This segment of the BitLocker guide, courtesy of SearchWindowsSecurity.com, clears up rumors about the security tool by addressing and correcting two common misconceptions to help channel professionals gain a deeper understanding of BitLocker's strengths and weaknesses.
BitLocker Drive Encryption, the security feature touted in Windows Vista, is sparking controversy. Some of the furor is predicated on misinformation about what BitLocker really is or how it is to be used, or how it might be possible to perform an end-run around it.
BitLocker has no key escrow system. "Key escrow," a controversial provision in some encryption systems, allows a third party such as a government body to hold a set of universal keys that would allow any data encrypted by the system to be unlocked with one of those keys. When asked if BitLocker would have any such "back door" provisions, Niels Ferguson, one of the Microsoft developers responsible for BitLocker, responded as bluntly as possible: "Over my dead body. … In the unlikely situation we're forced to [add key escrow] by law, we'll either announce it publicly or withdraw the entire feature."
You can't gain access to a BitLocker volume by simply installing a parallel copy of Vista or moving the hard drive to another computer. BitLocker uses multiple key structures to ensure that a system volume cannot be decrypted by using another parallel install of Vista or some other extra operating system (OS) mechanism. Only the OS, encrypted by a given combination of keys, can access the key required to read the boot volume.
BitLocker demystified: End-to-end encryption for Vista
About the author
Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!
This tip originally appeared on SearchWindowsSecurity.com.
This was first published in January 2007