ability to encrypt
removable drives. On Windows XP or Windows Vista, read-only access to these drives can be achieved
through a program called BitLocker To Go Reader, if FAT16, FAT32 or exFAT filesystems are used. In
addition, a new command-line tool called manage-bde replaced the old manage-bde.wsf.
Starting with Windows Server 2012 and Windows 8, Microsoft has complemented BitLocker with the
Microsoft Encrypted Hard Drive specification, which allows the cryptographic operations of BitLocker
encryption to be offloaded to the storage device's hardware. In addition, BitLocker can now be managed
through Windows PowerShell. Finally, Windows 8 introduced Windows To Go in its Enterprise edition, which
BitLocker can protect.
DEVICE ENCRYPTION
Windows Mobile 6.5, Windows RT and core editions of Windows 8.1 include device encryption, a
feature-limited version of BitLocker that encrypts the whole system. Logging in with a Microsoft account with
administrative privileges automatically begins the encryption process. The recovery key is stored to either the
Microsoft account or Active Directory, allowing it to be retrieved from any computer. While device encryption
is offered on all versions of 8.1, unlike BitLocker, device encryption requires that the device meet the
InstantGo (formerly Connected Standby) specifications, which require solid-state drives, non-removable
RAM (to protect against cold boot attacks) and a TPM 2.0 chip.
Starting with Windows 10 1703, the requirements for device encryption changed: a TPM 1.2 or 2.0 module
with PCR 7 support, UEFI Secure Boot, and a device that meets either the Modern Standby requirements
or HSTI validation.
In September 2019 an update (KB4516071) changed the default BitLocker setting for encrypting a
self-encrypting hard drive. The default is now to use software encryption for newly encrypted drives,
because of flaws found in the hardware encryption of such drives and the security concerns those flaws raised.
ENCRYPTION MODES
Three authentication mechanisms can be used as building blocks to implement BitLocker
encryption:
● Transparent operation mode: This mode uses the capabilities of TPM 1.2 (or later)
hardware to provide a transparent user experience: the user powers up and logs
into Windows as usual. The key used for disk encryption is sealed (encrypted) by
the TPM chip and will only be released to the OS loader code if the early boot files
appear to be unmodified.
● User authentication mode: This mode requires that the user provide some
authentication to the pre-boot environment in the form of a pre-boot PIN or
password.
● USB Key Mode: The user must insert a USB device that contains a startup key
into the computer to be able to boot the protected OS. Note that this mode
requires that the BIOS on the protected machine supports the reading of USB
devices in the pre-OS environment.
These building blocks can be combined (TPM only, TPM + PIN, TPM + USB key, TPM + PIN + USB key,
USB key only, or password only), and in every case an additional recovery password can be kept in
escrow for the case where the TPM measurements no longer match or the PIN or key is lost.
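The three building blocks above map directly onto BitLocker key protectors. The following PowerShell script is an added example (not code from the original report or from Microsoft) that enables BitLocker on the OS volume with one of the three modes, then adds an escrow recovery password and verifies the result. It assumes an elevated PowerShell session on Windows 8/Server 2012 or later with the BitLocker feature installed, that C: is the operating system volume, and that E:\ is a removable FAT-formatted drive used only by the startup-key variant; the cmdlet parameter names are those of the BitLocker module, while the drive letters and the $Mode switch are assumptions for the example.

```powershell
# Added example: pick one BitLocker authentication mode for the OS volume.
# Assumes an elevated session, C: = OS volume, E:\ = removable drive for
# the startup-key variant (both drive letters are assumptions).
#Requires -RunAsAdministrator
param(
    [ValidateSet('TpmOnly', 'TpmAndPin', 'StartupKey')]
    [string]$Mode = 'TpmAndPin',
    [string]$OsDrive = 'C:',
    [string]$StartupKeyDrive = 'E:\'
)

# The transparent and TPM+PIN modes both seal the volume key to the TPM,
# so fail early if no usable TPM is present (Get-Tpm ships with Windows 8+).
if ($Mode -ne 'StartupKey') {
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'No ready TPM found: use StartupKey mode, or a password protector on a VM.'
    }
}

# XtsAes256 needs Windows 10 1511 / Server 2016 or later; on Server 2012 R2
# use Aes256 instead. -UsedSpaceOnly keeps the initial encryption short.
$common = @{ MountPoint = $OsDrive; EncryptionMethod = 'XtsAes256'; UsedSpaceOnly = $true }

switch ($Mode) {
    'TpmOnly' {
        # Transparent operation mode: nothing to type at boot, key released by the
        # TPM only when the measured boot components are unchanged.
        Enable-BitLocker @common -TpmProtector
    }
    'TpmAndPin' {
        # User authentication mode: TPM plus a pre-boot PIN.
        $pin = Read-Host -AsSecureString -Prompt 'Pre-boot PIN'
        Enable-BitLocker @common -TpmAndPinProtector -Pin $pin
    }
    'StartupKey' {
        # USB key mode: a .BEK startup key is written to the removable drive;
        # the firmware must be able to read USB storage before the OS loads.
        Enable-BitLocker @common -StartupKeyProtector -StartupKeyPath $StartupKeyDrive
    }
}

# Whatever the mode, keep an escrow recovery password: a firmware update or a
# boot-order change will alter the PCR measurements and the TPM will refuse
# to unseal the key, and this 48-digit password is then the only way back in.
$null = Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector

# Verify which protectors now guard the volume and that the encryption is
# software XTS-AES rather than the drive's own hardware encryption
# (the KB4516071 default discussed above).
$vol = Get-BitLockerVolume -MountPoint $OsDrive
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
'{0}: {1}, {2}% encrypted, method {3}' -f $vol.MountPoint, $vol.VolumeStatus,
    $vol.EncryptionPercentage, $vol.EncryptionMethod
```

Run it as `.\Set-BitLockerMode.ps1 -Mode TpmAndPin` (file name assumed). The last two statements are the check a practitioner wants after any BitLocker change: the KeyProtector list should contain exactly the protectors you intended plus one RecoveryPassword, and EncryptionMethod should read XtsAes256 (or Aes256), not Hardware.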
HOW TO ENABLE BITLOCKER ON WINDOWS SERVER 2012 R2

Microsoft allows the disks of a server to be encrypted with the BitLocker feature. We are
going to see how you can enable BitLocker on a physical or virtual server to protect your
company from data theft.

Install the BitLocker Drive Encryption feature with the Add Roles and Features Wizard.
You need to restart the system after the installation.
How to enable BitLocker on a virtual machine (without TPM)

By default BitLocker expects a Trusted Platform Module (TPM) to seal the volume key. A
Windows Server 2012 R2 virtual machine has no TPM (Hyper-V generation 2 VMs on Windows
Server 2016 and later can be given a virtual TPM, in which case this workaround is not needed),
so you need to follow these two steps BEFORE configuring BitLocker (the BitLocker feature
must already be installed on the server).

Open the Local Group Policy Editor (gpedit.msc) and go to Computer
Configuration/Administrative Templates/Windows Components/BitLocker
Drive Encryption/Operating System Drives. Double-click Require additional
authentication at startup:
Select Enabled and check Allow BitLocker without a compatible TPM:
After a restart, open the Control Panel; you'll find the BitLocker configuration panel. Open
it and click Turn On BitLocker:
We used a VM, so a system without a TPM, and Windows asks us to configure an additional
authentication at startup. We chose a password to protect the data; a USB flash drive can be
used instead so that nobody has to type the password at every server restart, as long as the
drive stays plugged in. Be aware of what that trades away: a startup key that is permanently
inserted leaves with the machine if the machine is stolen, so it only protects against the
disk being removed on its own. On hardware that has a TPM, prefer the TPM (with a PIN for
unattended-boot resistance) over either option.
A recovery key can save you from serious trouble. We printed it and stored the copy securely.
Choose the encryption mode best suited to your disks:
Click Continue:
Restart the system:
At the next boot you'll be "forced" to enter the password or plug in the USB flash drive. After
Windows starts, BitLocker will begin the encryption process.
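The same procedure, scripted. This is an added example (not code from the original report or from Microsoft) for a Windows Server 2012 R2 machine or VM without a TPM: it installs the feature, writes the two registry values behind the "Require additional authentication at startup" policy, enables BitLocker on C: with a pre-boot password, and escrows the recovery password to Active Directory instead of only printing it. It assumes an elevated PowerShell session, that C: is the OS volume, and that the server is joined to a domain whose schema supports BitLocker recovery information (skip the Backup step otherwise); the registry location and value names are the documented equivalents of the Group Policy setting, and the drive letter is an assumption.

```powershell
# Added example: enable BitLocker on a TPM-less Server 2012 R2 host/VM.
# Assumes an elevated session, C: = OS volume (assumption), domain-joined
# server if you want AD escrow of the recovery password.
#Requires -RunAsAdministrator

# 1. Install the feature (what the Add Roles and Features Wizard does).
#    The BitLocker cmdlets only work after the reboot this triggers.
if (-not (Get-WindowsFeature BitLocker).Installed) {
    Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
}

# 2. "Require additional authentication at startup" = Enabled, with
#    "Allow BitLocker without a compatible TPM". These are the registry values
#    that policy writes under the FVE policy key; gpedit.msc does the same.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord
gpupdate /force | Out-Null

# 3. Turn on BitLocker with a pre-boot password: with no TPM there is nothing
#    to seal the key to, so the password is the only thing unlocking C:.
#    Aes256 rather than XtsAes256 because 2012 R2 predates XTS support.
#    -SkipHardwareTest avoids the extra test reboot the wizard performs.
$pw = Read-Host -AsSecureString -Prompt 'Pre-boot password'
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod Aes256 -UsedSpaceOnly `
    -PasswordProtector -Password $pw -SkipHardwareTest

# 4. Add a recovery password and escrow it to AD DS. Printing it (as the
#    wizard offers) is fine as a second copy, but a copy that lives in the
#    directory is the one the helpdesk will actually find.
$vol  = Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
$rpId = ($vol.KeyProtector |
         Where-Object KeyProtectorType -eq 'RecoveryPassword' |
         Select-Object -Last 1).KeyProtectorId
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rpId

# 5. Confirm the protector set before rebooting: expect Password + RecoveryPassword.
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId

# 6. Reboot; the password prompt appears before Windows loads, and encryption
#    continues in the background afterwards. Progress can be watched with
#    (Get-BitLockerVolume -MountPoint 'C:').EncryptionPercentage
Restart-Computer -Confirm
```

The registry step is the scripted twin of the gpedit.msc change shown in the screenshots; if the server receives BitLocker settings from a domain GPO, set them there instead, because a later policy refresh would overwrite the local values.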
SECURITY CONCERNS
According to Microsoft sources, BitLocker does not contain an intentionally built-in backdoor,
so there is no Microsoft-provided way for law enforcement to get guaranteed access to the data
on a user's drives. In 2006 the UK Home Office expressed concern over the lack of a backdoor
and tried entering into talks with Microsoft to get one introduced, although Microsoft
developer Niels Ferguson and other Microsoft spokesmen stated that they would not grant the
wish to have one added. Microsoft engineers have said that FBI agents also put pressure on
them in numerous meetings to add a backdoor, although no formal, written request was ever
made; Microsoft engineers eventually suggested to the FBI that agents should look for the hard
copy of the key that the BitLocker program suggests its users make. Although the AES
encryption algorithm used in BitLocker is in the public domain, its implementation in
BitLocker, as well as other components of the software, is proprietary; however, the code is
available for scrutiny by Microsoft partners and enterprises, subject to a non-disclosure
agreement.
