SECCT10:
BitLocker™ Drive Encryption Deployment
Russell Humphries
Senior Product Manager – Windows Vista Security
Disclaimer
• This presentation contains preliminary information that may be changed substantially prior to final commercial release of the software described herein.
• The information contained in this presentation represents the current view of Microsoft Corporation on the issues discussed as of the date of the presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of the presentation.
• This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
• Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this presentation. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this information does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
• © 2006 Microsoft Corporation. All rights reserved.
Information Loss Is Costly
Information loss – whether via theft or accidental leakage – is costly on several levels:
Financial
• The U.S. Dept of Justice estimates that intellectual property theft cost enterprises $250 billion in 2004
• Loss of revenue, market capitalization, and competitive advantage
Legal & Regulatory Compliance
• Increasing regulation: SOX, HIPAA, GLBA
• Bringing a company into compliance can be complex and expensive
• Non-compliance can lead to significant legal fees, fines and/or settlements
Image & Credibility
• Leaked executive e-mails can be embarrassing
• Unintended forwarding of sensitive information can adversely impact the company’s image and/or credibility
“BitLocker Drive Encryption provides stronger protection for data stored on your Windows Vista™ systems – even when the system is in unauthorized hands or is running a different or attacking OS. BitLocker does this by utilizing full volume encryption; this prevents a thief who boots another OS or runs a software disk inspection tool from breaking Vista file and system protections or even the offline viewing of data files.”
BitLocker Drive Encryption
• BitLocker Drive Encryption fully encrypts the entire Windows Vista volume.
• Designed specifically to prevent the unauthorized disclosure of data when it is at rest.
• Provides data protection on your Windows client systems, even when the system is in unauthorized hands.
• Designed to utilize a v1.2 Trusted Platform Module (TPM) for secure key storage and boot environment authentication
BitLocker
Security Management
Triangle diagram: security management balances three goals – secure, usable, affordable.
Adapted from Jesper M. Johansson, “Security Management”, Microsoft TechNet
Who are these people?
Threat-agent chart: motivation (vertical axis) against skill level (horizontal axis), with the slide’s annotations.
Motivation – actor:
• National Interest – Spy: largest area by $ spent
• Personal Gain – Thief: largest area by $ lost
• Personal Fame – Trespasser: fastest growing segment
• Curiosity – Vandal: largest area by volume
Skill level (horizontal axis): Script-Kiddy, Undergraduate, Author, Expert, Specialist
Spectrum of Protection
BitLocker offers a spectrum of protection allowing customers to balance ease-of-use against the threats they are most concerned with. (Chart axes: Ease of Use on one end, Security on the other.)
TPM Only
  Protects against: SW-only attacks
  Vulnerable to: some HW attacks
Dongle Only
  Protects against: all HW attacks
  Vulnerable to: losing dongle; pre-OS attacks; dongle left with device
TPM + PIN
  Protects against: many HW attacks
  Vulnerable to: some HW attacks
TPM + Dongle
  Protects against: software and HW attacks
  Vulnerable to: losing dongle; dongle left with device
BitLocker disk layout
Ease of Deployment
Integration with existing infrastructure
Deployment features
• Functionality fully exposed by WMI
• Supplied MMC plug-in
• Integrates with Group Policy
Active Directory
• Seamless integration with Longhorn Server
• Schema extensions available for Server 2003 SP1 and higher
• Auto-escrow of recovery keys enabled by default
• Confidential bit set on keys; read-only by admin only
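An added example (not from the deck) of using the WMI interface just mentioned to see which point of the protection spectrum a machine actually sits at: it reads TPM state from Win32_Tpm and the key protectors of each volume from Win32_EncryptableVolume, and maps the protector type onto the slide’s modes and their stated residual risks. It assumes an elevated PowerShell prompt on the machine being audited.

```powershell
# Added example: audit TPM state and BitLocker key protectors against the
# "Spectrum of Protection" modes. Run from an elevated PowerShell prompt.

$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if ($tpm -eq $null) {
    Write-Output 'No TPM present: only Dongle Only protection is possible on this machine.'
} else {
    # Each Win32_Tpm method returns an object whose out-parameter holds the answer.
    Write-Output ("TPM enabled={0} activated={1} owned={2}" -f
        $tpm.IsEnabled().IsEnabled, $tpm.IsActivated().IsActivated, $tpm.IsOwned().IsOwned)
}

# KeyProtectorType codes from GetKeyProtectorType, mapped to the slide's modes and
# the "Vulnerable to" entries the slide gives for each of them.
$spectrum = @{
    1 = 'TPM Only          - vulnerable to some HW attacks'
    2 = 'Dongle Only       - vulnerable to losing dongle, pre-OS attacks, dongle left with device'
    3 = 'Recovery password - escrowed copy for recovery, not a boot-time protector'
    4 = 'TPM + PIN         - vulnerable to some HW attacks'
    5 = 'TPM + Dongle      - vulnerable to losing dongle, dongle left with device'
}

$volumes = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume
foreach ($vol in $volumes) {
    $conv = $vol.GetConversionStatus()   # ConversionStatus 1 = fully encrypted
    $prot = $vol.GetProtectionStatus()   # ProtectionStatus 1 = protectors enforced
    Write-Output ("{0} fullyEncrypted={1} ({2}%) protectionStatus={3}" -f $vol.DriveLetter,
        ($conv.ConversionStatus -eq 1), $conv.EncryptionPercentage, $prot.ProtectionStatus)

    # KeyProtectorType 0 asks for protectors of every type.
    $ids = $vol.GetKeyProtectors(0).VolumeKeyProtectorID
    if (-not $ids) {
        Write-Output '  no key protectors: volume is not BitLocker-protected'
        continue
    }
    foreach ($id in $ids) {
        $type = $vol.GetKeyProtectorType($id).KeyProtectorType
        $desc = $spectrum[[int]$type]
        if (-not $desc) { $desc = "protector type $type (not on the slide)" }
        Write-Output ("  {0}: {1}" -f $id, $desc)
    }
}
```

A volume whose only protector is type 3 is encrypted but has no boot-time protector at all, which the spectrum slide does not list as an acceptable mode.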
BitLocker
TPM Administration Storyboard – New Machine
Screens shown in the storyboard:
• Windows logon dialog (User name, Password, Log on to: Domain)
• BIOS physical-presence prompt:
  “A configuration change was requested to enable, activate, and allow a user to take ownership of this computer’s TPM (Trusted Platform Module)
  NOTE: This action will switch on the TPM
  Press [F10] to enable, activate, and allow a user to take ownership of the TPM
  Press ESC to reject this change request and continue”
Note: Steps 1-3 can be pre-config’ed (OEM, SP)
Basic TPM Administration/Deployment
1. Machine arrives at enterprise in uninitialized state.
2. Turn TPM On
3. Check for physical presence by rebooting the machine and prompting user at BIOS screen for key press.
4. Log back into Windows Vista
5. Take Ownership of TPM
6. Check for existence of Endorsement Key (provided by OEM)
7. Create TPM Administration Password.
8. Commit changes to TPM and initialize.
9. Publish TPM Administration Password to AD/File
10. TPM Initialization Complete
BitLocker
Enterprise Machine Deployment with TPM
BDE installation
1. Active Directory prepared for CS keys
2. Windows Vista Install
   a. BDE is only available in the Enterprise and Ultimate versions of Windows Vista.
   b. BDE requires a partition separate from the Windows Vista OS partition with a min free space of 350 MB.
   c. During installation the system is checked for correct version of TPM (v1.2) and BIOS via Plug and Play.
   d. TPM & BDE drivers are installed.
3. BDE Initialization
   a. Scripted initialization of TPM.
   b. TPM Ownership password saved to Active Directory
4. Remote executed Script BDE
   a. Policy saves recovery key to AD
   b. System encrypted
5. Inspect audit logs for successful end to encryption.
BitLocker
BitLocker Recovery
Example Recovery Scenario
1. Feature turned on.
2. AD access via network.
3. Recovery key escrowed to AD and/or USB dongle.
4. User drops laptop and breaks motherboard.
5. HD from old broken machine put into new laptop with BDE enabled.
6. BDE can’t access HD because the TPM key in new laptop is different.
7. User launches BDE recovery:
   A. User uses USB dongle to recover the drive.
   -or-
   A. User calls admin and Administrator authenticates user.
   B. Admin gets correct recovery key from AD.
   C. Admin reads key to user over the phone.
   D. User types in recovery key.
8. Recovery key is used to recover the drive
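The admin side of step 7B, as an added example that is not part of the deck: it looks up the escrowed recovery password in Active Directory and only releases it when the recovery object hangs under the computer account the user was authenticated for. It assumes the schema extension from the deployment slide is in place (msFVE-RecoveryInformation objects under computer objects), that the caller has admin read access to the confidential attributes, and that the user reads the first eight hex characters of the recovery key ID from the recovery screen; $ComputerName and $KeyIdPrefix are hypothetical parameters.

```powershell
# Added example: recover an escrowed BitLocker recovery password from AD for a
# helpdesk call. Parameters are hypothetical; $KeyIdPrefix is the first 8 hex
# characters of the recovery key ID the user reads from the recovery screen.
param(
    [string]$ComputerName,   # computer the caller was authenticated as owning
    [string]$KeyIdPrefix     # e.g. first 8 characters of the recovery key ID
)

# Bind to the default naming context and search the whole domain.
$root   = New-Object System.DirectoryServices.DirectoryEntry
$search = New-Object System.DirectoryServices.DirectorySearcher($root)
$search.SearchScope = 'Subtree'
# The recovery object's CN is "<timestamp>{<recovery GUID>}", so the ID prefix is
# matched with a wildcard; the objectClass term keeps other objects out.
$search.Filter = "(&(objectClass=msFVE-RecoveryInformation)(cn=*{$KeyIdPrefix*))"
$search.PropertiesToLoad.AddRange(@('cn', 'msFVE-RecoveryPassword'))

$results = @($search.FindAll())
if ($results.Count -eq 0) { throw "No escrowed recovery key with ID prefix $KeyIdPrefix" }

foreach ($r in $results) {
    # The parent of a recovery object is the computer account it was escrowed for.
    $entry = $r.GetDirectoryEntry()
    $owner = [string]$entry.Parent.Properties['cn'].Value
    if ($owner -ne $ComputerName) {
        Write-Output ("Skipping {0}: escrowed for {1}, not {2}" -f
            $r.Properties['cn'][0], $owner, $ComputerName)
        continue
    }
    # 48 digits in eight groups of six, as the user will type them at the recovery screen.
    Write-Output ("Recovery password for {0}: {1}" -f
        $owner, $r.Properties['msfve-recoverypassword'][0])
}
```

The mismatch check matters because a key-ID prefix alone is not unique across a domain; a confidential attribute should only be read out over the phone for the machine the caller was actually verified against.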
System Upgrade with BitLocker™
Upgrading computers with BDE
1. Turn off BitLocker
2. Upgrade system
   Updated BIOS
   -- or --
   Install Service Pack
3. Turn On BitLocker – no encryption required
* If doing an update using Windows Update Services, the hash of the new component will already be calculated, so BitLocker will not need to be disabled to do the update.
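The three-step upgrade sequence above, scripted through Win32_EncryptableVolume as an added example (not the deck’s own material). DisableKeyProtectors is the "turn off" step: the volume stays encrypted but a clear copy of the volume key is stored on disk so the changed boot measurements are not enforced during the upgrade; EnableKeyProtectors removes that clear key again, which is why step 3 needs no re-encryption. It assumes the OS volume is C: and that the BIOS update or service pack is applied between the two calls.

```powershell
# Added example: suspend and resume BitLocker around a BIOS or service pack upgrade.
# Run elevated; assumes the OS volume is C:.
$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'

function Get-OsVolume {
    Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter='C:'"
}

function Show-State($vol, $label) {
    $conv = $vol.GetConversionStatus()   # ConversionStatus 1 = fully encrypted
    $prot = $vol.GetProtectionStatus()   # ProtectionStatus 1 = on, 0 = off (suspended)
    Write-Output ("{0}: conversion={1} protection={2}" -f $label,
        $conv.ConversionStatus, $prot.ProtectionStatus)
}

$os = Get-OsVolume
Show-State $os 'before'

# Step 1: turn BitLocker off. The data stays encrypted; only the protectors are bypassed.
$rc = $os.DisableKeyProtectors().ReturnValue
if ($rc -ne 0) { throw ("DisableKeyProtectors failed: 0x{0:X8}" -f $rc) }
Show-State $os 'suspended'   # expect conversion=1 (still encrypted), protection=0

# Step 2: apply the BIOS update or service pack here, rebooting as required.
# While suspended the volume key is stored in the clear, so keep this window short.

# Step 3: turn BitLocker back on. Nothing was decrypted, so this completes immediately.
$os = Get-OsVolume
$rc = $os.EnableKeyProtectors().ReturnValue
if ($rc -ne 0) { throw ("EnableKeyProtectors failed: 0x{0:X8}" -f $rc) }
Show-State $os 'resumed'     # expect conversion=1, protection=1
```

Checking ProtectionStatus after step 3 is the operational equivalent of the deck’s "inspect audit logs" step: a machine left at protection=0 after an upgrade is encrypted in name only.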