Companies have always been concerned about the security of data on
their mobile users’ computers. What happens if the computer is lost or
stolen? How can you be sure that the “stuff” on that computer does not
fall into the wrong hands? The answer is encryption, and there have
been various options like
GuardianEdge,
CheckPoint Pointsec and
TrueCrypt, but
now with Windows 7 Enterprise and Ultimate, Microsoft has introduced a
new alternative called BitLocker and BitLocker to Go that is built right
into the Operating System. Let me tell you about it and how to use it.
- About BitLocker
- Enable and Activate TPM chip
- Boot Order
- Enable BitLocker
- Automatically Store Keys in AD
- Access the BitLocker Recovery Keys
- BitLocker to Go (encrypt removable media)
About BitLocker
Before getting started, let me briefly cover just what BitLocker is.
Microsoft describes it as a way to protect your data from being lost or
stolen by “putting a virtual lock on your files”.
While this is basically true, it is more than just locking the files:
it locks the file system that the files live on, not just the files
themselves. That’s because BitLocker is a “full disk encryption” (FDE)
suite that encrypts an entire partition, as opposed to EFS (Encrypting
File System), which only encrypts individual files and folders. For
that reason it is also called “Full Volume Encryption” (FVE), and you
will see that abbreviation again in its Group Policy and registry names.
To boil it down further, encryption is just a way of scrambling data
using a secret code or “key” so that the data is unintelligible without
that key. Think of it as something like
Pig Latin
for data, except that no one can decipher it unless they have your
secret decoder key. On a BitLocker machine that key is normally
protected by a TPM chip (a “
Trusted Platform Module“)
that is built into most modern laptops. The TPM does not simply hand the
key out on request: it measures the firmware and boot components as the
machine starts and only releases (“unseals”) the key if those
measurements match the ones recorded when BitLocker was turned on. So if
the hard drive is ever removed and put in another computer, or if the
computer boots from something other than that hard drive (like a CD/DVD
or USB drive), the key is not released and the data on the disk cannot be
read or copied without the recovery password – it is protected by
BitLocker!
Here’s a brief video to tell you more.
BitLocker can also be used to encrypt removable media like a USB
drive using “BitLocker to Go”. The drive can then be used on any
Windows 7 computer by simply plugging it in and entering the password
you created when you encrypted it. Earlier versions of Windows like
Vista and XP can also read the disk (if it’s FAT, not NTFS). When they
attach the encrypted media, if they don’t already have it, they will be
prompted to install the
BitLocker to Go Reader
which is included on the drive, and then they can copy files from the
encrypted disk but are not able to write to it. PCMAG has a
nice and brief article on it too.
Here’s another video about BitLocker and this one is all about BitLocker to Go.
Enable and Activate TPM
As I mentioned earlier, in order to decrypt a “BitLocked” drive you
must have the decryption key. It can be typed in manually (the 48-digit
recovery password, which is very cumbersome), presented on a USB flash
drive that you connect to the computer, or, better yet, protected by a
TPM chip that is built in to the computer. Microsoft has a nice
overview of
how keys are secured within TPM
if you’d like some more details. Before you can use the TPM chip, you
must Enable it AND Activate it. Most of the laptops I have done this on
have required two reboots into the BIOS, but you only need to do this
the first time you want to enable BitLocker and then leave it alone.
For example, here’s how you do it on a Dell Latitude laptop. Boot
the laptop and press F2 (sometimes Delete) to enter the BIOS, then
navigate to Security and select TPM Security. The first time you open
this you’ll only have the option to Enable TPM security by checking the
box. If you’ve been here before you may see additional options but the
main thing is to ensure that the box IS checked. You’ll be told that
you need to restart for the changes to take effect so click OK, save
your changes and restart.
You’ll want to enter the BIOS again, so hit F2 (or Delete) to get into
the BIOS System Setup and navigate back to TPM Security again. This
time you can Activate the chip. Again, save your settings and reboot.
If you don’t have a TPM chip, you can still use BitLocker, but for
this guide I will assume you will be using TPM. HowToGeek has a nice
guide on
using a USB Startup Key for BitLocker instead of using TPM.
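Before starting the BitLocker wizard it is worth confirming from inside Windows that the two BIOS trips actually took, rather than finding out on the wizard’s first page. The script below is an added example (not from the original post) that reads the Win32_Tpm WMI class that ships with Windows 7 and Server 2008 R2 and reports whether the chip is present, enabled, activated and owned. Run it from an elevated PowerShell prompt; the messages about “first trip” and “second trip” are my own mapping onto the Dell BIOS steps above.

```powershell
# Added example: report TPM readiness for BitLocker via the Win32_Tpm WMI class.
# Run from an elevated PowerShell prompt on the client.

function Get-TpmReadiness {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($null -eq $tpm) {
        # No TPM at all, or it is hidden/disabled so deeply the driver never loaded.
        return New-Object PSObject -Property @{
            Present = $false; Enabled = $false; Activated = $false; Owned = $false; Ready = $false
        }
    }
    # Each Is* method returns an object whose property of the same name is the answer.
    $enabled   = [bool]$tpm.IsEnabled().IsEnabled
    $activated = [bool]$tpm.IsActivated().IsActivated
    $owned     = [bool]$tpm.IsOwned().IsOwned
    New-Object PSObject -Property @{
        Present   = $true
        Enabled   = $enabled
        Activated = $activated
        Owned     = $owned
        # BitLocker's TPM protector needs the chip enabled AND activated;
        # ownership is taken by the wizard itself if it has not been already.
        Ready     = ($enabled -and $activated)
    }
}

$state = Get-TpmReadiness
$state | Format-List Present, Enabled, Activated, Owned, Ready

if (-not $state.Present) {
    Write-Warning 'No TPM found: the machine has none, or it is turned off in the BIOS. Use a USB startup key instead.'
} elseif (-not $state.Enabled) {
    Write-Warning 'TPM present but not enabled: enable it in the BIOS and reboot (first trip).'
} elseif (-not $state.Activated) {
    Write-Warning 'TPM enabled but not activated: activate it in the BIOS and reboot (second trip).'
} else {
    Write-Host 'TPM is enabled and activated; BitLocker can use it.'
}
```

On some machines the built-in manage-bde tool can do the enable/activate step for you (manage-bde -tpm -turnon, which asks for a physical-presence confirmation on the next boot); whether that works depends on the BIOS, so the script above is still the quickest way to know where you stand.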
Set the Boot Order
It may not be obvious, but the way the TPM secures the encryption
keys is by ensuring that the way your system boots up is always the
same as it was at the time you enabled BitLocker: the firmware, the
master boot record and the boot manager that actually ran are measured
into the TPM, and it only releases the keys when those measurements
match. This means that if you are encrypting your system drive (C:) it is
important to set the boot order so that the Hard Drive is always first.
If the computer tries to boot from CD/DVD or USB first, the TPM chip
will not release the keys to decrypt the drive and you’ll end up being
unable to boot your system without manually entering the recovery
password. It’s by design. If later you want to boot from other media you
can still hit F12 or change the BIOS setting, just know that the disk
will not automatically unlock and you will need the recovery password in
order to access it. The same applies to BIOS/firmware updates: use
“Suspend Protection” in the BitLocker control panel before the update and
resume it afterwards, or you will get the recovery prompt on the next
boot.
I have seen it work fine when a “Diskette Drive” is listed first in
the boot order, but laptops don’t have those anymore so the HDD ends up
being first by natural selection. I find it best practice to force the
HDD to be first by definition. Why? For example, if a user has a
bootable disc in their computer like a Windows DVD, when their computer
boots and reads from the DVD the user is prompted to “press any key to
boot” from that disc. If they do not press any key the machine moves to
the next boot option, presumably the hard drive, but I have seen some
computers try booting next from the encrypted partition and not from the
boot partition. This prompts the user to enter the decryption key and
results in a call to tech support. If they remove the DVD and boot
normally it works fine.
So, new rule: Set the BIOS boot order to
load the HDD first. If you need to boot something else press F12 while
booting to manually select it at that time.
Enable BitLocker
There isn’t really anything to “enable” in order to start using
BitLocker itself on Windows 7, just right click any hard drive that you
want to encrypt and select “Turn on BitLocker…”
Note: If you want to use BitLocker on Windows Server 2008 R2
computer, you do need to install the “BitLocker Drive Encryption”
Feature as it is not there by default.
This will start up the wizard that’ll first check for a TPM chip.
If all goes well you should see this screen. If not then you may need to step back and Activate your TPM chip in the BIOS.
You should now be able to click Next through the following couple of pages while the wizard does some setup for you.
When asked to save your key, I find it easiest to just save it to a
file someplace (it just generates a text file containing the 48-digit
recovery password and the drive’s identifier); the catch is you cannot
save it to the drive that you are encrypting! You can put it on a
different local drive if you have one, a network share or even put it on
a USB flash drive if you like. So click on
Save the recovery key to a file and put it someplace. It’ll tell you that the key has been saved and then you can continue.
At this point you are ready to encrypt your drive. It’s a good idea
however to run the BitLocker system check. It will make sure that the
TPM chip can present the decryption keys and you won’t have any issues
after the drive is encrypted. Running the check has helped me catch a
few computers with a strange boot order or other problems before I got
too deep.
Once your computer reboots, if the check passes you’ll see a balloon
pop up from the system tray indicating that the disk is being
encrypted. Now you can just sit back, let BitLocker do its thing, and
you are done! If it fails, you might see
something like this instead indicating that BitLocker cannot be enabled, in which case you’ll have some troubleshooting to do (the usual suspects are a TPM that is not activated or a boot order that tried another device first).
While it is encrypting the drive you CAN shutdown or reboot your
computer and it will resume the encryption without giving you any
hassle. Also, you may notice that the disk appears to be nearly full
until the encryption is complete. That’s nothing to worry about as once
it is complete it will display the true free space of the drive.
The process does take a while and you may notice some slower than
normal performance until it’s done, but once the disk is encrypted you
should not notice any performance degradation. In fact, a BitLocker
disk should have less than a 5% difference when compared to performance
statistics when it is not encrypted, which is very comparable to other
encryption solutions.
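If you would rather script the steps the wizard just walked you through (handy for imaging and for the deployment section below), the same thing can be done with manage-bde.exe, which is built into Windows 7 Enterprise/Ultimate and Server 2008 R2. The script below is an added example, not part of the original post: it assumes C: is the OS drive, that the TPM is already enabled and activated, and that E:\ is some drive other than C: (a USB stick or second partition) where the recovery key may be written, and it runs from an elevated PowerShell prompt.

```powershell
# Added example: the command-line equivalent of "Turn on BitLocker" for the OS drive.
# Assumptions: C: is the OS drive, the TPM is enabled+activated, E:\ is NOT the
# drive being encrypted. Run from an elevated PowerShell prompt.

$OsDrive   = 'C:'
$KeyFolder = 'E:\'   # must not be the drive being encrypted

# 1. TPM key protector: what unlocks the drive transparently at boot.
manage-bde -protectors -add $OsDrive -tpm

# 2. Add a 48-digit recovery password and a recovery key (.BEK file in $KeyFolder),
#    then start encryption. Output is captured so the password can be saved.
$onOutput = manage-bde -on $OsDrive -RecoveryPassword -RecoveryKey $KeyFolder 2>&1
$onOutput | Out-String | Write-Host

# The recovery password is eight groups of six digits; pull it from the output
# rather than retyping it, and write it to a text file like the wizard does.
$match = [regex]::Match(($onOutput | Out-String), '(\d{6}-){7}\d{6}')
if ($match.Success) {
    $keyFile = Join-Path $KeyFolder ('BitLocker Recovery Key ' + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.txt')
    "Recovery password for $OsDrive on $env:COMPUTERNAME : $($match.Value)" | Set-Content -Path $keyFile
    Write-Host "Recovery password saved to $keyFile"
} else {
    Write-Warning 'No recovery password found in the manage-bde output; read the messages above.'
}

# 3. Encryption continues in the background and survives reboots; watch it here.
manage-bde -status $OsDrive
```

Two caveats: manage-bde does not run the wizard’s “BitLocker system check”, so the first time you do a new hardware model it is still worth letting the wizard reboot and prove the TPM releases the key; and once the Group Policy in the next section is in place, the recovery password goes to Active Directory automatically and the text file becomes optional.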
At this point you can call it a day for this computer. You’ve got
BitLocker working and the drive is encrypted. If you are planning a
more wide-scale deployment of BitLocker, then read on…
Store Keys in AD
If you are looking at implementing or supporting BitLocker in a
corporate environment, one of the most important things is to have
possession of the BitLocker Recovery Keys. If that computer ever dies,
or if you need to pull the hard drive out of its current hardware, you
will need that key in order to decrypt and read it. Also, unless you
configure a Group Policy to prevent it, users can enable BitLocker on
their own, purposely or not, and they likely would never think to give
you the key. Rest assured that you can create a domain policy that will
require the computer to store its key in Active Directory, as a child
object of the computer account, and it’s all done automatically!
Microsoft has a very comprehensive guide on
how to do this on TechNet.
Prepare Active Directory
If you already have a Domain Controller running Windows Server 2008 or
newer, your schema already contains the BitLocker and TPM recovery
attributes. If you do not, you can either add a 2008 DC, which updates
the schema for you, or just extend the AD schema to include the
BitLocker information. If you are not sure, you can
check if the required schema objects already exist or not (look for the msFVE-RecoveryInformation class and the msTPM-OwnerInformation attribute).
If you want to store information about the TPM chip as well as BitLocker,
StarrAndersen has provided a script
that adds an access control entry (ACE) so that backing up TPM recovery
information is possible. Just log in to one of your Domain Controllers
with a domain Administrator account and run the script (
cscript Add-TPMSelfWriteACE.vbs).
What that script does is delegate write permission on the
msTPM-OwnerInformation attribute of computer objects to the “SELF”
account, so that each computer can write its own TPM owner information
and nothing else. If you would rather do it (or verify it) by hand, Tom
Acker has a great article on how to do this
on the TechNet blog. Essentially you open the AD Users and Computers
MMC, right click the OU where your computers are (or the domain root)
and Delegate Control to the SELF account using a “custom task” limited
to Computer objects. Show General, Property-specific and
Creation/deletion of specific child objects permissions, and tick only
“Write msTPM-OwnerInformation”.
Create Group Policy
Now that Active Directory is ready to store the BitLocker and TPM
information, we need a policy that will cause the computers to actually
write that information. Below are the steps to configure Windows 7 and
2008 R2, but if you need Vista or 2008 you’ll find the instructions
on TechNet here.
Create a new Group Policy and navigate to
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption.
There you will see three more folders that contain the settings for how
Windows 7 and 2008 R2 manage the BitLocker information for
three different kinds of drives: Fixed, Operating System and Removable.
The core settings for all three are pretty similar. Double-click the
Choose how BitLocker-protected drives can be recovered setting and Enable it. Under
Configure storage of BitLocker recovery information to AD DS, select
Store recovery passwords and key packages and check the option for
Do not enable BitLocker until recovery information is stored in AD DS for operating system drives
(the wording ends in “fixed data drives” or “removable data drives” in
the other two folders). This prevents users from enabling BitLocker
unless the computer is connected to the domain and the backup of
BitLocker recovery information to AD DS succeeds; a failed backup stops
BitLocker from turning on rather than silently leaving you without a key.
Repeat this for the other two types of drives as well. Read the
included Help text to determine what is appropriate for your
environment; storing key packages as well as passwords is what lets you
repair a damaged encrypted disk later.
In the same Policy, now navigate to
Computer Configuration\Administrative Templates\System\Trusted Platform Module Services.
Double-click
Turn on TPM backup to Active Directory Domain Services, enable it and make sure
Require TPM backup to AD DS
is checked. This prevents the TPM owner password from being set or
changed unless the computer is connected to the domain and the AD DS
backup succeeds.
When you’re done just close the Policy editor and link the GPO
someplace in AD that you feel is appropriate. Now you can test it out
by making sure the policy is being applied to a new test workstation
(from an elevated command prompt:
gpresult /h res.htm && res.htm,
then look for the BitLocker and TPM settings under Computer Configuration)
and then enable BitLocker on it as described at the beginning of this
article. You should no longer be prompted for a place to save the
Recovery key as it’ll automatically be stored in Active Directory.
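gpresult tells you the GPO was processed; what matters is that the settings landed in the registry keys BitLocker and the TPM service actually read. The script below is an added example (not from the original post) that reads those values on the test workstation. The value names are the ones the Windows 7 / 2008 R2 administrative templates write (prefix OS for operating system drives, FDV for fixed data drives, RDV for removable drives, under HKLM\SOFTWARE\Policies\Microsoft\FVE, and the TPM pair under ...\Microsoft\TPM); if a value reads as blank on your system, compare against the ADMX in your central store.

```powershell
# Added example: verify the BitLocker/TPM AD-backup policy settings arrived on a
# client by reading the policy registry keys. Run after "gpupdate /force".

$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$TpmPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'

function Get-PolicyValue([string]$Key, [string]$Name) {
    # $null when the key or the value is absent, i.e. the policy has not applied.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$driveTypes = @{ OS = 'Operating system'; FDV = 'Fixed data'; RDV = 'Removable' }
$report = foreach ($prefix in 'OS', 'FDV', 'RDV') {
    New-Object PSObject -Property @{
        DriveType      = $driveTypes[$prefix]
        # "Choose how BitLocker-protected drives can be recovered" is Enabled
        RecoveryPolicy = (Get-PolicyValue $FvePolicy "${prefix}Recovery") -eq 1
        # "Save BitLocker recovery information to AD DS"
        BackupToAD     = (Get-PolicyValue $FvePolicy "${prefix}ActiveDirectoryBackup") -eq 1
        # 1 = recovery passwords and key packages, 2 = recovery passwords only
        InfoToStore    = Get-PolicyValue $FvePolicy "${prefix}ActiveDirectoryInfoToStore"
        # "Do not enable BitLocker until recovery information is stored in AD DS"
        RequireBackup  = (Get-PolicyValue $FvePolicy "${prefix}RequireActiveDirectoryBackup") -eq 1
    }
}
$report | Format-Table DriveType, RecoveryPolicy, BackupToAD, InfoToStore, RequireBackup -AutoSize

$tpmBackup  = (Get-PolicyValue $TpmPolicy 'ActiveDirectoryBackup') -eq 1
$tpmRequire = (Get-PolicyValue $TpmPolicy 'RequireActiveDirectoryBackup') -eq 1
Write-Host "TPM owner information backup to AD DS: $tpmBackup (required: $tpmRequire)"

$missing = $report | Where-Object { -not ($_.BackupToAD -and $_.RequireBackup) }
if ($missing) {
    $names = ($missing | ForEach-Object { $_.DriveType }) -join ', '
    Write-Warning "Not yet requiring AD backup for: $names. Check the GPO link, security filtering and that the machine is domain-joined."
}
```

Any drive type that shows RequireBackup as False can still be encrypted by a user without the key ever reaching AD, which is exactly the situation the policy is meant to rule out.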
Note: Computers that
already had BitLocker enabled before these policies arrived will not
store their recovery keys or TPM information in AD, because that only
happens at the time of TPM Activation and when you actually enable
BitLocker. You can manually force a computer to store its information
by using
manage-bde -protectors -get c: to find the ID of the “Numerical Password” protector for the drive, then
manage-bde -protectors -adbackup c: -id {NumericalPasswordGoesHere}.
New activations store into AD automatically, so you could also disable
BitLocker and then re-enable it, but that means fully decrypting and
re-encrypting the drive; the -adbackup command pushes the recovery
password up in seconds.
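Doing that by hand for every drive on every machine that pre-dates the policy gets old fast. The script below is an added example (not from the original post) that generalises those two manage-bde commands to every BitLocker volume on the machine and every numerical password protector on each, and reports which backups succeeded. It assumes English-language manage-bde output (the parser keys on the “Numerical Password:” and “ID:” lines), an elevated prompt, and a domain member that already has the backup policy applied; the failure causes listed in the comments are the ones I would check first, not an exhaustive list.

```powershell
# Added example: push every recovery password on this machine up to AD DS.
# Assumes English manage-bde output and an elevated prompt on a domain member.

function Get-NumericalPasswordIds([string]$Drive) {
    # "manage-bde -protectors -get <drive>" lists each protector as a block:
    #     Numerical Password:
    #       ID: {GUID}
    #       Password: 123456-...
    $lines = @(manage-bde -protectors -get $Drive 2>&1 | ForEach-Object { $_.ToString() })
    $ids = @()
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i] -match '^\s*Numerical Password:' -and
            $lines[$i + 1] -match '\{[0-9A-Fa-f-]{36}\}') {
            $ids += $Matches[0]
        }
    }
    return ,$ids
}

function Get-BitLockerVolumes {
    # "manage-bde -status" introduces each volume as "Volume C: [Label]".
    @(manage-bde -status 2>&1 | ForEach-Object {
        if ($_.ToString() -match '^Volume ([A-Z]:)') { $Matches[1] }
    })
}

foreach ($vol in Get-BitLockerVolumes) {
    $ids = Get-NumericalPasswordIds $vol
    if ($ids.Count -eq 0) {
        # Either the volume is not encrypted, or it only has other protector types.
        Write-Warning "${vol}: no Numerical Password protector found; nothing to back up."
        continue
    }
    foreach ($id in $ids) {
        $result = manage-bde -protectors -adbackup $vol -id $id 2>&1 | Out-String
        if ($LASTEXITCODE -eq 0) {
            Write-Host "$vol protector $id backed up to AD DS."
        } else {
            # Typical causes: no domain controller reachable, the policy is not
            # applied yet, or the computer account may not create the recovery object.
            Write-Warning "$vol protector $id NOT backed up (exit code $LASTEXITCODE):`n$result"
        }
    }
}
```

Run it once per machine (a logon script or SCCM package is the obvious vehicle) and then confirm in the BitLocker Recovery tab described in the next section that the Password IDs showed up.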
Access the BitLocker Recovery Keys
To see the information that is being stored in AD, you need to
install the BitLocker Recovery Password Viewer which is a component of
Remote Server Administration Tools (RSAT). On your 2008 R2 Domain
Controller(s) you simply start the “Add a feature” wizard and navigate
to the RSAT/Feature Administration Tools and select the BitLocker Drive
Encryption Administration Utilities.
Once the Viewer has been added, you can now open the Active Directory
Users and Computers MMC and open the Properties page of any computer
account to see the BitLocker recovery tab. There you will see all of the
Recovery ID’s and Passwords that have been generated for all drives
encrypted by that computer.
But what happens if you have a hard drive that has been encrypted but
you do not know what computer it came from? When you attach the disk to
a machine and attempt to read it, you’ll be presented with a message
that says it’s encrypted and you’ll need the Recovery Password. It will
also tell you what the Password ID is. You can then search Active
Directory for this ID to find the Recovery Password. If the drive was
encrypted by a computer in your domain, it’ll find the Recovery
Password that you can use to read/write the encrypted partitions on
that disk.
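The same two lookups can be done from PowerShell with the ActiveDirectory module that comes with RSAT on Windows 7 and Server 2008 R2, which is useful for a help desk tool or an audit of which machines actually have keys in AD. The script below is an added example (not from the original post). It relies on two facts about how the data is stored: each recovery password is an msFVE-RecoveryInformation object directly under the computer account, and that object’s name ends in the full recovery GUID, of which the first eight hex digits are the “Password ID” shown on the recovery screen. The computer name LAPTOP01 and the ID A1B2C3D4 in the usage lines are made up for illustration.

```powershell
# Added example: query BitLocker recovery passwords from AD DS.
# Needs the RSAT ActiveDirectory module and read access to msFVE-RecoveryPassword.
Import-Module ActiveDirectory

function ConvertTo-RecoveryRecord($AdObject, [string]$ComputerName) {
    # CN looks like "2011-03-21T14:29:40-05:00{GUID}"; the 8-char Password ID
    # the recovery screen shows is the first block of that GUID.
    $guid = ''
    if ($AdObject.Name -match '\{([0-9A-Fa-f-]{36})\}$') { $guid = $Matches[1] }
    $shortId = if ($guid.Length -ge 8) { $guid.Substring(0, 8).ToUpper() } else { '' }
    New-Object PSObject -Property @{
        Computer         = $ComputerName
        Created          = $AdObject.whenCreated
        PasswordId       = $shortId
        RecoveryGuid     = $guid
        RecoveryPassword = $AdObject.'msFVE-RecoveryPassword'
    }
}

# Everything stored for one computer: what the "BitLocker Recovery" tab in ADUC lists.
function Get-BitLockerRecoveryInfo([string]$ComputerName) {
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                 -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
                 -Properties msFVE-RecoveryPassword, whenCreated |
        ForEach-Object { ConvertTo-RecoveryRecord $_ $ComputerName }
}

# The "unknown disk" case: search the whole domain by the Password ID from the
# recovery screen. Accepts the 8-char prefix or a full GUID.
function Find-BitLockerRecoveryPassword([string]$PasswordId) {
    $prefix = $PasswordId.Trim('{', '}').Split('-')[0]
    Get-ADObject -LDAPFilter "(&(objectClass=msFVE-RecoveryInformation)(cn=*{$prefix*))" `
                 -Properties msFVE-RecoveryPassword, whenCreated |
        ForEach-Object {
            # The recovery object sits directly under its computer account, so the
            # parent DN tells you which machine encrypted the drive.
            $dn    = $_.DistinguishedName
            $owner = Get-ADObject -Identity $dn.Substring($dn.IndexOf(',') + 1)
            ConvertTo-RecoveryRecord $_ $owner.Name
        }
}

# Usage (LAPTOP01 and A1B2C3D4 are made-up values):
Get-BitLockerRecoveryInfo 'LAPTOP01' | Format-Table Created, PasswordId, RecoveryPassword -AutoSize
Find-BitLockerRecoveryPassword 'A1B2C3D4' | Format-List Computer, PasswordId, RecoveryPassword
```

Bear in mind that anyone who can read msFVE-RecoveryPassword can decrypt every disk whose key is in AD, so delegate that read right to the help desk group that needs it rather than leaving it to whoever happens to have broad read access on the computers OU.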
BitLocker to Go
Microsoft is well aware that not all data is going to be stored
safely on your locally encrypted hard drives and that potentially
sensitive data could be placed on a removable device like a USB Thumb
drive. For those cases, you can still use BitLocker to protect that
data using what is being called BitLocker To Go (or BTG in some cases).
You can use Group Policy to allow or require removable drives to be
encrypted with BTG, and instead of needing a TPM chip to access the
contents, the user need only remember the password that they define.
And you can still store that password in Active Directory in case they
forget it.
Rather than go into much detail on it here, you should check out
Rocky Hacker’s MSDN Blog post on BitLocker to Go.
In case you are wondering, non-Windows 7 users can still access
drives that are protected with BTG, but they use a utility called
“BitLockerToGo Reader” which is included on the unencrypted portion of
the removable drive, and this only allows them to read or copy contents
from the device, not write to it. This adds some security and is pretty
convenient too.
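For completeness, here is the removable-drive case from the command line, as an added example that is not part of the original post. It assumes E: is the USB drive and that the removable-drive Group Policy above allows (or requires) encryption. Unlike the OS drive there is no TPM involved: the user’s password unlocks the stick, and a recovery password covers the “I forgot it” call.

```powershell
# Added example: BitLocker To Go on a removable drive with manage-bde.
# Assumes E: is the USB drive. Run from an elevated PowerShell prompt.
$Removable = 'E:'

# Password protector. manage-bde prompts for the password twice, so it never
# appears on the command line or in the shell history.
manage-bde -protectors -add $Removable -Password

# 48-digit recovery password for the help desk; with the removable-drive GPO in
# place this is what gets written to AD when encryption starts.
manage-bde -protectors -add $Removable -RecoveryPassword

# Protectors are already in place, so just start encrypting.
manage-bde -on $Removable

# Confirm what protects the drive and how far encryption has got.
manage-bde -protectors -get $Removable
manage-bde -status $Removable
```

On another Windows 7 machine the same tool unlocks it without the Explorer prompt (manage-bde -unlock E: -Password, or -RecoveryPassword followed by the 48 digits), and if the stick was encrypted before the policy existed, the -adbackup command from the Store Keys in AD section pushes its recovery password up just as it does for a fixed drive.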
Summary
I think Microsoft has done a great job with BitLocker to give users
an easy and transparent way to protect data on their computers and
removable drives. It may require a little leg work on the part of the
IT staff to set up the ideal environment to support it, but it is
plausible to have the whole thing up and running in a matter of just a
few hours.
For those of you (wisely) using SCCM to deploy your Windows 7
workstations, you can also enable BitLocker as a step in your OSD Task
Sequence. For details, check out
Teh Wei King’s blog post. And if you are using MDOP (
Microsoft Desktop Optimization Pack) you should look into the pending release of MBAM (
Microsoft BitLocker Administration and Monitoring), currently available in
Beta on Microsoft Connect. Yay Automation!
http://blog.concurrency.com/infrastructure/enable-bitlocker-automatically-save-keys-to-active-directory/