My Notes to Myself and Others... : Bitlocker

BitLocker To Go Reader

Erik Rozman — Fri, 30 Oct 2009 21:23:42 GMT

BitLocker protection on removable drives is known as BitLocker To Go. When a BitLocker-protected
removable drive is unlocked on a computer running Windows 7, the drive is automatically recognized
and the user is either prompted for credentials to unlock the drive or the drive is unlocked automatically
if configured to do so. Computers running Windows XP or Windows Vista do not automatically recognize
that the removable drive is BitLocker-protected. With the BitLocker To Go Reader users can unlock the
BitLocker-protected drives by using a password or a recovery password (also known as a recovery key)
and gain read-only access to their data.

Download it here.

BitLocker and Safe Mode

Erik Rozman — Sat, 15 Nov 2008 11:29:59 GMT

<Rant>

This one is kind of a gotcha that has caught me by surprise. If you use BitLocker with
a TPM that is PIN protected you can’t log into Safe Mode unless you go into recovery mode.

Personally I found this very surprising to say the least. I honestly can’t say that this sounds
logical to me, if you can provide the PIN protecting the TPM I can’t see why you shouldn’t
be able to access Safe Mode. You are not circumventing any of the protection mechanisms
you simply choose an alternate boot method AFTER you have already gained access to the
system legitimately.

…

</Rant>

BitLocker Repair Tool

Erik Rozman — Sat, 03 May 2008 18:51:58 GMT

If you have been following my blog you know that I have a series of posts
about BitLocker. The third part is still missing in action, but a new tool
from Microsoft will be sure to make a guest appearance in that post:
BitLocker Repair Tool.

This tool helps access data encrypted with BitLocker if the hard disk has been
physically damaged. This tool attempts to reconstruct critical data from the drive
and salvage any recoverable data.
To decrypt the data, a recovery password or recovery key is required. In some
cases, a backup of the key package is also required.
Use this command-line tool if the following conditions are true:
• A volume has been encrypted by using BitLocker Drive Encryption.
• Windows does not start, or you cannot start the BitLocker recovery console.
• You do not have a copy of the data that is contained on the encrypted volume

Download it here.

BitLocker and WinPE

Erik Rozman — Sun, 20 Apr 2008 14:46:15 GMT

Continuing the BitLocker related posts, I wanted to reveal a tip I intend to discuss
in the third part of my BitLocker post series: accessing BitLocker encrypted volumes
by using WinPE.

If something went terribly wrong with your Windows installation you are in a bad
situation since not only can you not load Windows but since you can't load Windows
you can't access you data (since it is protected by BitLocker that is a feature of
Windows).

You may attempt to access your data by loading WinPE, yet obviously since the
data is encrypted you will see the drives blank...interesting bind.

Have no fear though, your data is safe and if you have your recovery key or password
handy you will have access at no time. First of all you need to make sure that you
have the scripting package install on your WinPE,once this is done you will use the
BitLocker command line interface to access the data:

cscript manage-bde.wsf -unlock <drive letter> -recoverykey <path to BEK file>

cscript manage-bde.wsf -unlock <drive letter> -recoverypassword <48 digit password>

Note that the drive letter you may be looking for might be different then you one
that you assume it is. The S: drive will most likely take the letter C: and the rest will use
consecutive letters.

BitLocker - Implementation (Part 2 of 3)

Erik Rozman — Sat, 19 Apr 2008 12:48:13 GMT

It has been a while since I wrote the first part, much longer then I planned but as
the saying goes: Man plans,God smiles...

In the first part of the series I have described what is Bitlocker and how it works,
now it's time to get your hands dirty and implement it. As with any process, planning/preparing
will increases the chances of success and in the case of Bitlocker it doesn't really
matter wether you plan to implement it on one system or one thousand systems some
planning is necessary.

Planning/preparing the process

The preparations for Bitlocker implementation concentrate on two major areas:

Choosing the the protector- in my previous post I have pointed out that there are
two types of protectors (I wouldn't count the recovery key/password as standard protectors).
Before you begin the process you should choose the protector you plan to use.
The decision is dependent on what your system(s) supports.
Facilitating recovery- If your protector is lost or damaged you should be ready to provide
a recovery process, if you can't you will be stuck with a very large and useless brick...
Recovery can be provided by either saving the text file (which stores the 48 character
recovery key) or storing the same information in Active Directory. An additional option is to
carry an additional key with you.

I will describe all options and their use later in this post.

Starting the process - Creating a new boot volume

The process for creating a new boot volume can be executed manually or with a tool provided by Microsoft
(found in Vista Ultimate). The description and methods of obtaining the tool can be found at:
http://support.microsoft.com/kb/930063

Start the 'Bitlocker Drive Preparation Tool'
Accept the license
Note the warnings described by the wizard. The last one is especially important, do not store any data
on the newly created partition as it will not be encrypted. Press 'Continue'.
At this stage the wizard starts the actual work by shrinking drive C, creating a new volume (S: unless already
in use in which case it will use the next available letter-Thanks Eli!), copying the necessary files and turning it
into the active drive.
At this stage you will be requested to restart the system.

Starting the process - Configuring the local GPO

Unless you are in an enterprise environment you need to configure your local GPO settings to enable the usage
of BitLocker and to customize it.

Start>Run>gpedit.msc [acknowledge the UAC prompt]
Go to: Computer Configuration>Administrative Templates>Windows Components>BitLocker Drive Encryption
Even though it may seem a bit daunting (and not to mention that each of the options has significant impact on the
way BitLocker is implemented) the options are relatively straight forward:
1. Turn on BitLocker backup to Active Directory Domain Services- As the name implies, this option
  controls wether a backup to AD should be made, wether it is mandatory and what should be backed
  up (48 digit key and/or key packages-that will enable the creation of keys later on).
2. Control Panel Setup:Configure recovery folder- allows you to set the default path provided by the
  wizard when saving the recovery password.
3. Control Panel Setup:Configure recovery options- enables you to specify the recovery key type. Note
  that since Bitlocker must have a recovery method if you disallow both key types (48 and 256) then AD
  recovery must be enabled (if not a policy error occurs).
4. Control Panel Setup:Enable advanced startup options-Now this one is important. To enable Bitlocker
  this setting must be enabled as it determines which protector will be used and how:
  1. Allow BitLocker without a compatible TPM - if your system does not have a supported TPM (1.2).
  2. If the computer does have a TPM then you can set the mechanism needed to access the information
    stored on the TPM (either a PIN code or a key, you can't have both).
5. Configure Encryption Method - self explanatory
6. Prevent memory overwrite on restart- If enabled, it will overwrite memory before restarting. This
  destroys the key stored in RAM to access encrypted material or in other words increases safety at the
  cost of performance.
7. Configure TPM platform validation profile- one major advantage of using a system with TPM is
  the added security a Trusted Platform Module provides. This added security comes in the form of
  verification of boot time parameters, if those parameters changed the TPM will not allow access to the
  encryption keys and the system will enter recovery mode.

Starting the process - Enabling BitLocker

Up to this point no encryption mechanisms have been enabled. Your system has been changed, yet the changes did
not enable or apply any encryption to the system,so lets get to it:

Once the settings have been configured we can finally start the encryption process. This is done by starting the
BitLocker Drive Encryption tool.
Choose 'Turn On BitLocker'. The screenshots have been taken from a system that has a compatible
TPM. If your system doesn't have one, the steps will be a bit different but the concept will be the same.
If you haven't turned the TPM on yet you will receive a warning message about it- Vista turns it on but it still
needs some interaction from you- Shutdown the system and turn it on.
After restarting, on the system I used (Lenovo X61) I received a message requesting me to acknowledge the
request to turn the TPM on.
After acknowledging the request, I logged into the system and I could finally start the encryption process.
Ownership of the TPM is taken.
At this stage (if you configured the system to use a PIN to protect the TPM) you will be asked for that PIN.
If you chose to use a key you will be asked to use a removable storage device to store the key.
As you may remember, BitLocker needs a recovery mechanism. This is where you configure it.
Note that you can create additional keys later one but you need to create at least one at this stage
to continue.
Once the recovery key is saved, the encryption can start...well almost. After creating the recovery
key I would advise that you make sure that it is tested by marking the checkbox for 'Run BitLocker
System Check'. This will restart your system and the recovery key you created will be tested.
If the test fails, encryption will not commence.
After the system starts up, you finally get to the promised land...or encryption.

A few Observations about the process

The encryption process can be paused and continued at a later stage by different users of the same system.
The process will continue over restarts form the point it left off, and the decryption key will be required after
every restart and hibernation.
During the encryption process, the free space on the volume being encrypted drops dramatically to approximately
6 GB. This happens due to the way BitLocker balances between security and performance while encrypting a volume. Free
space on a hard drive is rarely empty, when you delete data on a volume you do not destroy the data, you simply
hide it from plain view. In other words, free disk space may still hold valuable data and it too needs to be encrypted
or destroyed. When deciding on a method (encrypting or destroying the data) encrypting the data stored in free space
seems to be a waste of time and performance so the logical solution is destroying the data. This is achieved by creating
a huge file (called the wipe file) that covers all free space, except 6GB (to avoid full disk messages) which are encrypted.
The process bar (percentage) doesn't seem to reflect the time left-so don't base your time calculations on it. It seems to
start out at a slower pace and the pick up.

Managing BitLocker

Once BitLocker is applied there is not much to do, it's simply there.Nevertheless, there are a few additional tasks that
you should be aware of and both are reachable by starting the 'BitLocker Drive Encryption Tool':

Save additional copies of the Recovery key
Reset the TPM PIN
Encrypt additional volumes- once the first volume (typically C:) is encrypted, additional volumes (except S:)
can be encrypted.
Turn off BitLocker- You may want to turn off BitLocker for two main reasons:
1. Remove BitLocker from the system - This can be done by choosing 'Turn Off Bitlocker'
  and then 'Decrypt the drive'. This is a lengthy process as the drive needs to be fully decrypted.
2. Disable Bitlocker for driver installations and BIOS updates - In some cases you might be instructed to
  help in facilitating BIOS updates or driver installations by disabling BitLocker. When you disable BitLocker
  you do not remove the encryption, you simply put it on hold...the key needed to decrypt the data is freely
  available to the OS.

Managing BitLocker - Recovery

Recovery mode can be triggered by several factors:

If you use TPM and the boot environment has been tampered with (automatically)
You lost your TPM PIN or key (manually)
On a TPM protected system, the system board needs to be replaced
On a TPM protected system, the disk is moved to a different system

If recovery mode is triggered you will need to use either the recovery key you have created or the recovery
password that is stored with the recovery key you created. Basically they are both protectors in different
forms, one provides the key by a file saved on removable storage while the other provides the key by
entering a 48 digit long password. Both can be used by you if you have access to the removable storage
while the password can be used by a helpdesk representative helping you remotely.

Lets take a closer look at these protectors:

BEK (Backup Encryption Key?) file - This is an unreadable (to human eyes) file that stores the key needed
by BitLocker to decrypt the volume in question.
TXT (Text) file - Holds the 48 digit password which is the key to the volume.

To use these recovery options, you should choose recovery mode (or reach it automatically) when your system
by pressing ESC

Note that once you reach recovery you are requested to provide the key (note the file name in the screenshot). If
you do not have the key with you you can press Enter which will provide you with the user interface needed to
enter the 48 digit password:

Note that after booting through recovery mode you can continue working normally. As I mentioned in the first post
of this series, recovery mode is not different from a standard boot mode. Recovery mode simply uses different
protectors to provide the decryption.

Even though you can continue working normally using recovery mode to boot every time you should recreate your
original method of booting the system,either by creating a new key (on a removable storage device) or on your
TPM(which may be a bit more complicated then it seems,more about this in part three).

2nd part conclusions

In this part of the series I tried to describe the hands on process of configuring BitLocker and using it, we are not
done though. In part three, I plan to show you how to use the command line interface to control BitLocker
and a few additional tips and tricks.

As usual,any feedback/corrections are welcome.

Frozen RAM and Bitlocker (can it be defeated?)

Erik Rozman — Fri, 22 Feb 2008 09:25:22 GMT

This came as no surprise to me, yet when you see something theoretical being applied
it always manages to give you a jolt...especially if you consider the timing.

During the last week I was (and still am) planning a series of posts about Bitlocker.
In (very) short,Bitlocker is a Windows Vista technology that encrypts your hard drive
as a unit. To access the data you need to provide some type of a key that releases the
key used to decrypt (and encrypt) your data into RAM.

The main advantage of Bitlocker is it's ability to protect your data even if someone manages
to gain physical access to your system(by stealing it) and boots the system form a parallel
OS.

In the past I have read a research paper(still looking for it), stating that in contrary to popular
belief when you cut power to a RAM module the data it has stored is not lost. In addition to that,
the data inside RAM can be preserved by cooling the RAM modules.

Considering that your encryption/decryption keys are saved in RAM if someone gains access to
your system while it is still turned on(or shortly after you have cut power to it) they may be able
to access your encryption/decryption keys and additional sensitive information such as documents
you worked had open.

This concept has been demonstrated (to some extent in a video and a research paper) by a group of
people mainly from Princeton at their website:
http://citp.princeton.edu/memory/

In my opinion, it is extremely important to point out that Bitlocker protects your data only
if the computer is turned off or is hibernated (if your system is on, the data is not protected).

I am humbled to correct people from Princeton but it is something that I must do in this case, during the
video, the narrator mentions that in some cases Bitlocker can be attacked even if a system is turned off and
the way to discern between such cases is if a system asks for a key/pin(you are protected) or a password(you are
not protected).
The first part is very inaccurate and may cause unnecessary confusion.
There is only one way for a system to be off-there is no power running to it. Either it is shut down
or it is hibernated all the other methods do not shut a system down.

Anyway- it is still a cool concept to demonstrate...