How to use BitLocker as part of a customer data protection program

BitLocker can be an effective tool in your data protection services. Phil Cox gives specific recommendations for implementing BitLocker to protect your client's data.

As an information security consultant, one of my jobs is to help my clients protect their data, which often involves utilizing BitLocker, Encrypting File Systems and NTFS file system permissions to protect data at rest. In this tip, the first of two tips on BitLocker, you will learn how to use Bitlocker and develop an understanding of the three Windows technologies and how they complement each other to protect data at rest. The goal of this tip is to establish a foundation to enable you, the security consultant, to use these technologies as part of your customer data protection program portfolio to help your clients in architecture designs or implementations. These technologies enable you to enhance your offerings by leveraging functionality you can't develop yourself.

Underlying concepts

The terms "offline" and "run-time" are two critical concepts that must be understood and will be used heavily throughout the rest of this tip. For the purposes of this tip, offline will mean "not being actively used by the operating system for which it was intended." Think of an attacker pulling a disk out of a system, placing it into another system and attempting to attack it. For our purposes, that would be a disk that is "offline." Run-time will mean "being used by the operating system it was originally meant for." This is when the system is booted and the disk is mounted, accessible and operating normally. It will be important, because each of the technologies we talk about provide protection under those different modes.

How to use Bitlocker, EFS and NTFS

The following is a short introduction to each of the technologies and their primary role in protecting data at rest.

BitLocker: Provides full disk encryption. It is an integrated Windows feature (part of Enterprise and Ultimate editions of Windows Vista and Windows 7, as well as Windows Server 2008) that encrypts at the volume level, which can include part of a disk, the entire disk or multiple disks. BitLocker protection happens at a low level in the operating system and is effectively transparent to the user as well as any programs or applications being run on the system. To use BitLocker, it must be enabled on a volume.

From a practical standpoint, BitLocker provides protection for offline data, not run-time. Once the system is booted and running, BitLocker already has the keys it needs to encrypt and decrypt the drive.

A quick note on BitLocker To Go (BTG). BTG takes the functionality of BitLocker and applies it to removable storage. In particular, BTG can and should be used to protect data that is stored on external USB drives, most notably USB thumb drives.

Encrypting File System (EFS): Provides file- and folder-level encryption in Windows operating systems. Protection is enforced by EFS driver in the Windows operating system. Any user or program that wants to access the file/folder must have the appropriate key. A combination of public-key and symmetric-key cryptography make decrypting the files very difficult without the correct keys. EFS provides protection for both offline and run-time modes. In offline mode, the files/folders are encrypted as they sit on the disk. In run-time mode, the Windows operating system does not have the keys needed to decrypt the information; the user does in his profile. The protection is provided by operating system libraries as well as the use of cryptographic keys that a user must possess in order to access the data.

NTFS (new technology file system): Provides access control (i.e., permissions) for data at rest. NTFS is a file system first introduced in Windows NT and still supported on later versions of Windows. It provides the ability to protect data based on specifying individual user or group rights to specific files/folders.

NTFS file permissions provide run-time protection in the form of access control on files and folders. NTFS does not provide any form of offline protection of data.

There are a couple of other points that are important to understand:

  • BitLocker: As long as data stays on the disk, wherever that disk goes, the data is protected. Encryption goes with the disk.
  • EFS: Encryption of the file/folder is only on the system EFS is applied on. If you move or copy the file to another system (say a remote file share), the encryption is removed. Protection is specific to the system.
  • NTFS permissions: When copying or moving a file or folder, the permissions may change depending on where you move the file or folder. For all intents and purposes protection is specific to the system.

If used correctly, the combination of NTFS, EFS and BitLocker can provide comprehensive offline and run-time data at rest protection.

How to use BitLocker: details
BitLocker basically sees volumes in two different flavors: operating system volumes and data volumes. Operating system volume can be secured using one or more of the following modes:

Transparent: Uses the capabilities of the trusted platform module (TPM) 1.2 or higher to store encryption keys, thus enabling a transparent system boot, and that the system boots normally to the user. The keys needed to access the data are pulled from the TPM. The TPM provides a hardware-based mechanism to securely generate and store cryptographic keys, generate pseudo-random numbers, and provide remote attestation (cryptographic summary of the hardware and software/BIOS configuration) and sealed storage (encrypt data and specifies a state in which the TPM must be in order for the data to be decrypted).

Use this mode when: You want minimal user interaction, and you trust the hardware the disk is inserted in. The primary protection this mode provides is if someone removes the disk from the device and tries to attack it in another offline mode (i.e., plugging it into another system and attempting to access the data).

User authentication: Requires that the user provide a PIN during the pre-boot, which will be used to decrypt the keys needed to access the data. This is used in conjunction with a TPM.

Use this mode when: You don't trust the physical protection of the hardware (i.e., a laptop that can be stolen versus a system in a locked office) and want to require some type of user interaction for the additional protection it provides, and are satisfied with just the knowledge of the password/PIN being entered at boot time as the additional security mechanism. This enhances the protection of the transparent mode by adding a layer of security that requires user interaction.

USB key: Requires that the user insert a USB device that contains a startup key during the pre-boot. The USB key will then be used to decrypt the keys needed to access the data. This can be used standalone or in conjunction with PIN and/or TPM.

Use this mode when: You don't trust the hardware and want to require some type of user interaction for the additional protection it provides, and are satisfied with just the knowledge of the password/PIN being entered at boot time as the additional security mechanism. This enhances the protection of the transparent mode by adding a layer of security that requires user interaction.

You can use the following different combinations of the above authentication mechanisms with BitLocker when enabling it for the volume that contains the currently running operating system:

  • USB Key only
  • TPM only
  • PIN only
  • TPM + PIN
  • TPM + USB Key
  • TPM + PIN + USB Key

For data volumes, you have 3 different options:

Automatic: Will protect volume's encryption key with a key protected on the Widows disk (effectively the TPM or USB Key). In order toto automatically unlock fixed data drives, the drive that Windows is installed on must also be encrypted by BitLocker.

Smart card: A BitLocker certificate on the smart card protects the volume's encryption key. To unlock the drive, you will insert the smart card and enter the smart card PIN.

Password: The user's password secures the volume's encryption key. To unlock the drive, you'll enter the password.

TPM validation
By default, when the system starts, the TPM checks for a number of things to see if there are changes to a number of items, but the biggest ones I care about are:

  • BIOS
  • Master Boot Record Code and Partition Table
  • NTFS Boot Sector and Boot Block
  • Boot Manager BitLocker Access Control

If any changes are made to these while BitLocker protection is enabled, the TPM will not release the volume's encryption key and the system will enter BitLocker recovery mode. From there you will need to:

  • Enter the 48-digit numerical recovery password (Note: This is not available in FIPS-compliance mode)
  • Insert a USB flash drive containing a 256-bit recovery key
  • Access to backup of keys in Active Directory Domain Services (if configured)

Using BitLocker for customer data protection
Getting back to our vantage point, here are my recommendations for using BitLocker as part of a resale offering or in a generic architecture for your client:

  • Use a newer system with a compatible TPM chip, and use the following authentication modes
    • Laptop: TPM + PIN
      • You don't want a stolen laptop to only rely on the TPM for protection.
    • General Desktop or Server in datacenter: Transparent
      • Protection level seems to be commensurate with the risk. I want systems to be able to reboot automatically after maintenance.
    • Secure Desktop, or Server not in datacenter: TPM + USB or TPM + PIN
      • These are important systems, deserving of special consideration due to lack of more stringent physical controls.
    • Print the recovery key and provide it with the physical machine if applicable
  • Require a minimum 8-digit PIN.
  • Allow the use of passwords on removable drives (passwords cannot be used if FIPS compliance is enabled).

Using BitLocker and these three recommendations will give you the ability to provide your clients added security for their data without significant heartache. For example, if you are deploying a software package that needs secure storage of configuration files that may contain sensitive information or keys, you could configure the system to use BitLocker for offline protection. You may also use BitLocker to ensure any removable USB drive is encrypted prior to storing any sensitive data to it.

About the author: 
Phil Cox is a principal consultant of SystemExperts Corporation, a consulting firm that specializes in system security and management. He is a well-known authority in the areas of system integration and security.

His experience includes Windows, UNIX, and IP-based networks integration, firewall design and implementation and ISO 17799 and PCI compliance. Phil frequently writes and lectures on issues dealing with heterogeneous system integration and compliance with PCI-DSS. He is the lead author of Windows 2000 Security Handbook Second Edition (Osborne McGraw-Hill) and contributing author for Windows NT/2000 Network Security (Macmillan Technical Publishing).

Dig Deeper on Managed network security services