Windows BitLocker - USALearning

Windows BitLocker

Table of Contents

Windows BitLocker ......................................................................................................................... 2

Windows BitLocker Overview ......................................................................................................... 3

Windows BitLocker Usage .............................................................................................................. 5

Windows BitLocker Advantages ..................................................................................................... 8

Windows BitLocker Disadvantages ............................................................................................... 10

Windows BitLocker Configuration -1 ............................................................................................ 16

Windows BitLocker Configuration - Turn On ................................................................................ 17

Windows BitLocker Configuration - Turn Off................................................................................ 18

Notices .......................................................................................................................................... 19

Page 1 of 19

Windows BitLocker

79

**079 Another locker is Windows BitLocker. This is the one we talked about that has encryption associated with it.

Windows BitLocker Overview

80

BitLocker provides hard drive encryption.
• Windows system drive
• Fixed data drives (internal hard drives)

BitLocker ToGo is used for removable hard drives.
• External hard drives
• USB drives

If a TPM (Trusted Platform Module) is on the system, BitLocker will store the cryptographic keys in the TPM.

**080 Hard drive encryption. The Windows system drive is going to be encrypted with BitLocker. Any internal drives I have on this computer system are going to be encrypted with BitLocker. BitLocker itself does not work with these devices-- any external drives or USB devices. If I want to have encryption on these devices, there is a version-- it's called BitLocker ToGo-- that I can employ that will support that capability. When we think about encryption, encryption requires keys. If we have a trusted platform module on the computer system, BitLocker will use that Trusted Platform Module to store those cryptographic keys. So those keys-- if you think about it, the danger is this: If I have a hard drive and I'm going to encrypt that entire hard drive, and the keys are stored on that hard drive, then once I do the encryption, I will never have access to the keys to be able to decrypt it. So we want the keys stored somewhere else, and that's why we use the Trusted Platform Module-- a chip on the machine, for example, that is going to allow us to have those keys to decrypt it. Right? So, I have BitLocker for internal system drives and then BitLocker ToGo for external drives.

Windows BitLocker Usage

81

BitLocker requires two partitions.
• System partition to contain files needed to start the system
• An OS partition for Windows and all other files that will be encrypted

Files are automatically encrypted as they are added to the drive.

Microsoft provides a step-by-step guide to BitLocker.

Ref: http://technet.microsoft.com/en-us/library/cc732725%28v=ws.10%29.aspx

**081 Yes?

Student: So the obvious question is, if a machine doesn't have TPM, where does it store its keys?

Mark Williams: Then you're going to have to have a-- well, it would store it on a different partition on the drive, or you could even have a different drive that you would store it on. Maybe you would want to store your keys on a removable device. All right?

Student: I see. Thank you.

Mark Williams: You'd have to choose. And that's one of the things to keep in mind. When we're installing BitLocker externally, it does require two partitions, and that's partly-- partly the reason is if I don't have a TPM, that second partition is going to be for the keys, and that second partition would also be for the basic files that are needed to get it going. If I encrypt every single thing, then obviously it won't work at all. So we have two partitions. Which, that implies-- if I have to have multiple partitions-- that implies I'm going to have to BitLocker when I first build the machine, right? Doing it later on is going to be much more cumbersome. Yeah?

Student: You can store it in Active Directory, but you have to extend the schema. So.

Mark Williams: Active Directory on the domain controller?

Student: Yeah. But apparently you have to extend the schema a little bit. There's a little bit of work involved.

Mark Williams: A little bit of work.

Student: Yeah.

Mark Williams: Yeah, I can't imagine doing any of this without a little bit of work.

Student: Right.

Mark Williams: All right. One of the nice things about BitLocker is once you do encrypt the drive, if I create a new file, I add a new file, I modify the file, that newly created, newly added, newly modified file is automatically going to get encrypted on the drive. All right? The cool thing is, it is not-- well, I say the cool thing. Initially it's not a real simple task to enable BitLocker. But the cool thing is Microsoft does provide a very good guide that you can follow that gets you through the steps. All right?

Windows BitLocker Advantages

82

BitLocker helps to stop the hackers from accessing the system files that they rely on to get to your passwords.

Data cannot be accessed even if the drive is placed in another system.

BitLocker can be turned off at any time.

**082 Why do we want to do it? Like I said, if that government agency that sent me that letter telling me that my data was on a stolen laptop, had they told me that the laptop was encrypted, I would not have had any troubles with that issue. Right? But they didn't do that. One of my partners one time, she was in a hotel. She had her laptop stolen from the hotel. And we weren't worried about it, because we knew that she does use full hard disk encryption, so all the customer data, all the client data that we had on that laptop-- it's not a big deal. Yeah, they have the hardware, they have a machine, but there's no way, without the proper key, that they're going to be able to get access to that actual customer data. And that's the big benefit. Once I turn on BitLocker, it is flexible in the fact I can turn it off if I want. I can even turn it off for short periods of time if I wanted to do that. I personally can't think of a real good reason why I would want to-- after enabling BitLocker-- turn it off, other than maybe there's a performance issue or performance reason that I might want to turn it off for a period of time. You have a reason?

Student: Updating BIOS.

Mark Williams: Updating BIOS? Okay.

Student: They don't see that as a hardware change. So you just suspend it, do it, bring it back, and it's fine.

Mark Williams: All right, very good. That's a good point. I hadn't thought of that. So updating BIOS. All right.

Windows BitLocker Disadvantages

83

Data is only encrypted on the BitLocker drive.
• Move the data, say send the file in an email, the encryption is lost.

BitLocker may cause performance issues.

**083 Disadvantages. The data is only protected while it's on that BitLocker drive. If I take that data off of that BitLocker drive and move it somewhere else-- say send it to you in an email-- the encryption does not go with it. And so that's a potential danger. And just the mere fact that we're doing any kind of encryption and decryption just to use files and data, it's probably going to be a performance hit. How about servers and databases? Would you guys use BitLocker in a database environment? I don't think I would.

Student: I've used Microsoft as a product for SQL Server. Transparent data encryption. And it only took about a 3 percent hit.

Mark Williams: A 30 percent hit?

Student: Three percent hit.

Mark Williams: Oh, I was going to say, only a 30 percent hit? That's pretty bad. But 3 percent.

Student: Utilization when I the database. It wasn't bad. I mean, it was a pretty decent Dell server.

Mark Williams: All right. It did take a hit. You have to really take a look at what kind of equipment you're running it on. Right? And also look at the application-- the utility, I should say. How often is the data going to be accessed and by how many people-- that all is going to have a bearing on, "Should I turn on this encryption on this very busy server on this very busy database or not?" A lot of people would say that the encryption-- the performance hit that we take is just too great. But 3 percent, that's not too bad at all.

Student: That's not bad. The one caveat was it needed the enterprise version of SQL, which was more money. And the plus side of it was there's certain laws saying if your data is encrypted and it gets compromised, then you have leeway as to whether you need to do notification or not. It just depends.

Mark Williams: Yes?

Student: The thing is there's quite a nice alternative, self-encrypting drives, which is relatively low cost, and really easy to manage, and you complete a separate-- the data on rest encryption from your CPU. And it's platform-transparent. So that's much easier to deal with.

Mark Williams: That is an alternative, absolutely.

Student: Who makes it?

Student: Quite a few. Hitachi, Seagate.

Mark Williams: Yeah, a lot of the drive manufacturers support it.

Student: I know for certain Dell, IBM and HP all have their laptops and servers and desktops equipped with a BIOS-- with a TPM chip as well as self-encrypting drives.

Student: It's pretty easy to save the keys and everything, escrow, or-?

Student: It's pretty easy. You can also reassign keys, remotely have a centralized management system.

Mark Williams: Yeah, the key thing-- pardon, it's not supposed to be a pun-- but the important thing about it is that key management piece. Especially in an enterprise environment when you have multiple systems, centrally storing those keys in a trusted way is very important. And there are enterprise tools that will support that for you.

Student: Yeah, you want to consider forensics too. If you need to get into the machine, is there a way to use that key or another key.

Mark Williams: Absolutely-- are there any backdoor keys. Yeah. To my knowledge, there are no BitLocker backdoor keys that forensics guys can use. So if-- and that's one of the challenges, since you brought up forensics. The bad guys are getting more and more sophisticated. I have a couple of colleagues and acquaintances I know that do forensics for law enforcement, and they say one of the challenges they're running into is when they acquire a hard drive from Joe the Child Exploitation Bad Guy that they cannot get the evidence because they don't have access to the encrypted data. That's the dual-edged sword of cryptography, isn't it? All right? To my knowledge-- like I said, to my knowledge-- there's not a backdoor key for BitLocker that it would be available to law enforcement.

Student: Assuming your laptop, when it's lost, is turned off. If it's running, all encrypted data doesn't count.

Student: Yeah, I've heard that law enforcement people are told now, "Don't touch the"-- if it's up and running, don't touch it. Because their initial thing is to shut it down, and once they do that, they've lost any ability.

Mark Williams: Absolutely. That is one of the considerations for them. Because you're right, if they shut it down and there is an encrypted drive, there is an encrypted file, there's encrypted anything, when it's shut down then they've lost that access. And that does require them-- this is not really a forensics class-- but that does require them to have a different approach for how they do the acquisition-- right?-- and how they collect that evidence. One of the things to be aware of, from a forensics standpoint, there's a thought that if I do any kind of live evidence collection on a computer system, there's a possibility that I am corrupting evidence. Just by me looking around on the machine, there's the perception that I'm changing something.

Student: Which you are, actually? You're changing the last accessed time.

Mark Williams: I'm changing last accessed time. I'm changing what's in memory. So there's a perception. But from a-- I'll use the child exploitation standpoint. From a child exploitation standpoint, you know what? Me looking around on that machine is not going to change the fact that there are 50 thousand images of children doing-- in a bad situation. Does that make sense? So one of the things about evidence is for admissibility, evidence has to be believable. And just by me looking around, it's not believable that I could have planted those 50 thousand images on there. Does that kind of make sense to you? But it does change-- it does change the rules for how the forensics investigator is going to do his or her job. But that's not our discussion today. Our discussion is about BitLocker and encryption, but encryption is a dual-edged sword. All right?

Windows BitLocker Configuration -1

84

Requires a Trusted Platform Module (TPM)

Set the BIOS to boot first from the HDD.

Partitions must be created before installing the operating system.

• System partition minimum 1.5GB
• System partition is active partition

Must begin with a fresh installation.

**084 So, BitLocker configuration. Trusted Platform Module is desirable. We have to tell the BIOS that we are going to be doing BitLocker, so we have to go into the BIOS and say, "Boot from the hard disk drive, not from a CD or USB." So that has to be the first selection in BIOS. And it does require multiple partitions, one partition which is going to be minimum one and a half gig for the system, and then we have the other partition, which is going to be the active partition. Fresh install. If you already have an install of the machine up and running, you're not going to do BitLocker. You have to start over from scratch to do it. Right?

Windows BitLocker Configuration - Turn On

85

Control Panel > System and Security > BitLocker Drive Encryption > Turn On BitLocker.

Enter Admin password if prompted.

Follow instructions from the wizard.


**085 And here they're showing you how to turn on BitLocker. And just from the System and Security window, BitLocker Drive Encryption, turn it on, and a little GUI to get us started on it.
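The wizard steps on this slide, together with the TPM and partition requirements from the Configuration -1 slide, can also be scripted so that the pre-flight checks are not skipped. The following PowerShell is an added example and is not part of the SEI course material. It assumes an elevated session on Windows 8 / Server 2012 or later (the BitLocker, Storage and TrustedPlatformModule cmdlets), C: as the OS volume, and, for the last step, a domain already set up to accept BitLocker recovery information (the Active Directory option a student raised earlier).

```powershell
# Added example, not from the SEI course: pre-flight checks and turning on
# BitLocker for the OS drive with a TPM protector plus an escrowed recovery
# password. Assumes an elevated session on Windows 8 / Server 2012 or later.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
$OsDrive = 'C:'               # assumption: the OS volume to protect
$MinSystemPartition = 1.5GB   # the slide's minimum system partition size

# 1. TPM present and ready (the slide's first requirement). Without one the
#    keys have to live on another partition, removable media, or in AD DS.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'No ready TPM found; a TPM protector cannot be used on this machine.'
}

# 2. A separate active system partition of at least 1.5 GB, created before
#    the OS was installed, so the boot files can stay unencrypted.
$sysPart = Get-Partition | Where-Object { $_.IsSystem -or $_.IsActive } | Select-Object -First 1
if (-not $sysPart) {
    throw 'No system partition found; BitLocker needs two partitions.'
}
if ($sysPart.Size -lt $MinSystemPartition) {
    throw ('System partition is {0:N0} MB, below the 1.5 GB minimum.' -f ($sysPart.Size / 1MB))
}

# 3. Do nothing if the volume is already protected.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.ProtectionStatus -eq 'On') {
    Write-Warning "$OsDrive is already protected; nothing to do."
    return
}

# 4. Add a recovery password before sealing to the TPM, so a firmware or
#    hardware change that breaks the TPM seal never locks the data away
#    (the course notes there is no vendor backdoor key to fall back on).
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
# Aes256 is accepted by every BitLocker version; prefer XtsAes256 on Windows 10 or later.
Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod Aes256 -TpmProtector -SkipHardwareTest

# 5. Escrow the recovery password in Active Directory. Assumes the domain
#    has been prepared to store BitLocker recovery information.
$rp = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
      Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
Backup-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $rp.KeyProtectorId

# 6. Show what the slide's wizard would report: encryption in progress.
Get-BitLockerVolume -MountPoint $OsDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```

The recovery password is added before the TPM protector on purpose: once the volume is sealed to the TPM, any later BIOS or hardware change that alters the measured boot state will prompt for recovery, and the escrowed password is the only supported way back in.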

Windows BitLocker Configuration - Turn Off

86

Control Panel > System and Security > BitLocker Drive Encryption > Turn Off BitLocker > Decrypt Drive.

To suspend BitLocker: Suspend Protection > Yes.

**086 Suspending BitLocker, same thing. The Drive Encryption selection, and Suspend BitLocker, select Yes on that. All right?
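The suspend path on this slide is the one the class discussion recommended for a BIOS update. The following PowerShell is an added example, not part of the SEI course material: it suspends protection for a single reboot, runs a firmware updater, and then checks that protection came back. It assumes an elevated session with the BitLocker cmdlets, C: as the OS volume, and a hypothetical updater path in $FirmwareUpdater.

```powershell
# Added example, not from the SEI course: suspend BitLocker for one reboot
# around a firmware (BIOS) update and confirm protection is back afterwards.
# Assumes an elevated session with the BitLocker module; $FirmwareUpdater is
# a hypothetical path to the vendor's updater.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

function Suspend-BitLockerForFirmwareUpdate {
    param(
        [string]$MountPoint = 'C:',
        [string]$FirmwareUpdater = 'C:\Temp\vendor-bios-update.exe'   # hypothetical
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        throw "$MountPoint is not protected; nothing to suspend."
    }
    # While suspended the volume key is stored in the clear on disk, so keep
    # the window to a single reboot (RebootCount 0 would suspend indefinitely).
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    # The vendor tool typically stages the flash for the next boot; run it
    # and reboot so the new firmware is measured exactly once while suspended.
    Start-Process -FilePath $FirmwareUpdater -Wait
    Restart-Computer -Force
}

function Confirm-BitLockerProtection {
    # Run after the reboot. Returns $true once protection is On; resumes
    # protection if the reboot counter did not, and warns about the gap.
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "$MountPoint still suspended after the update; resuming."
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    }
    return ($vol.ProtectionStatus -eq 'On')
}

# Turning BitLocker off entirely (the slide's "Decrypt Drive" path) is a
# separate, slow full decryption and is not what a firmware update needs:
#   Disable-BitLocker -MountPoint 'C:'
```

Run Suspend-BitLockerForFirmwareUpdate before the update and Confirm-BitLockerProtection at the next logon (for example from a startup script); a $false return is worth alerting on, because a volume left suspended is an encrypted disk whose key is sitting beside it.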

Notices

2

© 2014 Carnegie Mellon University

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study.

Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT ® is a registered mark owned by Carnegie Mellon University.
