BitLocker demystified: Keying up

This portion of the BitLocker guide deals with controlling BitLocker behaviors using key management. Channel professionals will learn what BitLocker can and can't do.


In order for a system to use BitLocker, the two partitions described above have to be prepared before the initial installation. BitLocker itself is turned on (and the main drive encrypted) after Vista has been installed, and it can be managed remotely through WMI so that it can be administratively set up.

Therefore, if you plan to use BitLocker on multiple systems that are set up through cloning, you'll need to enable BitLocker after the cloning process so that each machine's key will be distinct and will be for that machine only. Microsoft has a quick walkthrough of the setup process for BitLocker for an individual machine; most of the partition preparation work could be done once for a machine image.

Note that once a set of keys is issued for a volume, the keys cannot be revoked or changed. The only way to do that is to shut off BitLocker and re-enable it. It is possible, however, to create a new PIN (not the recovery password) for a volume protected by TPM.

Right now, support for third-party multifactor authentication (e.g., smart cards or fingerprint readers) isn't actively available, but BitLocker was designed to allow the eventual inclusion of such trust mechanisms. A smart-card reader, for instance, could work at boot time as long as the device drivers are available to access the device (and at this point in Windows's evolution, it's a fairly trivial add-on).

You can use Group Policy to control BitLocker behaviors. For instance, you can back up BitLocker and TPM recovery data to Active Directory if needed, and many common BitLocker behaviors can be constrained if needed (such as issuing a new PIN).
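As an added example (not code from the article), the PowerShell script below uses the Win32_EncryptableVolume WMI class the article refers to, first to list a volume's key protectors so that cloned machines sharing a protector ID can be spotted, then to escrow the numerical recovery password to Active Directory as the Group Policy option above does. The namespace, class and method names are Microsoft's documented WMI provider; the function names, the assumption that PowerShell with Get-WmiObject and local administrator rights are available, that the domain already permits BitLocker recovery backup, and passing $null to have BitLocker generate the recovery password are mine.

```powershell
# Added example, not from the article: audit BitLocker key protectors over
# the WMI interface the article mentions and escrow the recovery password
# to Active Directory. Assumes Win32_EncryptableVolume (Vista and later),
# local administrator rights, and a domain prepared for BitLocker backup.

$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
# Protector type codes as documented for GetKeyProtectors/GetKeyProtectorType
$protectorTypes = @{ 1='TPM'; 2='External key'; 3='Numerical password';
                     4='TPM and PIN'; 5='TPM and startup key'; 6='TPM, PIN and startup key' }

function Get-EncryptableVolume {
    param([string]$DriveLetter, [string]$ComputerName)
    $vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume `
        -ComputerName $ComputerName -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "No encryptable volume $DriveLetter on $ComputerName" }
    return $vol
}

function Get-BitLockerAudit {
    # Lists each protector with its ID. Protector IDs are GUIDs minted when
    # BitLocker is enabled, so the same ID on two machines means the image
    # was encrypted before cloning and those machines share a key.
    param([string]$DriveLetter = 'C:', [string]$ComputerName = '.')
    $vol = Get-EncryptableVolume $DriveLetter $ComputerName
    $status = $vol.GetProtectionStatus().ProtectionStatus   # 0 off, 1 on, 2 unknown
    foreach ($id in @($vol.GetKeyProtectors(0).VolumeKeyProtectorID)) {
        $type = $vol.GetKeyProtectorType($id).KeyProtectorType
        New-Object PSObject -Property @{
            Computer = $ComputerName; Drive = $DriveLetter; Protected = ($status -eq 1)
            ProtectorId = $id; ProtectorType = $protectorTypes[[int]$type]
        }
    }
}

function Backup-RecoveryPasswordToAD {
    # Escrows every numerical-password protector (creating one if none exists)
    # to the computer object in AD, the same data the Group Policy setting backs up.
    param([string]$DriveLetter = 'C:', [string]$ComputerName = '.')
    $vol = Get-EncryptableVolume $DriveLetter $ComputerName
    $ids = @($vol.GetKeyProtectors(3).VolumeKeyProtectorID)
    if ($ids.Count -eq 0) {
        # $null password asks BitLocker to generate the 48-digit recovery password
        $ids = @($vol.ProtectKeyWithNumericalPassword('Recovery password', $null).VolumeKeyProtectorID)
    }
    foreach ($id in $ids) {
        $r = $vol.BackupRecoveryInformationToActiveDirectory($id)
        if ($r.ReturnValue -ne 0) { throw ('AD backup failed for {0}: 0x{1:X8}' -f $id, $r.ReturnValue) }
    }
    return $ids
}

Get-BitLockerAudit | Format-Table -AutoSize
```

Run Get-BitLockerAudit against each cloned machine and group the output by ProtectorId; any ID that appears on more than one computer is a volume whose BitLocker keys predate cloning and should be turned off and re-enabled as the article describes.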


BitLocker demystified: End-to-end encryption for Vista

  Introduction
  The basics
  Keying up
  Common misconceptions
  Competition

About the author
Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!

This tip originally appeared on SearchWindowsSecurity.com.

This was first published in January 2007
